This repository has been archived by the owner on Apr 16, 2022. It is now read-only.

Fargate RDS Example #55

Open
ambsw-technology opened this issue Aug 30, 2019 · 1 comment


@ambsw-technology

ambsw-technology commented Aug 30, 2019

Didn't find a repo to more directly suggest a PR/change to your subzero.cloud docs, but your fargate sample page suggests authorizing access to the DB using the cidr range of the Cluster. Logically I assume that number could change (e.g. by redeploying the cluster) so you're better off authorizing the security group for the cluster.

Here's some sample code (with slightly different variable names than you're using):

# create a subnet group for the DB
aws rds create-db-subnet-group \
    --db-subnet-group-name $CLIENT-db-subnet \
    --db-subnet-group-description $CLIENT-db-subnet \
    --subnet-ids $Cluster_Resource_PubSubnetAz1 $Cluster_Resource_PubSubnetAz2

# get the Security Group ID for authorizing access
# I'm assuming each has only one and grabbing it using [0].  If you've already
# added extra groups to either side, you may need to do something more
# complex.
export DB_SubnetGroup_VpcId=$(aws rds describe-db-subnet-groups \
    --db-subnet-group-name $CLIENT-db-subnet \
    --query 'DBSubnetGroups[0].VpcId' \
    --output text)
echo DB_SubnetGroup_VpcId=$DB_SubnetGroup_VpcId >> .env
# (the export itself prints nothing, so the value is written to .env by the echo below)
export DB_SecurityGroup_VpcId=$(aws ec2 describe-security-groups \
    --filters Name=vpc-id,Values=${DB_SubnetGroup_VpcId} \
    --region ${AWS_REGION} \
    --query 'SecurityGroups[0].GroupId' \
    --output text)
echo DB_SecurityGroup_VpcId=$DB_SecurityGroup_VpcId >> .env

... including making the cluster

# get the Cluster security group
# see https://docs.amazonaws.cn/en_us/AmazonECS/latest/userguide/ecs-cli-tutorial-fargate.html
export Cluster_Resource_EcsSecurityGroup=$(aws ec2 describe-security-groups \
    --filters Name=vpc-id,Values=${Cluster_Resource_Vpc} \
    --region ${AWS_REGION} \
    --query 'SecurityGroups[0].GroupId' \
    --output text)
echo Cluster_Resource_EcsSecurityGroup=$Cluster_Resource_EcsSecurityGroup >> .env

# allow ECS nodes to connect to this db
aws ec2 authorize-security-group-ingress \
    --region $AWS_REGION \
    --group-id $DB_SecurityGroup_VpcId \
    --protocol tcp \
    --port 5432 \
    --source-group $Cluster_Resource_EcsSecurityGroup

I'm keeping all of the DB stuff separate from the ECS app which may be unnecessary but feels more futureproof. This also means I can build them in any order (so long as I authorize the one to the other last).
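A way to verify the end state the comment above is aiming for, as an added example that is not part of this issue or of the subzero.cloud docs: the script below audits the DB security group's ingress rules (parsed from `aws ec2 describe-security-groups` JSON, here a constructed sample with placeholder group IDs) and reports any rule on port 5432 that grants access by CIDR range instead of by source security group, any unexpected source group, and whether the expected ECS security group is actually present. The function names and the sample IDs are assumptions for illustration.

```python
import json

DB_PORT = 5432

# Constructed sample shaped like `aws ec2 describe-security-groups --group-ids <db-sg>`
# JSON output. The group IDs are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0db0000000000001",
        "GroupName": "example-db",
        "IpPermissions": [
            {   # SG-to-SG rule: what the issue recommends
                "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                "IpRanges": [],
                "UserIdGroupPairs": [{"GroupId": "sg-0ec0000000000002"}],
            },
            {   # CIDR rule: what the docs page suggests; breaks if the cluster's range changes
                "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
                "UserIdGroupPairs": [],
            },
            {   # unrelated rule on another port: ignored by the audit
                "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": [{"CidrIp": "10.0.1.0/24"}],
                "UserIdGroupPairs": [],
            },
        ],
    }]
})


def rule_covers_port(rule, port):
    """True if an IpPermissions entry applies to TCP traffic on `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # "all traffic" rules carry no port range
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_db_ingress(describe_output, allowed_source_groups, port=DB_PORT):
    """Classify every ingress rule on the DB security group that reaches `port`.

    Returns a dict with:
      cidr_sources       - CIDR blocks granted access (ideally empty)
      unexpected_groups  - source SGs not in allowed_source_groups
      missing_groups     - allowed SGs that have no rule at all
    """
    groups = json.loads(describe_output)["SecurityGroups"]
    cidr_sources, seen_groups = [], set()
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_port(rule, port):
                continue
            cidr_sources += [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidr_sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            seen_groups.update(p["GroupId"] for p in rule.get("UserIdGroupPairs", []))
    allowed = set(allowed_source_groups)
    return {
        "cidr_sources": sorted(cidr_sources),
        "unexpected_groups": sorted(seen_groups - allowed),
        "missing_groups": sorted(allowed - seen_groups),
    }


if __name__ == "__main__":
    # In practice, feed in the real CLI output and the cluster SG from .env
    report = audit_db_ingress(SAMPLE_DESCRIBE_OUTPUT, ["sg-0ec0000000000002"])
    for key, items in report.items():
        print(f"{key}: {items or 'none'}")
```

Against the sample, the report lists `10.0.0.0/16` under `cidr_sources` (the rule to drop once the SG-based rule is in place) and shows the ECS group as neither unexpected nor missing. An "all traffic" (`IpProtocol: "-1"`) rule is treated as covering the DB port, since it would otherwise slip past a port-only check.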

@ruslantalpa
Member

That's a good point, I'll go over this once I finish some urgent tasks.

Thank you
