From da1379784c4d8cf22927e39fef7f8ef6c0e807c0 Mon Sep 17 00:00:00 2001
From: Robert Kibble
Date: Tue, 2 Jan 2024 13:10:18 +0000
Subject: [PATCH 1/3] FS-3876 - Set up an SG connection to the Redis instance
---
 .../addons/funding-service-magic-links.yml | 17 ++++++
 scripts/aws_connect_redis.sh | 55 +++++++++++++++++++
 2 files changed, 72 insertions(+)
 create mode 100755 scripts/aws_connect_redis.sh
diff --git a/apps/pre-award/copilot/environments/addons/funding-service-magic-links.yml b/apps/pre-award/copilot/environments/addons/funding-service-magic-links.yml
index 75dbc511..617c1bf2 100644
--- a/apps/pre-award/copilot/environments/addons/funding-service-magic-links.yml
+++ b/apps/pre-award/copilot/environments/addons/funding-service-magic-links.yml
@@ -6,6 +6,17 @@ Parameters:
 Type: String
 Description: The environment name your service, job, or workflow is being deployed to.
+Mappings:
+ BastionMap:
+ dev:
+ "SecurityGroup": "sg-0b6c7aabb95bf14a9"
+ test:
+ "SecurityGroup": "sg-0cf75a004dbade7b8"
+ uat:
+ "SecurityGroup": "sg-04017abfef2079894"
+ prod:
+ "SecurityGroup": "sg-08cecea8f9b8a4ec9"
+
 Resources:
 # Subnet group to control where the Redis gets placed
 RedisSubnetGroup:
@@ -23,6 +34,12 @@ Resources:
 VpcId:
 Fn::ImportValue: !Sub '${App}-${Env}-VpcId'
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 6379
+ ToPort: 6379
+ Description: Ingress from Bastion
+ SourceSecurityGroupId: !FindInMap [BastionMap, !Ref Env, 'SecurityGroup']
 # Enable ingress from other ECS services created within the environment.
 RedisIngress:
diff --git a/scripts/aws_connect_redis.sh b/scripts/aws_connect_redis.sh
new file mode 100755
index 00000000..a9ee146d
--- /dev/null
+++ b/scripts/aws_connect_redis.sh
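Review bot: The `BastionMap` added in the Mappings hunk hard-codes one security-group id per environment with no default, so `!FindInMap [BastionMap, !Ref Env, 'SecurityGroup']` in the later SecurityGroupIngress hunk fails the stack update for any `Env` value other than dev, test, uat and prod, and every bastion rebuild means editing this addon. A `BastionSecurityGroupId` parameter, or an export from the bastion stack consumed with `Fn::ImportValue` the way this template already resolves `VpcId`, would keep account-specific ids out of the template. At minimum add a comment above `Mappings:` recording their origin, e.g. `# Security group of the *-bastion instance in each environment; update if the bastion is recreated.`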
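Review bot: The new `SecurityGroupIngress` entry carries no comment explaining why the cache now accepts connections from the bastion, while the sibling `RedisIngress` resource just below it is commented; the `Description: Ingress from Bastion` field names the source but not the purpose. Add a comment above `SecurityGroupIngress:` such as `# Allow engineers to reach Redis over SSM port forwarding from the bastion (see scripts/aws_connect_redis.sh)` so the reason for this extra path into the cache sits next to the rule. The rule admits anything in the bastion's security group on 6379, so access from there rests on the credential in RedisSecret and on TLS at the endpoint, neither of which is visible in this hunk.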
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+if [ "$AWS_ACCESS_KEY_ID" == "" -o "$AWS_SECRET_ACCESS_KEY" == "" -o "$AWS_SESSION_TOKEN" == "" ]
+then
+ echo "Log in to AWS and try again."
+ exit 1
+fi
+
+which yq >/dev/null
+if [ $? -ne 0 ]
+then
+ echo "Please install yq - this is needed to interpret the required secret values."
+ exit 1
+fi
+
+BASTION=$(aws ec2 describe-instances --filter Name=tag:Name,Values='*-bastion' --query "Reservations[*].Instances[*].InstanceId" | yq '.[0][0]')
+echo $BASTION
+echo
+echo "Getting secret..."
+ARN=$(aws secretsmanager list-secrets --query "SecretList[?Tags[?Key=='aws:cloudformation:logical-id' && Value=='RedisSecret']].ARN" | yq '.[0]')
+echo
+echo "Getting secret values..."
+VALUE=$(aws secretsmanager get-secret-value --secret-id $ARN --query 'SecretString' | yq '..')
+USERNAME=$(echo "$VALUE" | yq '.username')
+PASSWORD=$(echo "$VALUE" | yq '.password')
+
+aws elasticache describe-cache-clusters --show-cache-node-info | yq '.CacheClusters[].CacheNodes[].Endpoint.Address'
+REDIS=$(aws elasticache describe-cache-clusters --show-cache-node-info | yq '.CacheClusters[].CacheNodes[].Endpoint.Address' | grep funding-service-magic-links | head -1)
+PORT=6739
+echo ${REDIS}
+
+echo
+echo "Setting up connection..."
+echo "aws ssm start-session --target $BASTION --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host=\"$REDIS\",portNumber=\"$PORT\",localPortNumber=\"$PORT\""
+aws ssm start-session --target $BASTION --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host="$REDIS",portNumber="$PORT",localPortNumber="$PORT" &
+
+echo "Waiting 5..."
+sleep 5
+echo
+echo "Connecting..."
+
+redis-cli -h localhost --tls -a "${PASSWORD}" -p ${PORT}
+
+echo "Checking cleanup..."
+PSOUT=$(ps -ft$(tty) | grep session-manager-plugin | grep -v grep | while read a b c;do echo $b;done)
+PSOUT=$(echo $PSOUT | xargs echo) # Remove newlines
+if [ "$PSOUT" != "" ]
+then
+ ps -ft$(tty) | grep session-manager-plugin | grep -v grep | cut -c-100
+ echo Killing $PSOUT
+ for pid in $PSOUT
+ do
+ kill -9 $pid
+ done
+fi
From ee82daf6f2c28fe183601440e6a7bf4acce25cfa Mon Sep 17 00:00:00 2001
From: Robert Kibble
Date: Tue, 2 Jan 2024 14:28:42 +0000
Subject: [PATCH 2/3] 6379
---
 scripts/aws_connect_redis.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/aws_connect_redis.sh b/scripts/aws_connect_redis.sh
index a9ee146d..678f717f 100755
--- a/scripts/aws_connect_redis.sh
+++ b/scripts/aws_connect_redis.sh
@@ -26,7 +26,7 @@ PASSWORD=$(echo "$VALUE" | yq '.password')
 aws elasticache describe-cache-clusters --show-cache-node-info | yq '.CacheClusters[].CacheNodes[].Endpoint.Address'
 REDIS=$(aws elasticache describe-cache-clusters --show-cache-node-info | yq '.CacheClusters[].CacheNodes[].Endpoint.Address' | grep funding-service-magic-links | head -1)
-PORT=6739
+PORT=6379
 echo ${REDIS}
 echo
From eeb424e8843c87e910c52e23ee38b6367ba964a0 Mon Sep 17 00:00:00 2001
From: Robert Kibble
Date: Tue, 2 Jan 2024 14:37:29 +0000
Subject: [PATCH 3/3] Experiment with commands
---
 scripts/aws_connect_redis.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/scripts/aws_connect_redis.sh b/scripts/aws_connect_redis.sh
index 678f717f..e8f6a641 100755
--- a/scripts/aws_connect_redis.sh
+++ b/scripts/aws_connect_redis.sh
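Review bot: Nothing in the new script stops on a failed lookup: the `BASTION`, `ARN` and `REDIS` assignments are never checked and there is no `set -euo pipefail`, so an `aws` error or a `yq` result of `null` still reaches `aws ssm start-session` and then `redis-cli` with empty values. Add `set -euo pipefail` under the shebang and guard each lookup, e.g. `[ -n "$BASTION" ] && [ "$BASTION" != "null" ] || { echo "no bastion instance found" >&2; exit 1; }`. The cleanup block at the end greps for every `session-manager-plugin` on the tty and sends `kill -9`, which can take down an unrelated session and is skipped entirely if redis-cli is interrupted; since the port-forward is already started with `&`, recording `$!` and terminating that one process from an `EXIT` trap is narrower and runs on every exit path (if the plugin outlives its parent, `pkill -TERM -P "$TUNNEL_PID"` reaches its children). `[ ... -o ... ]` and `which yq` are the non-portable forms; `[[ -z "$AWS_ACCESS_KEY_ID" || -z "$AWS_SECRET_ACCESS_KEY" || -z "$AWS_SESSION_TOKEN" ]]` and `command -v yq >/dev/null` are the usual replacements.
```shell
set -euo pipefail
# … unchanged: credential and yq checks, bastion/secret/endpoint lookups …
aws ssm start-session --target "$BASTION" --document-name AWS-StartPortForwardingSessionToRemoteHost \
  --parameters host="$REDIS",portNumber="$PORT",localPortNumber="$PORT" &
TUNNEL_PID=$!
# Tear down only our own tunnel, on any exit path; TERM first, children before parent.
trap 'pkill -TERM -P "$TUNNEL_PID" 2>/dev/null; kill "$TUNNEL_PID" 2>/dev/null' EXIT
# … unchanged: wait and redis-cli; the ps | grep | kill -9 block is no longer needed …
```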
@@ -39,7 +39,9 @@ sleep 5
 echo
 echo "Connecting..."
-redis-cli -h localhost --tls -a "${PASSWORD}" -p ${PORT}
+#echo "redis-cli -h localhost --tls -u '${USERNAME}' -a '${PASSWORD}' -p ${PORT}"
+#redis-cli -h localhost --tls -u "${USERNAME}" -a "${PASSWORD}" -p ${PORT}
+redis-cli "redis://${USERNAME}:${PASSWORD}@localhost:${PORT}" PING
 echo "Checking cleanup..."
 PSOUT=$(ps -ft$(tty) | grep session-manager-plugin | grep -v grep | while read a b c;do echo $b;done)
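Review bot: The new `redis-cli "redis://${USERNAME}:${PASSWORD}@localhost:${PORT}" PING` drops the TLS that the removed line requested with `--tls`: the `redis://` scheme is plaintext, so from the bastion to the endpoint the credential travels in the clear (or the connection is refused if the cluster enforces transit encryption); the `rediss://` scheme keeps TLS. The password is still placed on the command line, where it is visible to `ps` on the workstation, and any `@`, `:` or `/` in it breaks the URI; redis-cli reads `REDISCLI_AUTH` from the environment, so `REDISCLI_AUTH="$PASSWORD" redis-cli --tls --user "$USERNAME" -h localhost -p "$PORT"` addresses both. Trailing `PING` turns the session into a one-shot command, which matches the "experiment" in the commit title; if the script is meant to open an interactive session, drop it, and remove the two commented-out `+#` attempts rather than committing them.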