Postgresql Terraform, RDS (Postgres) and production
How to deploy a Postgres database to RDS in production using Terraform

I am currently running Terraform locally to deploy my RDS instance into an AWS environment. However, in order to create the Postgres resources (using the provider from cyrilgdn), I have to make my RDS instance public. That is undesirable in a PROD environment, for obvious reasons. So how do people get around this for PROD Terraform deployments? I guess the only option is to run Terraform inside the RDS private subnet of the VPC... but how is that even possible?? Or am I missing something important? :S

Tags: postgresql, amazon-web-services, terraform, amazon-rds, terraform-provider-azure
provider "aws" {
  # Static keys passed in as variables. In production prefer an assumed role
  # or a named profile so long-lived secrets never land in tfvars or state.
  access_key = var.aws_access_key
  secret_key = var.aws_secret_key
  region     = var.aws_region

  default_tags {
    tags = {
      Owner       = var.owner
      Environment = var.env
    }
  }
}

# This security group and the instance below are what the question is about:
# the 0.0.0.0/0 ingress rule and publicly_accessible = true are the settings
# that expose the database so the postgresql provider can reach it.
resource "aws_security_group" "db-rules" {
  name   = "rds-sec-grp"
  vpc_id = var.rds_vpc_id

  tags = {
    Name = "rds-sec-grp"
  }

  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # port 5432 open to the whole Internet
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_db_instance" "default" {
  identifier        = "db-instance"
  allocated_storage = 10
  engine            = "postgres"
  engine_version    = "13.2"
  port              = 5432
  instance_class    = "db.t3.medium"
  multi_az          = false
  name              = "db_system_${var.env}" # this argument is db_name in AWS provider >= 4.0
  username          = var.db_master_username
  password          = var.db_master_password

  publicly_accessible    = true # public endpoint, in a public subnet group
  skip_final_snapshot    = true
  db_subnet_group_name   = var.rds_public_subnet_group
  vpc_security_group_ids = [aws_security_group.db-rules.id]

  tags = {
    Name = "db-instance"
  }
}

# cyrilgdn/postgresql provider, connecting over the instance's public endpoint.
provider "postgresql" {
  host             = aws_db_instance.default.address
  port             = aws_db_instance.default.port
  database         = aws_db_instance.default.name
  username         = var.db_master_username
  password         = var.db_master_password
  superuser        = false # the RDS master user is not a PostgreSQL superuser
  sslmode          = "require"
  connect_timeout  = 15
  expected_version = aws_db_instance.default.engine_version
}

resource "postgresql_database" "default" {
  name  = "db_${var.env}"
  owner = var.db_master_username
}

# Three application roles; their privileges are granted further down.
resource "postgresql_role" "readonly" {
  name             = var.db_readonly_username
  password         = var.db_readonly_password
  login            = true
  connection_limit = 5
}

resource "postgresql_role" "readwrite" {
  name             = var.db_readwrite_username
  password         = var.db_readwrite_password
  login            = true
  connection_limit = 5
}

resource "postgresql_role" "migrator" {
  name             = var.db_migrator_username
  password         = var.db_migrator_password
  login            = true
  connection_limit = 5
}

resource "postgresql_schema" "ps" {
  name     = "ps"
  database = postgresql_database.default.name
  owner    = var.db_master_username
}

# An empty privileges list revokes everything the pseudo-role "public" has on
# the default schema.
resource "postgresql_grant" "revoke_public_schema" {
  database    = postgresql_database.default.name
  role        = "public"
  schema      = "public"
  object_type = "schema"
  privileges  = []
}

# The grants below are chained with depends_on so they are applied one at a
# time rather than concurrently.
resource "postgresql_grant" "readonly_schema" {
  database    = postgresql_database.default.name
  role        = postgresql_role.readonly.name
  schema      = postgresql_schema.ps.name
  object_type = "schema"
  privileges  = ["USAGE"]

  depends_on = [
    postgresql_grant.revoke_public_schema
  ]
}

resource "postgresql_grant" "readwrite_schema" {
  database    = postgresql_database.default.name
  role        = postgresql_role.readwrite.name
  schema      = postgresql_schema.ps.name
  object_type = "schema"
  privileges  = ["USAGE"]

  depends_on = [
    postgresql_grant.readonly_schema
  ]
}

resource "postgresql_grant" "migrator_schema" {
  database    = postgresql_database.default.name
  role        = postgresql_role.migrator.name
  schema      = postgresql_schema.ps.name
  object_type = "schema"
  privileges  = ["CREATE", "USAGE"]

  depends_on = [
    postgresql_grant.readwrite_schema
  ]
}

resource "postgresql_grant" "readonly" {
  database    = postgresql_database.default.name
  role        = postgresql_role.readonly.name
  schema      = postgresql_schema.ps.name
  object_type = "table"
  privileges  = ["SELECT"]

  depends_on = [
    postgresql_grant.migrator_schema
  ]
}

resource "postgresql_grant" "readwrite" {
  database    = postgresql_database.default.name
  role        = postgresql_role.readwrite.name
  schema      = postgresql_schema.ps.name
  object_type = "table"
  privileges  = ["SELECT", "INSERT", "UPDATE", "DELETE"]

  depends_on = [
    postgresql_grant.migrator_schema
  ]
}

resource "postgresql_grant" "migrator" {
  database    = postgresql_database.default.name
  role        = postgresql_role.migrator.name
  schema      = postgresql_schema.ps.name
  object_type = "table"
  privileges  = ["INSERT"]

  depends_on = [
    postgresql_grant.migrator_schema
  ]
}

# ECR repositories for the application images, with scanning on push.
resource "aws_ecr_repository" "webapi" {
  name = "webapi"

  image_scanning_configuration {
    scan_on_push = true
  }
}

resource "aws_ecr_repository" "service" {
  name = "pollingservice"

  image_scanning_configuration {
    scan_on_push = true
  }
}

resource "aws_ecr_repository" "migration" {
  name = "datamigrations"

  image_scanning_configuration {
    scan_on_push = true
  }
}
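In the configuration above the database is reachable from the Internet for two independent reasons: the instance has `publicly_accessible = true` in a public subnet group, and its security group admits port 5432 from `0.0.0.0/0`. The following is an added example, not code from the question or from any commenter, showing the same instance and security group made private. `var.rds_private_subnet_group`, `var.app_security_group_id` and `var.bastion_security_group_id` are assumed inputs; `var.rds_vpc_id`, `var.env` and the credential variables are the question's own.

```hcl
# Added example (not the asker's code): the same RDS instance kept private.
# Assumed inputs: var.rds_private_subnet_group (a subnet group made of private
# subnets), var.app_security_group_id (the security group of the ECS/EC2
# workload) and var.bastion_security_group_id (the host Terraform's
# postgresql provider connects from).

resource "aws_security_group" "db_rules_private" {
  name   = "rds-sec-grp-private"
  vpc_id = var.rds_vpc_id

  tags = {
    Name = "rds-sec-grp-private"
  }
}

# Port 5432 only from the application's security group, never from a CIDR.
resource "aws_security_group_rule" "db_from_app" {
  type                     = "ingress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  security_group_id        = aws_security_group.db_rules_private.id
  source_security_group_id = var.app_security_group_id
}

# Port 5432 from the bastion (or in-VPC CI runner) that runs the provider.
resource "aws_security_group_rule" "db_from_bastion" {
  type                     = "ingress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  security_group_id        = aws_security_group.db_rules_private.id
  source_security_group_id = var.bastion_security_group_id
}

# No egress rule: the instance only answers client connections, so the
# security group's default of "no outbound traffic" is what we want.

resource "aws_db_instance" "private" {
  identifier        = "db-instance"
  allocated_storage = 10
  engine            = "postgres"
  engine_version    = "13.2"
  port              = 5432
  instance_class    = "db.t3.medium"
  multi_az          = false
  db_name           = "db_system_${var.env}" # "name" in AWS provider < 4.0
  username          = var.db_master_username
  password          = var.db_master_password

  # Private subnets, no public endpoint, and the instance's own SG.
  db_subnet_group_name   = var.rds_private_subnet_group
  publicly_accessible    = false
  vpc_security_group_ids = [aws_security_group.db_rules_private.id]

  # Production safety: encrypt at rest (account default KMS key unless
  # kms_key_id is set), refuse accidental destroys, keep a final snapshot.
  storage_encrypted         = true
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "db-instance-final-${var.env}" # letters, digits, hyphens only

  tags = {
    Name = "db-instance"
  }
}
```

With `publicly_accessible = false` the instance's DNS name resolves to a private VPC address, so a Terraform run on a laptop can no longer reach it at all; that is the point, and it is why the postgresql provider must then run either from inside the VPC or through a tunnel to a host that is.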
Sorry, why should your database be public? What is wrong with keeping it private? I mean, it should be private.

I have to make it public, otherwise Terraform cannot connect to the instance to create the Postgres resources on it. The question is how I can use Terraform the way I do now, but with a private RDS instance.

Can you be a bit clearer? What example? Do you have any actual TF code that demonstrates your problem?

You need a bastion server. I can't prescribe what type or how it should be set up, but this Wikipedia article is a good starting point: . Once the bastion is up, you can run TF from there to deploy your infrastructure.

I see, TF uses GoCloud for this purpose. Have you tried it?
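The bastion approach suggested in the comments, as an added example that is not part of the question or of any comment. It assumes `var.public_subnet_id`, `var.operator_cidr` (the address you run Terraform from), `var.bastion_ami`, `var.bastion_key_name` and `var.db_security_group_id` (the security group of an RDS instance that has already been made private, with no inline `ingress` blocks, since inline rules and `aws_security_group_rule` resources must not be mixed on one group); `aws_db_instance.default` is reused from the question for the database name and version.

```hcl
# Added example (not from the question or the comments): a bastion host and
# the postgresql provider driven through an SSH tunnel to a private RDS.
# Assumed inputs: var.public_subnet_id, var.operator_cidr (your own egress
# address, never 0.0.0.0/0), var.bastion_ami, var.bastion_key_name and
# var.db_security_group_id (the private instance's security group).

resource "aws_security_group" "bastion" {
  name   = "bastion-sec-grp"
  vpc_id = var.rds_vpc_id

  tags = {
    Name = "bastion-sec-grp"
  }
}

# SSH into the bastion only from the operator's address.
resource "aws_security_group_rule" "bastion_ssh_in" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [var.operator_cidr]
  security_group_id = aws_security_group.bastion.id
}

# The bastion may only talk to the database, on 5432 (for an egress rule,
# source_security_group_id is the destination group).
resource "aws_security_group_rule" "bastion_to_db" {
  type                     = "egress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  security_group_id        = aws_security_group.bastion.id
  source_security_group_id = var.db_security_group_id
}

# ...and the database accepts 5432 from the bastion's security group.
resource "aws_security_group_rule" "db_ingress_from_bastion" {
  type                     = "ingress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  security_group_id        = var.db_security_group_id
  source_security_group_id = aws_security_group.bastion.id
}

resource "aws_instance" "bastion" {
  ami                         = var.bastion_ami
  instance_type               = "t3.micro"
  subnet_id                   = var.public_subnet_id
  associate_public_ip_address = true
  key_name                    = var.bastion_key_name
  vpc_security_group_ids      = [aws_security_group.bastion.id]

  metadata_options {
    http_tokens = "required" # IMDSv2 only
  }

  tags = {
    Name = "bastion-${var.env}"
  }
}

# Open the tunnel before every plan, apply and destroy, because the provider
# connects at plan time:
#   ssh -N -L 15432:<rds-address>:5432 ec2-user@<bastion-public-ip>
# Then point the provider at the local end of the tunnel.
provider "postgresql" {
  host             = "127.0.0.1"
  port             = 15432
  database         = aws_db_instance.default.name # db_name in AWS provider >= 4.0
  username         = var.db_master_username
  password         = var.db_master_password
  superuser        = false
  sslmode          = "require" # TLS still terminates at RDS through the tunnel;
                               # verify-full would fail the hostname check on 127.0.0.1
  connect_timeout  = 15
  expected_version = aws_db_instance.default.engine_version
}
```

Two practical caveats. First, the RDS address is not known until the AWS layer has been applied, so keep the AWS resources and the Postgres-level resources (`postgresql_database`, roles, grants) in separate root modules with separate state; apply the AWS layer, open the tunnel, then apply the Postgres layer. Second, if the bastion has the SSM agent and an instance profile with `AmazonSSMManagedInstanceCore`, the port 22 rule can be dropped entirely and the tunnel opened with `aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{"host":["<rds-address>"],"portNumber":["5432"],"localPortNumber":["15432"]}'`. The most common production answer removes the tunnel altogether: run the Postgres layer from a runner inside the VPC (CodeBuild with a VPC configuration, an ECS task, or a Terraform Cloud agent) whose security group is the one the database admits.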