moia-oss / bastion-host-forward

CDK Construct for creating a bastion host to forward a connection to several AWS data services inside a private subnet from your local machine

Home Page: https://www.npmjs.com/package/@moia-oss/bastion-host-forward

License: Apache License 2.0

JavaScript 0.34% TypeScript 99.66%
bastion-host cdk rds redis elasticache elasticache-redis redshift aurora-serverless

bastion-host-forward's People

Contributors

bemica, blockvote, cbrgm, dependabot-preview[bot], dependabot[bot], djablonski-moia, gibzondev, guusvw, kanbara, ktreptow, moltar, oppermax, sangheestyle, snowiow


bastion-host-forward's Issues

Connection Error (Aurora Serverless, ssm with sso profile)

Given the following CDK2 stack:

// Imports assumed for the snippet (CDK v2 module paths); uniqueResourceName is the poster's own helper, not shown.
import { Construct } from 'constructs';
import { IVpc, SecurityGroup, Vpc } from 'aws-cdk-lib/aws-ec2';
import {
  Credentials,
  DatabaseClusterEngine,
  IServerlessCluster,
  ParameterGroup,
  ServerlessCluster,
} from 'aws-cdk-lib/aws-rds';
import { BastionHostAuroraServerlessForward } from '@moia-oss/bastion-host-forward';

const createServerlessDatabaseCluster = (
  scope: Construct,
  props: {
    vpc: IVpc;
  }
): IServerlessCluster => {
  const clusterId: string = uniqueResourceName('DB');
  const credentials = Credentials.fromGeneratedSecret('importerdbuser');
  const cluster: ServerlessCluster = new ServerlessCluster(scope, clusterId, {
    engine: DatabaseClusterEngine.AURORA_POSTGRESQL,
    parameterGroup: ParameterGroup.fromParameterGroupName(
      scope,
      'ParameterGroup',
      'default.aurora-postgresql10'
    ),
    vpc: props.vpc,
    defaultDatabaseName: 'importer',
    credentials,
    enableDataApi: true
  });

  return cluster;
};

const createServerlessClusterBastianHost = (
  scope: Construct,
  props: {
    vpc: IVpc;
    serverlessCluster: IServerlessCluster;
  }
): BastionHostAuroraServerlessForward => {
  const securityGroup = SecurityGroup.fromSecurityGroupId(
    scope,
    'AuroraSecurityGroup',
    'odsufa5addasdj',
    { mutable: false }
  );

  const serverlessCluster = ServerlessCluster.fromServerlessClusterAttributes(scope, 'Aurora', {
    clusterIdentifier: props.serverlessCluster.clusterIdentifier,
    port: props.serverlessCluster.clusterEndpoint.port,
    clusterEndpointAddress: props.serverlessCluster.clusterEndpoint.hostname,
    securityGroups: [securityGroup]
  });

  const bastianHost: BastionHostAuroraServerlessForward = new BastionHostAuroraServerlessForward(
    scope,
    'BastionHost',
    {
      vpc: props.vpc,
      serverlessCluster
    }
  );
  return bastianHost;
};


const vpc = new Vpc(this, 'TheVPC', {});
const databaseCluster = createServerlessDatabaseCluster(this, { vpc });
createServerlessClusterBastianHost(this, { vpc, serverlessCluster: databaseCluster });

And the following SSM command:

aws ssm \
    --profile aws_my-sso-profile  \
    start-session \
    --target i-0fdba891c51868e23 \
    --document-name AWS-StartPortForwardingSession \
    --parameters '{"portNumber": ["5432"], "localPortNumber":["5432"]}'

It gives me:

Starting session with SessionId: xxx
Port 5432 opened for sessionId xxx.
Waiting for connections...

When I then try to establish a connection:

[screenshot: connection attempt from the local client]

SSM notices it and prints this:

Connection accepted for session [xxx]

However, the connection fails nevertheless:

[screenshot: connection error shown by the local client]

~/.aws/config:

[profile aws_my-sso-profile]
sso_start_url = https://xxxx.awsapps.com/start
sso_region = eu-central-1
sso_account_name = aws_xxxx
sso_account_id = xxxxx
sso_role_name = AdminPermissionSet
region = eu-central-1
credential_process = aws-sso-util credential-process --profile aws_xxxx
sso_auto_populated = true

Any thoughts?
Thanks

Upgrade CDK dependency

Currently the library seems to pin its dependency on CDK to exactly 1.74.0, which causes a type error when I try to use it with our project, which uses 1.77.0. It would be nice if you could upgrade the CDK version, or specify a less strict version requirement.

Aurora serverless support

Hello,

I'm really interested in your construct. I'm trying to use it with an Aurora Serverless database, but with no success so far. Have you already done that?

Question: Server Timeout

Hi,

Would it be possible to add serverTimeout parameter similar to the clientTimeout one for configuring that in HAProxy while creating the bastion?

Unable to create two bastion hosts

I have a CDK configuration that I've inherited from previous developers, and they've set up two bastion hosts:

    new BastionHostRDSForward(this, 'BastionHost', {
      name: 'BastionHost',
      rdsInstance: this.applicationDatabaseInstance,
      vpc: this.props.infra.vpc,
    });

    new BastionHostRDSForward(this, 'AnalyticsBastionHost', {
      name: 'AnalyticsBastionHost',
      rdsInstance: this.analyticsDatabaseInstance,
      vpc: this.props.infra.vpc,
    });

Trying to deploy this stack fails with an error saying "Launch template name already in use". One bastion host can be deployed successfully, if I comment one of them out.

This makes sense, since the launch template created for the first bastion host is called "ResourceLaunchTemplate". This looks like a default name, and creating another host fails since launch template names need to be unique on an account.

Any ideas on how to fix this?

Avoid recreation of bastion to keep the same IDs

Right now, I'm creating a bastion as follows:

new BastionHostRDSForward(scope, "Ec2Bastion", {
    vpc: vpc,
    rdsInstance: rdsInstance,
    name: "BastionHost",
  });

In every pipeline run, I deploy the stack. The problem is that the bastion gets recreated on every deploy, which makes it generate a new ID.
Ideally, the bastion doesn't get recreated and keeps the same ID if it already exists.

Running via Fargate Service

I really like the idea of using SSM sessions and haproxy together!

Previously I was using some hand-rolled SSH solution that used tunneling, wasn't great.

I was wondering if instead of using EC2, would it be possible to use Fargate Service?

It would be easier to just use an existing official haproxy image.

Are the costs much different?

Also, was thinking that maybe with either EC2 or Fargate, it'd be possible to start/stop the service via some sort of CLI, or even detecting the connection? Or maybe even some SSM event?

Not sure, just throwing some ideas out there in case you know more :)

Make it possible to adjust haproxy timeout

It would be really nice if it were possible to adjust the timeout used by haproxy.

Our use case for this is that we use our bastion to do management tasks on our database; however, when doing this we sometimes write some code which causes the connection to time out, which is really annoying.

Question: Multiple Hosts

Hi

I might be missing something, but is there a way for a single bastion host to act as a proxy for multiple backend services?

i.e. We have multiple RDS servers that we would like to be able to connect to via a single bastion host; currently it seems like it's a 1-1 relation?

Thanks
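The three HAProxy questions above (a server timeout next to the client timeout, an adjustable timeout, and one bastion fronting several backends) all come down to what the proxy configuration on the host looks like. The following is an added example, not code from bastion-host-forward: a POSIX shell renderer that emits an HAProxy TCP-forwarding config for any number of backends, each on its own local port, with both `timeout client` and `timeout server` set explicitly. The backend list and its hostnames are constructed placeholders.

```shell
# Added example, not code from bastion-host-forward: render an HAProxy configuration
# that forwards several local ports on one bastion to several backends, with explicit
# client and server timeouts. The backend list is a constructed placeholder:
#   name:local_port:backend_host:backend_port   (one entry per line)
BACKENDS='appdb:5432:app-db.cluster-xxxx.eu-central-1.rds.amazonaws.com:5432
analytics:5433:analytics-db.cluster-yyyy.eu-central-1.rds.amazonaws.com:5432
cache:6379:my-redis.zzzz.0001.euc1.cache.amazonaws.com:6379'

# render_haproxy_cfg CLIENT_TIMEOUT SERVER_TIMEOUT [BACKEND_LIST]
# Prints the config to stdout. Each backend gets its own "listen" section bound to
# 127.0.0.1 only: the SSM port-forwarding plugin dials the bastion's own loopback,
# so nothing else in the VPC needs to reach these ports.
render_haproxy_cfg() {
  client_timeout="$1"
  server_timeout="$2"
  list="${3:-$BACKENDS}"
  printf 'global\n    maxconn 256\n\n'
  printf 'defaults\n    mode tcp\n    timeout connect 5s\n'
  printf '    timeout client %s\n    timeout server %s\n\n' "$client_timeout" "$server_timeout"
  printf '%s\n' "$list" | while IFS=: read -r name lport host rport; do
    [ -n "$name" ] || continue
    printf 'listen %s\n    bind 127.0.0.1:%s\n    server %s %s:%s\n\n' \
      "$name" "$lport" "$name" "$host" "$rport"
  done
}

# duplicate_ports [BACKEND_LIST]: prints any local port used by more than one backend.
# Two listeners on the same port is the one mistake the rendered config cannot express.
duplicate_ports() {
  printf '%s\n' "${1:-$BACKENDS}" | cut -d: -f2 | sort | uniq -d
}

# validate_cfg CLIENT_TIMEOUT SERVER_TIMEOUT [BACKEND_LIST]: fails on duplicate ports,
# then lets haproxy itself check the rendered file when the binary is present.
validate_cfg() {
  [ -z "$(duplicate_ports "${3:-$BACKENDS}")" ] || return 1
  if command -v haproxy >/dev/null 2>&1; then
    tmp=$(mktemp) || return 1
    render_haproxy_cfg "$@" > "$tmp"
    if haproxy -c -f "$tmp" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
  fi
  return 0
}
```

Usage: `validate_cfg 1h 1h && render_haproxy_cfg 1h 1h > /etc/haproxy/haproxy.cfg`, then start one `aws ssm start-session ... AWS-StartPortForwardingSession` per local port you need. Binding to 127.0.0.1 rather than `*` keeps the proxy unreachable from other hosts in the VPC; the only path in is an authenticated SSM session, so the security group on the bastion does not need any inbound rule at all.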

Can't connect using `BastionHostAuroraServerlessForward`

I've set up BastionHostAuroraServerlessForward per the instructions.

Then I run:

aws ssm start-session \
  --target i-x \
  --document-name AWS-StartPortForwardingSession \
  --parameters '{"portNumber": ["5432"], "localPortNumber":["5432"]}'

And get:

Starting session with SessionId: foo-060bbc90196b150bf
Port 5432 opened for sessionId foo-060bbc90196b150bf.
Waiting for connections...

Then I try to connect with a local client, and get the following error:

Connection to destination port failed, check SSM Agent logs.

After checking the logs (/var/log/amazon/ssm/amazon-ssm-agent.log) on the bastion, I get:

2021-11-27 08:15:50 ERROR [ssm-session-worker] [foo-060bbc90196b150bf] [DataBackend] [pluginName=Port] Unable to dial connection to server: dial tcp :5432: connect: connection refused

However, if I install a psql client inside the bastion, I am able to connect to the RDS cluster just fine. So this rules out a networking issue.

Any ideas?

Thanks!
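Both connection failures reported on this page (the SSO-profile one at the top and this one) show the same shape: the SSM session opens, the local client is accepted, and then the forward fails. The agent log line above is the useful clue: `dial tcp :5432` has an empty host, so the agent was dialling the bastion's own loopback and got "connection refused", meaning nothing was listening on 5432 on the bastion itself. The RDS endpoint is never contacted at that point, which is exactly why psql run on the bastion still works. The following added example, not code from bastion-host-forward or the SSM agent, separates "no local listener" from "backend unreachable" with only /proc and nc (or bash's /dev/tcp), so it runs on a minimal AMI from a plain `aws ssm start-session` shell. The port and hostname arguments are whatever you deployed; none are taken from the page.

```shell
# Added example, not code from bastion-host-forward or the SSM agent. Run on the
# bastion when the agent log shows "dial tcp :PORT: connect: connection refused".

# port_hex PORT: the 4-digit upper-case hex form /proc/net/tcp uses (5432 -> 1538).
port_hex() { printf '%04X' "$1"; }

# listening_on PORT: true if any TCP socket is in LISTEN state (st == 0A) on PORT.
# Reads /proc directly so it needs neither ss nor netstat.
listening_on() {
  hex=$(port_hex "$1")
  cat /proc/net/tcp /proc/net/tcp6 2>/dev/null |
    awk -v p="$hex" '{ split($2, a, ":"); if (a[2] == p && $4 == "0A") found = 1 }
                     END { exit found ? 0 : 1 }'
}

# backend_reachable HOST PORT: can the bastion itself open a TCP connection to the
# target (security groups, DNS, routing)? Prefers nc; falls back to bash's /dev/tcp.
backend_reachable() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
  else
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

# diagnose LOCAL_PORT BACKEND_HOST BACKEND_PORT: prints one verdict line and returns
# 0 (both hops fine), 1 (no local listener: proxy not running or bound to another
# port) or 2 (listener present, but the backend is unreachable from the bastion).
diagnose() {
  if ! listening_on "$1"; then
    echo "no listener on port $1 on this host - check the proxy service and its bind port"
    return 1
  fi
  if ! backend_reachable "$2" "$3"; then
    echo "listener on $1 ok, but $2:$3 is unreachable from here - check security groups and DNS"
    return 2
  fi
  echo "listener on $1 and backend $2:$3 both reachable"
  return 0
}
```

Usage on the bastion: `diagnose 5432 <cluster-endpoint-hostname> 5432`. A return code of 1 matches the "connection refused" log line on this page and points at the proxy on the host, not at networking; a 2 points at the security group the bastion was given on the cluster (for example the imported one in the first issue's stack) or at name resolution.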
