# aws
f
Hi guys, I’m wondering what’s the canonical way with Pulumi to access and manage RDS instances/clusters in a private subnet? I created a postgresql provider with @pulumi/postgresql but obviously it can’t reach the endpoint which does not resolve outside my vpc/subnet. I was thinking using an aws.ec2clientvpn but not sure I can then use some kind of provider from it to connect my program to the vpn and access the rds instances. Thanks for your ideas/rex!
m
The best I’ve come up with so far is a lambda in the same private subnet that can run the provisioner. However, pulumi currently has a limitation where it won’t package (some of) its own libraries in lambdas, so it would have to be deployed separately. In line with your approach would maybe be setting up a bastion with an ssh local forward to the rds host, establishing the ssh connection before running pulumi up.
f
@millions-furniture-75402 thanks! Indeed I came up with more or less the same conclusion (given what I know/understand so far), but didn’t think of using lambdas for provisioning, that’s a neat idea. I was actually thinking of setting up the vpn in another pulumi project and then starting a client as a prerequisite on the provisioner host before running the pulumi up for the main platform project.
But I was wondering if there was an easier way because it adds some work and complexity to the pipeline then.
m
Let me know what approach you end up going with. Right now I’ve settled for having a manual step for provisioning databases with the aid of a script on a bastion.
b
I personally use a vpn, although the clientvpn was a little bit of a pain to set up. I switched to using tailscale and a bastion host, and it works pretty flawlessly https://twitter.com/briggsl/status/1283141723489595392?s=20
f
@billowy-army-68599 great, thanks! I’ll have a look and keep you guys updated here
q
Nice, @billowy-army-68599! I'll have to look closer at your solution, and Tailscale!