winglang / wing

A programming language for the cloud ☁️ A unified programming model, combining infrastructure and runtime code into one language ⚡
https://winglang.io

winglibs: checks can't be rolled out #5204

Open skorfmann opened 8 months ago

skorfmann commented 8 months ago

I tried this:

add a check to the application and run wing test -t tf-aws

This happened:

It fails in the terraform apply phase; the AWS role used has admin access.

Terraform has been successfully initialized!

2023-12-13T10:02:46.439Z wing:test terraform apply -auto-approve
✖ terraform apply

Command failed: terraform apply -auto-approve
╷
│ Error: invoking Lambda Function (Function-c85f4e8a): returned error: "{"errorType":"AccessDenied","errorMessage":"Access Denied","trace":["AccessDenied: Access Denied","    at throwDefaultError (/home/runner/work/wing.cloud/wing.cloud/apps/@wingcloud/infrastructure/target/test/main.tfaws/.wing/../../../../../../../node_modules/.pnpm/@winglang+sdk@0.51.21_constructs@10.3.0/node_modules/@winglang/sdk/node_modules/@smithy/smithy-client/dist-cjs/default-error-handler.js:8:22)","    at <anonymous> (/home/runner/work/wing.cloud/wing.cloud/apps/@wingcloud/infrastructure/target/test/main.tfaws/.wing/../../../../../../../node_modules/.pnpm/@winglang+sdk@0.51.21_constructs@10.3.0/node_modules/@winglang/sdk/node_modules/@smithy/smithy-client/dist-cjs/default-error-handler.js:18:21)","    at de_PutObjectCommandError (/home/runner/work/wing.cloud/wing.cloud/apps/@wingcloud/infrastructure/target/test/main.tfaws/.wing/../../../../../../../node_modules/.pnpm/@winglang+sdk@0.51.21_constructs@10.3.0/node_modules/@winglang/sdk/node_modules/@aws-sdk/client-s3/dist-cjs/protocols/Aws_restXml.js:5721:12)","    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)","    at <anonymous> (/home/runner/work/wing.cloud/wing.cloud/apps/@wingcloud/infrastructure/target/test/main.tfaws/.wing/../../../../../../../node_modules/.pnpm/@winglang+sdk@0.51.21_constructs@10.3.0/node_modules/@winglang/sdk/node_modules/@smithy/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24)","    at <anonymous> (/home/runner/work/wing.cloud/wing.cloud/apps/@wingcloud/infrastructure/target/test/main.tfaws/.wing/../../../../../../../node_modules/.pnpm/@winglang+sdk@0.51.21_constructs@10.3.0/node_modules/@winglang/sdk/node_modules/@aws-sdk/middleware-signing/dist-cjs/awsAuthMiddleware.js:14:20)","    at <anonymous> 
(/home/runner/work/wing.cloud/wing.cloud/apps/@wingcloud/infrastructure/target/test/main.tfaws/.wing/../../../../../../../node_modules/.pnpm/@winglang+sdk@0.51.21_constructs@10.3.0/node_modules/@winglang/sdk/node_modules/@smithy/middleware-retry/dist-cjs/retryMiddleware.js:27:46)","    at <anonymous> (/home/runner/work/wing.cloud/wing.cloud/apps/@wingcloud/infrastructure/target/test/main.tfaws/.wing/../../../../../../../node_modules/.pnpm/@winglang+sdk@0.51.21_constructs@10.3.0/node_modules/@winglang/sdk/node_modules/@aws-sdk/middleware-flexible-checksums/dist-cjs/flexibleChecksumsMiddleware.js:63:20)","    at <anonymous> (/home/runner/work/wing.cloud/wing.cloud/apps/@wingcloud/infrastructure/target/test/main.tfaws/.wing/../../../../../../../node_modules/.pnpm/@winglang+sdk@0.51.21_constructs@10.3.0/node_modules/@winglang/sdk/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/region-redirect-endpoint-middleware.js:14:24)","    at <anonymous> (/home/runner/work/wing.cloud/wing.cloud/apps/@wingcloud/infrastructure/target/test/main.tfaws/.wing/../../../../../../../node_modules/.pnpm/@winglang+sdk@0.51.21_constructs@10.3.0/node_modules/@winglang/sdk/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/region-redirect-middleware.js:9:20)"]}"
│ 
│   with data.aws_lambda_invocation.TestcCT5tLuqZZ_APIsmoketests_checksCheck_cloudOnDeploy_Invocation_FFBDD68F,
│   on main.tf.json line 5263, in data.aws_lambda_invocation.TestcCT5tLuqZZ_APIsmoketests_checksCheck_cloudOnDeploy_Invocation_FFBDD68F:
│ 5263:       }
- terraform destroy
│ 

I expected this:

it works without access errors

Is there a workaround?

No response

Anything else?

No response

Wing Version

0.51.21

Node.js Version

18.7

Platform(s)

MacOS

skorfmann commented 8 months ago

The check has a lifted value (an SSM parameter). Looks like only the first invocation - pretty much immediately after creation - is failing. Subsequent calls via console or terraform apply are succeeding.

2023-12-13T11:37:58.005+01:00
2023-12-13T10:37:58.005Z    1af87741-175a-4212-8317-99e5e5db5b98    INFO    check failed: User: arn:aws:sts::207534322588:assumed-role/terraform-20231213103740649300000003/Function-c80746ea is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:207534322588:parameter/wing-cloud/apps/config/api-url because no identity-based policy allows the ssm:GetParameter action
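
The pattern reported above (denied on the first invocation right after the role is created, fine on later calls) matches how IAM changes propagate: they are eventually consistent. Assuming that is the cause here, the following added example (not from the issue or the Wing SDK; `runCheckWithRetry`, `nextAction` and `flakyCheck` are hypothetical names) shows a bounded retry for a deploy-time check that retries only authorization errors and still surfaces a persistent denial.

```javascript
// Added example; not Wing SDK code. All names below are hypothetical.
const DENIED = /Access ?Denied|not authorized to perform/i;

// True when an error looks like an authorization failure (as in the logs above).
function isAccessDenied(err) {
  return DENIED.test(`${err.name || ""} ${err.code || ""} ${err.message || ""}`);
}

// Decide what to do after a failed attempt (1-based). Only access-denied errors
// are retried, with exponential backoff, and only up to maxAttempts.
function nextAction(err, attempt, { maxAttempts = 5, baseDelayMs = 1000 } = {}) {
  if (!isAccessDenied(err)) return { action: "fail", reason: "not-an-auth-error" };
  if (attempt >= maxAttempts) return { action: "fail", reason: "still-denied" };
  return { action: "retry", delayMs: baseDelayMs * 2 ** (attempt - 1) };
}

const realSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Run `check` (an async function) under the policy above.
async function runCheckWithRetry(check, opts = {}, sleep = realSleep) {
  for (let attempt = 1; ; attempt++) {
    try {
      return { value: await check(), attempts: attempt };
    } catch (err) {
      const next = nextAction(err, attempt, opts);
      // A persistent denial or a real check failure is surfaced unchanged,
      // so a genuinely missing permission still fails the deployment.
      if (next.action === "fail") throw err;
      await sleep(next.delayMs);
    }
  }
}

// Constructed stand-in for a check whose role is not usable yet: denied
// `failures` times with a message shaped like the one in the log, then succeeds.
function flakyCheck(failures) {
  let calls = 0;
  return async () => {
    if (++calls <= failures) {
      throw new Error("User: <role-arn> is not authorized to perform: ssm:GetParameter");
    }
    return "ok";
  };
}
```

Keep `maxAttempts` small: a denial that outlasts the retry window is a missing policy statement, not propagation delay, and should fail the deployment.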

eladb commented 8 months ago

Copying @Chriscbr - is this an issue with OnDeploy?

github-actions[bot] commented 6 months ago

Hi,

This issue hasn't seen activity in 60 days. Therefore, we are marking this issue as stale for now. It will be closed after 7 days. Feel free to re-open this issue when there's an update or relevant information to be added. Thanks!