Terraform - aws_rds_proxy 接 RDS PostgreSQL 的 init_query 指令

在 Terraform 的文件 db_proxy_default_target_group 只有提供 MySQL 的使用範例:

resource "aws_db_proxy" "example" {
  name                   = "example"
  debug_logging          = false
  engine_family          = "MYSQL"
  idle_client_timeout    = 1800
  require_tls            = true
  role_arn               = aws_iam_role.example.arn
  vpc_security_group_ids = [aws_security_group.example.id]
  vpc_subnet_ids         = [aws_subnet.example.id]

  auth {
    auth_scheme = "SECRETS"
    description = "example"
    iam_auth    = "DISABLED"
    secret_arn  = aws_secretsmanager_secret.example.arn
  }

  tags = {
    Name = "example"
    Key  = "value"
  }
}

resource "aws_db_proxy_default_target_group" "example" {
  db_proxy_name = aws_db_proxy.example.name

  connection_pool_config {
    connection_borrow_timeout    = 120
    init_query                   = "SET x=1, y=2"
    max_connections_percent      = 100
    max_idle_connections_percent = 50
    session_pinning_filters      = ["EXCLUDE_VARIABLE_SETS"]
  }
}

這邊 init_query 是用 “SET x=1, y=2” 當作 proxy 連上 db 的測通指令, 但是 MySQL 的 SET 指令跟 PostgreSQL 的 SET 指令用法不同, 所以直接把這個範例給 PostgreSQL 用的時候會噴錯誤:

proxy log:
- [INFO] [dbConnection=1140488035] The database connection closed. Reason: An internal error occurred.

db log:
- ERROR: syntax error at or near "=" at character 11
- STATEMENT: SET x=1, y=2

(以上來自 CloudWatch Logs, RDS 跟 RDS Proxy 都有設定送出 log 到這邊)

伸進去 PostgreSQL db 手動執行指令看看:

postgres=> SET x=1, y=2;
ERROR:  syntax error at or near "="
LINE 1: SET x=1, y=2;
                  ^
postgres=> SET x=1;
ERROR:  unrecognized configuration parameter "x"
postgres=>

確認是 SET 指令造成錯誤.

Google 查了幾下也是有一些回報同樣的問題, 解法幾乎都是把 init_query 拿掉, 但是這樣就少了一個 proxy 連入 db 測通 db 要有正常反應的機制.

所以找個指令替代 SET 就解決了:

init_query = "VALUES (1,2)"

AWS - IAM Role with Policy

AWS 的 IAM Role 跟 Policy 有兩種連接方式:
- Role 內嵌 Policy.
- Role 和 Policy 是各自建立, 然後再接起來(attach)用.

以 Policy 編修來說, 前者就只能在 portal 上面 CRUD, 後者在 Policy 本身的 portal 介面還可以看 permission 檢查, 歷次編修版本與控管, 相同的 Policy 還可以接到多個 Role 共用, 後來我也盡量都用後者.

不過後者在 Terraform 的寫作上有需要注意的地方, 一般寫法如下:

resource "aws_iam_policy" "this" {}
resource "aws_iam_role" "this" {}
resource "aws_iam_role_policy_attachment" "this" {
  depends_on = [
    aws_iam_role.this,
    aws_iam_policy.this
  ]
}

在 terraform apply 的時候不成問題, 但是在 terraform destroy 會發生 race condition: Policy 還沒從 Role 拆出來, 上面這個寫法會造成 aws_iam_policy 跟 aws_iam_role 同時進行 destroy, 在刪除 aws_iam_policy 就會噴錯誤訊息, 說 Policy 還接在 Role 上面所以不能被砍掉.

雖然再執行一次 terraform destroy 就過了(錯誤是在砍 aws_iam_policy 的時候噴的, 但同時砍 aws_iam_role 的動作是有被完成), 但是這樣對於砍站跑路就不夠徹底順暢.

簡單解決的方式就是在 aws_iam_role 裡面加一個 depends_on aws_iam_policy:

resource "aws_iam_role" "this" {
  ...

  depends_on = [
    aws_iam_policy.this
  ]
}

這樣子在 destroy 的時候, aws_iam_role 就會先被刪除(無論 Policy 拆出來了沒), 再刪除 aws_iam_policy 就不會卡住了.

