Merge pull request #109 from communitiesuk/FS-3876

FS-3876 - Set up an SG connection to the Redis instance
communitiesuk · Jan 2, 2024 · a9ef6f9 · a9ef6f9
2 parents 0e891cf + eeb424e
commit a9ef6f9
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 0 deletions.
diff --git a/apps/pre-award/copilot/environments/addons/funding-service-magic-links.yml b/apps/pre-award/copilot/environments/addons/funding-service-magic-links.yml
@@ -6,6 +6,17 @@ Parameters:
     Type: String
     Description: The environment name your service, job, or workflow is being deployed to.
 
+Mappings:
+  BastionMap:
+    dev:
+      "SecurityGroup": "sg-0b6c7aabb95bf14a9"
+    test:
+      "SecurityGroup": "sg-0cf75a004dbade7b8"
+    uat:
+      "SecurityGroup": "sg-04017abfef2079894"
+    prod:
+      "SecurityGroup": "sg-08cecea8f9b8a4ec9"
+
 Resources:
   # Subnet group to control where the Redis gets placed
   RedisSubnetGroup:
@@ -23,6 +34,12 @@ Resources:
       VpcId:
         Fn::ImportValue:
           !Sub '${App}-${Env}-VpcId'
+      SecurityGroupIngress:
+        - IpProtocol: tcp
+          FromPort: 6379
+          ToPort: 6379
+          Description: Ingress from Bastion
+          SourceSecurityGroupId: !FindInMap [BastionMap, !Ref Env, 'SecurityGroup']
 
   # Enable ingress from other ECS services created within the environment.
   RedisIngress:

diff --git a/scripts/aws_connect_redis.sh b/scripts/aws_connect_redis.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+if [ "$AWS_ACCESS_KEY_ID" == "" -o "$AWS_SECRET_ACCESS_KEY" == "" -o "$AWS_SESSION_TOKEN" == "" ]
+then
+    echo "Log in to AWS and try again."
+    exit 1
+fi
+
+which yq >/dev/null
+if [ $? -ne 0 ]
+then
+    echo "Please install yq - this is needed to interpret the required secret values."
+    exit 1
+fi
+
+BASTION=$(aws ec2 describe-instances --filter Name=tag:Name,Values='*-bastion' --query "Reservations[*].Instances[*].InstanceId" | yq '.[0][0]')
+echo $BASTION
+echo
+echo "Getting secret..."
+ARN=$(aws secretsmanager list-secrets --query "SecretList[?Tags[?Key=='aws:cloudformation:logical-id' && Value=='RedisSecret']].ARN" | yq '.[0]')
+echo
+echo "Getting secret values..."
+VALUE=$(aws secretsmanager get-secret-value --secret-id $ARN --query 'SecretString' | yq '..')
+USERNAME=$(echo "$VALUE" | yq '.username')
+PASSWORD=$(echo "$VALUE" | yq '.password')
+
+aws elasticache describe-cache-clusters --show-cache-node-info | yq '.CacheClusters[].CacheNodes[].Endpoint.Address'
+REDIS=$(aws elasticache describe-cache-clusters --show-cache-node-info | yq '.CacheClusters[].CacheNodes[].Endpoint.Address' | grep funding-service-magic-links | head -1)
+PORT=6379
+echo ${REDIS}
+
+echo
+echo "Setting up connection..."
+echo "aws ssm start-session --target $BASTION --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host=\"$REDIS\",portNumber=\"$PORT\",localPortNumber=\"$PORT\""
+aws ssm start-session --target $BASTION --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host="$REDIS",portNumber="$PORT",localPortNumber="$PORT" &
+
+echo "Waiting 5..."
+sleep 5
+echo
+echo "Connecting..."
+
+#echo "redis-cli -h localhost --tls -u '${USERNAME}' -a '${PASSWORD}' -p ${PORT}"
+#redis-cli -h localhost --tls -u "${USERNAME}" -a "${PASSWORD}" -p ${PORT}
+redis-cli "redis://${USERNAME}:${PASSWORD}@localhost:${PORT}" PING
+
+echo "Checking cleanup..."
+PSOUT=$(ps -ft$(tty) | grep session-manager-plugin | grep -v grep | while read a b c;do echo $b;done)
+PSOUT=$(echo $PSOUT | xargs echo) # Remove newlines
+if [ "$PSOUT" != "" ]
+then
+    ps -ft$(tty) | grep session-manager-plugin | grep -v grep | cut -c-100
+    echo Killing $PSOUT
+    for pid in $PSOUT
+    do
+        kill -9 $pid
+    done
+fi