Does this work on Terraform Cloud? #37
Comments
You need to install the session manager AWS CLI integration to use this repo, otherwise the bash scripts that call the AWS CLI don't work. See these docs from AWS: This is a separate installation from the AWS-CLI tool, so you need to have both installed. I'm unsure how this can be done on Terraform Cloud. We should nevertheless add this requirement to this repo's README.
That is why I made that Go program which uses the AWS session-manager-plugin Go library. This avoids the need for the installation as the binary has the logic in it (and that logic comes from AWS's implementation which is built into the plugin one normally installs). I'm trying to turn this into a Terraform provider to see if that works in the cloud. I worry that Terraform Cloud won't allow a provider to listen on a local port, where that local port is reachable from another provider (e.g. the postgres provider).
I just got around to building and releasing a wrapped version of SSM Session Manager Plugin as a provider. It works in TF Cloud for both EKS + RDS: https://registry.terraform.io/providers/ComplyCo/aws-ssm-tunnels. I think the developer experience could be a bit better because I needed to add a keepalive resource to keep the tunnel from getting prematurely shut down.
I'm trying to see if I can set up a tunnel via SSM so that I can keep my resources in a private subnet, but still use Terraform Cloud. When trying to get the PG provider to connect, it fails with:
`Error connecting to PostgreSQL server 127.0.0.1 (scheme: postgres): dial tcp 127.0.0.1:25252: connect: connection refused`
I have added a `data.external` script to check the file descriptor on the local port (and nothing shows up).
I really love the idea in #36, but when trying that, I ran into an issue: `SessionManagerPlugin is not found`.
This led me to implement my own Go binary for setting up the tunnel. Note, to get this working, I had to replace the `go.mod` `github.com/twinj/uuid` value with `github.com/twinj/uuid v0.0.0-20151029044442-89173bcdda19` (see: aws/session-manager-plugin#73). I had to build it for amd64 linux to get it to run on Terraform Cloud.
This succeeds in running, and SSM shows a connection. But checking the file descriptors on the local port and the pid for this binary come back with empty results after running.
My suspicions are: either Terraform Cloud terminates the `data.external....` after it returns an output, or the `data.external....` processes are run in some sort of isolation which prevents them from exposing the local port for use. I know this was a pretty big brain dump, but I would love to figure out how to get SSM tunnels working with Terraform Cloud because that would be awesome from a security perspective.
In the future, if this Go program is the way to do it, I think it should be turned into a Terraform provider.
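As an added example (not code from this issue or from the repo), here is the kind of `data.external` program the reporter describes: a bash script that tests whether the tunnel's local port (127.0.0.1:25252 in the issue) accepts a TCP connection and returns the answer as the flat JSON object of strings the external data source expects. The script name `tunnel_check.sh`, the `check` argument and the `host`/`port` query keys are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the issue or the repo): a data.external program that
# reports whether the SSM tunnel's local port accepts connections. Terraform
# writes a flat JSON object of strings on stdin and expects the same shape back.
set -euo pipefail

# Pull one string value out of the flat JSON query without depending on jq.
# Falls back to the default when the key is missing.
query_field() {
  local json="$1" key="$2" default="$3" value
  value="$(printf '%s' "$json" \
    | sed -n "s/.*\"${key}\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p")"
  printf '%s' "${value:-$default}"
}

# Succeed only if a TCP connect to host:port is accepted. Uses bash's /dev/tcp
# so the Terraform Cloud worker needs no extra tools such as nc or ss.
port_listening() {
  local host="$1" port="$2"
  ( exec 3<>"/dev/tcp/${host}/${port}" ) 2>/dev/null
}

# Emit the result object in the shape data.external requires (string values only).
tunnel_status_json() {
  local host="$1" port="$2" state="closed"
  if port_listening "$host" "$port"; then
    state="listening"
  fi
  printf '{"host":"%s","port":"%s","state":"%s"}\n' "$host" "$port" "$state"
}

# Entry point for Terraform; defaults match the tunnel endpoint from the issue.
# Wire it up with (assumed file name and argument):
#   data "external" "tunnel_check" {
#     program = ["bash", "${path.module}/tunnel_check.sh", "check"]
#     query   = { host = "127.0.0.1", port = "25252" }
#   }
main() {
  local query
  query="$(cat)"
  tunnel_status_json \
    "$(query_field "$query" host 127.0.0.1)" \
    "$(query_field "$query" port 25252)"
}

case "${1:-}" in
  check) main ;;
esac
```

A `closed` result while SSM still shows the session as connected points at the process isolation the reporter suspects rather than at the tunnel binary itself, since the check dials from the same place the PostgreSQL provider does.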