stelligent / mu

A full-stack DevOps on AWS framework
https://getmu.io
MIT License

Adding ACM certificate to ELB causes new ECR repository #419

Closed jgunnink closed 5 years ago

jgunnink commented 5 years ago

Hello - firstly, thanks for this excellent tool. It's proven extremely valuable.

I just wanted to raise an issue I have discovered during the development process for the current project we have been utilising Mu for, regarding the naming convention used for ECR when an SSL certificate reference goes in.

In short, adding the certificate like so:

environments:
- name: production
  provider: ecs-fargate
    loadbalancer:
      certificate: "abcd1234-f281-4e42-9205-abcd1234abcd"

caused the build pipeline to fail, saying it didn't have access to push to the ECR repository.

On further inspection, it appears to be using a different naming convention than it was using prior to this change going in. It was previously using mu-project-prod, as specified in the services section of the YAML file:

service:
  name: project-prod 

However, now it's using the name of the GitHub repo instead:

  pipeline:
    source:
      provider: GitHub
      repo: org_name/project

with this error in the build:

ERROR   mu-repo-project:  EcsRepo (AWS::ECR::Repository) CREATE_FAILED User: arn:aws:sts::<acct number>:assumed-role/mu-pipeline-project-prod-ci-ap-southeast-2/AWSCodeBuild-<UUID> is not authorized to perform: ecr:DescribeRepositories on resource: arn:aws:ecr:ap-southeast-2:<acct number>:repository/mu-project (Service: AmazonECR; Status Code: 400; Error Code: AccessDeniedException; Request ID: <UUID>)

I am wondering why it is now trying to use a different ECR name. I don't believe anything else has been changed, but just wondering if this is perhaps a bug which may not have surfaced until now, simply due to naming conventions.

We have two pipelines which are in separate AWS accounts; each pipeline is very similar to the other, with some minor differences between them. Nothing special has been tweaked with the mu application.

I appreciate any help, thank you 😄

jgunnink commented 5 years ago

Just came back to update, on the off-chance this helps someone out, and for posterity. The issue ended up being with my YAML indenting syntax. The correct indentation I found to work as expected is:

environments:
- name: production
  provider: ecs-fargate
  loadbalancer:
    certificate: "abcd1234-f281-4e42-9205-abcd1234abcd"

bryan-yu commented 5 years ago

crazy things
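
A pre-commit check for the indentation mistake resolved in this thread, added here as an example (it is not part of the original issue and is not mu's own code): it flags any key indented beneath a key that already carries an inline value, as `loadbalancer` was beneath `provider: ecs-fargate`. The function name `find_misnested_keys` is hypothetical, the two samples are constructed from the snippets above, and the check is a line-based heuristic rather than a full YAML parser.

```python
import re

# Constructed samples mirroring the two snippets posted in the thread.
BROKEN = """\
environments:
- name: production
  provider: ecs-fargate
    loadbalancer:
      certificate: "abcd1234-f281-4e42-9205-abcd1234abcd"
"""
FIXED = """\
environments:
- name: production
  provider: ecs-fargate
  loadbalancer:
    certificate: "abcd1234-f281-4e42-9205-abcd1234abcd"
"""

# Leading whitespace and list dashes, then "key:" with an optional inline value.
KEY_LINE = re.compile(r"^(?P<lead>\s*(?:-\s+)*)(?P<key>[^\s:#][^:]*?):(?:\s+(?P<value>.*))?$")
# Values that legitimately introduce indented content (block scalars, anchors, tags, flow collections).
OPENERS = ("|", ">", "&", "!", "{", "[")


def find_misnested_keys(text):
    """Return (line_no, key, parent_key) for each key indented under a key
    that already has an inline scalar value (hypothetical helper)."""
    findings = []
    prev = None  # (column, key, has_scalar) of the previous key line
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = KEY_LINE.match(line)
        if match is None:
            prev = None  # not a simple "key: value" line; stop tracking
            continue
        column = len(match.group("lead"))
        # Drop a trailing or whole-value comment before judging the value.
        value = re.sub(r"(^|\s)#.*$", "", match.group("value") or "").strip()
        has_scalar = bool(value) and not value.startswith(OPENERS)
        if prev and column > prev[0] and prev[2]:
            findings.append((line_no, match.group("key"), prev[1]))
        prev = (column, match.group("key"), has_scalar)
    return findings


if __name__ == "__main__":
    for line_no, key, parent in find_misnested_keys(BROKEN):
        print(f"line {line_no}: '{key}' is nested under '{parent}', which already has a value")
```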