subzerocloud / postgrest-starter-kit

Starter Kit and tooling for authoring REST API backends with PostgREST
MIT License

Fargate RDS Example #55

Open ambsw-technology opened 5 years ago

ambsw-technology commented 5 years ago

Didn't find a repo to more directly suggest a PR/change to your subzero.cloud docs, but your fargate sample page suggests authorizing access to the DB using the cidr range of the Cluster. Logically I assume that number could change (e.g. by redeploying the cluster) so you're better off authorizing the security group for the cluster.

Here's some sample code (with slightly different variable names than you're using):

```bash
# create a subnet group for the DB
aws rds create-db-subnet-group \
    --db-subnet-group-name "$CLIENT-db-subnet" \
    --db-subnet-group-description "$CLIENT-db-subnet" \
    --subnet-ids "$Cluster_Resource_PubSubnetAz1" "$Cluster_Resource_PubSubnetAz2"

# get the Security Group ID for authorizing access
# I'm assuming each has only one and grabbing it using [0].  If you've already
# added extra groups to either side, you may need to do something more
# complex.
# (JMESPath queries are single-quoted so the shell does not treat [0] as a glob)
export DB_SubnetGroup_VpcId=$(aws rds describe-db-subnet-groups \
    --db-subnet-group-name "$CLIENT-db-subnet" \
    --query 'DBSubnetGroups[0].VpcId' \
    --output text)
echo "DB_SubnetGroup_VpcId=$DB_SubnetGroup_VpcId" >> .env
# security group of the DB's VPC; the value is written to .env by the echo below
export DB_SecurityGroup_VpcId=$(aws ec2 describe-security-groups \
    --filters "Name=vpc-id,Values=${DB_SubnetGroup_VpcId}" \
    --region "${AWS_REGION}" \
    --query 'SecurityGroups[0].GroupId' \
    --output text)
echo "DB_SecurityGroup_VpcId=$DB_SecurityGroup_VpcId" >> .env
```

... including making the cluster

```bash
# get the Cluster security group
# see https://docs.amazonaws.cn/en_us/AmazonECS/latest/userguide/ecs-cli-tutorial-fargate.html
export Cluster_Resource_EcsSecurityGroup=$(aws ec2 describe-security-groups \
    --filters "Name=vpc-id,Values=${Cluster_Resource_Vpc}" \
    --region "${AWS_REGION}" \
    --query 'SecurityGroups[0].GroupId' \
    --output text)
echo "Cluster_Resource_EcsSecurityGroup=$Cluster_Resource_EcsSecurityGroup" >> .env

# allow ECS nodes to connect to this db
# (source is the cluster's security group, not a CIDR, so it survives redeploys)
aws ec2 authorize-security-group-ingress \
    --region "$AWS_REGION" \
    --group-id "$DB_SecurityGroup_VpcId" \
    --protocol tcp \
    --port 5432 \
    --source-group "$Cluster_Resource_EcsSecurityGroup"
```

I'm keeping all of the DB stuff separate from the ECS app which may be unnecessary but feels more futureproof. This also means I can build them in any order (so long as I authorize the one to the other last).
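A check for the configuration the comment above argues for, as an added example that is not part of the original issue or the starter kit: it walks the JSON that `aws ec2 describe-security-groups --group-ids <db-sg>` returns and reports any Postgres (5432) ingress that comes from a CIDR instead of the ECS cluster's security group, or that is missing that group entirely. The two documents and all group IDs below are constructed placeholders.

```python
import json

# Constructed samples of `aws ec2 describe-security-groups` output.
# Group IDs are hypothetical placeholders, not from any real account.
DB_SG_CIDR = json.loads("""{"SecurityGroups": [{"GroupId": "sg-0db0000000000000a",
  "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
    "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
    "UserIdGroupPairs": []}]}]}""")
DB_SG_HARDENED = json.loads("""{"SecurityGroups": [{"GroupId": "sg-0db0000000000000a",
  "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
    "IpRanges": [], "Ipv6Ranges": [],
    "UserIdGroupPairs": [{"GroupId": "sg-0ecs000000000000b"}]}]}]}""")
ECS_SG = "sg-0ecs000000000000b"  # stands in for Cluster_Resource_EcsSecurityGroup


def rule_covers_port(perm, port):
    """True if an IpPermission entry reaches `port` (all-traffic rules use '-1')."""
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def audit_db_ingress(describe_output, ecs_sg, db_port=5432):
    """Return a list of findings for the DB security group. An empty list means
    the only path to db_port is the ECS cluster's security group."""
    findings = []
    ecs_rule_present = False
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, db_port):
                continue
            # Any CIDR source is the fragile pattern the issue argues against.
            for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = r.get("CidrIp") or r.get("CidrIpv6")
                findings.append(f"{sg['GroupId']}: port {db_port} open to CIDR {cidr}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") == ecs_sg:
                    ecs_rule_present = True
                else:
                    findings.append(f"{sg['GroupId']}: port {db_port} open to "
                                    f"unexpected group {pair.get('GroupId')}")
    if not ecs_rule_present:
        findings.append(f"no ingress rule on port {db_port} references {ecs_sg}")
    return findings


if __name__ == "__main__":
    for name, doc in (("cidr", DB_SG_CIDR), ("hardened", DB_SG_HARDENED)):
        print(name, audit_db_ingress(doc, ECS_SG) or "OK")
```

Against a real account, pipe the CLI's JSON into `audit_db_ingress` with the value of `Cluster_Resource_EcsSecurityGroup` from `.env`.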

ruslantalpa commented 5 years ago

That's a good point, I'll go over this once I finish some urgent tasks.

Thank you