
boundless-telephone-75738

07/16/2021, 2:19 PM
So I got a PostgreSQL rds.Instance up and running; now I want to define an extra database inside this instance, so I configure a pg.Provider:
import { rds } from "@pulumi/aws";
import * as pg from "@pulumi/postgresql";

// `name` is a stack-level constant defined elsewhere in the program
const pgProvider = (db: rds.Instance, pw: string) => {
    return new pg.Provider(`${name}-db-provider`, {
        port: db.port,
        host: db.address,
        password: pw,
        username: db.username,
        superuser: true
    });
};
but that causes Pulumi to try to connect to the rds.Instance's private IP, and I end up with
error: error detecting capabilities: error PostgreSQL version: dial tcp: lookup <privateip>
when trying to define a role. Is there a way to use aws.rds to create roles and databases in addition to the initialDatabase created when using
aws.rds.Instance('name', config)
? From the docs it's not clear to me how to do this, which is the reason why I moved to the postgresql package and tried to define a provider to tell it about my RDS instance. I found https://www.pulumi.com/blog/managing-your-mysql-databases-with-pulumi/ for MySQL, but the pg.Provider does not accept an endpoint. I tried using the endpoint for the host property, but that causes a double
:PORT:PORT

great-sunset-355

07/16/2021, 3:49 PM
If you have created an RDS instance in a private subnet, then the only way to connect is having a network connection, I guess.

billowy-army-68599

07/16/2021, 5:40 PM
Agree with Jan, can you share the code you used to define your DB instance?

boundless-telephone-75738

07/19/2021, 6:43 AM
Sorry for the late answer, but yes, this is the database code:
import * as aws from "@pulumi/aws";

// `name`, `vpc`, `sg` and the randomPassword() helper are defined
// elsewhere in the program
const dbSubnets = new aws.rds.SubnetGroup(
    `unleash-iaac-private-subnets`,
    {
        subnetIds: vpc.privateSubnetIds,
    }
);
export const unleashDb = new aws.rds.Instance(name, {
    instanceClass: 'db.t3.micro',
    dbSubnetGroupName: dbSubnets.id,
    vpcSecurityGroupIds: [sg.id],
    name: 'unleash',
    allocatedStorage: 20,
    maxAllocatedStorage: 100,
    engine: 'postgres',
    engineVersion: "13.3",
    username: 'unleash',
    publiclyAccessible: false,
    skipFinalSnapshot: true,
    deletionProtection: false,
    password: randomPassword("database").result,
    allowMajorVersionUpgrade: true
});
So, I might want to expand dbSubnet to include the public subnet, and turn publiclyAccessible to true?

billowy-army-68599

07/19/2021, 6:55 AM
Well you might, but there are security implications. You probably want to set up a bastion host.

boundless-telephone-75738

07/19/2021, 6:56 AM
Will have a look at that. Thanks so much for taking the time to reply.

great-sunset-355

07/19/2021, 10:03 AM
Another option instead of a bastion host is any EC2 instance with access to the database network with the Session Manager client installed - this way even the EC2 instance can be in the private subnet: https://www.element7.io/2021/01/aws-ssm-session-manager-port-forwarding-to-rds-without-ssh/ Then you can port forward only the database port to your local machine. I do this with a Cloud9 instance - as a bonus you get an IDE. However, for production and CI/CD I'd use a private running in my VPC to eliminate all network problems. The postgresql provider could connect to the DB on your localhost - then you could develop all the code there and the CI/CD deployment would run in the VPC. And as jaxx says, I would not recommend opening your DB to the public network.
Technically, with Cloud9 you get a good enough IDE. It's not VSCode but it could do for development of this feature.
For completeness, here is the tl;dr port-forwarding flow:
# on remote ec2
RDS_ENDPOINT=<instance>.eu-central-1.rds.amazonaws.com:5432
REMOTE_PORT=5432
sudo socat TCP-LISTEN:${REMOTE_PORT},reuseaddr,fork TCP4:${RDS_ENDPOINT}

# on local machine:

INSTANCE_ID=<cloud9 instanceID>  # ID of cloud9 instance
REMOTE_PORT=5432  # port where cloud9 listens on
LOCAL_PORT=5432  # port on the local machine that is exposed
aws ssm start-session --target $INSTANCE_ID --document-name AWS-StartPortForwardingSession --parameters "{\"portNumber\":[\"${REMOTE_PORT}\"], \"localPortNumber\":[\"${LOCAL_PORT}\"]}"

# access RDS at postgresql://localhost:$LOCAL_PORT/db

boundless-telephone-75738

07/19/2021, 11:11 AM
Thank you Jan. Great option.