
thousands-area-40147

08/19/2021, 4:02 PM
Hey you lovely people! In Typescript, trying to use @pulumi/postgresql to create a role on an Aurora postgresql database after its creation, much like shown in this blog post for mysql and an RDS instance (second example). Unfortunately, I have no luck and run into a timeout error:
```
postgresql:index:Role (<role name>):
    error: could not start transaction: dial tcp xx.x.x.xxx:5432: connect: operation timed out
```
Found an issue on Github that seemed related, but wasn't able to derive a solution for my case from it. This is the part of the program that is supposed to create the role:
```typescript
import * as postgresql from '@pulumi/postgresql';

// Provider pointed at the Aurora cluster endpoint. The machine running
// `pulumi up` must be able to reach this host:port, otherwise every
// resource using this provider fails with a connection timeout.
this.postgresProvider = new postgresql.Provider('aurora-postgresql', {
    expectedVersion: this.cluster.engineVersion,
    host: this.cluster.endpoint,
    password: this.password.result,
    port: this.cluster.port,
    username: this.cluster.masterUsername
}, {
    parent: this.cluster
});

// Role created through the provider above; `<role name>` is a placeholder
// as in the original message.
this.postgresUser = new postgresql.Role(<role name>, {
    createDatabase: true,
    createRole: true,
    login: true,
    name: <role name>,
    roles: ['rds_iam']
}, {
    parent: this.postgresProvider,
    provider: this.postgresProvider
});
```
The instances on the cluster are set to not be publicly accessible, in case that has anything to do with it. Any help and pointers would be greatly appreciated! Cheers ✌️

bored-table-20691

08/19/2021, 4:34 PM
You likely got it with your last note - the node you’re running Pulumi on will need to be able to access the Postgres API, so if the Aurora RDS rejects that access, Pulumi won’t be able to connect.

thousands-area-40147

08/19/2021, 4:36 PM
Aaah, I suspected that might be the culprit, dang. And there's probably not an easy way around it I suppose? 😄

bored-table-20691

08/19/2021, 4:40 PM
But generally you would run Pulumi for a node that has network access to it.

thousands-area-40147

08/19/2021, 4:47 PM
Technically it does through an SSH tunnel—changed the endpoint parameter of the postgresql.Provider to localhost and now it works. The problem is that when the entire stack is provisioned at once (and setting up the bastion host through which the connection goes is part of it), establishing the SSH tunnel would have to be part of the program. Still, this is progress, so thank you a lot! 😄

bored-table-20691

08/19/2021, 4:54 PM
Yep, you’d want to set up the bastion host to be able to do that 🙂

great-sunset-355

08/19/2021, 5:33 PM
@thousands-area-40147 or your CI/CD runner to have that access
A GitHub or GitLab runner can run on ECS. Technically a pulumi program can run in Lambda, but I'd not risk that because of timeouts. So if not ECS, then AWS CodeDeploy/CodePipeline (but I hate AWS Code* services, so that's a pass for me)

thousands-area-40147

08/19/2021, 5:37 PM
We're only starting to adopt IaC, so I'll make sure to relay your input to the team! Thanks! 😄

great-sunset-355

08/19/2021, 5:41 PM
hmm, it depends on your experience, but it wouldn't be a bad idea to hire a consultant for a few hours just to give you some evaluation and tips on how to move forward

thousands-area-40147

08/19/2021, 5:44 PM
Got someone already, I just want to be able to ask informed questions 😁