Currently, we create the necessary RDS objects like databases using a Kubernetes job from the Helm terraform module.
Ideally, we would like to have better control over that and possibly use the Postgres Terraform module instead.
We can use an EC2 bastion host running AWS SSM Session Manager to tunnel access to RDS, e.g.:
```hcl
resource "aws_instance" "bastion" {
  ami                    = data.aws_ami.amazon_linux.id
  instance_type          = "t3.micro"
  subnet_id              = var.database_subnet_ids[0] # Inside the RDS VPC
  vpc_security_group_ids = [aws_security_group.bastion.id]
  iam_instance_profile   = aws_iam_instance_profile.ssm_instance_profile.name
  tags                   = { Name = "${local.name_prefix}-bastion" }
}

resource "aws_iam_role" "ssm_role" {
  name = "${local.name_prefix}-ssm-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_instance_profile" "ssm_instance_profile" {
  name = "${local.name_prefix}-ssm-profile"
  role = aws_iam_role.ssm_role.name
}

resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.ssm_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
```

Then, the Terraform PostgreSQL provider can connect via the bastion's private IP.
```hcl
provider "postgresql" {
  host     = aws_instance.bastion.private_ip
  port     = 5432
  database = var.database_name
  username = var.database_username
  password = var.database_password
  sslmode  = "require"
}
```
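As an added example (not code from the issue or the project), the security groups the snippet above references but does not define, kept to least privilege for an SSM-only bastion, plus the RDS objects managed through the PostgreSQL provider instead of a Kubernetes job; `var.vpc_id`, `var.rds_security_group_id` and the `var.app_*` variables are assumed names.

```hcl
# Bastion SG: no inbound rules at all (Session Manager needs none),
# outbound limited to the RDS port and HTTPS for the SSM agent.
resource "aws_security_group" "bastion" {
  name   = "${local.name_prefix}-bastion"
  vpc_id = var.vpc_id # assumed variable
  tags   = { Name = "${local.name_prefix}-bastion" }
}

resource "aws_vpc_security_group_egress_rule" "bastion_to_rds" {
  security_group_id            = aws_security_group.bastion.id
  referenced_security_group_id = var.rds_security_group_id # assumed variable
  from_port                    = 5432
  to_port                      = 5432
  ip_protocol                  = "tcp"
}

# The SSM agent reaches the ssm/ssmmessages/ec2messages endpoints over HTTPS;
# with interface VPC endpoints this can be narrowed to the endpoints' SG.
resource "aws_vpc_security_group_egress_rule" "bastion_https" {
  security_group_id = aws_security_group.bastion.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}

# RDS accepts 5432 only from the bastion's security group, not from CIDRs.
resource "aws_vpc_security_group_ingress_rule" "rds_from_bastion" {
  security_group_id            = var.rds_security_group_id
  referenced_security_group_id = aws_security_group.bastion.id
  from_port                    = 5432
  to_port                      = 5432
  ip_protocol                  = "tcp"
}

# Database objects created through the PostgreSQL provider, so they are
# planned, diffed and destroyed like any other Terraform resource.
resource "postgresql_role" "app" {
  name     = var.app_role_name     # assumed variable
  login    = true
  password = var.app_role_password # assumed variable
}

resource "postgresql_database" "app" {
  name  = var.app_database_name # assumed variable
  owner = postgresql_role.app.name
}
```

The `aws_vpc_security_group_*_rule` resources require AWS provider 5.x; the provider block above must be able to reach the bastion's private IP (or an SSM port-forwarding tunnel in front of it) when these resources are applied.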