nwestfall / lambda-github-runner

Github Action Runner inside of Lambda - A Completely Serverless Solution
MIT License

Runner deploy failing trying to get-object from not-yet-created bucket #1

Open jeff-wishnie opened 2 years ago

jeff-wishnie commented 2 years ago

Hello, this setup looks very cool. I'm trying to try it out but am getting an error deploying with Terraform, and am not familiar enough with Terraform to easily debug.

There is a step that is attempting to pull a zip from an s3 bucket that has yet to be created that is erroring out.

Any guidance appreciated!


```
╷
│ Error: local-exec provisioner error
│ 
│   with module.lambda_webhook_pull.null_resource.lambda_github_webhook_pull_zip,
│   on webhook_module/main.tf line 2, in resource "null_resource" "lambda_github_webhook_pull_zip":
│    2:     provisioner "local-exec" {
│ 
│ Error running command 'mkdir -p ../files && aws s3api get-object --bucket lambda-github-webhook --key lambda-github-webhook-function.zip --request-payer true ../files/lambda-github-webhook-function.zip': exit status 254. Output: 
│ An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
```

nwestfall commented 2 years ago

I believe this means your IAM role doesn't have permission to something. It will need to get an object from S3 and it's getting an "AccessDenied".

Can you confirm your IAM Policy that is used while running terraform?

jeff-wishnie commented 2 years ago

I can confirm that the AWS account has full S3 GetObject permissions.

I think the issue is lack of permissions to retrieve lambda-github-webhook-function.zip from a bucket you own.

nwestfall commented 2 years ago

Hmm, let me investigate that.

nwestfall commented 2 years ago

I changed the objects, ACLs, let me know if that works!

michael1997 commented 2 years ago

I'm also still getting the same permission denied issue. Tested with both a restricted role and administrator access.

fgregg commented 2 years ago

can confirm this is a permissions issue. i manually compiled and created lambda-github-webhook-function.zip and put it in an s3 bucket accessible to me. i then updated webhook_module/main.tf to point to my bucket, and then was able to successfully complete terraform apply
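
The workaround described in the comment above, written out as an added example (not code from the repository or from any commenter): the same `null_resource` pointed at a bucket in your own account, with the bucket owner and the zip's SHA-256 pinned so a wrong or swapped artifact fails the apply. The variables `webhook_bucket`, `webhook_bucket_owner` and `webhook_zip_sha256` are hypothetical names, and the checksum step assumes GNU `sha256sum` is on the machine running Terraform.

```hcl
# Added example. Variable names below are hypothetical, not the module's own.
variable "webhook_bucket" {
  description = "S3 bucket in your own account that holds the zip you built"
  type        = string
}

variable "webhook_bucket_owner" {
  description = "12-digit AWS account ID expected to own webhook_bucket"
  type        = string
}

variable "webhook_zip_sha256" {
  description = "Hex SHA-256 of the lambda-github-webhook-function.zip you uploaded"
  type        = string
}

resource "null_resource" "lambda_github_webhook_pull_zip" {
  # local-exec only runs when the resource is created; these triggers
  # force a fresh download when the bucket or the pinned hash changes.
  triggers = {
    bucket     = var.webhook_bucket
    zip_sha256 = var.webhook_zip_sha256
  }

  provisioner "local-exec" {
    # --expected-bucket-owner makes S3 reject the request if the bucket
    # belongs to any account other than the one named here.
    # sha256sum -c exits non-zero on a mismatch, which fails the apply
    # before the zip is handed to Lambda.
    command = <<-EOT
      set -e
      mkdir -p ../files
      aws s3api get-object \
        --bucket "${var.webhook_bucket}" \
        --expected-bucket-owner "${var.webhook_bucket_owner}" \
        --key lambda-github-webhook-function.zip \
        ../files/lambda-github-webhook-function.zip
      echo "${var.webhook_zip_sha256}  ../files/lambda-github-webhook-function.zip" | sha256sum -c -
    EOT
  }
}
```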

tricker-a commented 2 years ago

> I changed the objects, ACLs, let me know if that works!

still doesn't work

ceejatec commented 1 year ago

A solution to this problem is to change deploy/webhook_module/main.tf to compile the webhook code locally, rather than pulling it from S3:

```hcl
resource "null_resource" "lambda_github_webhook_pull_zip" {
    provisioner "local-exec" {
        command = "mkdir -p ${var.file_destination} && cd ${var.file_destination}/../src/lambda-github-webhook && GOOS=linux go build -o ../../main && cd ../.. && zip ${abspath(var.file_destination)}/lambda-github-webhook-function.zip main"
    }
}
```

hnprashanth commented 4 months ago

> A solution to this problem is to change deploy/webhook_module/main.tf to compile the webhook code locally, rather than pulling it from S3:
>
> ```hcl
> resource "null_resource" "lambda_github_webhook_pull_zip" {
>     provisioner "local-exec" {
>         command = "mkdir -p ${var.file_destination} && cd ${var.file_destination}/../src/lambda-github-webhook && GOOS=linux go build -o ../../main && cd ../.. && zip ${abspath(var.file_destination)}/lambda-github-webhook-function.zip main"
>     }
> }
> ```

This worked for me, thank you!