refactor(loadtest): change databases to use rds proxy (#31799)
This commit is contained in:
parent
da3b49a4ee
commit
678274a4ed
@ -81,16 +81,16 @@ create-rds-database:
|
|||
$(MAKE) -C databases/rds apply
|
||||
|
||||
.PHONY: deploy-database-agents
|
||||
deploy-database-agents: POSTGRES_NAME ?= rdspostgres
|
||||
deploy-database-agents: POSTGRES_URL ?=
|
||||
deploy-database-agents: MYSQL_NAME ?= rdsmysql
|
||||
deploy-database-agents: MYSQL_URL ?=
|
||||
deploy-database-agents: DATABASE_ROLE_ARN ?=
|
||||
deploy-database-agents: LOADTEST_TAG_VALUE ?= loadtest
|
||||
deploy-database-agents:
|
||||
ifndef TELEPORT_VERSION
|
||||
@echo "TELEPORT_VERSION is required but not provided"
|
||||
@exit 1
|
||||
endif
|
||||
ifndef DATABASE_ROLE_ARN
|
||||
@echo "DATABASE_ROLE_ARN is required but not provided"
|
||||
@exit 1
|
||||
endif
|
||||
|
||||
helm upgrade --install \
|
||||
database-agents \
|
||||
|
@ -103,11 +103,8 @@ endif
|
|||
--set proxyAddr=${PROXY_SERVER} \
|
||||
--set authToken=${NODE_TOKEN} \
|
||||
--set annotations.serviceAccount."eks\.amazonaws\.com/role-arn"=${DATABASE_ROLE_ARN} \
|
||||
--set databases[0].name=${POSTGRES_NAME} \
|
||||
--set databases[0].protocol=postgres \
|
||||
--set databases[0].uri=${POSTGRES_URL} \
|
||||
--set databases[1].name=${MYSQL_NAME} \
|
||||
--set databases[1].protocol=mysql \
|
||||
--set databases[1].uri=${MYSQL_URL}
|
||||
--set awsDatabases[0].types[0]=rdsproxy \
|
||||
--set awsDatabases[0].regions[0]=us-east-1 \
|
||||
--set awsDatabases[0].tags."loadtest"="${LOADTEST_TAG_VALUE}"
|
||||
|
||||
$(MAKE) -C control-plane enable-database-agents-monitoring
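Review bot: The discovery region is hard-coded in the new `--set awsDatabases[0].regions[0]=us-east-1 \` line while the Terraform side takes it from `REGION := us-east-1` in the rds Makefile, so changing one without the other silently leaves the agents discovering nothing. Expose it the same way as the other knobs on this target, `deploy-database-agents: AWS_REGION ?= us-east-1` and `--set awsDatabases[0].regions[0]=${AWS_REGION} \`. The matcher tag `deploy-database-agents: LOADTEST_TAG_VALUE ?= loadtest` has the same hidden coupling, since the proxies are tagged `"loadtest" = var.prefix` on the Terraform side; a comment such as `# must equal PREFIX in databases/rds/Makefile, which tags the RDS proxies` next to that default would save the next person a blank discovery run. Note also that `ifndef DATABASE_ROLE_ARN` is evaluated at parse time against the global variable, so the target-specific `deploy-database-agents: DATABASE_ROLE_ARN ?=` line never influences it and can be dropped or documented as a placeholder.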
|
||||
|
|
0
assets/loadtest/control-plane/monitoring/set-password.sh
Normal file → Executable file
0
assets/loadtest/control-plane/monitoring/set-password.sh
Normal file → Executable file
|
@ -1,10 +1,8 @@
|
|||
REGION := us-east-1
|
||||
PREFIX := loadtest
|
||||
LOCAL_IP := $(shell curl -s https://checkip.amazonaws.com/)
|
||||
EKS_CLUSTER_NAME := ""
|
||||
TF_VARS = -var "region=$(REGION)" \
|
||||
-var "prefix=$(PREFIX)" \
|
||||
-var "local_ip=$(LOCAL_IP)" \
|
||||
-var "eks_cluster_name=$(EKS_CLUSTER_NAME)"
|
||||
|
||||
.PHONY: apply
|
||||
|
|
|
@ -9,6 +9,9 @@ locals {
|
|||
iam_policy_name = "${var.prefix}-database-access"
|
||||
iam_policy_name_boundary = "${var.prefix}-database-access-boundary"
|
||||
iam_role_arn = "arn:${local.partition}:iam::${local.account_id}:role/${local.iam_role_name}"
|
||||
|
||||
pg_proxy_name = "${var.prefix}-postgres-proxy"
|
||||
mysql_proxy_name = "${var.prefix}-mysql-proxy"
|
||||
}
|
||||
|
||||
provider "aws" {
|
||||
|
@ -53,15 +56,8 @@ module "postgres_security_group" {
|
|||
from_port = var.postgres_port
|
||||
to_port = var.postgres_port
|
||||
protocol = "tcp"
|
||||
description = "PostgreSQL access from within Subnet"
|
||||
description = "PostgreSQL access from within VPC"
|
||||
cidr_blocks = data.aws_vpc.selected.cidr_block
|
||||
},
|
||||
{
|
||||
from_port = var.postgres_port
|
||||
to_port = var.postgres_port
|
||||
protocol = "tcp"
|
||||
description = "PostgreSQL access from local machine (required to create database user)"
|
||||
cidr_blocks = "${var.local_ip}/32"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -82,15 +78,8 @@ module "mysql_security_group" {
|
|||
from_port = var.mysql_port
|
||||
to_port = var.mysql_port
|
||||
protocol = "tcp"
|
||||
description = "MySQL access from within Subnet"
|
||||
description = "MySQL access from within VPC"
|
||||
cidr_blocks = data.aws_vpc.selected.cidr_block
|
||||
},
|
||||
{
|
||||
from_port = var.mysql_port
|
||||
to_port = var.mysql_port
|
||||
protocol = "tcp"
|
||||
description = "MySQL access from local machine (required to create database user)"
|
||||
cidr_blocks = "${var.local_ip}/32"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -131,8 +120,8 @@ module "pg" {
|
|||
db_subnet_group_name = module.subnet_group.db_subnet_group_id
|
||||
|
||||
create_db_subnet_group = false
|
||||
publicly_accessible = true
|
||||
iam_database_authentication_enabled = true
|
||||
publicly_accessible = false
|
||||
iam_database_authentication_enabled = false
|
||||
multi_az = false
|
||||
create_cloudwatch_log_group = false
|
||||
skip_final_snapshot = true
|
||||
|
@ -170,8 +159,8 @@ module "mysql" {
|
|||
db_subnet_group_name = module.subnet_group.db_subnet_group_id
|
||||
|
||||
create_db_subnet_group = false
|
||||
publicly_accessible = true
|
||||
iam_database_authentication_enabled = true
|
||||
publicly_accessible = false
|
||||
iam_database_authentication_enabled = false
|
||||
multi_az = false
|
||||
create_cloudwatch_log_group = false
|
||||
skip_final_snapshot = true
|
||||
|
@ -182,53 +171,6 @@ module "mysql" {
|
|||
create_db_parameter_group = false
|
||||
}
|
||||
|
||||
data "aws_secretsmanager_secret_version" "pg_master_password" {
|
||||
secret_id = module.pg.db_instance_master_user_secret_arn
|
||||
}
|
||||
|
||||
provider "postgresql" {
|
||||
host = module.pg.db_instance_address
|
||||
port = var.postgres_port
|
||||
username = var.database_master_username
|
||||
password = jsondecode(data.aws_secretsmanager_secret_version.pg_master_password.secret_string)["password"]
|
||||
superuser = false
|
||||
sslmode = "disable"
|
||||
connect_timeout = 15
|
||||
}
|
||||
|
||||
resource "postgresql_role" "teleport_user" {
|
||||
count = var.create_postgres ? 1 : 0
|
||||
name = var.teleport_database_user
|
||||
roles = ["rds_iam"]
|
||||
login = true
|
||||
depends_on = [module.postgres_security_group, module.pg]
|
||||
}
|
||||
|
||||
data "aws_secretsmanager_secret_version" "mysql_master_password" {
|
||||
secret_id = module.mysql.db_instance_master_user_secret_arn
|
||||
}
|
||||
|
||||
provider "mysql" {
|
||||
endpoint = format("%s:%s", module.mysql.db_instance_address, var.mysql_port)
|
||||
username = var.database_master_username
|
||||
password = jsondecode(data.aws_secretsmanager_secret_version.mysql_master_password.secret_string)["password"]
|
||||
tls = "skip-verify"
|
||||
}
|
||||
|
||||
resource "mysql_user" "teleport_user" {
|
||||
user = var.teleport_database_user
|
||||
host = "%"
|
||||
auth_plugin = "AWSAuthenticationPlugin"
|
||||
depends_on = [module.mysql_security_group, module.mysql]
|
||||
}
|
||||
|
||||
resource "mysql_grant" "teleport_user" {
|
||||
user = mysql_user.teleport_user.user
|
||||
host = mysql_user.teleport_user.host
|
||||
database = "%"
|
||||
privileges = ["ALL"]
|
||||
}
|
||||
|
||||
module "database_agent_policy" {
|
||||
source = "terraform-aws-modules/iam/aws//modules/iam-policy"
|
||||
version = "~> 5.28"
|
||||
|
@ -244,10 +186,10 @@ module "database_agent_policy" {
|
|||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"rds:DescribeDBInstances",
|
||||
"rds:DescribeDBClusters",
|
||||
"rds:ModifyDBInstance",
|
||||
"rds:ModifyDBCluster"
|
||||
"rds:DescribeDBProxies",
|
||||
"rds:DescribeDBProxyEndpoints",
|
||||
"rds:DescribeDBProxyTargets",
|
||||
"rds:ListTagsForResource"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
|
@ -280,10 +222,10 @@ module "database_agent_policy_boundary" {
|
|||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"rds:DescribeDBInstances",
|
||||
"rds:DescribeDBClusters",
|
||||
"rds:ModifyDBInstance",
|
||||
"rds:ModifyDBCluster",
|
||||
"rds:DescribeDBProxies",
|
||||
"rds:DescribeDBProxyEndpoints",
|
||||
"rds:DescribeDBProxyTargets",
|
||||
"rds:ListTagsForResource",
|
||||
"rds-db:connect"
|
||||
],
|
||||
"Resource": "*"
|
||||
|
@ -315,3 +257,57 @@ module "iam_eks_role" {
|
|||
"${var.eks_cluster_name}" = ["${var.database_access_namespace}:${var.database_access_svc_account_name}"]
|
||||
}
|
||||
}
|
||||
|
||||
module "postgres_proxy" {
|
||||
source = "terraform-aws-modules/rds-proxy/aws"
|
||||
version = "~> 3"
|
||||
|
||||
create = var.create_postgres
|
||||
name = local.pg_proxy_name
|
||||
vpc_subnet_ids = data.aws_subnets.selected.ids
|
||||
vpc_security_group_ids = [module.postgres_security_group.security_group_id]
|
||||
|
||||
auth = {
|
||||
"master_user" = {
|
||||
description = "${var.database_master_username} master user"
|
||||
secret_arn = module.pg.db_instance_master_user_secret_arn
|
||||
iam_auth = "REQUIRED"
|
||||
}
|
||||
}
|
||||
|
||||
engine_family = "POSTGRESQL"
|
||||
debug_logging = false
|
||||
target_db_instance = true
|
||||
db_instance_identifier = module.pg.db_instance_identifier
|
||||
|
||||
tags = {
|
||||
"loadtest" = var.prefix
|
||||
}
|
||||
}
|
||||
|
||||
module "mysql_proxy" {
|
||||
source = "terraform-aws-modules/rds-proxy/aws"
|
||||
version = "~> 3"
|
||||
|
||||
create = var.create_mysql
|
||||
name = local.mysql_proxy_name
|
||||
vpc_subnet_ids = data.aws_subnets.selected.ids
|
||||
vpc_security_group_ids = [module.mysql_security_group.security_group_id]
|
||||
|
||||
auth = {
|
||||
"master_user" = {
|
||||
description = "${var.database_master_username} master user"
|
||||
secret_arn = module.mysql.db_instance_master_user_secret_arn
|
||||
iam_auth = "REQUIRED"
|
||||
}
|
||||
}
|
||||
|
||||
engine_family = "MYSQL"
|
||||
debug_logging = false
|
||||
target_db_instance = true
|
||||
db_instance_identifier = module.mysql.db_instance_identifier
|
||||
|
||||
tags = {
|
||||
"loadtest" = var.prefix
|
||||
}
|
||||
}
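Review bot: Both proxies authenticate every client as the master user: the `auth` map in `module "postgres_proxy"` and `module "mysql_proxy"` contains only `master_user` with `iam_auth = "REQUIRED"`, and the boundary policy earlier in this file grants `"rds-db:connect"` on `"Resource": "*"`, so any principal that can assume the agent role gets master privileges on both databases through the proxy. For a load-test stack that may be intended, but it deserves a comment on each `auth` block, e.g. `# Single master-user mapping: every IAM-authenticated proxy session runs as the master user.`, and the `rds-db:connect` statement could be scoped to the two proxies rather than `*`. `require_tls` is left to the module default; setting it explicitly (`require_tls = true`) makes the wire-encryption decision visible now that the old `sslmode = "disable"` and `tls = "skip-verify"` provider blocks are gone. The two `iam_database_authentication_enabled = false` changes look consistent with this design, since the proxy rather than the client authenticates to the instance with the Secrets Manager credential.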
|
||||
|
|
|
@ -1,13 +1,3 @@
|
|||
output "postgres_address" {
|
||||
description = "PostgreSQL address including port"
|
||||
value = try("${module.pg.db_instance_address}:${var.postgres_port}", "")
|
||||
}
|
||||
|
||||
output "mysql_address" {
|
||||
description = "MySQL address including port"
|
||||
value = try("${module.mysql.db_instance_address}:${var.mysql_port}", "")
|
||||
}
|
||||
|
||||
output "database_agent_role_arn" {
|
||||
description = "IAM Role ARN that must be used by the database agents."
|
||||
value = module.iam_eks_role.iam_role_arn
|
||||
|
|
|
@ -13,7 +13,7 @@ variable "region" {
|
|||
variable "instance_class" {
|
||||
type = string
|
||||
description = "Database instance machine class."
|
||||
default = "db.t3.medium"
|
||||
default = "db.t4g.xlarge"
|
||||
}
|
||||
|
||||
variable "create_postgres" {
|
||||
|
@ -40,21 +40,16 @@ variable "create_mysql" {
|
|||
default = true
|
||||
}
|
||||
|
||||
variable "local_ip" {
|
||||
type = string
|
||||
description = "Local IP address. It is used to create a security group with external access, which is required when Terraform creates the Teleport database user."
|
||||
}
|
||||
|
||||
variable "database_master_username" {
|
||||
type = string
|
||||
description = "Database master username"
|
||||
default = "postgres"
|
||||
default = "teleport"
|
||||
}
|
||||
|
||||
variable "database_name" {
|
||||
type = string
|
||||
description = "Database name"
|
||||
default = "postgres"
|
||||
default = "teleport"
|
||||
}
|
||||
|
||||
variable "teleport_database_user" {
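Review bot: `variable "teleport_database_user"` keeps its declaration while this commit deletes the `postgresql_role` and `mysql_user` resources that read `var.teleport_database_user`; if no other file still references it, the variable is now dead and should be removed, as its description would otherwise promise a database user that is never created. Changing the `database_master_username` default from `"postgres"` to `"teleport"` is, as far as I recall, a replacement-forcing attribute on RDS instances, so an existing load-test environment will be recreated on the next apply; a `# changing this recreates the instance` comment on the default would make that explicit. The `teleport_database_user` block starts on the last line of the hunk and its body lies outside it.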
|
||||
|
|
|
@ -5,13 +5,5 @@ terraform {
|
|||
source = "hashicorp/aws"
|
||||
version = "~> 5.12"
|
||||
}
|
||||
postgresql = {
|
||||
source = "cyrilgdn/postgresql"
|
||||
version = "~> 1.20"
|
||||
}
|
||||
mysql = {
|
||||
source = "petoju/mysql"
|
||||
version = "~> 3.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|