然後第一個方式在 Terraform 有個地雷, Role 內嵌 Policy 大概是這樣寫:

resource "aws_iam_role" "this" {
  ...

  inline_policy {
    name = "Role-foobar-Policy"
    ...
  }
}

當不要用 inline_pocily 的時候, 把這段刪除成這樣:

resource "aws_iam_role" "this" {
  ...
}

然後 terraform apply 的時候, diff 並沒有出現 - 掉 inline_policy 這塊的訊息, 實際上 Terraform 真的沒做這個刪除, 在 portal 是還看得到 inline_policy 的存在, 得在這邊手動砍掉才算沒了.

---

AWS IAM 有好幾個拆連接的動作會產生 race condition, 表面上 API 回應 ok, 但是實際上裡面還在慢慢斷開, 沒那麼快拆完...

GCP - copy IAM custom role R from project A to project B

Role ID: projects/A/roles/R

0. gcloud auth login (with enough permission)

1. gcloud iam roles describe R --project=A > R.txt

2. gcloud iam roles create R --project=B --file=R.txt

random password generator - use jot + rs

適用於 BSD OS 與 Mac 環境

jot -r -c 160 / z | \
  grep -e '[a-z]' -e '[A-Z]' -e '[0-9]' | \
  rs -g0 0 64

以上會產生出 160 個 ascii / 到 z 的字元, 只擷取 a-z A-Z 0-9 來用, 集結成每行長度 64 的字串.

如果要放行一些符號的話, 像是底線(_)也在 / 到 z 的範圍內, 就可以在 grep 指令加上 -e _ 擷取來用.


Ascii table (credit: https://c-for-dummies.com/blog/?p=4895)

Terraform - google_redis_instance with auth_enabled is true

在 google_redis_instance 裡面是這樣寫的:

auth_enabled - (Optional) Optional. Indicates whether OSS Redis AUTH is enabled for the instance. If set to "true" AUTH is enabled on the instance. Default value is "false" meaning AUTH is disabled.

auth_string - (Optional) AUTH String set on the instance. This field will only be populated if auth_enabled is true.

redis 還是打開 auth 才安全, 所以當然就這樣設定:

resource "google_redis_instance" "this" {
  ...
  auth_enabled = true
  auth_string  = "023dbce5e060641d09218027704ca4b3"
  ...
}

接著 terraform apply 下去打開 auth...

Error: Value for unconfigurable attribute

  with module.redis.module.redis-general.google_redis_instance.this, on modules/redis/main.tf line 24, in resource "google_redis_instance" "this":
  24:   auth_string  = "023dbce5e060641d09218027704ca4b3"

Can't configure a value for "auth_string": its value will be decided automatically based on the result of applying this configuration.

所以是會自動生成的意思? 那拿掉 auth_string 的設定, 先 terraform apply 上去之後, 再 terraform show 出來看 auth_string 的內容...

# module.redis.module.redis-general.google_redis_instance.this:
resource "google_redis_instance" "this" {
    alternative_location_id  = "us-west1-c"
    auth_enabled             = true
    auth_string              = (sensitive value)
    ...

竟然看不到... oroz

查了一下, 得用 terraform show -json 才看得到, 執行下去會得到一行很長很長的 json, 那就多用 jq 轉一下: terraform show -json | jq .

"resources": [
  {
    "address": "module.redis.module.redis-general.google_redis_instance.this",
    "mode": "managed",
    "type": "google_redis_instance",
    "name": "this",
    "provider_name": "registry.terraform.io/hashicorp/google",
    "schema_version": 0,
    "values": {
      "alternative_location_id": "us-west1-c",
      "auth_enabled": true,
      "auth_string": "ded6f8e9-5c32-4ebb-b0fb-086a444baa7f",
      ...

終於看到啦~

Terraform - provider google version upgrade

起因是為了 resource google_redis_instance 要用到 replica 的功能...

根據 CHANGELOG 文件, provider google 需用 4.17.0 以上版本. (此時最新版是 v4.18.0)

在 versions.tf 裡面原本是這樣設定一個版本來用:

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "3.58.0"
    }
  }

  required_version = "~> 1.0.0"
}

就把 version 改成 ">= 4.17.0"
順便把 required_version 也升級成 "~> 1.1.0" (此時 homebrew terraform 是 v1.1.9)

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.17.0"
    }
  }

  required_version = "~> 1.1.0"
}


--

一般情況下來說, 這樣改完之後再執行 terraform init -upgrade 就會看到原本裝好的 provider google:

- Using previously-installed hashicorp/google v3.58.0

被更新中...

