-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add connection files to gitignore we don't want to commit those. Created new Make targets for DB connections Make it really easy for an engineer to get the information for connecting to the RDS DB from the bastion when debugging issues. Update the documentation for RDS Bastion reflect new changes since AWS Secrets have been used and the explain to use the new make targets. ND-510
- Loading branch information
Stephen.James
committed
Sep 11, 2024
1 parent
fdea5d7
commit a922de2
Showing
6 changed files
with
120 additions
and
36 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -54,3 +54,5 @@ VpnCerts | |
|
||
# ignore tfenv pinned version file | ||
.terraform-version | ||
|
||
/.db_connection* |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
#!/usr/bin/env bash | ||
|
||
db_type=${1} | ||
file_name=".db_connection.${ENV}.${db_type}" | ||
terraform_outputs=$(terraform output -json) | ||
|
||
if [ ${db_type} == "admin" ]; then | ||
## Admin RDS | ||
admin_db_username=admin | ||
admin_db_fqdn=$(echo ${terraform_outputs} | jq -r '.terraform_outputs.value.admin.rds.fqdn') | ||
admin_db_port=$(echo ${terraform_outputs} | jq -r '.terraform_outputs.value.admin.rds.port') | ||
admin_db_name=$(echo ${terraform_outputs} | jq -r '.terraform_outputs.value.admin.rds.name') | ||
|
||
cat << EOF > ./${file_name} | ||
Connections strings for ${ENV} environment RDS | ||
NAC Admin RDS: | ||
Test connection: | ||
Copy command below to test RDS DB access from Admin RDS Bastion. | ||
---- | ||
curl -v telnet://${admin_db_fqdn}:${admin_db_port} --output rds.admin.txt | ||
Connect to DB with MySQL client: | ||
Copy command below to test RDS DB access from Admin RDS Bastion. | ||
----- | ||
mysql --user=${admin_db_username} --host=${admin_db_fqdn} --port=${admin_db_port} --ssl --password | ||
Create DB dump and push to S3 | ||
-------- | ||
filename="\`date "+%Y_%m_%d-%H_%M_%S"\`_${ENV}_${admin_db_name}_rds-dump.sql"; \\ | ||
mysqldump \\ | ||
-u "${admin_db_username}" \\ | ||
-p \\ | ||
--ssl \\ | ||
--set-gtid-purged=OFF \\ | ||
--triggers --routines --events \\ | ||
-h "${admin_db_fqdn}" \\ | ||
"${admin_db_name}" > ~/${filename}; \\ | ||
ls -al; \\ | ||
aws s3 cp ~/\${filename} s3://mojo-file-transfer/ --profile s3-role; \\ | ||
aws s3 ls s3://mojo-file-transfer/ --profile s3-role; | ||
EOF | ||
fi | ||
|
||
cat ./${file_name} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
#!/usr/bin/env bash | ||
|
||
aws_secretsmanager_get_secret_value() { | ||
db_type=${1} | ||
|
||
if [ ${db_type} == "admin" ]; then | ||
aws secretsmanager get-secret-value \ | ||
--secret-id /moj-network-access-control/${ENV}/admin/db | jq --raw-output '.SecretString' | jq -r .password | ||
aws secretsmanager get-secret-value \ | ||
--secret-id /moj-network-access-control/${ENV}/admin/db | jq --raw-output '.SecretString' | jq -r .username | ||
fi | ||
} | ||
|
||
assume_role_in_environment() { | ||
export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \ | ||
$(aws sts assume-role \ | ||
--role-arn "${TF_VAR_assume_role}" \ | ||
--role-session-name MySessionName \ | ||
--query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ | ||
--output text)) | ||
} | ||
|
||
main() { | ||
assume_role_in_environment | ||
aws_secretsmanager_get_secret_value "${1}" | ||
} | ||
|
||
main "${1}" |
This file was deleted.
Oops, something went wrong.