Running CDKTF on FIPS enabled OS (Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS)

Terraform CDK for Terraform
1

I am attempting to run cdktf on an OS that has FIPS enabled but in doing so it appears there are a number of algorithms that are used by default that are not FIPS compliant. Is cdktf supported on a FIPS compliant OS and is there any additional configuration/versions required to make this work?

[root@098acf70ab36 app]# cdktf synth

⠇  Synthesizing
[2023-10-25T00:10:28.090] [ERROR] default - jsii.errors.JavaScriptError: 
  @jsii/kernel.RuntimeError: Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS
      at Kernel._Kernel_ensureSync (/tmp/tmpysx4l1go/lib/program.js:10487:23)
      at Kernel.invoke (/tmp/tmpysx4l1go/lib/program.js:9851:102)
      at KernelHost.processRequest (/tmp/tmpysx4l1go/lib/program.js:11691:36)
      at KernelHost.run (/tmp/tmpysx4l1go/lib/program.js:11651:22)
      at Immediate._onImmediate (/tmp/tmpysx4l1go/lib/program.js:11652:46)
      at process.processImmediate (node:internal/timers:476:21)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/app/main.py", line 108, in <module>

[2023-10-25T00:10:28.092] [ERROR] default -     app.synth()
  File "/root/.local/share/virtualenvs/app-ueEJiAOq/lib/python3.11/site-packages/cdktf/__init__.py", line 218, in synth
    return typing.cast(None, jsii.invoke(self, "synth", []))
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/.local/share/virtualenvs/app-ueEJiAOq/lib/python3.11/site-packages/jsii/_kernel/__init__.py", line 149, in wrapped
    return _recursize_dereference(kernel, fn(kernel, *args, **kwargs))
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/.local/share/virtualenvs/app-ueEJiAOq/lib/python3.11/site-packages/jsii/_kernel/__init__.py", line 399, in invoke
    response = self.provider.invoke(
               ^^^^^^^^^^^^^^^^^^^^^
  File "/root/.local/share/virtualenvs/app-ueEJiAOq/lib/python3.11/site-packages/jsii/_kernel/providers/process.py", line 380, in invoke
    return self._process.send(request, InvokeResponse)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/.local/share/virtualenvs/app-ueEJiAOq/lib/python3.11/site-packages/jsii/_kernel/providers/process.py", line 342, in send
    raise RuntimeError(resp.error) from JavaScriptError(resp.stack)

cdktf debug
language: python
cdktf-cli: 0.16.3
node: v18.18.2
cdktf: 0.16.3
constructs: 10.3.0
jsii: 1.91.0
terraform: 1.5.4
arch: x64
os: linux 3.10.0-1160.95.1.el7.x86_64
python: Python 3.11.2
pip: null
pipenv: pipenv, version 2023.10.3
2

after more digging it appears that the generation of unique ids is causing the failure (https://github.com/hashicorp/terraform-cdk/blob/e207a50aae198ac7cc78dc40356b35946c9d1ad8/packages/cdktf/lib/private/unique.ts). There doesn’t seem to be a way to quickly change the hash algorithm from a consumers perspective, but at the stack level it appears possible to overwrite _allocate_logical_id to provide a custom function. While this is sufficient I’m curious if there’s a “simpler” way to swap out the hashing implementation based on the running environment (FIPS vs non FIPS).