fix(lambda-python): bundling with poetry is broken (#21945)

It looks like something was changed in the base image and there is no longer write access to the `/tmp` directory which causes bundling with poetry to fail (see linked issue). This PR updates the Dockerfile to create a new cache location for both `pip` and `poetry` and switches to using a virtualenv for python so that it is no longer using root.

To test this I executed the `integ.function.poetry` integration test both before (to reproduce the error) and after the fix. I'm actually not sure why our integration tests didn't start failing in the pipeline. The only thing I can think of is that we are caching the docker images and it just hasn't pulled down a newer one that has this issue.

fixes #21867


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: corymhall

packages/@aws-cdk/aws-lambda-python/lib/Dockerfile

@@ -7,10 +7,35 @@ ARG PIP_INDEX_URL
 ARG PIP_EXTRA_INDEX_URL
 ARG HTTPS_PROXY
 
+# Create a new location for the pip cache
+# Ensure all users can write to pip cache
+RUN mkdir /tmp/pip-cache && \
+    chmod -R 777 /tmp/pip-cache
+
+# set the cache location
+ENV PIP_CACHE_DIR=/tmp/pip-cache
+
+# create a new virtualenv for python to use
+# so that it isn't using root
+RUN python -m venv /usr/app/venv
+ENV PATH="/usr/app/venv/bin:$PATH"
+
 # Upgrade pip (required by cryptography v3.4 and above, which is a dependency of poetry)
 RUN pip install --upgrade pip
 
+
 # pipenv 2022.4.8 is the last version with Python 3.6 support
 RUN pip install pipenv==2022.4.8 poetry
 
+# Create a new location for the poetry cache
+# Ensure all users can write to poetry cache
+RUN mkdir /tmp/poetry-cache && \
+    chmod -R 777 /tmp/poetry-cache
+
+# set the poetry cache
+ENV POETRY_CACHE_DIR=/tmp/poetry-cache
+
+# create non root user and change allow execute command for non root user
+RUN /sbin/useradd -u 1000 user && chmod 711 /
+
 CMD [ "python" ]

packages/@aws-cdk/aws-lambda-python/package.json

@@ -75,6 +75,7 @@
     "@aws-cdk/assertions": "0.0.0",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/integ-runner": "0.0.0",
+    "@aws-cdk/integ-tests": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",
     "@types/jest": "^27.5.2"
   },

packages/@aws-cdk/aws-lambda-python/test/integ.function.poetry.ts

@@ -1,9 +1,7 @@
-// disabling update workflow because we don't want to include the assets in the snapshot
-// python bundling changes the asset hash pretty frequently
-/// !cdk-integ pragma:disable-update-workflow
 import * as path from 'path';
 import { Runtime } from '@aws-cdk/aws-lambda';
 import { App, CfnOutput, Stack, StackProps } from '@aws-cdk/core';
+import { IntegTest } from '@aws-cdk/integ-tests';
 import { Construct } from 'constructs';
 import * as lambda from '../lib';
 
@@ -35,5 +33,13 @@ class TestStack extends Stack {
 }
 
 const app = new App();
-new TestStack(app, 'cdk-integ-lambda-python');
+const testCase = new TestStack(app, 'cdk-integ-lambda-python');
+
+new IntegTest(app, 'poetry', {
+  testCases: [testCase],
+  // disabling update workflow because we don't want to include the assets in the snapshot
+  // python bundling changes the asset hash pretty frequently
+  stackUpdateWorkflow: false,
+});
+
 app.synth();