i have a postgres hosted in an ec2 instance on a private subnet. I need to copy over and run some intialization scripts to open connections, create a database and user, etc. How would i go about copying over files and running commands for an instance in a private subnet? i know of the

command.remote.ConnectionArgs

,

command.remote.CopyFile

, and

command.remote.Command

but this wouldn’t work if the instance is in a private subnet.

this is a networking problem, you either need to use a bastion/jumpbox or a vpn

Commands for initialization can also be handled through SSM (aws.ssm has the Document and Association resources that you'd need for this approach), or you can use userdata (cloud-init package's GetConfig function is the way to go here).

You also pair pulumi's

command.local.Command

to use the aws CLI to invoke handy built-in AWS SSM / Systems Manager features, like running remote commands/scripts, or starting a port forwarding session. One of the nice parts of this approach is that your automations never touch your SSH keys...but there are some pre-reqs for using Systems Manager.

And you still need access, since the command does run on the machine. cloud-init and SSM documents run on the machine itself, which makes it handy if the machine is on an isolated subnet, for example.