awslabs / backstage-plugins-for-aws

AWS plugins for Backstage
Apache License 2.0

bug: The Tag function of the Pipeline plugin does not work in a private network. #139

Open Kang3498 opened 2 months ago

Kang3498 commented 2 months ago

📜 Description

There is no problem when using ARN annotation. However, if I try to use Tag, error 504 occurs. If I need a VPC endpoint, I would like you to tell me which service it should be opened to.

👍 Expected behavior

Perform tag annotation-based functions normally in a private network environment, or specify in the document that private networks are not supported.

👎 Actual Behavior with Screenshots

Can't get this, because my environment is internal.

👟 Reproduction steps

  1. Add CodePipeline Plugin to my Backstage.
  2. Set annotation and tags.
  3. Go to CI/CD page.

📃 Content

No response

🖥️ Your Environment

No response

niallthomson commented 2 months ago

Hi @Kang3498 are you using the resource tagging API (default configuration) to do tag-based lookups?

Kang3498 commented 2 months ago

Yes, that's right. Can I choose another option? I just followed this article (https://github.com/awslabs/backstage-plugins-for-aws/blob/main/plugins/codepipeline/README.md).

niallthomson commented 2 months ago

Currently you can also use AWS Resource Explorer, and soon we'll document AWS Config. However it looks like AWS Config is the only option that offers VPC endpoints:

https://github.com/awslabs/backstage-plugins-for-aws/blob/main/docs/locating-resources.md

The only option I can see us providing beyond Config that will work in a private VPC is potentially using the Cloud Control API but we'd need to see if this can cater for tag-based lookups.

Kang3498 commented 2 months ago

After seeing your comment, I tried changing the locator to resourceExplorer and awsConfig. They generate 500 errors for different reasons regardless of the private network. Are they not ready yet? For reference, the error I received is as follows.

resourceExplorer: 500: UnauthorizedException (I have admin privileges)
awsConfig: 500: InvalidExpressionException

niallthomson commented 2 months ago

@Kang3498 I just updated the documentation and have confirmed with another Backstage adopter that the AWS Config mechanism is working. I provided a note on the VPC endpoints required for AWS Config but have not had a chance to test in a VPC without internet access yet.

Kang3498 commented 2 months ago

@niallthomson With App Config, it still doesn't work. Below is the error, and it was tested on a public network. The only thing I did was change the locator to AppConfig.

backstage error Request failed with status 500 syntax error at line 1, column 39 type=errorHandler name=InvalidExpressionException $fault=client $metadata=[object Object] __type=InvalidExpressionException stack=InvalidExpressionException: syntax error at line 1, column 39
[1]     at de_InvalidExpressionExceptionRes (/Users/sanggyu/Project/backstage/node_modules/@aws-sdk/client-config-service/dist-cjs/index.js:3866:21)
[1]     at de_CommandError (/Users/sanggyu/Project/backstage/node_modules/@aws-sdk/client-config-service/dist-cjs/index.js:3793:19)
[1]     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
[1]     at async /Users/sanggyu/Project/backstage/node_modules/@smithy/middleware-serde/dist-cjs/index.js:35:20
[1]     at async /Users/sanggyu/Project/backstage/node_modules/@smithy/core/dist-cjs/index.js:165:18
[1]     at async /Users/sanggyu/Project/backstage/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38
[1]     at async /Users/sanggyu/Project/backstage/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:34:22
[1]     at async makePagedClientRequest (/Users/sanggyu/Project/backstage/node_modules/@smithy/core/dist-cjs/index.js:430:10)
[1]     at async Object.paginateOperation (/Users/sanggyu/Project/backstage/node_modules/@smithy/core/dist-cjs/index.js:443:16)
[1]     at _AwsConfigResourceLocator.getResourceArns (/Users/sanggyu/Project/backstage/node_modules/@aws/aws-core-plugin-for-backstage-common/src/locator/aws-config-locator.ts:129:22)

niallthomson commented 1 month ago

Hi @Kang3498 I just want to make sure to clarify App Config vs AWS Config.

The error there suggests that the query to Config is malformed, which could be due to your tag annotation. Can you provide the tags annotation you have used? Please redact any sensitive information like account IDs etc.

Kang3498 commented 1 month ago

@niallthomson I'm using this one. If you have any information needed to solve the problem, please feel free to tell me.

# catalog-info.yaml
annotations:
  aws.amazon.com/aws-codepipeline-tags: cicd=test

# app-config.yaml
aws:
  locator:
    type: awsConfig
  sso:
    subdomain: d-xxxxxxxx

niallthomson commented 1 month ago

If you activate debug logging we should be able to check the AWS Config query to make sure the code is forming it correctly. Please turn log level to debug as outlined here and when the error occurs you should get a log line somewhere that says:

AWS Config query: [some query]

If you can add the query here I can check if there's a bug in the code that forms the query.

niallthomson commented 3 weeks ago

@Kang3498 the AWS Config issue should now be resolved with the releases just published
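
The thread traces the `InvalidExpressionException` to the query string built from the tags annotation. The sketch below is an added example, not part of the thread and not the plugin's code: it shows one way to turn an annotation such as `cicd=test` into an AWS Config advanced query while rejecting values that would produce a malformed or altered expression. The function names, the `tags.tag` query shape and the permitted tag character set are assumptions made for this illustration.

```javascript
// Added example (not the plugin's implementation). Assumptions: the query
// uses the AWS Config advanced-query field `tags.tag`, and tag keys/values
// are limited to letters, digits, spaces and + - = . _ : / @

const TAG_CHARS = /^[\p{L}\p{N} +\-=._:\/@]*$/u;
const RESOURCE_TYPE = /^[A-Za-z0-9]+(::[A-Za-z0-9]+){2}$/;

// Quote a value as a SQL string literal; doubling quotes is defence in
// depth, since TAG_CHARS already excludes the single quote.
function quote(value) {
  return `'${value.replace(/'/g, "''")}'`;
}

// Parse "k1=v1,k2=v2" into [{ key, value }], failing closed on bad input.
function parseTagAnnotation(annotation) {
  return annotation.split(',').map((pair) => {
    const idx = pair.indexOf('=');
    if (idx <= 0) {
      throw new Error(`tag "${pair}" is not in key=value form`);
    }
    const key = pair.slice(0, idx).trim();
    const value = pair.slice(idx + 1).trim();
    if (key.length === 0 || !TAG_CHARS.test(key) || !TAG_CHARS.test(value)) {
      throw new Error(`tag "${pair}" contains unsupported characters`);
    }
    return { key, value };
  });
}

// Build the query text; every tag in the annotation must match (AND).
function buildConfigQuery(resourceType, annotation) {
  if (!RESOURCE_TYPE.test(resourceType)) {
    throw new Error(`unexpected resource type "${resourceType}"`);
  }
  const clauses = parseTagAnnotation(annotation).map(
    ({ key, value }) => `tags.tag = ${quote(`${key}=${value}`)}`
  );
  return `SELECT arn WHERE resourceType = ${quote(resourceType)} AND ${clauses.join(' AND ')}`;
}

// Constructed sample input taken from the annotation posted in the thread.
console.log(buildConfigQuery('AWS::CodePipeline::Pipeline', 'cicd=test'));
```

Logging the generated string before sending it, as the maintainer asks for with debug logging, makes a column-numbered syntax error straightforward to locate.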