Django_AWS_Lightsail_Template

Updates required?

Open mscheper opened this issue 1 year ago • 5 comments

I followed a link to this project in (your?) Reddit comment, and appreciate you creating it. Unfortunately, though, I haven't managed to get it working.

I'm seeing this in the Building Django action in GitHub:

AccessDeniedException: User: arn:aws:iam::***:user/*** is not authorized to perform: lightsail:CreateContainerServiceRegistryLogin on resource: arn:aws:lightsail:***:***:* because no identity-based policy allows the lightsail:CreateContainerServiceRegistryLogin action
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
  },
  Message_: "User: arn:aws:iam::***:user/*** is not authorized to perform: lightsail:CreateContainerServiceRegistryLogin on resource: arn:aws:lightsail:***:***:* because no identity-based policy allows the lightsail:CreateContainerServiceRegistryLogin action"
}

It's been 18 months since your post, so I assume some things need to be updated, especially since LightSail won't let me set up Django 4.1 any more, environ in requirements.txt seems no longer maintained, and I'm seeing deprecation warnings, e.g.:

Warning: The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

I'm going to see what I can work out, but if you plan to update this repo and the README some time soon, it would no doubt make it easier for me. I'm an old hand at Django, but I've always had other people handle ops, CI and deployment. But now, in a new project, I'm trying to manage all that myself, hence websearching and finding your Reddit post.

Feedback about the installation instructions

1. Configure AWS LightSail Container Service

  • The screenshot/steps appear out of date.
  • I chose a different name from 'djangoapp'. I changed the two image entries in AWS/deploymentconfig.json accordingly, but would this cause problems otherwise?

2. Set Up AWS Access Credentials

While there are indeed 'plenty of tutorials', more information would be helpful here:

  • What, exactly, are the 'necessary permissions'?
  • It seems this user account is for the application's use, not for the developer's personal use, and that therefore there's no need to tick Provide user access to the AWS Management Console. Is that right?
  • Clicking Create access key brings up a screen discouraging using these. Is this still the best way?

3. Update GitHub Repository Secrets

  • It would've been helpful if you'd specified that we want to create 'Repository secrets', under Settings → Secrets → Actions (that last step was missing).
  • There are extra keys in your screenshot. Do we need to populate these at this stage?
    • AWS_SERVICE_NAME
    • DJANGO_SECRET_KEY

Questions

  1. How do I find out what the production URL is, to see whether it worked?
  2. What do you recommend I read up on? I'm very familiar with Django and GitHub and I know a thing or two about AWS, but this is the first time I've used Lightsail, and I don't know anything about uWSGI, for example. Are there any resources you'd particularly recommend?
  3. Re WhiteNoise: Do I need to set up a CDN, or does LightSail do that for me somehow?
  4. The repo is full of gzipped files. Can I get rid of those and add *.gz to my .gitignore? It would make the repo lighter, and I presume these get created during the build process, presumably by WhiteNoise?
  5. The big question: Are you planning to update and maintain this repo?

Thanks!

mscheper avatar Nov 15 '24 18:11 mscheper

Hey @mscheper I'll see if I can find the time to update the repo to answer your questions. I must say I have a few things in my private life that prevent me from diving deep. Still I did not want to leave you hanging.

  • For one I think you'll need more permissions on your IAM user, I am not quite up to date on which ones I used in the past but toy around there and it should work.
  • You could do a search for all the entries to djangoapp - there may be more but renaming should generally not be an issue as it's the first thing I often do
  • Using access keys is likely not the BEST way, but for me using side projects it is always very convenient (until I outgrow it to a more mature solution)
  • The two extra keys in the screenshot allow you to keep the DJANGO secret key and the AWS Service name out of your repository. Else they may stay in the source code and cause a security issue.

As said: I'm pretty pre-occupied as it is right now, but once I do find the time to update the repo I'll tag you here ;)

two-trick-pony-NL avatar Nov 21 '24 16:11 two-trick-pony-NL

Branch issue-1-Updates_required created!

Hoi @two-trick-pony-NL,

I'll see if I can find the time to update the repo to answer your questions. I must say I have a few things in my private life that prevent me from diving deep. Still I did not want to leave you hanging.

I appreciate it.

  • For one I think you'll need more permissions on your IAM user, I am not quite up to date on which ones I used in the past but toy around there and it should work.

Right. I did it this way; it's a bit bruteforce, but it did get me further. Once I get everything working, I'll create a more restrictive policy.

I also had to create a container service, to get past other errors I was getting.

  • You could do a search for all the entries to djangoapp - there may be more but renaming should generally not be an issue as it's the first thing I often do

Yep, I did that, but I still got this error:

InvalidInputException: Resource with name "djangoapp" does not exist.
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "ffd909f3-4525-4139-82a5-cfd33acf11af"
  },
  Message_: "Resource with name \"djangoapp\" does not exist."
}

Command '['lightsailctl', '--plugin', '--input-stdin']' returned non-zero exit status 1.

I even pulled the original repo all over again, from the issue-1-Updates_required branch, and created a new instance, actually calling it djangoapp this time. But I'm still getting the same error.

I don't know how GitHub is supposed to know which instance to use, though. I didn't enter the IP addresses anywhere in the repo, and I'm pretty sure there's no reference to the instance in the IAM user I created, nor the policy. Can you explain that to me?

  • Using access keys is likely not the BEST way, but for me using side projects it is always very convenient (until I outgrow it to a more mature solution)

Makes sense. But would those more mature solutions also work with using GitHub for CI? Which would you suggest I consider?

  • The two extra keys in the screenshot allow you to keep the DJANGO secret key and the AWS Service name out of your repository. Else they may stay in the source code and cause a security issue.

Of course. But is this required for the deployment to work, as shown in the steps?

Branch issue-1-Updates_required created!

It doesn't look like there have been any changes yet, though. Is that right?

mscheper avatar Nov 23 '24 19:11 mscheper
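
Added example (not code from this thread or from the repository): a small checker for moving from a broad grant to the more restrictive policy mentioned above. It pulls the denied action out of the `AccessDeniedException` text and audits a policy document against the actions the deploy job needs. The `NEEDED` list and both sample policies are assumptions; only `lightsail:CreateContainerServiceRegistryLogin` is confirmed by the error in this thread.

```python
import fnmatch
import re

# Error text as posted in the thread (account details already masked there).
ERROR = ("User: arn:aws:iam::***:user/*** is not authorized to perform: "
         "lightsail:CreateContainerServiceRegistryLogin on resource: "
         "arn:aws:lightsail:***:***:* because no identity-based policy allows "
         "the lightsail:CreateContainerServiceRegistryLogin action")
# Assumption: the calls a push-and-deploy job makes. Only the first one is
# confirmed by the thread; adjust the list to what your workflow runs.
NEEDED = ["lightsail:CreateContainerServiceRegistryLogin",
          "lightsail:RegisterContainerImage",
          "lightsail:CreateContainerServiceDeployment",
          "lightsail:GetContainerServices"]
# Constructed sample policies: a broad grant and a scoped replacement.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lightsail:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": NEEDED, "Resource": "*"}]}

def denied_action(message):
    """Return (action, resource) named in an AccessDenied message, or None."""
    m = re.search(r"not authorized to perform: (\S+) on resource: (\S+)", message)
    return (m.group(1), m.group(2)) if m else None

def _listed(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action):
    """Allow/Deny on Action only; Resource and Condition are not evaluated."""
    allowed = False
    for stmt in _listed(policy["Statement"]):
        patterns = _listed(stmt.get("Action", []))
        hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
        if hit and stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def audit(policy, needed=NEEDED):
    """List needed actions the policy lacks and wildcard grants it carries."""
    wild = [p for s in _listed(policy["Statement"]) if s["Effect"] == "Allow"
            for p in _listed(s.get("Action", [])) if "*" in p]
    return {"missing": [a for a in needed if not allows(policy, a)],
            "wildcards": wild}

if __name__ == "__main__":
    print(denied_action(ERROR), audit(BROAD), audit(SCOPED))
```

A policy is ready for the CI user when `audit` reports nothing missing and no wildcards; each new `AccessDeniedException` in the workflow log names the next action to add to `NEEDED`.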

Also, with the way this repo is set up, to run while developing, would you expect python manage.py runserver to work? I've set up a venv and installed everything with pip, and created a .env file with a DJANGO_SECRET_KEY (which gets read just fine if I type env("DJANGO_SECRET_KEY") in the python console, after import environ, etc.), but it still blows up with django.core.exceptions.ImproperlyConfigured: Set the DJANGO_SECRET_KEY environment variable. I have it set in the shell environment, too.

mscheper avatar Nov 23 '24 20:11 mscheper

So with the help of this repo and reading a lot of docs, I've brewed my own Django CI system on GitHub, and I'm using Appliku for CD. (I'm actually deploying to EC2, since I'm more familiar with it, but there's a good chance I'll switch to Lightsail, since it seems simpler, cheaper and adequate for my current project.)

Thanks anyhow, @two-trick-pony-NL. Groetjes.

mscheper avatar Jan 09 '25 23:01 mscheper