# aws
t
Hey you lovely people! In TypeScript, trying to use `@pulumi/postgresql` to create a role on an Aurora PostgreSQL database after its creation, much like shown in this blog post for MySQL and an RDS instance (second example). Unfortunately, I have no luck and run into a timeout error:
```
postgresql:index:Role (<role name>):
    error: could not start transaction: dial tcp xx.x.x.xxx:5432: connect: operation timed out
```
Found an issue on GitHub that seemed related, but wasn't able to derive a solution for my case from it. This is the part of the program that is supposed to create the role:
```typescript
this.postgresProvider = new postgresql.Provider('aurora-postgresql', {
    expectedVersion: this.cluster.engineVersion,
    host: this.cluster.endpoint,
    password: this.password.result,
    port: this.cluster.port,
    username: this.cluster.masterUsername
}, {
    parent: this.cluster
});

this.postgresUser = new postgresql.Role(<role name>, {
    createDatabase: true,
    createRole: true,
    login: true,
    name: <role name>,
    roles: ['rds_iam']
}, {
    parent: this.postgresProvider,
    provider: this.postgresProvider
});
```
The instances on the cluster are set to not be publicly accessible, in case that has anything to do with it. Any help and pointers would be greatly appreciated! Cheers ✌️
b
You likely got it with your last note - the node you’re running Pulumi on will need to be able to access the Postgres API, so if the Aurora RDS rejects that access, Pulumi won’t be able to connect.
t
Aaah, I suspected that might be the culprit, dang. And there's probably not an easy way around it I suppose? 😄
b
But generally you would run Pulumi from a node that has network access to it.
t
Technically it does through an SSH tunnel—changed the `endpoint` parameter of the `postgresql.Provider` to `localhost` and now it works. The problem is that when the entire stack is provisioned at once (and setting up the bastion host through which the connection goes is part of it), establishing the SSH tunnel would have to be part of the program. Still, this is progress, so thank you a lot! 😄
b
Yep, you’d want to set up the bastion host to be able to do that 🙂
g
@thousands-area-40147 or your CI/CD runner to have that access
A GitHub or GitLab runner can run on ECS. Technically a Pulumi program can run in Lambda, but I'd not risk that because of timeouts. So if not ECS, then AWS Code Deploy/Pipeline (but I hate AWS Code* services, so that's a pass for me).
t
We're only starting to adopt IaC, so I'll make sure to relay your input to the team! Thanks! 😄
g
Hmm, it depends on your experience, but it wouldn't be a bad idea to hire a consultant for a few hours just to give you some evaluation and tips on how to move forward.
t
Got someone already, I just want to be able to ask informed questions 😁