# atlantis-community
p
the app needs to be installed and then added to the repos
just like the atlantis user used before
the app needs to have access to specific repos or the Org level
c
Okay. I was just worried that would cause Atlantis to try and do stuff when people submitted a PR to say terraform-my-module when there's not really any reason for that.
I guess we only have our actual infrastructure repo in the allow list, so that probably works?
p
correct
you still have that allowlist to protect from it
c
Okay, cool. Thanks!
Hrm, so we added the module repo to our GitHub app, but the plans seem to be hanging and I see invalid key errors in the log that seem to correspond to these PRs...
Now I'm wondering if adding the additional repo wouldn't have affected the existing temporary token issued to the app.
p
bad key means it is not reading the RSA key created for the app (which replaces the token)
make sure it does not have an invalid character
how are you passing the key?
c
We didn't change anything about how the app was being passed, and it can do plans that don't contain the modules in a private repo, though.
So I don't think the key is the issue. The key is passed via env var from a secret, though.
{"caller":"logging/simple_logger.go:163", "cos.googleapis.com/container_id":"ca10c190e397d763974049c2b208a84fe8f0547314912c816059fd96eba3eb63", "cos.googleapis.com/container_name":"klt--grmp", "cos.googleapis.com/stream":"stdout", "json":{…}, "level":"error", "msg":"invalid key: REDACTED", "stacktrace":"github.com/runatlantis/atlantis/server/logging.(*StructuredLogger).Log
	github.com/runatlantis/atlantis/server/logging/simple_logger.go:163
github.com/runatlantis/atlantis/server/controllers.(*JobsController).respond
	github.com/runatlantis/atlantis/server/controllers/jobs_controller.go:92
github.com/runatlantis/atlantis/server/controllers.(*JobsController).getProjectJobsWS
	github.com/runatlantis/atlantis/server/controllers/jobs_controller.go:70
github.com/runatlantis/atlantis/server/controllers.(*JobsController).GetProjectJobsWS
	github.com/runatlantis/atlantis/server/controllers/jobs_controller.go:83
net/http.HandlerFunc.ServeHTTP
	net/http/server.go:2109
github.com/gorilla/mux.(*Router).ServeHTTP
	github.com/gorilla/mux@v1.8.0/mux.go:210
github.com/urfave/negroni/v3.Wrap.func1
	github.com/urfave/negroni/v3@v3.0.0/negroni.go:59
github.com/urfave/negroni/v3.HandlerFunc.ServeHTTP
	github.com/urfave/negroni/v3@v3.0.0/negroni.go:33
github.com/urfave/negroni/v3.middleware.ServeHTTP
	github.com/urfave/negroni/v3@v3.0.0/negroni.go:51
github.com/runatlantis/atlantis/server.(*RequestLogger).ServeHTTP
	github.com/runatlantis/atlantis/server/middleware.go:70
github.com/urfave/negroni/v3.middleware.ServeHTTP
	github.com/urfave/negroni/v3@v3.0.0/negroni.go:51
github.com/urfave/negroni/v3.(*Recovery).ServeHTTP
	github.com/urfave/negroni/v3@v3.0.0/recovery.go:210
github.com/urfave/negroni/v3.middleware.ServeHTTP
	github.com/urfave/negroni/v3@v3.0.0/negroni.go:51
github.com/urfave/negroni/v3.(*Negroni).ServeHTTP
	github.com/urfave/negroni/v3@v3.0.0/negroni.go:111
net/http.serverHandler.ServeHTTP
	net/http/server.go:2947
net/http.(*conn).serve
	net/http/server.go:1991", "ts":"2023-02-28T22:40:10.313Z"}
That's the error I'm seeing.
I don't know if this is actually related though, since I am not sure what this is in reference to.
p
latest atlantis?
c
I think so. Let me double check.
0.22.3
I think that's still the latest.
p
that is an ugly error
and without using the app (just the webhook secret) it works fine?
c
I'm not sure what you mean. The app is what we're using for the connection to GitHub.
p
so this error you see is on startup?
or when it is trying to authenticate using the github app?
c
It's already running. I suspect it's when it's trying to pull from the modules repository.
Or it could mean that the temp token is expiring, I'm not sure what this is, there's no real context for what's happening.
I just noticed this error around the same time Atlantis tried to make a plan and stalled out. This is the output we see in the console:
Upgrading modules...
Downloading registry.terraform.io/terraform-google-modules/kubernetes-engine/google 25.0.0 for gke...
- gke in .terraform/modules/gke/modules/private-cluster
Downloading registry.terraform.io/terraform-google-modules/project-factory/google 14.1.0 for gke_project...
- gke_project in .terraform/modules/gke_project
- gke_project.budget in .terraform/modules/gke_project/modules/budget
- gke_project.essential_contacts in .terraform/modules/gke_project/modules/essential_contacts
- gke_project.gsuite_group in .terraform/modules/gke_project/modules/gsuite_group
- gke_project.project-factory in .terraform/modules/gke_project/modules/core_project_factory
- gke_project.project-factory.project_services in .terraform/modules/gke_project/modules/project_services
- gke_project.quotas in .terraform/modules/gke_project/modules/quota_manager
- gke_project.shared_vpc_access in .terraform/modules/gke_project/modules/shared_vpc_access
Downloading git::ssh://git@github.com/my-org/terraform-modules.git?ref=v0.0.609 for labels...
p
ohhh weird
and I guess atlantis has the ssh key to pull the modules?
c
...now that you mention it...no.
p
after atlantis clones your repo then it is pure TF
so TF needs to be able to access the repo over ssh+git
c
Right. Can it use an http reference instead via the app?
p
no, this is TF downloading stuff from git not through the atlantis github app
the same way you have in your local
c
Ah. Well...crud.
p
those are two different authentication mechanisms
but you can use this
and that should work
c
Hrm. I am pretty sure we have write git creds on 😕
Yep. 😕
Oh...but we're not using git::ssh
Maybe that's it. I'll give that a shot.
Thanks!
I'll let you know if that solves it.
p
no problem
you could try with a project that uses public modules (just for testing) too, just to confirm what is the issue
c
Public modules are working just fine
Oh, you mean from github rather than the registry?
p
yes
just to test that https://git will work
or git+ssh will work with public modules
c
So yeah, we needed to use the HTTPS interface so that it pulled the modules with the GitHub app credentials. Thanks for helping me out with this!
p
my pleasure