https://pulumi.com logo
#general
Title
# general
h

handsome-xylophone-18806

02/16/2020, 2:29 PM
Hello, I would like to create an
aws.rds.Instance
with a
securityGroup
which allows only access from a specific
aws.ec2.Instance
. But If I would like to use
mysql.Provider
to create a database and user, I get this error when run
pulumi up
Copy code
error: Could not connect to server: dial tcp 10.0.8.127:3306: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
How could I achieve that?
w

white-balloon-205

02/16/2020, 4:19 PM
You would need to allow ingress to the security group from the environment you are running your deployment. Either your machine’s IP, or a CIDR block for your CI/CD system, or peer into the VPC where deployments will run, or set up a VPN connection to the target VPC.
h

handsome-xylophone-18806

02/16/2020, 9:04 PM
If I have a
rds
like this:
Copy code
const rds = new aws.rds.Instance('db', {
    vpcSecurityGroupIds: [securityGroup.id, securityGroup2.id]
    //...
});
Copy code
const provider = new mysql.Provider(...)
const db = new mysql.Database(...)
How can I remove
securityGroup2.id
from the
rds
above after creating rds and database?
securityGroup2
allows my machine to run mysql operations.
I think I must split the logic into 3 sub projects. I think Inter-Stack Dependencies is better than Micro-Stacks in this case. The first one is to create RDS with both security groups. The second will create the database (because of the security group 2). The third one will remove the security group 2. Do you have any better idea?
w

white-balloon-205

02/17/2020, 8:59 PM
It will in general be hard to remove the security group needed here as part of a desired state system (Pulumi, CloudFormation, Terraform, etc.). If it can work for your use case, I'd suggest permanently allowing ingress from the deployment context you are running in. Alternatively, you may want to use the VPN approach to VPN the deployment context into the VPC. This is more machinery to set up - but allows you to dynamically negotiate access from arbitrary external endpoints.
h

handsome-xylophone-18806

02/17/2020, 9:47 PM
Thanks for your suggestion! I am thinking about another solution. I will create a jumphost and use ansible to connect to the host inside the subnet and from here ansible can connect to the database. So basically, my machine (run ansible code) -> ec2 ssh bastion (public ip, security group to access middle host via ssh) -> ec2 middle host (private ip only, security group to access rds) -> rds. The reason I use ansible instead of pulumi for creating databases in RDS is that I don't need to install nodejs on that host.
I am also looking how to setup a vpn with pulumi as your suggestion. It could be better than using ansible via middle host.
To summarize, I have 3 good solutions: peer VPC, VPN and Ansible with middle on-demand ec2. I will check and select the one that fits to my personal project. Thanks!
4 Views