Feature/spilo fixes #164
Merged
Feature/spilo fixes #164
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Reusing an EBS-snapshot didn't work correctly due to the erasing of the data volume. With this commit, you can build a Spilo out of a snapshot.
|
@feikesteenbergen could you tackle the decreasing code coverage please? |
…tration and ELB's. Having only one security group for all Spilo's in one account doesn't quite cut it. We need to be able to distinguish which databases are allowed to be accessed by which application. We also need to be able to restrict access to Patroni, replica's or masters. As pg_hba.conf is of limited use (it only reports the ELB address), we need Security Groups to shield access away from the Spilo. This change creates the following Security Groups: - Member: Internode communication and Bastion Host communication is allowed on all ports. Connections from the ELB's is allowed. - Master: Connection from a cidrblock is allowed (default: vpc) - Replica: Connection from a cidrblock is allowed (default: vpc) In this way we reduce the chance of exposure when running public facing Spilo's.
To increase security, allow access to directories only in S3. When running multiple Spilo's in one account it is now impossible to delete or update the wrong directory.
| Resource: | ||
| - arn:aws:s3:::{{wal_s3_bucket}}/spilo/* | ||
| - arn:aws:s3:::{{wal_s3_bucket}} | ||
| - "arn:aws:s3:::zalando-acid-eu-west-1-spilo-app/spilo/{{Arguments.version}}/*" |
There was a problem hiding this comment.
Should be {{wal_s3_bucket}}
Changed the tedious formatting of placeholders for senza create into their own variables.
This makes the template much more readable.
Attach the {{version}} placeholder to many resources to ease identification.
We rely on convention to find out the security group of the Odd host. With this patch we only add rules for the Odd Host if we can find it and if the user confirms it.
|
Closing (temporarily) |
|
+1 |
|
👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.