I have a postgres RDS in a private VPC created via...
# aws
r
I have a postgres RDS in a private VPC created via pulumi and I also use the postgres provider to set up some grants, schemas and roles in the RDS. I want to run pulumi commands in github workflows but wondering what the best way to set up access to this is? Currently the postgres resources time out due to not having access since the github workflow is outside the network
a
You'd either have to run a self-managed GitHub Actions Runner in that same VPC or set fixed outgoing IP addresses on the GitHub managed runners and allow those to connect to the RDS instance.
r
Right, thanks!
q
You could also use a bastion host in the VPC to do remote port forwarding. This is even possible without exposing the bastion directly to the internet by using AWS SSM Session Manager. A t4g.nano instance would run you ~$3 a month. Ideally put it in an ASG to guarantee uptime and automatically replace it.
r
Ah right, so essentially setting up a bastion host and doing something like this:
aws ssm start-session \
    --target instance-id \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters '{"host":["mydb.example.us-east-2.rds.amazonaws.com"],"portNumber":["3306"],"localPortNumber":["3306"]}'
before the pulumi commands should be enough?
q
Yeah, that should do the trick IIRC!
r
Awesome, thanks for the tip!
l
^ This. If you use Pulumi Automation, you can even do this as part of a single program that executes your Pulumi stack after establishing the SSM session. I've done this before and it worked really well 🙂