AWS RDS DescribeDbInstances - 仅使用 IaaC 将结果列表限制到特定实例 [英] AWS RDS DescribeDbInstances - limit result list only to specific instance using IaaC

问题描述

我正在尝试使用 Terraform 配置架构，并确保应用程序对周围发生的任何事情都尽可能了解.

I am trying to provision an architecture with Terraform and ensure that applications have as little knowledge about anything going around them as possible.

我的目标是有一个应用程序使用亚马逊的 SDK 来询问哪些 RDS 实例可供它使用，然后连接到其中一个.这样，不需要外部信息(db-instance-identifier 或 Tag).

My goal is to have an app that uses Amazon's SDK to ask which RDS instances are available for it and then to connect to one of them. This way, no outside information(db-instance-identifier or Tag) is required.

应用程序只会描述 RDS 实例，并且由于运行它的 EC2 将被 Terraform 授予仅对特定 RDS 的权限，因此它只会从 describe-db-instances 获得一个结果.然后，通过使用 RDS IAM 身份验证机制，应用程序将连接到数据库并为其服务.

The application would just describe the RDS instances, and since EC2 on which it runs would have been given permissions by Terraform only to specific RDS, it would have gotten just one result from the describe-db-instances. Then, by using RDS IAM auth mechanism, the application would connect to the DB and serve its purpose.

虽然从我所看到的情况来看，例如在这个 SO 问题中 和 AWS RDS 文档 describe-db-instances 是全有或全无"类型的命令.为 EC2 实例配置文件上的 IAM 角色提供的 IAM 策略必须具有 Resource: "*".但是，描述包含所有 RDS 实例，而不仅仅是应该允许连接的一个 EC2.应用程序无法区分它应该使用实例列表中的哪个 n 结果.

Though from what I have seen e.g. in this SO question and AWS RDS documentation describe-db-instances is "all or nothing" type of command. IAM Policy given to IAM Role on the EC2 Instance Profile must have Resource: "*". But then, the description contains all the RDS instances, not just the one EC2 should be allowed to connect to. The application has no way to distinguish which of the n results from instances list should it use.

另一方面，当您将 describe-db-instances 限制为特定资源时，唯一可以不失败的描述方法是添加 db-instance-identifier 对请求:

On the other hand, when you limit describe-db-instances to specific resource, then the only way to describe without failure is to add the db-instance-identifier to the request:

aws rds describe-db-instances --db-instance-identifier databasename

但是，应用程序需要从外部"检索 db-instance-identifier，这也无法满足我的要求.

But then, the application needs to retrieve the db-instance-identifier from the "outside", and that fails to meet my requirements too.

也许我的推理在某些方面是错误的，但有可能实现吗?

Perhaps I am mistaken in some parts of my reasoning, but is it even possible to achieve?

推荐答案

如果使用相同的 Terraform 部署配置 RDS 实例，您可以执行以下操作:

If the RDS instances are provisioned using the same Terraform deployment, you could do something like the following:

locals {
  allowed_rds_nodes = aws_db_instance.foo.*.id
}

这是一个基本的高级抽象，但您可以将 DB 节点的 ID 列表传递给负责创建 EC2 实例的 Terraform 模块/代码.

This is a basic, high-level abstraction, but you could pass a list of IDs of the DB nodes to the Terraform module/code responsible for creating the EC2 instances.

如果 RDS 节点已经存在，并且 Terraform 代码只负责 EC2 实例，那就有点棘手了.

If the RDS nodes already exist, and the Terraform code is only responsible for the EC2 instances, that is a bit trickier.

您是正确的，RDS 实例(当前)唯一有效的查询或过滤机制是基于名称的.您需要使用数据源，并在您的数据库节点上执行某种基本的命名正则表达式.

You are correct in that the only valid query or filter mechanism for RDS instances(currently) is name-based. You would need to use a data source, and enforce some kind of rudimentary naming regex on your DB nodes.

data "aws_db_instance" "allowed_rds_nodes" {
  db_instance_identifier = "some-foo-bar"
}

这篇关于AWS RDS DescribeDbInstances - 仅使用 IaaC 将结果列表限制到特定实例的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！