
victorious-dusk-75271

11/11/2022, 6:30 AM
Hi, I can't figure out how to create a database because my RDS server runs in private subnets. How do you guys do it?

quaint-eye-38036

11/11/2022, 10:01 AM
Wouldn't it help if you use an EC2 instance with 2 interfaces; one connected to the private subnet and one connected to the public subnet?

victorious-dusk-75271

11/11/2022, 10:01 AM
That will help but how do I do that with pulumi?

quaint-eye-38036

11/11/2022, 10:02 AM
Ah..ok
Have you considered creating an SSH tunnel and then passing that to pulumi to create a DB in RDS?

victorious-dusk-75271

11/11/2022, 10:11 AM
I wonder if I can start a server on AWS from CI/CD and run the Pulumi from there. I think this will be the best option in my opinion

quaint-eye-38036

11/11/2022, 10:12 AM
That's also a good option

victorious-dusk-75271

11/11/2022, 10:12 AM
I mean GitHub Actions lets you run your own worker

quaint-eye-38036

11/11/2022, 10:13 AM

millions-furniture-75402

11/11/2022, 1:56 PM
Automation API in a Lambda would be the smallest footprint. Bastion isn't a bad solution, especially if you already have one that you can leverage, but then you also have an EC2 to care about now.

stocky-restaurant-98004

11/11/2022, 3:33 PM
There are a few options here:
1. Create a VPN gateway
2. Create an EC2 instance in your VPC that has SSM Session Manager enabled (much better than creating a bastion host IMO): https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html

millions-furniture-75402

11/11/2022, 3:33 PM
I'm confused how that's not a bastion still?
Just a bastion using the SSM ProxyCommand in your SSH config.

victorious-dusk-75271

11/11/2022, 3:36 PM
> Automation API in a Lambda
This is just to create users, or run everything in there?

millions-furniture-75402

11/11/2022, 3:36 PM
Just for the provisioning of the databases on the RDS.

victorious-dusk-75271

11/11/2022, 3:38 PM
Interesting. I still have to invoke the Lambda function, and I do not think Pulumi can do that without writing a plugin or something.

millions-furniture-75402

11/11/2022, 3:38 PM
If you're more comfortable with the bastion approach https://github.com/pulumi/automation-api-examples/tree/main/nodejs/ssh-tunnel

billowy-army-68599

11/11/2022, 4:17 PM
This is a networking problem! I have a couple of ways to solve it that aren't production ready yet: https://connecti.cloud/ https://github.com/lbrlabs/pulumi-tailscale-bastion

stocky-restaurant-98004

11/11/2022, 4:56 PM
@millions-furniture-75402 You can open an SSH session right in the AWS console so that you don't need to manage keys or have direct network connectivity, plus IAM-integrated auth. That's the primary advantage.
For a more robust solution, I'd look at what @billowy-army-68599 did with Tailscale. Tailscale's product is pretty impressive.

millions-furniture-75402

11/11/2022, 5:55 PM
Right, we use SSM Session Manager for our bastions.
Now something like CloudShell that I could proxy through would be amazing, so we wouldn't have to manage an EC2.

stocky-restaurant-98004

11/11/2022, 8:40 PM
@millions-furniture-75402 Looking for that feature in CloudShell is exactly what I did before suggesting SSM. Was bummed it wasn't there. When you say "bastion", are you allowing connections from the outside world, potentially for tunneling, or do you just mean "bastion" in the sense of "a thing we spin up SSH sessions on"?

millions-furniture-75402

11/11/2022, 8:41 PM
Bastion in the sense that it's a virtual machine that's running inside the VPC that we can connect to from the outside, if authorized.