awslabs / aws-greengrass-group-setup Goto Github PK

Create a quick start guide that covers the example file format and CLI use.

It seems the botocore version pulled in by gg_group_setup (via boto3) is botocore-1.5.95.
The latest awscli package seems to want botocore-1.7.0.

With the old botocore the new cli barfs with:
Traceback (most recent call last):
File "/usr/local/bin/aws", line 19, in
import awscli.clidriver
File "/home/jim/.local/lib/python2.7/site-packages/awscli/clidriver.py", line 35, in
from awscli.help import ProviderHelpCommand
File "/home/jim/.local/lib/python2.7/site-packages/awscli/help.py", line 27, in
from awscli.clidocs import ProviderDocumentEventHandler
File "/home/jim/.local/lib/python2.7/site-packages/awscli/clidocs.py", line 18, in
from botocore.utils import is_json_value_header
ImportError: cannot import name is_json_value_header

--clean-all doesnot work properly. We still need to do a --clean-file prior to the next run.

create group incorrectly assesses is_fresh when Core created previously.

Looks like GroupCommands accepts a profile_name parameter, but afterwards it never uses it.

_get_iot_session function also takes in a profile_name as a parameter, but no usages of this function actually pass in the profile_name.

This should be remedied so that people can pass in different profiles to edit/create Greengrass groups in different accounts.

The current work around is to change the default in ~/.aws/credentials depending on which account you want to modify.

If gg_group_setup is executed without --region parameter, the core and the group always gets created in us-west-2. It does not retrieve the region from AWS user profile.

These are the commands that I used to create a group:
gg_group_setup create-core --thing-name GGCore --config-file sampleconfig.json --region us-east-1 --cert-dir corecerts
gg_group_setup create-devices --thing-names '[device1, device2, device3]' --config-file sampleconfig.json --region us-east-1 --cert-dir devicecerts
Started greengrass daemon in the core
gg_group_setup create --group-type mock --config-file sampleconfig.json --region us-east-1
gg_group_setup deploy --config-file sampleconfig.json --region us-east-1

Deployment is successful but the group is created with a core and no devices. The things has been created in IoT but not attached to the group.

Is there any limitations while using the gg_group_setup CLI or is it possible only by writing a custom groupType using gg_group_setup as a library?

I need a stable release tag to pull for my project that contains the following PR merge:

• Issue #22 and Pull Request #23

Can you kindly make a release version v0.5.4 or v0.6.0 accordingly please?

It would be great if gg_group_setup could support create-core followed immediately by create-group. At this point in time there's an assumption in the code that there will always be devices created before a create-group is called. Came from conversation with: @neelmitra

Add a group type that is as empty as possible.

The create, clean_all, and deploy functions should ensure they are given valid regions if the region value is not None. Likely this is a simple comparison between the result of invoking boto3.client('ec2').describe_regions() with the given region value.

When one creates a Core prior to executing create-devices, the create-devices command thinks the configuration file is not "fresh".

Steps to reproduce:

1. Configure AWS credentials with something other than us-west-2 (e.g. us-east-1).
2. Create a GreenGrass Group with at least one lambda function (some code path executes GroupCommand.create) and make sure the specified region doesn't match your AWS config.

Expected result:

Lambda function lookups should be correctly scoped to the region specified as parameters.

Actual result:

Lambda function lookups aren't performed in the region specified as parameters; the default specified in AWS credentials is used.

Suggested fix:

cmd.py
GroupCommands._create_function_definition

Change this line –
aws = boto3.client('lambda')
– to this –
aws = boto3.client('lambda', region_name=region)

Greetings,

I'm working on Greengrass deployment automation and have created a script similar to this one (didn't know it existed when I started). And now I found that I cannot find any Greengrass software download links in the documentation. Do you know of any way to download the software without having to create the group and core using AWS Console?

