Question: What is a proper setting for rds serverless v2 public access for a copilot storage generated database #4643
Comments
Hi @phasetr!
...something along those lines! I hope that answers your questions!
@huanjani Thank you for your comment. I'll try it!
@huanjani I tried, but I have the following error:
My full sample is here. This message means Aurora serverless v2 (Aurora-Postgresql?) cannot access publicly? However, I can access it publicly from the AWS console setting. (I am an AWS newbie, so I still do not understand thoroughly the behavior and setting.) What is a proper setting?
Hi, @phasetr. Ahhh, yes, I just found this: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.CreateInstance.html#Aurora.CreateDBCluster.SettingsNotApplicableDBClusters; apparently that property can't be applied to Aurora clusters. 😤 I think you'll have to configure the security group to accept traffic over the internet. In terms of varying accessibility among environments, you could use Conditions/Mappings in your addons template again, or you could have the associated workload placed in private/public subnets with the
field in your workload manifest, which can differ from env to env using the I see that you're using a Request-Driven Web Service, which also has the https://aws.github.io/copilot-cli/docs/manifest/rd-web-service/#http-private field, but I don't think you want the service itself to be private, right?
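One way to express the per-environment security group rule suggested in the comment above, as an added example that is not part of the original thread or of Copilot's generated template. Assumptions: the `App`/`Env`/`Name` parameters and the `${App}-${Env}-VpcId` export follow Copilot's addons conventions, the logical IDs are hypothetical, and the CIDR is a placeholder from a documentation range. It covers only the ingress rule, not subnet placement or routing.

```yaml
# Added example: fragment of a Copilot addons template (CloudFormation).
Parameters:
  App:
    Type: String
  Env:
    Type: String
  Name:
    Type: String

Conditions:
  # True only in the environment named "staging".
  IsStaging: !Equals [!Ref Env, staging]

Resources:
  # Hypothetical logical ID for the security group attached to the DB cluster.
  DBClusterSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Aurora cluster security group
      VpcId:
        Fn::ImportValue: !Sub '${App}-${Env}-VpcId'  # assumed Copilot export name

  # Created only when IsStaging is true, so other environments
  # never receive an ingress rule from outside the VPC.
  StagingDeveloperDBIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: IsStaging
    Properties:
      Description: PostgreSQL from one developer address (staging only)
      GroupId: !GetAtt DBClusterSecurityGroup.GroupId
      IpProtocol: tcp
      FromPort: 5432          # default PostgreSQL port
      ToPort: 5432
      CidrIp: 203.0.113.10/32 # placeholder; a single known address, not 0.0.0.0/0
```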
@huanjani Thank you!
Yes, I am going to create a public service. I'm not entirely sure, but I remember seeing a message that I couldn't initialize it without the network setting when I run
Yes, you can remove the whole
Hi, @huanjani. I'm struggling and restarted the setting. I have the following error.
First I run the commands Here is a temporary setting, in particular I commented out the http setting in environments/staging/manifest.yml. The copilot setting files are created by
Ah, so sorry @phasetr-- I misread your message above:
And you were right. In order to add your Aurora cluster, you will need VPC access. So uncomment the But I do think the way to configure the access to your DB is through the security group. But just to confirm-- when you say you want the DB to be publicly accessible, do you mean open to the internet or just accessible by your workload/service? If the latter, then you will have that once they're in the same VPC.
Thank you, @huanjani.
I mean open to the internet. My intention is to access the DB in the test/development (or staging) environments for simplicity, in particular, by local GUI tools. Of course I know it is not secure. I hear that, in general, I should access the DBs by some intermediate EC2 for security. However I do not understand the setting for copilot (or other means, CDK or CloudFormation). So my reluctant second choice is open access to the DBs, since I need the developing/staging environments as soon as possible. Here is another, somewhat related question: If I choose the load balanced service, I can access ap containers using
Hi, @phasetr. We are now working on creating a publicly accessible Aurora db of our own, in order to confirm how you could do it. I will keep you posted on that. In the meantime, yes-- you can use
Thank you, @huanjani.
I also had in mind the fine-tuning of table items without an administration page. Hence I'll choose closed db setting for a while and I'm looking forward to a new feature!
One more thought: https://aws.github.io/copilot-cli/docs/developing/storage/#using-copilot-svc-exec
This issue is stale because it has been open 60 days with no response activity, and is tagged with
This issue is closed due to inactivity. Feel free to reopen the issue if you have any follow-ups!
I can create an rds serverless PostgreSQL database in AWS console which can access publicly, but I do not understand a setting for aws copilot generated one.
I know a property PubliclyAccessible in CloudFormation spec, but I'd like to understand the security setting for various environments. In particular, I set publicly access setting open for test or staging environments, but the production environment setting more secure. Thanks in advance.