Title
c
Chastity Blackwell
02/28/2023, 9:03 PMHey, when connecting Atlantis to Github as a GitHub app, how do I give it access to private repositories for modules? Previously I've always done it with a GitHub token, so it's been pretty easy to just make sure that token has access to those repos, but I'm not sure how this works with the App method. Do I basically have to give Atlantis a token anyway so it can access that, or is there another way around that? I assume I don't want to add the app to that repo because it will make Atlantis think it needs to handle PRs there, but maybe I'm wrong?
p
PePe Amengual
02/28/2023, 9:05 PMthe app needs to be installed and then added to the repos
just like the altantis user used before
the app needs to have access to specific repos or the Org level
c
Chastity Blackwell
02/28/2023, 9:07 PMOkay. I was just worried that would cause Atlantis to try and do stuff when people submitted a PR to say terraform-my-module when there's not really any reason for that.
I guess we only have our actually infrastructure repo in the allow list, so that probably works?
p
PePe Amengual
02/28/2023, 9:08 PMcorrect
you still have that allowlist to protect from it
c
Chastity Blackwell
02/28/2023, 9:14 PMOkay, cool. Thanks!
Hrm, so we added the module repo to our GitHub app, but the plans seem to be hanging and I see invalid key errors in the log that seem to correspond to these PRs...
Now I'm wondering if adding the additional repo wouldn't have affected the existing temporary token issued to the app.
p
PePe Amengual
03/01/2023, 5:28 PMbad key means is not reading the RSA key created for the app ( which replaces the token)
make sure is it does not have am invalid character
how are you passing the key?
c
Chastity Blackwell
03/01/2023, 5:57 PMWe didn't change anything about how the app was being passed, and it can do plans that don't contain the modules in a private repo, though.
So I don't think the key is the issue. The key is passed via env var from a secret, though.
{"caller":"logging/simple_logger.go:163", "<http://cos.googleapis.com/container_id|cos.googleapis.com/container_id>":"ca10c190e397d763974049c2b208a84fe8f0547314912c816059fd96eba3eb63", "<http://cos.googleapis.com/container_name|cos.googleapis.com/container_name>":"klt--grmp", "<http://cos.googleapis.com/stream|cos.googleapis.com/stream>":"stdout", "json":{…}, "level":"error", "msg":"invalid key: REDACTED", "stacktrace":"<http://github.com/runatlantis/atlantis/server/logging.(*StructuredLogger).Log|github.com/runatlantis/atlantis/server/logging.(*StructuredLogger).Log>
<http://github.com/runatlantis/atlantis/server/logging/simple_logger.go:163|github.com/runatlantis/atlantis/server/logging/simple_logger.go:163>
<http://github.com/runatlantis/atlantis/server/controllers.(*JobsController).respond|github.com/runatlantis/atlantis/server/controllers.(*JobsController).respond>
<http://github.com/runatlantis/atlantis/server/controllers/jobs_controller.go:92|github.com/runatlantis/atlantis/server/controllers/jobs_controller.go:92>
<http://github.com/runatlantis/atlantis/server/controllers.(*JobsController).getProjectJobsWS|github.com/runatlantis/atlantis/server/controllers.(*JobsController).getProjectJobsWS>
<http://github.com/runatlantis/atlantis/server/controllers/jobs_controller.go:70|github.com/runatlantis/atlantis/server/controllers/jobs_controller.go:70>
<http://github.com/runatlantis/atlantis/server/controllers.(*JobsController).GetProjectJobsWS|github.com/runatlantis/atlantis/server/controllers.(*JobsController).GetProjectJobsWS>
<http://github.com/runatlantis/atlantis/server/controllers/jobs_controller.go:83|github.com/runatlantis/atlantis/server/controllers/jobs_controller.go:83>
net/http.HandlerFunc.ServeHTTP
net/http/server.go:2109
<http://github.com/gorilla/mux.(*Router).ServeHTTP|github.com/gorilla/mux.(*Router).ServeHTTP>
<http://github.com/gorilla/mux@v1.8.0/mux.go:210|github.com/gorilla/mux@v1.8.0/mux.go:210>
<http://github.com/urfave/negroni/v3.Wrap.func1|github.com/urfave/negroni/v3.Wrap.func1>
<http://github.com/urfave/negroni/v3@v3.0.0/negroni.go:59|github.com/urfave/negroni/v3@v3.0.0/negroni.go:59>
<http://github.com/urfave/negroni/v3.HandlerFunc.ServeHTTP|github.com/urfave/negroni/v3.HandlerFunc.ServeHTTP>
<http://github.com/urfave/negroni/v3@v3.0.0/negroni.go:33|github.com/urfave/negroni/v3@v3.0.0/negroni.go:33>
<http://github.com/urfave/negroni/v3.middleware.ServeHTTP|github.com/urfave/negroni/v3.middleware.ServeHTTP>
<http://github.com/urfave/negroni/v3@v3.0.0/negroni.go:51|github.com/urfave/negroni/v3@v3.0.0/negroni.go:51>
<http://github.com/runatlantis/atlantis/server.(*RequestLogger).ServeHTTP|github.com/runatlantis/atlantis/server.(*RequestLogger).ServeHTTP>
<http://github.com/runatlantis/atlantis/server/middleware.go:70|github.com/runatlantis/atlantis/server/middleware.go:70>
<http://github.com/urfave/negroni/v3.middleware.ServeHTTP|github.com/urfave/negroni/v3.middleware.ServeHTTP>
<http://github.com/urfave/negroni/v3@v3.0.0/negroni.go:51|github.com/urfave/negroni/v3@v3.0.0/negroni.go:51>
<http://github.com/urfave/negroni/v3.(*Recovery).ServeHTTP|github.com/urfave/negroni/v3.(*Recovery).ServeHTTP>
<http://github.com/urfave/negroni/v3@v3.0.0/recovery.go:210|github.com/urfave/negroni/v3@v3.0.0/recovery.go:210>
<http://github.com/urfave/negroni/v3.middleware.ServeHTTP|github.com/urfave/negroni/v3.middleware.ServeHTTP>
<http://github.com/urfave/negroni/v3@v3.0.0/negroni.go:51|github.com/urfave/negroni/v3@v3.0.0/negroni.go:51>
<http://github.com/urfave/negroni/v3.(*Negroni).ServeHTTP|github.com/urfave/negroni/v3.(*Negroni).ServeHTTP>
<http://github.com/urfave/negroni/v3@v3.0.0/negroni.go:111|github.com/urfave/negroni/v3@v3.0.0/negroni.go:111>
net/http.serverHandler.ServeHTTP
net/http/server.go:2947
net/http.(*conn).serve
net/http/server.go:1991", "ts":"2023-02-28T22:40:10.313Z"}That's the error I'm seeing.
