This message was deleted.
# awss
sparse-intern-71089
11/11/2022, 6:30 AMThis message was deleted.
q
quaint-eye-38036
11/11/2022, 10:01 AMWouldn't it help if you use an EC2 instance with 2 interfaces; one connected to the private subnet and connected to the public subent?
v
victorious-dusk-75271
11/11/2022, 10:01 AMThat will help but how do I do that with pulumi?
q
quaint-eye-38036
11/11/2022, 10:02 AMAh..ok
quaint-eye-38036
11/11/2022, 10:06 AMHave you considered creating an SSH tunnel and then passing that to pulumi to create a DB in RDS?
quaint-eye-38036
11/11/2022, 10:07 AMv
victorious-dusk-75271
11/11/2022, 10:11 AMI wonder if I can start a server on AWS from CI/CD and run the Pulumi from there. I think this will be the best option in my opinion
q
quaint-eye-38036
11/11/2022, 10:12 AMThat's also a good option
v
victorious-dusk-75271
11/11/2022, 10:12 AMI mean github action let you run your own worker
q
quaint-eye-38036
11/11/2022, 10:13 AMm
millions-furniture-75402
11/11/2022, 1:56 PMautomation api in a lambda would be the smallest footprint. Bastion isn't a bad solution, especially if you already have one that you can leverage, but then you also have an ec2 to care about now.
s
stocky-restaurant-98004
11/11/2022, 3:33 PMThere's a few options here:
1. Create a VPN gateway
2. Create an EC2 instance in your VPC that has SSM Session Manager enabled (much better than creating a bastion host IMO): https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
m
millions-furniture-75402
11/11/2022, 3:33 PMI'm confused how that's not a bastion still?
millions-furniture-75402
11/11/2022, 3:34 PMjust a bastion using the ssm proxycommand in your ssh config
v
victorious-dusk-75271
11/11/2022, 3:36 PM| automation api in a lambda
This is just to create user or run everything in there?
m
millions-furniture-75402
11/11/2022, 3:36 PMjust for the provisioning of the databases on the rds
v
victorious-dusk-75271
11/11/2022, 3:38 PMInteresting. I still have to invoke the lambda function and I do not think pulumi can do that without writing a plugin or something
m
millions-furniture-75402
11/11/2022, 3:38 PMSome related examples here https://github.com/pulumi/automation-api-examples
millions-furniture-75402
11/11/2022, 3:40 PMmillions-furniture-75402
11/11/2022, 3:42 PMIf you're more comfortable with the bastion approach https://github.com/pulumi/automation-api-examples/tree/main/nodejs/ssh-tunnel
b
billowy-army-68599
11/11/2022, 4:17 PM
this is a networking problem! i have a couple ways to solve it that aren’t production ready yet
https://connecti.cloud/
https://github.com/lbrlabs/pulumi-tailscale-bastion
👍 1
s
stocky-restaurant-98004
11/11/2022, 4:56 PM@millions-furniture-75402 You can open an SSH session right in the AWS console so that you don't need to manage keys or have direct network connectivity, plus IAM-integrated auth. That's the primary advantage.
stocky-restaurant-98004
11/11/2022, 4:57 PMFor a more robust solution, I'd look at what @billowy-army-68599 did with Tailscale. Tailscale's product is pretty impressive.
m
millions-furniture-75402
11/11/2022, 5:55 PMRight, we use ssm session manager for our bastions
millions-furniture-75402
11/11/2022, 5:56 PMnow something like cloudshell that I could proxy through would be amazing, so we wouldn't have to manage an EC2.
s
stocky-restaurant-98004
11/11/2022, 8:40 PM@millions-furniture-75402 Looking for that feature in CloudShell is exactly what I did before suggesting SSM. Was bummed it wasn't there.
When you say "bastion", are you allowing connections from the outside world, potentially for tunneling, or do you just mean "bastion" in the sense of "a thing we spin up SSH sessions on"?
m
millions-furniture-75402
11/11/2022, 8:41 PMbastion in the sense that it's a virtual machine that's running inside the VPC that we can connect to from the outside, if authorized.
👍 1
9 Views