Hello, I would like to create an `aws.rds.Instance...
# general
h
Hello, I would like to create an `aws.rds.Instance` with a `securityGroup` which allows only access from a specific `aws.ec2.Instance`. But if I would like to use `mysql.Provider` to create a database and user, I get this error when running `pulumi up`:

```
error: Could not connect to server: dial tcp 10.0.8.127:3306: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
```

How could I achieve that?
w
You would need to allow ingress to the security group from the environment you are running your deployment. Either your machine’s IP, or a CIDR block for your CI/CD system, or peer into the VPC where deployments will run, or set up a VPN connection to the target VPC.
h
If I have an `rds` like this:

```ts
const rds = new aws.rds.Instance('db', {
    vpcSecurityGroupIds: [securityGroup.id, securityGroup2.id]
    //...
});
```

```ts
const provider = new mysql.Provider(...)
const db = new mysql.Database(...)
```

How can I remove `securityGroup2.id` from the `rds` above after creating the RDS instance and the database? `securityGroup2` allows my machine to run mysql operations.
I think I must split the logic into 3 sub projects. I think Inter-Stack Dependencies is better than Micro-Stacks in this case. The first one is to create RDS with both security groups. The second will create the database (because of the security group 2). The third one will remove the security group 2. Do you have any better idea?
w
It will in general be hard to remove the security group needed here as part of a desired state system (Pulumi, CloudFormation, Terraform, etc.). If it can work for your use case, I'd suggest permanently allowing ingress from the deployment context you are running in. Alternatively, you may want to use the VPN approach to VPN the deployment context into the VPC. This is more machinery to set up - but allows you to dynamically negotiate access from arbitrary external endpoints.
h
Thanks for your suggestion! I am thinking about another solution. I will create a jumphost and use ansible to connect to the host inside the subnet and from here ansible can connect to the database. So basically, my machine (run ansible code) -> ec2 ssh bastion (public ip, security group to access middle host via ssh) -> ec2 middle host (private ip only, security group to access rds) -> rds. The reason I use ansible instead of pulumi for creating databases in RDS is that I don't need to install nodejs on that host.
I am also looking how to setup a vpn with pulumi as your suggestion. It could be better than using ansible via middle host.
To summarize, I have 3 good solutions: peer VPC, VPN, and Ansible with an on-demand middle ec2. I will check and select the one that fits my personal project. Thanks!