# aws
q
Wouldn't it help if you use an EC2 instance with 2 interfaces; one connected to the private subnet and one connected to the public subnet?
v
That will help but how do I do that with pulumi?
q
Ah..ok
Have you considered creating an SSH tunnel and then passing that to pulumi to create a DB in RDS?
v
I wonder if I can start a server on AWS from CI/CD and run Pulumi from there. I think this will be the best option in my opinion
q
That's also a good option
v
I mean GitHub Actions lets you run your own worker
q
m
automation api in a lambda would be the smallest footprint. Bastion isn't a bad solution, especially if you already have one that you can leverage, but then you also have an ec2 to care about now.
s
There are a few options here: 1. Create a VPN gateway 2. Create an EC2 instance in your VPC that has SSM Session Manager enabled (much better than creating a bastion host IMO): https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
m
I'm confused how that's not a bastion still?
just a bastion using the ssm proxycommand in your ssh config
v
> automation api in a lambda
This is just to create a user, or to run everything in there?
m
just for the provisioning of the databases on the rds
v
Interesting. I still have to invoke the Lambda function, and I do not think Pulumi can do that without writing a plugin or something
m
If you're more comfortable with the bastion approach https://github.com/pulumi/automation-api-examples/tree/main/nodejs/ssh-tunnel
b
this is a networking problem! I have a couple of ways to solve it that aren't production ready yet https://connecti.cloud/ https://github.com/lbrlabs/pulumi-tailscale-bastion
s
@millions-furniture-75402 You can open an SSH session right in the AWS console so that you don't need to manage keys or have direct network connectivity, plus IAM-integrated auth. That's the primary advantage.
For a more robust solution, I'd look at what @billowy-army-68599 did with Tailscale. Tailscale's product is pretty impressive.
m
Right, we use ssm session manager for our bastions
now something like CloudShell that I could proxy through would be amazing, so we wouldn't have to manage an EC2.
s
@millions-furniture-75402 Looking for that feature in CloudShell is exactly what I did before suggesting SSM. Was bummed it wasn't there. When you say "bastion", are you allowing connections from the outside world, potentially for tunneling, or do you just mean "bastion" in the sense of "a thing we spin up SSH sessions on"?
m
bastion in the sense that it's a virtual machine that's running inside the VPC that we can connect to from the outside, if authorized.