- Installing hashicorp/google v4.18.0...
- Installed hashicorp/google v4.18.0 (signed by HashiCorp)

之後的 terraform init 動作就看到都是 v4.18.0

- Using previously-installed hashicorp/google v4.18.0


然後因為 provider 跨了大版本, 遇到 state file 格式變動, 還要再執行 terraform refresh 更新一遍.

--

但是實際上...

Initializing provider plugins...
- Finding hashicorp/google versions matching ">= 2.12.0, >= 3.45.0, < 4.0.0, >= 4.17.0"...

然後 terraform init -upgrade 就抓不到能用的升級版本.

後來發現是在某個 resource 裡面有設定 version = "~> 3.0", 莫名其妙多出上面的 < 4.0.0 的條件卡關.
直接把這個改成 version = "~> 4.0" 跟著升級上去, terraform init -upgrade 版本條件就變成:

Initializing provider plugins...
- Finding hashicorp/google-beta versions matching ">= 3.45.0, < 5.0.0"...

就有抓到可用版本(v4.18.0)升級上去了.

GCP - Cloud CDN for external site

Scenario
https://www.foobar.com
- external site, not in Google Cloud.

Requirement
set another hostname for origin server access
- for example, web.foobar.com ip = www.foobar.com ip

Steps

0. In the beginning of Cloud CDN, click "ADD ORIGIN".


1. After reading preparation, and click "Continue".


2. www.foobar.com is an external site, so check "Use an external backend".


3. Click "Load balancer" list, and click "Create a load balancer".


4. In "New Classic HTTP(S) load balancer" form, start at Backend configuration.


5. Click "Backend services & backend buckets" list, and click "CREATE A BACKEND SERVICE".


6. In "Create backend service" form, basic area.


7. In "Create backend service" form, "Backends" area.


8. In "Create backend service" form, "Cloud CDN" area.


9. In basic area, input "Name" and "Description", "Backend type" select "Internet network endpoint group / External backends".


10. After selecting "Backend type", "Protocol" select "HTTPS".


11. In "Backends" area, click "Internet network endpoint group" list, and click "CREATE INTERNET NETWORK ENDPOINT GROUP".


12. In "Create a network endpoint group" form.


13. Input "Name", "Network endpoint group type" select "Network endpoint group (Internet)", "Default port" input "443",
  "Fully qualified domain name" input "web.foobar.com", and click "Create".


14. After clicking "Create", "www-foobar-com" in the Network endpoint group list.


15. "Network endpoint group details" of "www-foobar-com".


16. Back to the "Backends" area, input "foobar" at "Filter" and shows "www-foobar-com", click it.


17. After clicking "www-foobar-com", it showed at "Internet network endpoint group".


18. In "Cloud CDN" form, check "Enable Cloud CDN" and change default settings, then click "CREATE".


19. After creating "Backend configuration" successful, back to "New Classic HTTP(S) load balancer" form.
  Check "www-foobar-com" in "Backend services & backend buckets" list, then click "OK".



20. After clicking "OK", "www-foobar-com" is listed below.


21. Skip "Host and path rules" form, because of using CDN to cache whole site.


22. In "New Classic HTTP(S) load balancer" form, "Frontend configuration" area.


23. Input "Name", "Protocol" select "HTTPS (include HTTP/2)", shows "Certificate" list below, cilck "CREATE A NEW CERTIFICATE".


24. In "Create a Certificate" form.


25. Input "Name", check "Create Google-managed certificate", input "Domains" then click "CREATE".


26. Back to "Frontend configuration" form. Click "IP address" list, and click "CREATE IP ADDRESS”.


27. In "Reserved a new static IP address" form. Input "Name", and click "RESERVE".


28. Back to "Frontend configuration" form.


29. In the bottom of "Frontend configuration" form, click "ADDITIONAL CERTIFICATES" to expand form.
  Check "Enable HTTP to HTTPS redirect”, and click “DONE”.


30. Complete "Frontend configuration" form.


31. Click "Review and finalize" to confirm, and click “CREATE”.


32. There are two new load balancers. "HTTPS" is for supporting service, and "HTTP" is for redirecting connections to "HTTPS".


33. Reload "Cloud CDN", there is a new CDN listed. Click "www-foobar-com" under "Associated load balancers".


34. IP:Port of www-foobar-com is detailed. Set this IP address to www.foobar.com in DNS service.




Remove CDN settings:

1. Network services - Cloud CDN
2. Network services - Load balancing (remove with backend and certification)
3. VPC Network - IP addresses