I don't know if this is actually related though, since I am not sure what this is in reerence to.
p
PePe Amengual
03/01/2023, 6:16 PMlatest atlantis?
c
Chastity Blackwell
03/01/2023, 6:16 PMI think so. Let me double check.
0.22.3
I think that's still the latest.
p
PePe Amengual
03/01/2023, 6:22 PMthat is an ugly error
and without using the app ( just the webhook secret) it works fine?
c
Chastity Blackwell
03/01/2023, 6:24 PMI'm not sure what you mean. The app is what we're using for the connection to GitHub.
p
PePe Amengual
03/01/2023, 6:24 PMso this error you see is on startup?
or when is trying to authenticate using the github app?
c
Chastity Blackwell
03/01/2023, 6:25 PMIt's already running. I suspect it's when it's trying to pull from the modules repository.
Or it could mean that the temp token is expiring, I'm not sure what this is, there's no real context for what's happening.
I just noticed this error around the same time Atlantis tried to make a plan and stalled out. This is the output we see in the console:
Upgrading modules...
Downloading <http://registry.terraform.io/terraform-google-modules/kubernetes-engine/google|registry.terraform.io/terraform-google-modules/kubernetes-engine/google> 25.0.0 for gke...
- gke in .terraform/modules/gke/modules/private-cluster
Downloading <http://registry.terraform.io/terraform-google-modules/project-factory/google|registry.terraform.io/terraform-google-modules/project-factory/google> 14.1.0 for gke_project...
- gke_project in .terraform/modules/gke_project
- gke_project.budget in .terraform/modules/gke_project/modules/budget
- gke_project.essential_contacts in .terraform/modules/gke_project/modules/essential_contacts
- gke_project.gsuite_group in .terraform/modules/gke_project/modules/gsuite_group
- gke_project.project-factory in .terraform/modules/gke_project/modules/core_project_factory
- gke_project.project-factory.project_services in .terraform/modules/gke_project/modules/project_services
- gke_project.quotas in .terraform/modules/gke_project/modules/quota_manager
- gke_project.shared_vpc_access in .terraform/modules/gke_project/modules/shared_vpc_access
Downloading git::<ssh://git@github.com/my-org/terraform-modules.git?ref=v0.0.609> for labels...p
PePe Amengual
03/01/2023, 6:27 PMohhh weird
and I guess atlantis have the ssh key to pull the modules ?
c
Chastity Blackwell
03/01/2023, 6:29 PM...now that you mention it...no.
p
PePe Amengual
03/01/2023, 6:29 PMafter atlantis clones your repo then is pure TF
so TF needs to be able to access the repo over ssh+git
c
Chastity Blackwell
03/01/2023, 6:29 PMRight. Can it use an http reference instead via the app?
p
PePe Amengual
03/01/2023, 6:30 PMno, this is TF downloading stuff from git not trough the atlantis github app
the same way you have in your local
c
Chastity Blackwell
03/01/2023, 6:31 PMAh. Well...crud.
p
PePe Amengual
03/01/2023, 6:31 PMthose are two different authentication mechanisms
but you can use this
and that should work
c
Chastity Blackwell
03/01/2023, 6:33 PMHrm. I am pretty sure we have write git creds on 😕
Yep. 😕
Oh...but we're not using git::ssh
Maybe that's it. I'll give that a shot.
Thanks!
I'll let you know if that solves it.
p
PePe Amengual
03/01/2023, 6:34 PMno problem
you could try with a project that uses plublic modules ( just for testing) too, just to confirm what is the issue
c
Chastity Blackwell
03/01/2023, 6:36 PMPublic modules are working just fine
Oh, you mean from github rather than the registry?
p
PePe Amengual
03/01/2023, 6:53 PMyes
just to test that https://git will work
or git+ssh will work with public modules
c
Chastity Blackwell
03/01/2023, 7:38 PMSo yeah, we needed to use the HTTPS interface so that it pulled the modules with the GitHub app credentials. Thanks for helping me out with this!
p
PePe Amengual
03/01/2023, 7:56 PMmy pleasure