Open r0mant opened 1 month ago
There's also no "refresh" button, which means if you get to this page and realize you need to create a new security group, then you have to restart the entire enrollment flow again to select your new security group.
can we create a security group ourselves, as a part of the script the user runs in CloudShell
If we do that, then they will likely need to add that security group to their databases' security group inbound rules. We could modify all those security groups for them as well in the script.
highlight the "recommended" sec. groups e.g. the one in which the database itself is deployed?
I wouldn't recommend deploying into the same security group as the databases because we need outbound allowed to 0.0.0.0 (to reach teleport cluster and reach our public ECR repo to pull the image), and being in the same security group doesn't grant access unless the security group allows inbound from itself.
Here are the network requirements:
and here's what we could do to address each:
I believe you can assign multiple security groups though. What if we create a security group for outbound, and at the same time assign the same security group the db uses if necessary?
We could check the database security groups to see if they allow inbound from themselves.
We discussed this in 1x1, but I think we could consolidate actions 3 and 4 into a single column: "Database Connectivity" (yes/no/unknown) and just show details on hover, e.g.
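Added example, not Teleport's code: a helper that answers the two checks raised above ("does the database security group allow inbound from itself?" and "does the agent's group allow outbound to 0.0.0.0/0?") and folds them into the proposed yes/no/unknown "Database Connectivity" value. It reads dicts in the shape of the EC2 DescribeSecurityGroups response; the function names and the sample groups are constructed here.

```python
ALL_PROTOCOLS = "-1"  # EC2's value for "any protocol, any port"


def _rule_covers_port(rule: dict, port: int) -> bool:
    """True if one IpPermission entry matches TCP traffic to `port`."""
    if rule.get("IpProtocol") == ALL_PROTOCOLS:
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def allows_inbound_from_group(sg: dict, source_group_id: str, port: int) -> bool:
    """True if `sg` accepts inbound TCP on `port` from members of `source_group_id`.
    Passing sg["GroupId"] as the source asks "does it allow inbound from itself?"."""
    for rule in sg.get("IpPermissions", []):
        if _rule_covers_port(rule, port) and any(
            pair.get("GroupId") == source_group_id
            for pair in rule.get("UserIdGroupPairs", [])
        ):
            return True
    return False


def allows_all_outbound(sg: dict) -> bool:
    """True if `sg` permits egress on all protocols to 0.0.0.0/0 (needed to reach
    the Teleport cluster and pull the agent image from public ECR)."""
    return any(
        rule.get("IpProtocol") == ALL_PROTOCOLS
        and any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
        for rule in sg.get("IpPermissionsEgress", [])
    )


def database_connectivity(db_sgs: list, agent_sg_ids: list, db_port: int) -> str:
    """'yes' if any DB group admits any group attached to the agent on db_port,
    'unknown' if no DB group data was returned, else 'no'."""
    if not db_sgs:
        return "unknown"
    for sg in db_sgs:
        if any(allows_inbound_from_group(sg, a, db_port) for a in agent_sg_ids):
            return "yes"
    return "no"


# Constructed sample: a Postgres DB group that trusts itself, and an agent group with open egress.
DB_SG = {"GroupId": "sg-0db", "IpPermissionsEgress": [], "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0db"}]}]}
AGENT_SG = {"GroupId": "sg-0agent", "IpPermissions": [], "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
```

Attaching DB_SG to the agent alongside AGENT_SG (the multi-group idea above) flips the result from "no" to "yes" without touching the database's rules.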
The security group selector works but can be fairly confusing, especially for a new user. Specifically, if I have multiple security groups, how do I know which one to pick?
I wonder what we can do to streamline this step more - can we create a security group ourselves, as a part of the script the user runs in CloudShell? Or highlight the "recommended" sec. groups e.g. the one in which the database itself is deployed?