Thank you,
Shavkat

I use Environment Variables on Lambda Function Definitions to keep my apps aligned with 12factor app principles.

The current cfg.json#lambda_functions/<functionName> and gg_group_setup create doesn't allow me to do this in anyway.

As the API is currently exposed, lambda functions referenced with gg_group_setup are on-demand by default with no option to set them to pinned. I need a way to specify that a lambda function is long-lived / pinned – see create_function_definition.

I've been able hack in support by overriding GroupCommands._create_function_definition in a subclass.

After subclassing, the relevant config –
"lambda_functions": { "function_name": { "arn": "function_arn", "arn_qualifier": "dev" }
– is updated to look like this –
"lambda_functions": { "function_name": { "arn": "function_arn", "arn_qualifier": "dev", "pinned": false }

Are there plans to expose this functionality? I can package these changes up into a PR if that's helpful.

The default behavior of an instantiated group should support auto-discovery of the Greengrass Core.
A command like this works:

aws greengrass create-function-definition-version \
--function-definition-id 4d941bc7-92a1-4f45-8d64-EXAMPLEf76c3 \
--functions '[{"FunctionArn":"arn:aws:lambda:::function:GGIPDetector:1","Id":"1","FunctionConfiguration":{"Pinned":true,"MemorySize":32768,"Timeout":3}}]' \
--region us-west-2

Essentially, use create-function-defintion-version and add arn:aws:lambda:::function:GGIPDetector:1 just like any other Lambda with the function configuration as shown above.

Originally reported by @neelmitra in Issue #15 as "the mock service role does not work". Specifically:

In addition the mock service role does not work, we still need to create a separate role with AWSGreengrassResourceAccessRolePolicy and associate to the account as below.

aws greengrass associate-service-role-to-account --role-arn arn:aws:iam::xxxxxxxxxxxxx:role/GreengrassRole

Can the group type be configurable as empty , mock or any name the user chooses ?

In addition the mock service role does not work, we still need to create a seperate role with AWSGreengrassResourceAccessRolePolicy and associate to the account as below.

aws greengrass associate-service-role-to-account --role-arn arn:aws:iam::xxxxxxxxxxxxx:role/GreengrassRole

Hi,

Thank you for create this tool, quit handy!
But I have to change ak/sk to the default, otherwise gg_group_setup create-core not work and return error: The security token included in the request is invalid.

2021-01-29 15:04:23,105|botocore.credentials|INFO: Found credentials in shared credentials file: ~/.aws/credentials
Traceback (most recent call last):
  File "/opt/homebrew/bin/gg_group_setup", line 8, in <module>
    sys.exit(main())
  File "/opt/homebrew/lib/python3.9/site-packages/gg_group_setup/cmd.py", line 900, in main
    fire.Fire(gc)
  File "/opt/homebrew/lib/python3.9/site-packages/fire/core.py", line 141, in Fire
    component_trace = _Fire(component, args, parsed_flag_args, context, name)
  File "/opt/homebrew/lib/python3.9/site-packages/fire/core.py", line 466, in _Fire
    component, remaining_args = _CallAndUpdateTrace(
  File "/opt/homebrew/lib/python3.9/site-packages/fire/core.py", line 681, in _CallAndUpdateTrace
    component = fn(*varargs, **kwargs)
  File "/opt/homebrew/lib/python3.9/site-packages/gg_group_setup/cmd.py", line 711, in create_core
    keys_cert, thing = self.create_thing(thing_name, region, cert_dir)
  File "/opt/homebrew/lib/python3.9/site-packages/gg_group_setup/cmd.py", line 627, in create_thing
    keys_cert = iot_client.create_keys_and_certificate(setAsActive=True)
  File "/opt/homebrew/lib/python3.9/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/opt/homebrew/lib/python3.9/site-packages/botocore/client.py", line 676, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (UnrecognizedClientException) when calling the CreateKeysAndCertificate operation: The security token included in the request is invalid.