AWS RDS DescribeDbInstances-使用IaaC将结果列表限制为仅特定实例 [英] AWS RDS DescribeDbInstances - limit result list only to specific instance using IaaC
问题描述
我正在尝试使用Terraform来提供体系结构,并确保应用程序对周围的事物了解得尽可能少.
I am trying to provision an architecture with Terraform and ensure that applications have as little knowledge about anything going around them as possible.
我的目标是拥有一个使用Amazon SDK的应用程序,询问哪些RDS实例可用,然后再连接到其中一个实例.这样,不需要外部信息(db-instance-identifier或Tag).
My goal is to have an app that uses Amazon's SDK to ask which RDS instances are available for it and then to connect to one of them. This way, no outside information(db-instance-identifier or Tag) is required.
该应用程序将仅描述RDS实例,并且由于Terraform仅将其运行所在的EC2授予了特定RDS权限,因此它只能从describe-db-instances中得到一个结果.然后,通过使用RDS IAM身份验证机制,应用程序将连接到数据库并达到其目的.
The application would just describe the RDS instances, and since EC2 on which it runs would have been given permissions by Terraform only to specific RDS, it would have gotten just one result from the describe-db-instances. Then, by using RDS IAM auth mechanism, the application would connect to the DB and serve its purpose.
尽管从我所见,例如Resource: "*".但是随后,该描述包含了所有RDS实例,而不仅仅是一个EC2应该被允许连接. 该应用程序无法区分应使用实例列表中的哪个n结果.
Though from what I have seen e.g. in this SO question and AWS RDS documentation describe-db-instances is "all or nothing" type of command. IAM Policy given to IAM Role on the EC2 Instance Profile must have Resource: "*". But then, the description contains all the RDS instances, not just the one EC2 should be allowed to connect to. The application has no way to distinguish which of the n results from instances list should it use.
另一方面,当您将describe-db-instances限制为特定资源时,唯一可以成功描述的方法是将db-instance-identifier添加到请求中:
On the other hand, when you limit describe-db-instances to specific resource, then the only way to describe without failure is to add the db-instance-identifier to the request:
aws rds describe-db-instances --db-instance-identifier databasename
但是,应用程序需要从外部"检索db-instance-identifier,这也不能满足我的要求.
But then, the application needs to retrieve the db-instance-identifier from the "outside", and that fails to meet my requirements too.
也许我在推理的某些部分上犯了错误,但是甚至有可能实现吗?
Perhaps I am mistaken in some parts of my reasoning, but is it even possible to achieve?
推荐答案
如果使用相同的Terraform部署来配置RDS实例,则可以执行以下操作:
If the RDS instances are provisioned using the same Terraform deployment, you could do something like the following:
locals {
allowed_rds_nodes = aws_db_instance.foo.*.id
}
这是基本的高级抽象,但是您可以将数据库节点ID的列表传递给负责创建EC2实例的Terraform模块/代码.
This is a basic, high-level abstraction, but you could pass a list of IDs of the DB nodes to the Terraform module/code responsible for creating the EC2 instances.
如果RDS节点已经存在,并且Terraform代码仅负责EC2实例,那就有点棘手了.
If the RDS nodes already exist, and the Terraform code is only responsible for the EC2 instances, that is a bit trickier.
您是正确的,因为(当前)RDS实例唯一有效的查询或过滤机制是基于名称的.您将需要使用数据源,并在您的数据库节点上实施某种基本的命名正则表达式.
You are correct in that the only valid query or filter mechanism for RDS instances(currently) is name-based. You would need to use a data source, and enforce some kind of rudimentary naming regex on your DB nodes.
data "aws_db_instance" "allowed_rds_nodes" {
db_instance_identifier = "some-foo-bar"
}
这篇关于AWS RDS DescribeDbInstances-使用IaaC将结果列表限制为仅特定实例的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
