backstage-on-aws

Error when running script

Open danielbrodin opened this issue 3 years ago • 7 comments

Hi,

First of all, thanks for the guide (if I can get it to work 😂).

I have tried to run the script, but it fails pretty fast on two env variables that don't exist: https://github.com/rbogle/backstage-on-aws/blob/ce44f7e92582194b2605da405266a2f206ba0943/infra/app_pipeline.py#L24-L25

I tried to remove them and the parts using them just to see what happens, but then it fails here where codepipeline is missing https://github.com/rbogle/backstage-on-aws/blob/ce44f7e92582194b2605da405266a2f206ba0943/infra/backstage.py#L43-L44

Can this be solved?

danielbrodin avatar Aug 10 '22 13:08 danielbrodin

Hi! Thanks for pointing this out. Yes, I think I remember what this is. It's been a year almost since I touched this. :) Those vars are left over from a real deployment in my last role, and I am not sure why they made it into main branch.

They should be just one var: `GITHUB_APP_ARN`, which is the ARN for the secret in Secrets Manager which holds the GitHub app cert, as described here: bootstrap. The pipeline accesses this secret, writes it to file, and provides it to the docker build. This way the secret is provided to the Backstage App at run time as an env var to configure Backstage's access to GitHub.

I can probably clean this up and test it today sometime, but happy to take a PR if you take a stab at it.

rbogle avatar Aug 10 '22 14:08 rbogle

Ok, that sounds like a fast fix. But what about the error in backstage.py about the missing codepipeline? From what I can see there is a bunch of missing variables in that file. I haven't used either aws or python that much so maybe I'm missing something?

danielbrodin avatar Aug 17 '22 07:08 danielbrodin

hi @rbogle and @danielbrodin I have been looking into this as well. I've replaced the Github App references with the single GITHUB_APP_ARN and added an import for

    aws_codepipeline as codepipeline,
    aws_codepipeline_actions as actions,

in the backstage.py file to resolve the missing codepipeline, as well as the missing actions reference.

Now I get the following error:

  File "/home/annaz/repos/backstage-on-aws/infra/backstage.py", line 50, in __init__
    oauth_token=github_token_secret.secret_value_from_json("secret"),
NameError: name 'github_token_secret' is not defined

This is the line in question:

https://github.com/rbogle/backstage-on-aws/blob/ce44f7e92582194b2605da405266a2f206ba0943/infra/backstage.py#L48

I'm not too familiar with handling secrets from the SecretsManager. Is there any code missing for retrieving a secret?

I would be happy to create a PR with my fixes!

Kind regards :)

annaz-is avatar Sep 20 '22 09:09 annaz-is

Hi @rbogle, @annaz-kvika and @danielbrodin, were you able to get this working? I am still struggling; a PR or a patch would be greatly appreciated. Also, the documentation does not mention what name the key (GITHUB_APP_ARN) should take for the pem file (I presume the value is the content of a private key from the GitHub app) stored in the AWS Secrets Manager?

nundys avatar Oct 22 '22 10:10 nundys

Hi all, Sorry for the radio silence. I merged a PR this morning that I believe fixes the issues and questions you had. It looks like when I merged the new code with the old something went wrong and a couple of files were not completely merged.

I have not test deployed this PR to be 100% sure, but it does synth without errors.

#5

rbogle avatar Oct 22 '22 15:10 rbogle

> Hi @rbogle, @annaz-kvika and @danielbrodin, were you able to get this working? I am still struggling; a PR or a patch would be greatly appreciated. Also, the documentation does not mention what name the key (GITHUB_APP_ARN) should take for the pem file (I presume the value is the content of a private key from the GitHub app) stored in the AWS Secrets Manager?

I added an example link in the docs, but TL;DR: use the plaintext option for the secret and paste the whole pem contents into the textblock instead of a json object...

rbogle avatar Oct 22 '22 15:10 rbogle

Hi @rbogle, I have nearly gotten this to work except for the Secret handling in the following code:-

https://github.com/rbogle/backstage-on-aws/blob/9596831afcc7c1f7e533458b395164f6a8f73d93/infra/stage_resources.py#L43-L51

  1. It appears that the values in the dict that correspond to AUTH_GITHUB_CLIENT_* (and AWS_ACCESS_KEY_*) are not being initialised correctly because an object is returned by ecs.Secret.from_secrets_manager rather than a string.
  2. Also, the result is that the ARN in the Policy created doesn't reference the Full ARN resource but just an (incorrect) ARN without the 6 letter random string at the end.

Any ideas on how best to solve these issues? Thanks

nundys avatar Nov 10 '22 19:11 nundys
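
The partial-ARN symptom in the last comment can be checked offline. The following is an added example, not code from this thread or from the backstage-on-aws repository: it tells a partial Secrets Manager ARN from a complete one and shows which IAM `Resource` strings match the real secret. The ARNs, account id and function names are constructed for illustration.

```python
import re

# Secrets Manager appends "-" plus 6 random characters to the secret name
# when it builds the ARN; an ARN without that suffix is a "partial" ARN.
ARN_RE = re.compile(
    r"^arn:(aws[a-z-]*):secretsmanager:([a-z0-9-]+):(\d{12}):secret:(.+)$"
)
SUFFIX_RE = re.compile(r"-[A-Za-z0-9]{6}$")


def is_complete_arn(arn: str) -> bool:
    """Heuristic: True if the ARN ends in the 6-character random suffix.
    A secret *name* that itself ends in '-' + 6 chars defeats this check."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a Secrets Manager ARN: {arn!r}")
    return bool(SUFFIX_RE.search(m.group(4)))


def policy_resource(arn: str) -> str:
    """Resource string for an IAM statement scoped to a single secret."""
    # '?' matches exactly one character, so '-??????' covers only the
    # random suffix and not sibling secrets sharing the same name prefix.
    return arn if is_complete_arn(arn) else arn + "-??????"


def iam_matches(pattern: str, arn: str) -> bool:
    """IAM-style wildcard match: '*' is any run, '?' is one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, arn) is not None


# Constructed sample values (account id, secret name and suffix are made up).
PARTIAL = ("arn:aws:secretsmanager:eu-west-1:111122223333:"
           "secret:backstage/github-app")
COMPLETE = PARTIAL + "-a1B2c3"
SIBLING = PARTIAL + "-prod-x9Y8z7"  # a different secret, same name prefix

if __name__ == "__main__":
    for resource in (PARTIAL, policy_resource(PARTIAL), PARTIAL + "*"):
        print(f"{resource}\n  grants target secret: "
              f"{iam_matches(resource, COMPLETE)}"
              f"  grants sibling secret: {iam_matches(resource, SIBLING)}")
```

In CDK, `secretsmanager.Secret.from_secret_complete_arn` and `from_secret_partial_arn` let the caller state which form of ARN is being imported, so the generated policy does not depend on guessing the suffix.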