Less than two MFA types available on a white screen. No dashboards. Fresh aws acc. Fresh deployment (terraform) #1388
Comments
I see you set |
@epicfaace it is actually set to the custom domain - it's the same domain I use to login to this newly installed instance of Crossfeed. Is there anything I can check etc? |
Can you try manually navigating to the crossfeed/backend/src/api/app.ts Line 62 in a70e552
|
@epicfaace I see what you mean - like it is on https://api.crossfeed.cyber.dhs.gov/. In my case, however, the output is the HTML generated by the frontend code (not the API) - exactly like it would be if you query https://crossfeed.cyber.dhs.gov/. So I've now changed the ssm "/crossfeed/prod/DOMAIN" from "example.com" to "api.example.com". Now I think that the following commands did nothing during the deployment (and continue to do so). In AWS Lambda I keep having only one function - the crossfeed-security-headers-prod one. |
What output do you get from these commands? |
@epicfaace thank you for your time helping me on all this! The output is the same for both commands - please see the screenshots below. |
Hmm, it looks like you might have another command installed that is running when you call You could try replacing "sls" with "serverless", for example, |
@epicfaace thank you! On macOS Now I have this error: So I have to request a quota increase at https://console.aws.amazon.com/servicequotas/home/services/lambda/quotas/L-B99A9384 In your experience what number would you recommend for running just the Crossfeed project on a fresh aws account specifically? |
I'm not sure, this is probably specific to your AWS account and what else you're running on it? Are you sure you're using a fresh AWS account (is it possible it was contaminated by previous deploy attempts)? You could also alternatively just comment out this line (
|
Thank you. I've requested the quota increase to 200 - that solved that particular problem. However that did not solve the initial error message from the Title/screenshot but I'll investigate it later and post updates here. |
@epicfaace can you please help me debug these specific 502 errors? I confirm that I'm using revision 6f2582c |
Hi @linkrage , unfortunately it's hard to tell what's going on without more logs / context. Can you try:
|
@epicfaace I just deployed the latest master - no change in behavior at all on my end. Here are some logs on the topic: /aws/lambda/crossfeed-prod-scheduler:
/aws/api-gateway/crossfeed-prod:
/aws/lambda/crossfeed-prod-api:
BTW since the beginning I have 2 ECS clusters: |
Oh -- you need to invoke the lambda function "crossfeed-prod-syncdb"
through the AWS console in the AWS lambda tab. Can you try that first?
This function actually creates the database tables.
If that works, then if you don't mind updating the documentation, I'd
really appreciate it!
…--
Ashwin Ramaswami
On Tue, Feb 22, 2022 at 12:30 PM linkrage ***@***.***> wrote:
@epicfaace <https://github.com/epicfaace> I just deployed the latest
master - no change in behavior at all on my end.
Here are some logs on the topic:
/aws/lambda/crossfeed-prod-scheduler:
2022-02-22T18:37:05.730+02:00 START RequestId: 0409b0d3-f0de-4545-90c9-365d03fe190b Version: $LATEST
2022-02-22T18:37:05.735+02:00 2022-02-22T16:37:05.735Z 0409b0d3-f0de-4545-90c9-365d03fe190b INFO Running scheduler...
2022-02-22T18:37:05.750+02:00 2022-02-22T16:37:05.749Z 0409b0d3-f0de-4545-90c9-365d03fe190b ERROR Invoke Error {"errorType":"QueryFailedError","errorMessage":"relation \"scan\" does not exist","code":"42P01","query":"SELECT \"Scan\".\"id\" AS \"Scan_id\", \"Scan\".\"createdAt\" AS \"Scan_createdAt\", \"Scan\".\"updatedAt\" AS \"Scan_updatedAt\", \"Scan\".\"name\" AS \"Scan_name\", \"Scan\".\"arguments\" AS \"Scan_arguments\", \"Scan\".\"frequency\" AS \"Scan_frequency\", \"Scan\".\"lastRun\" AS \"Scan_lastRun\", \"Scan\".\"isGranular\" AS \"Scan_isGranular\", \"Scan\".\"isUserModifiable\" AS \"Scan_isUserModifiable\", \"Scan\".\"isSingleScan\" AS \"Scan_isSingleScan\", \"Scan\".\"manualRunPending\" AS \"Scan_manualRunPending\", \"Scan\".\"createdById\" AS \"Scan_createdById\", \"Scan__organizations\".\"id\" AS \"Scan__organizations_id\", \"Scan__organizations\".\"createdAt\" AS \"Scan__organizations_createdAt\", \"Scan__organizations\".\"updatedAt\" AS \"Scan__organizations_updatedAt\", \"Scan__organizations\".\"name\" AS \"Scan__organizations_name\", \"Scan__organizations\".\"rootDomains\" AS \"Scan__organizations_rootDomains\", \"Scan__organizations\".\"ipBlocks\" AS \"Scan__organizations_ipBlocks\", \"Scan__organizations\".\"isPassive\" AS \"Scan__organizations_isPassive\", \"Scan__organizations\".\"parentId\" AS \"Scan__organizations_parentId\", \"Scan__organizations\".\"createdById\" AS \"Scan__organizations_createdById\", \"Scan__tags\".\"id\" AS \"Scan__tags_id\", \"Scan__tags\".\"createdAt\" AS \"Scan__tags_createdAt\", \"Scan__tags\".\"updatedAt\" AS \"Scan__tags_updatedAt\", \"Scan__tags\".\"name\" AS \"Scan__tags_name\", \"Scan__tags__organizations\".\"id\" AS \"Scan__tags__organizations_id\", \"Scan__tags__organizations\".\"createdAt\" AS \"Scan__tags__organizations_createdAt\", \"Scan__tags__organizations\".\"updatedAt\" AS \"Scan__tags__organizations_updatedAt\", \"Scan__tags__organizations\".\"name\" AS \"Scan__tags__organizations_name\", 
\"Scan__tags__organizations\".\"rootDomains\" AS \"Scan__tags__organizations_rootDomains\", \"Scan__tags__organizations\".\"ipBlocks\" AS \"Scan__tags__organizations_ipBlocks\", \"Scan__tags__organizations\".\"isPassive\" AS \"Scan__tags__organizations_isPassive\", \"Scan__tags__organizations\".\"parentId\" AS \"Scan__tags__organizations_parentId\", \"Scan__tags__organizations\".\"createdById\" AS \"Scan__tags__organizations_createdById\" FROM \"scan\" \"Scan\" LEFT JOIN \"scan_organizations_organization\" \"Scan_Scan__organizations\" ON \"Scan_Scan__organizations\".\"scanId\"=\"Scan\".\"id\" LEFT JOIN \"organization\" \"Scan__organizations\" ON \"Scan__organizations\".\"id\"=\"Scan_Scan__organizations\".\"organizationId\" LEFT JOIN \"scan_tags_organization_tag\" \"Scan_Scan__tags\" ON \"Scan_Scan__tags\".\"scanId\"=\"Scan\".\"id\" LEFT JOIN \"organization_tag\" \"Scan__tags\" ON \"Scan__tags\".\"id\"=\"Scan_Scan__tags\".\"organizationTagId\" LEFT JOIN \"organization_tag_organizations_organization\" \"Scan__tags_Scan__tags__organizations\" ON \"Scan__tags_Scan__tags__organizations\".\"organizationTagId\"=\"Scan__tags\".\"id\" LEFT JOIN \"organization\" \"Scan__tags__organizations\" ON \"Scan__tags__organizations\".\"id\"=\"Scan__tags_Scan__tags__organizations\".\"organizationId\"","parameters":[],"driverError":{"errorType":"error","errorMessage":"relation \"scan\" does not exist","code":"42P01","length":105,"name":"error","severity":"ERROR","position":"2016","file":"parse_relation.c","line":"1376","routine":"parserOpenTable","stack":["error: relation \"scan\" does not exist"," at Parser.parseErrorMessage (/var/task/src/tasks/scheduler.js:142675:98)"," at Parser.handlePacket (/var/task/src/tasks/scheduler.js:142514:29)"," at Parser.parse (/var/task/src/tasks/scheduler.js:142427:38)"," at Socket.<anonymous> (/var/task/src/tasks/scheduler.js:41488:42)"," at Socket.emit (events.js:400:28)"," at Socket.emit (domain.js:475:12)"," at addChunk 
(internal/streams/readable.js:293:12)"," at readableAddChunk (internal/streams/readable.js:267:9)"," at Socket.Readable.push (internal/streams/readable.js:206:10)"," at TCP.onStreamRead (internal/stream_base_commons.js:188:23)"]},"length":105,"severity":"ERROR","position":"2016","file":"parse_relation.c","line":"1376","routine":"parserOpenTable","stack":["QueryFailedError: relation \"scan\" does not exist"," at QueryFailedError.TypeORMError [as constructor] (/var/task/src/tasks/scheduler.js:678:28)"," at new QueryFailedError (/var/task/src/tasks/scheduler.js:2908:28)"," at PostgresQueryRunner.<anonymous> (/var/task/src/tasks/scheduler.js:46423:31)"," at step (/var/task/src/tasks/scheduler.js:218:23)"," at Object.throw (/var/task/src/tasks/scheduler.js:199:53)"," at rejected (/var/task/src/tasks/scheduler.js:190:65)"," at processTicksAndRejections (internal/process/task_queues.js:95:5)"]}
2022-02-22T18:37:05.750+02:00 END RequestId: 0409b0d3-f0de-4545-90c9-365d03fe190b
2022-02-22T18:37:05.750+02:00 REPORT RequestId: 0409b0d3-f0de-4545-90c9-365d03fe190b Duration: 15.83 ms Billed Duration: 16 ms Memory Size: 4096 MB Max Memory Used: 177 MB
/aws/api-gateway/crossfeed-prod:
2022-02-22T19:06:15.938+02:00 requestId: 81cab78f-e316-4bb0-9429-cbbec0a284fa, ip: xxx.xxx.xxx.xxx, caller: -, user: -, requestTime: 22/Feb/2022:17:06:15 +0000, httpMethod: POST, resourcePath: /{any+}, status: 502, protocol: HTTP/1.1, responseLength: 36
/aws/lambda/crossfeed-prod-api:
2022-02-22T18:45:59.663+02:00 START RequestId: 685f109f-3a3c-44e0-a102-451090aace17 Version: $LATEST
2022-02-22T18:45:59.754+02:00 2022-02-22T16:45:59.753Z 685f109f-3a3c-44e0-a102-451090aace17 ERROR [HPM] Error occurred while trying to proxy request /matomo.js from api.example.com to http://matomo.crossfeed.local (ENOTFOUND) (https://nodejs.org/api/errors.html#errors_common_system_errors)
2022-02-22T18:45:59.756+02:00 END RequestId: 685f109f-3a3c-44e0-a102-451090aace17
2022-02-22T18:45:59.756+02:00 REPORT RequestId: 685f109f-3a3c-44e0-a102-451090aace17 Duration: 92.41 ms Billed Duration: 93 ms Memory Size: 1024 MB Max Memory Used: 183 MB
BTW since the beginning I have 2 ECS clusters:
crossfeed-prod-worker - 0 Services
crossfeed-matomo-prod - 1 Service
|
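Added example (not part of the thread or the Crossfeed code base): a small Python triage pass over the three log groups quoted above, mapping each failure signature to its likely cause. The sample lines are constructed abbreviations of the quoted logs, and the function and category names are hypothetical.

```python
import json
import re

# Constructed sample lines, abbreviated from the log groups quoted in the thread.
SAMPLE_LOGS = [
    '2022-02-22T16:37:05.749Z ERROR Invoke Error {"errorType":"QueryFailedError",'
    '"errorMessage":"relation \\"scan\\" does not exist","code":"42P01"}',
    "requestId: -, httpMethod: POST, resourcePath: /{any+}, status: 502, protocol: HTTP/1.1",
    "2022-02-22T16:45:59.753Z ERROR [HPM] Error occurred while trying to proxy request "
    "/matomo.js from api.example.com to http://matomo.crossfeed.local (ENOTFOUND)",
    "2022-02-22T16:37:05.735Z INFO Running scheduler...",
]

INVOKE_ERR = re.compile(r"ERROR\s+Invoke Error\s+(\{.*\})\s*$")
RELATION = re.compile(r'relation "([^"]+)" does not exist')
HPM_ERR = re.compile(r"\[HPM\] Error occurred while trying to proxy request \S+ from \S+ to (\S+) \((\w+)\)")
GW_5XX = re.compile(r"resourcePath: (\S+), status: (5\d\d)\b")

def triage_line(line):
    """Return (category, detail) for a recognised failure line, else None."""
    m = INVOKE_ERR.search(line)
    if m:
        try:
            err = json.loads(m.group(1))
        except json.JSONDecodeError:
            return ("lambda_error", "unparseable error payload")
        rel = RELATION.search(err.get("errorMessage", ""))
        # 42P01 is PostgreSQL's undefined_table: the schema was never created,
        # which in this thread was fixed by invoking crossfeed-prod-syncdb.
        if err.get("code") == "42P01" and rel:
            return ("schema_missing", rel.group(1))
        return ("lambda_error", err.get("errorType", "unknown"))
    m = HPM_ERR.search(line)
    if m:  # proxy target did not resolve or connect; detail is the upstream URL
        return ("proxy_" + m.group(2).lower(), m.group(1))
    m = GW_5XX.search(line)
    if m:  # API Gateway access-log entry with a server-side status
        return ("gateway_5xx", m.group(2) + " " + m.group(1))
    return None

def triage(lines):
    """Group findings by category across all supplied log lines."""
    findings = {}
    for line in lines:
        hit = triage_line(line)
        if hit:
            findings.setdefault(hit[0], []).append(hit[1])
    return findings

if __name__ == "__main__":
    for category, details in triage(SAMPLE_LOGS).items():
        print(category, details)
```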
Thanks! That fixed all the mentioned errors so far! What's the most elegant way of dealing with this part in "pages/AuthCreateAccount/AuthCreateAccount.tsx" ? I've used stage=prod (etc.) for everything during deployment.
|
You need to 1) make an account, then 2) call the
crossfeed-prod-makeGlobalAdmin lambda function through the AWS console with
the payload {email: "[your email address]"}, then 3) go back to Crossfeed
and log in. This is just one-time setup required for the first global admin
account you create on a deployed Crossfeed instance.
…--
Ashwin Ramaswami
On Tue, Feb 22, 2022 at 1:08 PM linkrage ***@***.***> wrote:
@epicfaace <https://github.com/epicfaace>
Thanks! That fixed all the mentioned errors so far!
*What's the most elegant way of dealing with this part in
"pages/AuthCreateAccount/AuthCreateAccount.tsx" ?*
I've used stage=*prod* (etc.) for everything during deployment.
Request URL: https://api.example.com/organizations/public
Request Method: GET
Status Code: 403
[image: screenshot-1]
<https://user-images.githubusercontent.com/2017450/155191597-e23e6868-f40e-4dfd-b708-f64d2ec91844.png>
|
@epicfaace I managed to log in after doing that. Now I get 403 HTTP error when I try to do something useful - e.g. create an "organization" in Crossfeed, invite user etc. The API response is "User must accept terms of use". Is there a better way to proceed with this other than editing the backend/src/api/app.ts ? |
Try going to Note that the TOU are really only specific to CISA's crossfeed instance, which we should probably remove if you're standing up your own instance. |
Thanks, this one did not work unfortunately. Whitelisting the desired domains in backend/src/api/app.ts worked. |
Okay, that's great! Probably a bug that needs to be fixed in the future. |
🐛 Summary
What's wrong? Please be specific.
When I log in with my cognito newly created user I see "Less than two MFA types available" on a white screen.
No dashboards etc.
This happens right after entering the correct auth code from the authenticator mobile app.
Please see the screenshots for details and let me know what additional debug info I should bring in (and possibly how to get that for you).
To reproduce
Using the Terraform scripts I deployed Crossfeed (modified prod vars/confs) on a fresh/empty aws account with the following ssms set to a random string as they were required by the Terraform scripts:
And these ssms were set correctly (proper keys & user-agent string) as in the docs:
Terraform deployed successfully without any errors etc.
I've tested the deployment on a different fresh aws account before the final no-error deployment mentioned here.
This ssm was manually corrected:
Steps to reproduce the behavior:
What am I missing?
Everything was done according to the docs and yet you can see what bothers me in the screenshots.
Expected behavior
What did you expect to happen that didn't?
Crossfeed to be working properly when installed via the Terraform scripts on a brand new/fresh aws account.
Any helpful log output or screenshots
Paste the results here:
git status:
git diff backend/env.yml backend/package.json backend/tools/deploy-worker.sh infrastructure/Makefile infrastructure/main.tf infrastructure/prod.config infrastructure/prod.tfvars infrastructure/users.tf
Add any screenshots of the problem here.