I'm looking to have the Postgres Provider talk to my RDS cluster that is only available (through a security group) to my EKS nodes. One way I can stitch that together manually is by `kubectl run`ing https://hub.docker.com/r/marcnuri/port-forward in my cluster and then using

kubectl port-forward

. Is there a good way to do this in Pulumi? I'm familiar with the

commands

package, but I can't quite figure out how to make that work in a declarative style such that it cleans up well after itself (shuts down the container in eks, kills the

port-forward

command...etc.)

vpn to the cluster?

the cluster doesn't exist before invoking

pulumi up

fair point! Then if you're doing something like populating the schema, I'd just run a job in that cluster that invokes

psql

. Port-forwarding sounds like a mess

it means i would have to give up on the benefits of the pulumi postgres package in terms of creating/updating resources

true as well

was considering that - it means detecting changes on every

up

because if yes, it may be possible to chain resources in the order of "create a relaxed SG" -> "do the postgres things" -> "make SG restrictive again"

the other slightly annoying thing about it is it's not so easy to move an rds instance between subnets, so i'm not sure how doable that is

you can also run a vpn to the vpc I think

the vpc also doesn't exist before hand

create the vpc - configure the vpn there - run the local.Command that connects to that vpn

ah, yeah, that's interesting

it does sound rather like an overkill and I'm not sure how well it'll play with your CICD

yeah, i'll have to explore. thanks for the ideas!

put a tailscale subnet router in the vpc https://github.com/lbrlabs/pulumi-tailscale-bastion