
Chastity Blackwell

02/28/2023, 9:03 PM
Hey, when connecting Atlantis to Github as a GitHub app, how do I give it access to private repositories for modules? Previously I've always done it with a GitHub token, so it's been pretty easy to just make sure that token has access to those repos, but I'm not sure how this works with the App method. Do I basically have to give Atlantis a token anyway so it can access that, or is there another way around that? I assume I don't want to add the app to that repo because it will make Atlantis think it needs to handle PRs there, but maybe I'm wrong?

PePe Amengual

02/28/2023, 9:05 PM
the app needs to be installed and then added to the repos
just like the atlantis user used before
the app needs to have access to specific repos or the Org level

Chastity Blackwell

02/28/2023, 9:07 PM
Okay. I was just worried that would cause Atlantis to try and do stuff when people submitted a PR to say terraform-my-module when there's not really any reason for that.
I guess we only have our actual infrastructure repo in the allow list, so that probably works?

PePe Amengual

02/28/2023, 9:08 PM
correct
you still have that allowlist to protect from it

Chastity Blackwell

02/28/2023, 9:14 PM
Okay, cool. Thanks!
Hrm, so we added the module repo to our GitHub app, but the plans seem to be hanging and I see invalid key errors in the log that seem to correspond to these PRs...
Now I'm wondering if adding the additional repo wouldn't have affected the existing temporary token issued to the app.

PePe Amengual

03/01/2023, 5:28 PM
bad key means it is not reading the RSA key created for the app (which replaces the token)
make sure it does not have an invalid character
how are you passing the key?

Chastity Blackwell

03/01/2023, 5:57 PM
We didn't change anything about how the app was being passed, and it can do plans that don't contain the modules in a private repo, though.
So I don't think the key is the issue. The key is passed via env var from a secret, though.
{"caller":"logging/simple_logger.go:163", "cos.googleapis.com/container_id":"ca10c190e397d763974049c2b208a84fe8f0547314912c816059fd96eba3eb63", "cos.googleapis.com/container_name":"klt--grmp", "cos.googleapis.com/stream":"stdout", "json":{…}, "level":"error", "msg":"invalid key: REDACTED", "stacktrace":"github.com/runatlantis/atlantis/server/logging.(*StructuredLogger).Log
	github.com/runatlantis/atlantis/server/logging/simple_logger.go:163
github.com/runatlantis/atlantis/server/controllers.(*JobsController).respond
	github.com/runatlantis/atlantis/server/controllers/jobs_controller.go:92
github.com/runatlantis/atlantis/server/controllers.(*JobsController).getProjectJobsWS
	github.com/runatlantis/atlantis/server/controllers/jobs_controller.go:70
github.com/runatlantis/atlantis/server/controllers.(*JobsController).GetProjectJobsWS
	github.com/runatlantis/atlantis/server/controllers/jobs_controller.go:83
net/http.HandlerFunc.ServeHTTP
	net/http/server.go:2109
github.com/gorilla/mux.(*Router).ServeHTTP
	github.com/gorilla/mux@v1.8.0/mux.go:210
github.com/urfave/negroni/v3.Wrap.func1
	github.com/urfave/negroni/v3@v3.0.0/negroni.go:59
github.com/urfave/negroni/v3.HandlerFunc.ServeHTTP
	github.com/urfave/negroni/v3@v3.0.0/negroni.go:33
github.com/urfave/negroni/v3.middleware.ServeHTTP
	github.com/urfave/negroni/v3@v3.0.0/negroni.go:51
github.com/runatlantis/atlantis/server.(*RequestLogger).ServeHTTP
	github.com/runatlantis/atlantis/server/middleware.go:70
github.com/urfave/negroni/v3.middleware.ServeHTTP
	github.com/urfave/negroni/v3@v3.0.0/negroni.go:51
github.com/urfave/negroni/v3.(*Recovery).ServeHTTP
	github.com/urfave/negroni/v3@v3.0.0/recovery.go:210
github.com/urfave/negroni/v3.middleware.ServeHTTP
	github.com/urfave/negroni/v3@v3.0.0/negroni.go:51
github.com/urfave/negroni/v3.(*Negroni).ServeHTTP
	github.com/urfave/negroni/v3@v3.0.0/negroni.go:111
net/http.serverHandler.ServeHTTP
	net/http/server.go:2947
net/http.(*conn).serve
	net/http/server.go:1991", "ts":"2023-02-28T22:40:10.313Z"}
That's the error I'm seeing.
I don't know if this is actually related though, since I am not sure what this is in reference to.

