refactor(loadtest): change databases to use rds proxy (#31799)

Gabriel Corado 2023-09-18 15:06:11 -03:00 committed by GitHub
parent da3b49a4ee
commit 678274a4ed
7 changed files with 82 additions and 114 deletions


@ -81,16 +81,16 @@ create-rds-database:
$(MAKE) -C databases/rds apply
.PHONY: deploy-database-agents
deploy-database-agents: POSTGRES_NAME ?= rdspostgres
deploy-database-agents: POSTGRES_URL ?=
deploy-database-agents: MYSQL_NAME ?= rdsmysql
deploy-database-agents: MYSQL_URL ?=
deploy-database-agents: DATABASE_ROLE_ARN ?=
deploy-database-agents: LOADTEST_TAG_VALUE ?= loadtest
deploy-database-agents:
ifndef TELEPORT_VERSION
@echo "TELEPORT_VERSION is required but not provided"
@exit 1
endif
ifndef DATABASE_ROLE_ARN
@echo "DATABASE_ROLE_ARN is required but not provided"
@exit 1
endif
helm upgrade --install \
database-agents \
@ -103,11 +103,8 @@ endif
--set proxyAddr=${PROXY_SERVER} \
--set authToken=${NODE_TOKEN} \
--set annotations.serviceAccount."eks\.amazonaws\.com/role-arn"=${DATABASE_ROLE_ARN} \
--set databases[0].name=${POSTGRES_NAME} \
--set databases[0].protocol=postgres \
--set databases[0].uri=${POSTGRES_URL} \
--set databases[1].name=${MYSQL_NAME} \
--set databases[1].protocol=mysql \
--set databases[1].uri=${MYSQL_URL}
--set awsDatabases[0].types[0]=rdsproxy \
--set awsDatabases[0].regions[0]=us-east-1 \
--set awsDatabases[0].tags."loadtest"="${LOADTEST_TAG_VALUE}"
$(MAKE) -C control-plane enable-database-agents-monitoring
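Review bot: The tag value the agents discover by (`LOADTEST_TAG_VALUE ?= loadtest`) is not tied to the value Terraform stamps on the proxies, which in databases/rds is `"loadtest" = var.prefix`, so overriding `PREFIX` on the Terraform side silently leaves the matcher with nothing to register — or, because the matcher spans all of us-east-1 and the agent role may describe every proxy (`"Resource": "*"`), with whatever unrelated proxy in the account happens to carry that tag. The region is likewise hard-coded here while databases/rds owns `REGION := us-east-1`, so the two can drift independently. Worth a comment above the target such as `# LOADTEST_TAG_VALUE must equal the PREFIX used by create-rds-database; the agents register every rdsproxy in us-east-1 tagged loadtest=<value>, so keep the value unique to this deployment.` Ideally both values would be derived from the databases/rds variables rather than duplicated, but that depends on how the parent Makefile passes them, which is outside the hunk.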


@ -1,10 +1,8 @@
REGION := us-east-1
PREFIX := loadtest
LOCAL_IP := $(shell curl -s https://checkip.amazonaws.com/)
EKS_CLUSTER_NAME := ""
TF_VARS = -var "region=$(REGION)" \
-var "prefix=$(PREFIX)" \
-var "local_ip=$(LOCAL_IP)" \
-var "eks_cluster_name=$(EKS_CLUSTER_NAME)"
.PHONY: apply


@ -9,6 +9,9 @@ locals {
iam_policy_name = "${var.prefix}-database-access"
iam_policy_name_boundary = "${var.prefix}-database-access-boundary"
iam_role_arn = "arn:${local.partition}:iam::${local.account_id}:role/${local.iam_role_name}"
pg_proxy_name = "${var.prefix}-postgres-proxy"
mysql_proxy_name = "${var.prefix}-mysql-proxy"
}
provider "aws" {
@ -53,15 +56,8 @@ module "postgres_security_group" {
from_port = var.postgres_port
to_port = var.postgres_port
protocol = "tcp"
description = "PostgreSQL access from within Subnet"
description = "PostgreSQL access from within VPC"
cidr_blocks = data.aws_vpc.selected.cidr_block
},
{
from_port = var.postgres_port
to_port = var.postgres_port
protocol = "tcp"
description = "PostgreSQL access from local machine (required to create database user)"
cidr_blocks = "${var.local_ip}/32"
}
]
}
@ -82,15 +78,8 @@ module "mysql_security_group" {
from_port = var.mysql_port
to_port = var.mysql_port
protocol = "tcp"
description = "MySQL access from within Subnet"
description = "MySQL access from within VPC"
cidr_blocks = data.aws_vpc.selected.cidr_block
},
{
from_port = var.mysql_port
to_port = var.mysql_port
protocol = "tcp"
description = "MySQL access from local machine (required to create database user)"
cidr_blocks = "${var.local_ip}/32"
}
]
}
@ -131,8 +120,8 @@ module "pg" {
db_subnet_group_name = module.subnet_group.db_subnet_group_id
create_db_subnet_group = false
publicly_accessible = true
iam_database_authentication_enabled = true
publicly_accessible = false
iam_database_authentication_enabled = false
multi_az = false
create_cloudwatch_log_group = false
skip_final_snapshot = true
@ -170,8 +159,8 @@ module "mysql" {
db_subnet_group_name = module.subnet_group.db_subnet_group_id
create_db_subnet_group = false
publicly_accessible = true
iam_database_authentication_enabled = true
publicly_accessible = false
iam_database_authentication_enabled = false
multi_az = false
create_cloudwatch_log_group = false
skip_final_snapshot = true
@ -182,53 +171,6 @@ module "mysql" {
create_db_parameter_group = false
}
data "aws_secretsmanager_secret_version" "pg_master_password" {
secret_id = module.pg.db_instance_master_user_secret_arn
}
provider "postgresql" {
host = module.pg.db_instance_address
port = var.postgres_port
username = var.database_master_username
password = jsondecode(data.aws_secretsmanager_secret_version.pg_master_password.secret_string)["password"]
superuser = false
sslmode = "disable"
connect_timeout = 15
}
resource "postgresql_role" "teleport_user" {
count = var.create_postgres ? 1 : 0
name = var.teleport_database_user
roles = ["rds_iam"]
login = true
depends_on = [module.postgres_security_group, module.pg]
}
data "aws_secretsmanager_secret_version" "mysql_master_password" {
secret_id = module.mysql.db_instance_master_user_secret_arn
}
provider "mysql" {
endpoint = format("%s:%s", module.mysql.db_instance_address, var.mysql_port)
username = var.database_master_username
password = jsondecode(data.aws_secretsmanager_secret_version.mysql_master_password.secret_string)["password"]
tls = "skip-verify"
}
resource "mysql_user" "teleport_user" {
user = var.teleport_database_user
host = "%"
auth_plugin = "AWSAuthenticationPlugin"
depends_on = [module.mysql_security_group, module.mysql]
}
resource "mysql_grant" "teleport_user" {
user = mysql_user.teleport_user.user
host = mysql_user.teleport_user.host
database = "%"
privileges = ["ALL"]
}
module "database_agent_policy" {
source = "terraform-aws-modules/iam/aws//modules/iam-policy"
version = "~> 5.28"
@ -244,10 +186,10 @@ module "database_agent_policy" {
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:DescribeDBClusters",
"rds:ModifyDBInstance",
"rds:ModifyDBCluster"
"rds:DescribeDBProxies",
"rds:DescribeDBProxyEndpoints",
"rds:DescribeDBProxyTargets",
"rds:ListTagsForResource"
],
"Resource": "*"
},
@ -280,10 +222,10 @@ module "database_agent_policy_boundary" {
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:DescribeDBClusters",
"rds:ModifyDBInstance",
"rds:ModifyDBCluster",
"rds:DescribeDBProxies",
"rds:DescribeDBProxyEndpoints",
"rds:DescribeDBProxyTargets",
"rds:ListTagsForResource",
"rds-db:connect"
],
"Resource": "*"
@ -315,3 +257,57 @@ module "iam_eks_role" {
"${var.eks_cluster_name}" = ["${var.database_access_namespace}:${var.database_access_svc_account_name}"]
}
}
module "postgres_proxy" {
source = "terraform-aws-modules/rds-proxy/aws"
version = "~> 3"
create = var.create_postgres
name = local.pg_proxy_name
vpc_subnet_ids = data.aws_subnets.selected.ids
vpc_security_group_ids = [module.postgres_security_group.security_group_id]
auth = {
"master_user" = {
description = "${var.database_master_username} master user"
secret_arn = module.pg.db_instance_master_user_secret_arn
iam_auth = "REQUIRED"
}
}
engine_family = "POSTGRESQL"
debug_logging = false
target_db_instance = true
db_instance_identifier = module.pg.db_instance_identifier
tags = {
"loadtest" = var.prefix
}
}
module "mysql_proxy" {
source = "terraform-aws-modules/rds-proxy/aws"
version = "~> 3"
create = var.create_mysql
name = local.mysql_proxy_name
vpc_subnet_ids = data.aws_subnets.selected.ids
vpc_security_group_ids = [module.mysql_security_group.security_group_id]
auth = {
"master_user" = {
description = "${var.database_master_username} master user"
secret_arn = module.mysql.db_instance_master_user_secret_arn
iam_auth = "REQUIRED"
}
}
engine_family = "MYSQL"
debug_logging = false
target_db_instance = true
db_instance_identifier = module.mysql.db_instance_identifier
tags = {
"loadtest" = var.prefix
}
}
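Review bot: Both proxy `auth` maps register only the master-user secret with `iam_auth = "REQUIRED"`, and the `database_agent_policy_boundary` hunk still allows `rds-db:connect` on `"Resource": "*"`, so after this change any principal under that boundary that obtains IAM auth connects to either database as the master user instead of the dedicated `teleport_database_user` the deleted `postgresql_role`/`mysql_user` resources used to create. The proxies also reuse the instance security groups, which admit the whole VPC CIDR on the database port, and with `iam_database_authentication_enabled = false` the managed master password becomes the single credential for both the proxy path and any VPC client that reaches the instance directly. For a load-test account this may be acceptable, but it should be explicit: add `# Only the master user is exposed through the proxy; every caller granted rds-db:connect gets admin-level database access.` above each `auth` block, and if the policy documents are Terraform heredocs narrow the grant to `"Resource": "arn:${local.partition}:rds-db:${var.region}:${local.account_id}:dbuser:*/${var.database_master_username}"`. The `database_agent_policy` statement that actually grants `rds-db:connect`, if any, is outside the hunk.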


@ -1,13 +1,3 @@
output "postgres_address" {
description = "PostgreSQL address including port"
value = try("${module.pg.db_instance_address}:${var.postgres_port}", "")
}
output "mysql_address" {
description = "MySQL address including port"
value = try("${module.mysql.db_instance_address}:${var.mysql_port}", "")
}
output "database_agent_role_arn" {
description = "IAM Role ARN that must be used by the database agents."
value = module.iam_eks_role.iam_role_arn


@ -13,7 +13,7 @@ variable "region" {
variable "instance_class" {
type = string
description = "Database instance machine class."
default = "db.t3.medium"
default = "db.t4g.xlarge"
}
variable "create_postgres" {
@ -40,21 +40,16 @@ variable "create_mysql" {
default = true
}
variable "local_ip" {
type = string
description = "Local IP address. It is used to create a security group with external access, which is required when Terraform creates the Teleport database user."
}
variable "database_master_username" {
type = string
description = "Database master username"
default = "postgres"
default = "teleport"
}
variable "database_name" {
type = string
description = "Database name"
default = "postgres"
default = "teleport"
}
variable "teleport_database_user" {
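Review bot: `variable "teleport_database_user"` (its block starts on the last hunk line and continues outside it) appears to be left without a consumer: the `postgresql_role`, `mysql_user` and `mysql_grant` resources that referenced it are deleted in main.tf and the new proxy `auth` maps only use `var.database_master_username`, so it should be removed or its continued use pointed out. The `database_master_username` default `teleport` now also names the only database identity reachable through the proxies, which the description does not convey; suggest `description = "Database master username. With RDS Proxy this is the only database user exposed to agents, so it carries admin-level access."`. Whether anything else in the module still reads `var.teleport_database_user` cannot be confirmed from the hunks shown.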


@ -5,13 +5,5 @@ terraform {
source = "hashicorp/aws"
version = "~> 5.12"
}
postgresql = {
source = "cyrilgdn/postgresql"
version = "~> 1.20"
}
mysql = {
source = "petoju/mysql"
version = "~> 3.0"
}
}
}