chore(lambda-layer-awscli): install awscli with pip and requirements.txt (#18800)

We are currently bundling the AWS CLI in the Lambda Layer and need a
mechanism to automatically upgrade when new versions are released.

This changes the way we bundle the AWS CLI, from using the install
script to using pip to install from a `requirements.txt` file. This will
enable dependabot to auto upgrade the version of the awscli specified in
requirements.txt

Also added integration tests to ensure that the AWS CLI is executable from within
various Python runtimes. 

The `assetHash` has been updated to fingerprint the entire `layer` directory since
we want to deploy a new version anytime anything in that directory changes, not just the
Dockerfile.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: corymhall

packages/@aws-cdk/lambda-layer-awscli/README.md

@@ -12,6 +12,8 @@
 
 This module exports a single class called `AwsCliLayer` which is a `lambda.Layer` that bundles the AWS CLI.
 
+Any Lambda Function that uses this layer must use a Python 3.x runtime.
+
 Usage:
 
 ```ts

packages/@aws-cdk/lambda-layer-awscli/awscli.version

@@ -1,4 +1,4 @@
-FROM public.ecr.aws/lambda/provided:latest
+FROM public.ecr.aws/sam/build-python3.7
 
 USER root
 RUN mkdir -p /opt
@@ -9,27 +9,19 @@ WORKDIR /tmp
 #
 
 RUN yum update -y \
-    && yum install -y zip unzip wget tar gzip python3
+    && yum install -y zip unzip wget tar gzip
 
 #
 # aws cli
 #
 
-ARG AWSCLI_VERSION=0.0.0
-
-RUN curl https://s3.amazonaws.com/aws-cli/awscli-bundle-${AWSCLI_VERSION}.zip -o awscli-bundle.zip
-RUN unzip awscli-bundle.zip
-RUN python3 ./awscli-bundle/install -i /opt/awscli -b /opt/awscli/aws
+COPY requirements.txt ./
+RUN python -m pip install -r requirements.txt -t /opt/awscli
 
 # organize for self-contained usage
-RUN mv /opt/awscli                                      /opt/awscli.tmp
-RUN pyver=$(python3 -c 'import sys; v = sys.version_info; print(f"{v[0]}.{v[1]}")') && \
-    mv /opt/awscli.tmp/lib/python${pyver}/site-packages /opt/awscli
-RUN mv /opt/awscli.tmp/bin                              /opt/awscli/bin
-RUN mv /opt/awscli/bin/aws                              /opt/awscli
+RUN mv /opt/awscli/bin/aws /opt/awscli
 
 # cleanup
-RUN rm -fr /opt/awscli.tmp
 RUN rm -rf \
     /opt/awscli/pip* \
     /opt/awscli/setuptools* \

packages/@aws-cdk/lambda-layer-awscli/build-tools/bump-awscli-version.sh

@@ -3,13 +3,11 @@ set -euo pipefail
 
 cd $(dirname $0)
 
-version=$(cat ../awscli.version)
-
-echo ">> Building AWS Lambda layer inside a docker image for CLI version ${version}..."
+echo ">> Building AWS Lambda layer inside a docker image..."
 
 TAG='aws-lambda-layer'
 
-docker build -t ${TAG} . --build-arg AWSCLI_VERSION=${version}
+docker build -t ${TAG} .
 
 echo ">> Extrating layer.zip from the build container..."
 CONTAINER=$(docker run -d ${TAG} false)

packages/@aws-cdk/lambda-layer-awscli/layer/Dockerfile

@@ -0,0 +1 @@
+awscli==1.22.46

packages/@aws-cdk/lambda-layer-awscli/layer/build.sh

@@ -1,7 +1,6 @@
-import * as crypto from 'crypto';
-import * as fs from 'fs';
 import * as path from 'path';
 import * as lambda from '@aws-cdk/aws-lambda';
+import { FileSystem } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 
 /**
@@ -11,17 +10,10 @@ export class AwsCliLayer extends lambda.LayerVersion {
   constructor(scope: Construct, id: string) {
     super(scope, id, {
       code: lambda.Code.fromAsset(path.join(__dirname, 'layer.zip'), {
-        // we hash the Dockerfile (it contains the tools versions) because hashing the zip is non-deterministic
-        assetHash: hashFile(path.join(__dirname, '..', 'layer', 'Dockerfile')),
+        // we hash the layer directory (it contains the tools versions and Dockerfile) because hashing the zip is non-deterministic
+        assetHash: FileSystem.fingerprint(path.join(__dirname, '../layer')),
       }),
       description: '/opt/awscli/aws',
     });
   }
 }
-
-function hashFile(fileName: string) {
-  return crypto
-    .createHash('sha256')
-    .update(fs.readFileSync(fileName))
-    .digest('hex');
-}

packages/@aws-cdk/lambda-layer-awscli/layer/requirements.txt

@@ -74,6 +74,7 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/assertions": "0.0.0",
+    "@aws-cdk/custom-resources": "0.0.0",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/cdk-integ-tools": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",