PePe Amengual

03/01/2023, 6:16 PM
latest atlantis?

Chastity Blackwell

03/01/2023, 6:16 PM
I think so. Let me double check.
0.22.3
I think that's still the latest.

PePe Amengual

03/01/2023, 6:22 PM
that is an ugly error
and without using the app (just the webhook secret) it works fine?

Chastity Blackwell

03/01/2023, 6:24 PM
I'm not sure what you mean. The app is what we're using for the connection to GitHub.

PePe Amengual

03/01/2023, 6:24 PM
so this error you see is on startup?
or when it is trying to authenticate using the github app?

Chastity Blackwell

03/01/2023, 6:25 PM
It's already running. I suspect it's when it's trying to pull from the modules repository.
Or it could mean that the temp token is expiring; I'm not sure what this is, there's no real context for what's happening.
I just noticed this error around the same time Atlantis tried to make a plan and stalled out. This is the output we see in the console:
Upgrading modules...
Downloading registry.terraform.io/terraform-google-modules/kubernetes-engine/google 25.0.0 for gke...
- gke in .terraform/modules/gke/modules/private-cluster
Downloading registry.terraform.io/terraform-google-modules/project-factory/google 14.1.0 for gke_project...
- gke_project in .terraform/modules/gke_project
- gke_project.budget in .terraform/modules/gke_project/modules/budget
- gke_project.essential_contacts in .terraform/modules/gke_project/modules/essential_contacts
- gke_project.gsuite_group in .terraform/modules/gke_project/modules/gsuite_group
- gke_project.project-factory in .terraform/modules/gke_project/modules/core_project_factory
- gke_project.project-factory.project_services in .terraform/modules/gke_project/modules/project_services
- gke_project.quotas in .terraform/modules/gke_project/modules/quota_manager
- gke_project.shared_vpc_access in .terraform/modules/gke_project/modules/shared_vpc_access
Downloading git::ssh://git@github.com/my-org/terraform-modules.git?ref=v0.0.609 for labels...

PePe Amengual

03/01/2023, 6:27 PM
ohhh weird
and I guess atlantis has the ssh key to pull the modules?

Chastity Blackwell

03/01/2023, 6:29 PM
...now that you mention it...no.

PePe Amengual

03/01/2023, 6:29 PM
after atlantis clones your repo then it is pure TF
so TF needs to be able to access the repo over ssh+git

Chastity Blackwell

03/01/2023, 6:29 PM
Right. Can it use an http reference instead via the app?

PePe Amengual

03/01/2023, 6:30 PM
no, this is TF downloading stuff from git, not through the atlantis github app
the same way you have it in your local

Chastity Blackwell

03/01/2023, 6:31 PM
Ah. Well...crud.

PePe Amengual

03/01/2023, 6:31 PM
those are two different authentication mechanisms
but you can use this
and that should work

Chastity Blackwell

03/01/2023, 6:33 PM
Hrm. I am pretty sure we have write git creds on 😕
Yep. 😕
Oh...but we're not using git::ssh
Maybe that's it. I'll give that a shot.
Thanks!
I'll let you know if that solves it.

PePe Amengual

03/01/2023, 6:34 PM
no problem
you could try with a project that uses public modules (just for testing) too, just to confirm what the issue is

Chastity Blackwell

03/01/2023, 6:36 PM
Public modules are working just fine
Oh, you mean from github rather than the registry?

PePe Amengual

03/01/2023, 6:53 PM
yes
just to test that https://git will work
or git+ssh will work with public modules

Chastity Blackwell

03/01/2023, 7:38 PM
So yeah, we needed to use the HTTPS interface so that it pulled the modules with the GitHub app credentials. Thanks for helping me out with this!

PePe Amengual

03/01/2023, 7:56 PM
my pleasure