aws-samples / aws-serverless-workshops

Code and walkthrough labs to set up serverless applications for Wild Rydes workshops
http://wildrydes.com
Apache License 2.0
4.2k stars 2.63k forks source link

DevOps module 2 seeder breaks pipeline build #178

Closed jkuhnert closed 4 years ago

jkuhnert commented 5 years ago

Immediately after running https://github.com/aws-samples/aws-serverless-workshops/tree/master/DevOps/2_ContinuousDeliveryPipeline#1-seed-the-uni-api-codecommit-git-repository the "uni-api-Pipeline" Deploy phase fails because of a missing template-configuration.json file in artifact.

I attempted to restore the template from the only working revision of repo that worked with pipeline (the first one) but that wasn't enough. The documentation quickly skips on to adding the update lambda but the pipeline build is already broken at this point and remains broken.

AtlasApollo commented 5 years ago

Hi, I can confirm this issue also. Thanks.

samdengler commented 5 years ago

Thanks - I can take a look at this shortly. @jkuhnert @AtlasApollo which AWS Region(s) were not working for you?

jkuhnert commented 5 years ago

I think I was trying it with us-west-2.

AtlasApollo commented 5 years ago

I was in us-east-1. Thank you Sam, the workshops are great!

MickyHCorbett commented 5 years ago

The GenerateChangeSet stage of Deploy can be successfully run if the CodeDeployRole from the default app (the one that gets initially created) is added to template.yml, under Parameters. The error in the Deploy is then at that ExecuteChangeSet which causes a stack rollback saying it can't find the LambdaTrustRole.

samdengler commented 5 years ago

Thanks for the feedback. It looks like CodeStar has changed the default pipeline to require a template-configuration.json in the buildspec.yml: https://gist.github.com/samdengler/d8f2170a07874831966fc7b040ed79c7

I'll update the preconfigured code packages to include the change. Might be Jan 2 before I get it completed. Let me know if you need it sooner.

mcoming commented 5 years ago

@samdengler It appears the first seed removes template-configuration.json and removes it from the artifacts: in buildspec.yml as well as the sed command to perform the substitutions. Also the CodeDeployRole parameter is missing in template.yml after first seed which resulted in Error

Parameters: [CodeDeployRole] do not exist in the template

I got as far as creating change set after second seed but it failed to deploy

Finally, following the clean up doc instructions, I did not see in my console all the policies listed in the doc that were to be detached from the roles

samdengler commented 5 years ago

@mcoming @MickyHCorbett @AtlasApollo @jkuhnert - I've fixed the breaking changes on a branch: https://github.com/aws-samples/aws-serverless-workshops/tree/fsd-codestar-breakfix

I have done some testing, but would appreciate a second pair of 👀

Thanks again for all the feedback!

AtlasApollo commented 5 years ago

Thank you very much! I’ll run it tomorrow and report back.

MickyHCorbett commented 5 years ago

Just ran the first Seed (Seed 1) and it ran through the whole pipeline fine. The Deploy stage ran fine. The Hello World changed to Missing Authentication Token until the "/unicorns" was added. I'll start running through the rest tomorrow but if it is a common error then this may be the fix. Much appreciated. Thanks Sam.

MickyHCorbett commented 5 years ago

Seed 2 works as well.

AtlasApollo commented 5 years ago

Hi @samdengler -- I tried to run Seed-1-ServerlessApplicationModel in us-east-1 a couple of times, but each time the result is ROLLBACK_COMPLETE, the source URL is:

https://s3.amazonaws.com/fsd-aws-wildrydes-us-east-1/uni-api-1-v3.zip

I also tried in us-west-1, and same result. I am not sure if I am doing something wrong?

Thanks @samdengler !

MickyHCorbett commented 5 years ago

@samdengler In Seed 2 the error in API Gateway is "...assumed-role/CodeStar-uni-api-Execution/uni-api-read is not authorized to perform: dynamodb:GetItem on resource". The error appeared (for uni-api-update) when I added the Update function so I re-seeded and just tested the API Gateway functions as is without doing the Update to make sure nothing funny was happening when the Update was added. Edit: The error is still there is what I meant to add

mcoming commented 5 years ago

@samdengler

Code Deploy was failing for me after appending the update function to the end of template.yml, until I added the function before the LambdaExecutionRole: resource and modified the Role property

From:

      Role:
        Fn::ImportValue:
          !Join ['-', [!Ref 'ProjectId', !Ref 'AWS::Region', 'LambdaTrustRole']]

To:

      Role: !GetAtt LambdaExecutionRole.Arn

After which Code Deploy was successful, but the API Gateway test of PUT failed and I'm seeing similar error as @MickyHCorbett

Fri Jan 04 18:58:03 UTC 2019 : Endpoint response body before transformations: {"errorMessage":"User: arn:aws:sts::x:assumed-role/CodeStar-uni-api-Execution/uni-api-update is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:x:table/awscodestar-uni-api-lambda-Table-x"

mcoming commented 5 years ago

Got past not authorized to perform dynamodb:PutItem by adding policy from Using Identity-Based Policies for DynamoDB Example 1 to CodeStar-uni-api-Execution role. Get ARN from DynamoDB console.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllAPIActionsOnUniApiLambdaTable",
            "Effect": "Allow",
            "Action": "dynamodb:*",
            "Resource": "arn:aws:dynamodb:us-east-1:x:table/awscodestar-uni-api-lambda-Table-x"
        }
    ]
}

mcoming commented 5 years ago

@samdengler package.json on the breakfix branch

is missing "aws-xray-sdk": "^1.1.6"

So in X-Ray I get exception

Error: Cannot find module 'aws-xray-sdk'

MickyHCorbett commented 5 years ago

@mcoming I added the explicit DynamoDB policy as a standalone inline policy and it allowed API Gateway access. Thanks very much. @samdengler I'm wondering if the easiest thing to do moving forward is to create an extra Statement in the CodeStar_uni-api_PermissionsBoundary list of statements that is explicitly given an Sid name. The DynamoDB access is in Sid 1 but it appears to be ignored. If it were in its own Sid it would have the same effect as an extra inline policy. Also even though it's a bit frustrating having the recent Codestar app baseline changes, it is a great learning experience!
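
Added example (not part of the thread or the workshop's code): a simplified Python model of the IAM evaluation behind the two comments above, in which a request succeeds only when both the role's identity-based policies and its permissions boundary allow it. It also compares the `dynamodb:*` grant with one scoped to the two actions named in the error messages. Assumptions: the boundary contents, account ID and table suffix are constructed placeholders, and resource-based policies, SCPs and conditions are left out of the model.

```python
from fnmatch import fnmatchcase

# Constructed placeholders: account ID and table suffix are not from the thread.
TABLE_ARN = ("arn:aws:dynamodb:us-east-1:111122223333:"
             "table/awscodestar-uni-api-lambda-Table-EXAMPLE")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; resource ARNs are matched as-is.
    action_ok = any(fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok

def _allows(policies, action, resource):
    stmts = [s for p in policies for s in p["Statement"]]
    if any(s["Effect"] == "Deny" and _matches(s, action, resource) for s in stmts):
        return False  # an explicit Deny always wins
    return any(s["Effect"] == "Allow" and _matches(s, action, resource)
               for s in stmts)

def is_allowed(identity_policies, boundary, action, resource):
    """Allowed only if the identity-based policies AND the boundary both allow it."""
    return (_allows(identity_policies, action, resource)
            and _allows([boundary], action, resource))

# Hypothetical boundary: it caps what the role may be granted, it grants nothing.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "1", "Effect": "Allow",
     "Action": ["dynamodb:*", "lambda:*"], "Resource": "*"}]}

# Inline policy limited to the two actions named in the thread's error messages.
SCOPED_INLINE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadWriteUniApiTable", "Effect": "Allow",
     "Action": ["dynamodb:GetItem", "dynamodb:PutItem"], "Resource": TABLE_ARN}]}

# Shape of the broad grant posted in the thread, for comparison.
BROAD_INLINE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllAPIActionsOnUniApiLambdaTable", "Effect": "Allow",
     "Action": "dynamodb:*", "Resource": TABLE_ARN}]}

if __name__ == "__main__":
    for name, policies in [("none", []), ("scoped", [SCOPED_INLINE]),
                           ("broad", [BROAD_INLINE])]:
        for action in ("dynamodb:PutItem", "dynamodb:DeleteTable"):
            print(name, action, is_allowed(policies, BOUNDARY, action, TABLE_ARN))
```

With no identity-based policy attached, the boundary's DynamoDB statement alone yields a deny; the scoped policy permits `GetItem` and `PutItem` while `DeleteTable` stays denied, which the broad grant would allow.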

samdengler commented 5 years ago

@MickyHCorbett @mcoming thanks for the testing and feedback. I'll dig into it and have an update early next week.

HoraceShmorace commented 5 years ago

This is still happening. Maybe update the readme to say it's broken, and to not start this workshop.

jkuhnert commented 5 years ago

@samdengler We're currently using these workshops to help train developers quickly on using serverless. I wonder if there would be some value in Amazon more officially having someone(s) maintain this repo? It's an awesome way to get acclimated to serverless and AWS. We will be sad to see it eventually decay. Just an idea.

Lot easier than trying to read dense developer guides or finding random blog posts.

samdengler commented 5 years ago

@jkuhnert thanks for the feedback, and I'm glad that you're finding the content useful! I'll commit to get everything working again by Monday, Feb 4.

We have the opposite intent for this material, actually. It's a bit dated with all the new features around code deployment, developer tools, etc. I'll be working on a refresh in H1, including more responsive support for maintenance.

If you have feedback on what you'd like to see, please share with me in separate GH issues that I can assign to myself and we can use for discussion. The workshops are most effective when they connect with what's useful to you and your developers. Thanks for your support!

jkuhnert commented 5 years ago

Ok, will do. Thanks @samdengler .

samdengler commented 5 years ago

@jkuhnert @HoraceShmorace @mcoming @AtlasApollo - Modules 1 - 3 should be working now. If you have a chance to test them out, please let me know if you still see errors. Module 4 is working up to the Lambda Invocation Action to test the Beta stage. This may be related to a CodeStar change to the bounded permission policy (https://forums.aws.amazon.com/thread.jspa?messageID=885078). I'm following up on this internally and will complete the changes to Module 4.

charlesguse commented 5 years ago

I (and some others I was working with today) are still experiencing the [template-configuration.json] does not exist error. I just tried adding that and came across more issues and found that the template found in awscodestar-uni-api-lambda does not match the template found in the repository after running the second seed.

Please let me know if there is any info you would like from me to help diagnose and fix the issue more. I have really appreciated being able to use these workshops and would love to understand what the issue is. I am surprised to see the templates not match between the repository and the stack.

Thank you for the work you have done with this @samdengler .

jkuhnert commented 5 years ago

@samdengler One of our developers has confirmed modules 1 - 3 worked for him on your fix branch, thank you very much.

samdengler commented 5 years ago

@charlesguse - thanks for the feedback. Can you please try the fsd-codestar-breakfix branch? (https://github.com/aws-samples/aws-serverless-workshops/tree/fsd-codestar-breakfix)

@jkuhnert has confirmed modules 1 - 3 work, and it would be great to get a second confirmation from you as well.

Module 4 is still under construction as we work through an IAM Boundary Permission restriction preventing the custom Lambda action.

samdengler commented 5 years ago

It looks like the changes required to enable Module 4 may take a little more time. I didn't want to hold up the other fixes, so I've commented out references to it in the READMEs to merge to master. Once available, I will retest Module 4 and restore the links.

I'll keep this issue open until that is complete.

samdengler commented 4 years ago

Thanks for your feedback. We've updated the DevOps Serverless Workshop with new content: https://cicd.serverlessworkshops.io/