Automating RDS Prisma Operations with AWS SSM on Closed Instances in GitHub Actions

Prerequisites

A number of prerequisites must be met before you can set up a secure connection to your RDS instance using a bastion host and port forwarding with AWS Systems Manager (SSM).

  • An RDS instance in a private subnet whose security group allows inbound traffic on the database port (5432 for PostgreSQL) from the bastion's security group. The database never needs to be reachable from the internet or from the runner; it only sees connections from the bastion, and your client sees it on localhost purely because of the tunnel.
  • An EC2 instance in the same VPC (or one routable to the RDS subnets) with the SSM Agent installed and running, acting as the bastion. It needs outbound HTTPS to the SSM service (through a NAT gateway or VPC endpoints for ssm, ssmmessages and ec2messages) and no inbound security group rules at all.
  • An IAM role attached to the bastion (through an instance profile) that carries the AmazonSSMManagedInstanceCore permissions so the agent can register with Session Manager. The bastion needs no IAM permissions for RDS; its access to the database is purely network-level.
  • IAM permissions for the principal that starts the session, here the GitHub Actions runner: ec2:DescribeInstances to find the bastion, and ssm:StartSession scoped to the bastion instance and the AWS-StartPortForwardingSessionToRemoteHost document.
  • The Session Manager plugin for the AWS CLI installed wherever aws ssm start-session runs.

Steps

Prepare your environment with Terraform

Make sure your EC2 instance has the required IAM role attached with the necessary permissions:

resource "aws_iam_role" "role_acesso_ssm" {
  name = "role-acesso-ssm"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Action = "sts:AssumeRole", Effect = "Allow", Principal = { Service = "ec2.amazonaws.com" } }]
  })
  # Only AmazonSSMManagedInstanceCore is required for Session Manager; the two full-access policies are unrelated to the tunnel.
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  ]
}

resource "aws_iam_instance_profile" "role_acesso_ssm" {
  name = "role-acesso-ssm"
  role = aws_iam_role.role_acesso_ssm.name
}

AmazonSSMManagedInstanceCore is what lets the agent register with Session Manager; EC2 attaches a role through an instance profile, so reference the profile from the aws_instance resource. The ECR and S3 full-access policies are not needed for the tunnel and are far broader than a bastion should carry: anyone who can start a session on the instance inherits its role, so keep it to the SSM policy unless the instance genuinely needs more.

Enable Port Forwarding with SSM on GitHub Actions

Once your EC2 instance has the necessary IAM roles and SSM agent installed, you’ll set up port forwarding using AWS Systems Manager. Port forwarding allows you to connect to a closed RDS instance through the bastion host without opening its security group.

Start an SSM session to forward the port (e.g., port 5432 for PostgreSQL) from the bastion host to the RDS instance:

INSTANCE_ID=$(aws ec2 describe-instances --filters "Name=tag:Name,Values=my-bastion-host" "Name=instance-state-name,Values=running" \
  --query "Reservations[0].Instances[0].InstanceId" --output text)
aws ssm start-session --target "$INSTANCE_ID" --document-name AWS-StartPortForwardingSessionToRemoteHost \
  --parameters '{"host":["my-rds-instance.rds.amazonaws.com"],"portNumber":["5432"],"localPortNumber":["5432"]}'

This opens a tunnel from the machine running the command (here the GitHub Actions runner) to the bastion over SSM, and from the bastion to the RDS endpoint over the VPC network; the database then answers on localhost:5432. Two practical points: start-session blocks for the life of the tunnel, so in a pipeline it has to run in the background and be given time to come up before the client connects, and only the runner-to-bastion leg is encrypted by SSM. The bastion-to-RDS leg is ordinary TCP inside the VPC, so keep TLS on at the database client (sslmode=require in the PostgreSQL URL).

Setting Up Environment Variables

Prisma reads its connection string from DATABASE_URL. Store the credentials as GitHub Actions secrets (or fetch them from AWS Secrets Manager at job time with the runner's role) and assemble the URL in the job; the host is localhost and the port is the local side of the tunnel, not the RDS endpoint. Adding sslmode=require keeps the bastion-to-RDS leg encrypted:

"postgresql://username:password@localhost:5432/my_database?sslmode=require"

Perform Prisma Operations

prisma generate only builds the Prisma Client from schema.prisma and never opens a database connection, so it belongs in the Dockerfile and works without the tunnel:

# Generate Prisma Client (no database connection needed)
RUN pnpm prisma generate

Commands that actually talk to the database, such as prisma migrate deploy or prisma db push, run as a workflow step while the tunnel is open, not inside docker build, which has no access to the runner's localhost.
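
The whole procedure as one workflow step script, added here as an example rather than code from the original post. It assumes the Session Manager plugin is installed on the runner and that AWS credentials are already configured (for example with aws-actions/configure-aws-credentials and OIDC); the bastion tag and the environment variables BASTION_TAG, RDS_HOST, DB_PORT, DB_USER, DB_PASSWORD and DB_NAME are assumed inputs populated from GitHub secrets. It backgrounds start-session, waits for the local port to accept connections, runs prisma migrate deploy, and kills the session on exit whether or not the migration succeeded.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): run a Prisma migration through an
# SSM port-forwarding tunnel inside a GitHub Actions job. BASTION_TAG, RDS_HOST,
# DB_PORT, DB_USER, DB_PASSWORD and DB_NAME are assumed inputs; the defaults
# follow the names used in the post.
set -eu

# Build the --parameters JSON for AWS-StartPortForwardingSessionToRemoteHost.
ssm_port_forward_params() {
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2" "$3"
}

# Return 0 once host:port accepts a TCP connection, 1 after timeout seconds.
# Uses bash's /dev/tcp so the runner needs no extra tools such as nc.
wait_for_port() {
  local host=$1 port=$2 timeout=$3 deadline
  deadline=$(( $(date +%s) + timeout ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
      return 0
    fi
    sleep 1
  done
  return 1
}

run_migration() {
  local bastion_tag=${BASTION_TAG:-my-bastion-host}
  local rds_host=${RDS_HOST:?set RDS_HOST to the RDS endpoint}
  local port=${DB_PORT:-5432}
  local instance_id session_pid

  # Find the running bastion by its Name tag.
  instance_id=$(aws ec2 describe-instances \
    --filters "Name=tag:Name,Values=$bastion_tag" "Name=instance-state-name,Values=running" \
    --query "Reservations[0].Instances[0].InstanceId" --output text)
  [ "$instance_id" != "None" ] || { echo "no running bastion tagged $bastion_tag" >&2; return 1; }

  # start-session blocks for the life of the tunnel, so background it and make
  # sure it is torn down when the script exits, even if the migration fails.
  aws ssm start-session --target "$instance_id" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$(ssm_port_forward_params "$rds_host" "$port" "$port")" &
  session_pid=$!
  trap "kill $session_pid 2>/dev/null || true" EXIT

  wait_for_port 127.0.0.1 "$port" 60 || { echo "tunnel did not open on port $port" >&2; return 1; }

  # The URL points at the local end of the tunnel. sslmode=require keeps the
  # bastion-to-RDS leg encrypted; SSM only protects the runner-to-bastion leg.
  # Passwords containing URL-special characters must be percent-encoded.
  DATABASE_URL="postgresql://${DB_USER:?}:${DB_PASSWORD:?}@127.0.0.1:${port}/${DB_NAME:?}?sslmode=require" \
    pnpm prisma migrate deploy
}

# Only run when explicitly asked, so the functions above can be sourced or tested.
if [ "${RUN_TUNNEL:-0}" = "1" ]; then
  run_migration
fi
```

In the workflow this runs as a single step, for example RUN_TUNNEL=1 bash scripts/rds-tunnel.sh (the path is hypothetical). The runner's role needs ec2:DescribeInstances, ssm:StartSession on the bastion instance ARN and on arn:aws:ssm:<region>::document/AWS-StartPortForwardingSessionToRemoteHost, and ssm:TerminateSession so the CLI can close its own session cleanly; every StartSession call is recorded in CloudTrail, which gives you the audit trail for who opened a path to the database.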

Important Notes

  • Security: scope the runner's ssm:StartSession to the bastion's instance ARN and to the port-forwarding document, because anyone who can start a session on the bastion can reach every host and port the bastion's security group permits. Keep the bastion's own role minimal, and rely on CloudTrail's StartSession records as the audit trail for database access from CI.
  • Port Forwarding: if the RDS instance is closed, port forwarding via SSM gives you a tunnel without exposing the database publicly and without a public bastion; neither RDS nor the bastion needs an inbound rule from the internet or from the runner.

Frequently Asked Questions

Q: What is the purpose of a bastion host?

A: A bastion host is a secure, hardened host that serves as a gateway to a network or a cloud infrastructure. In this context, it is used to connect to a closed RDS instance.

Q: What is port forwarding, and how does it work?

A: Port forwarding makes a port on a remote host appear as a port on your local machine. Here, traffic sent to localhost:5432 is carried over the SSM session to the bastion and relayed by the bastion to the RDS endpoint, so the database looks local even though it is never reachable directly.

Q: How do I set up port forwarding with SSM?

A: Use the aws ssm start-session command with the AWS-StartPortForwardingSessionToRemoteHost document, passing the RDS endpoint as host, the database port as portNumber and the port you want on your machine as localPortNumber. The command needs the Session Manager plugin and ssm:StartSession permission on the bastion instance.
