diff --git a/Dockerfile b/Dockerfile index e058f30a8..4bb9a2dde 100644 --- a/Dockerfile +++ b/Dockerfile @@ -35,6 +35,17 @@ COPY --from=js-static $APP_DIR/bundles ./bundles RUN uv run --locked -- ./manage.py collectstatic +FROM python:3.12 AS vault-lambda-extension + +WORKDIR /vault + +# https://developer.hashicorp.com/vault/docs/platform/aws/lambda-extension +ADD --checksum=sha256:69b95ca2f99196868077fa5d360db24aaed16fdf6038e72273163aa4cc372b0b \ + https://releases.hashicorp.com/vault-lambda-extension/0.10.3/vault-lambda-extension_0.10.3_linux_amd64.zip \ + /vault.zip + +RUN python -m zipfile -e /vault.zip /vault + FROM amazon/aws-lambda-python:3.12 COPY --from=ghcr.io/astral-sh/uv:0.2.37 /uv /bin/uv @@ -43,27 +54,17 @@ ARG FUNCTION_DIR="/var/task/" COPY pyproject.toml uv.lock $FUNCTION_DIR -# Setup Python environment -RUN dnf install -y unzip \ - # silent, show errors and location (aka follow redirect) - && curl -sSL --output vault-lambda-extension.zip \ - https://releases.hashicorp.com/vault-lambda-extension/0.10.3/vault-lambda-extension_0.10.3_linux_amd64.zip \ - && unzip vault-lambda-extension.zip -d /opt \ - && dnf remove -y unzip \ - && dnf clean all \ - && rm vault-lambda-extension.zip \ - && rm -rf /var/cache/dnf - # FIXME: once uv supports using uv.lock to install into system python this should actually use the lockfile RUN uv pip install -r pyproject.toml --extra prod --verify-hashes --no-cache --system --compile-bytecode && rm /bin/uv COPY ./ $FUNCTION_DIR RUN ZAPPA_HANDLER_PATH=$(python -c "from zappa import handler; print (handler.__file__)") \ - && echo $ZAPPA_HANDLER_PATH \ - && cp $ZAPPA_HANDLER_PATH $FUNCTION_DIR +&& echo $ZAPPA_HANDLER_PATH \ +&& cp $ZAPPA_HANDLER_PATH $FUNCTION_DIR COPY --from=static-files /srv/app/webpack-stats.json ./ +COPY --from=vault-lambda-extension /vault/extensions/vault-lambda-extension /opt/extensions/vault-lambda-extension ARG VERSION # https://docs.sentry.io/platforms/python/guides/logging/configuration/releases/#setting-a-release ENV SENTRY_VERSION=${VERSION}