#off-topic
2021-04-27
orestis13:04:05

I need to set up an EC2 instance with Postgres and letsencrypt. It will be accessible from the internet, so security-wise it’s important to make it easy to apply new patches etc. early and often. I would like to have some scripts or another declarative way of setting it up. In the past I was using ansible for this but perhaps I should look at Docker these days?

dharrigan14:04:33

We use Terraform to do this - set up PostgreSQL on RDS and configure the security groups. In addition, it can also be configured to use TLS, which Amazon takes care of.

orestis14:04:45

I can’t use RDS - I need a publicly accessible Postgres instance with a public CA authority. It’s a hassle, needed to set up BI access for some clients.

orestis14:04:07

(It’s proxying to the underlying RDS instance via FDW)

dharrigan14:04:40

our RDS instances are public

dharrigan14:04:44

and Amazon is a public CA

dharrigan14:04:48

but I get you, that doesn't stop you from using terraform to spin up an EC2 instance, configure the security groups, the route53 data etc., then use ansible (as a final stage action) to set up postgresql and configure the rest.

orestis16:04:56

Don’t you need to use the Amazon provided pem to validate the SSL certificate offered by RDS?

orestis16:04:17

When you connect using SSL, your client can choose whether to verify the certificate chain. If your connection parameters specify sslmode=verify-ca or sslmode=verify-full, then your client requires the RDS CA certificates to be in their trust store or referenced in the connection URL. This requirement is to verify the certificate chain that signs your database certificate.

orestis16:04:08

MS PowerBI tries to verify the certificate chain strictly but I can’t upload the RDS CA in its trust chain so far.

valtteri18:04:31

Have you considered Lightsail? It can launch a server with preconfigured Postgres. It uses CloudFormation under the hood.

orestis06:04:34

Ah no - thank you, I will look into it. I was thinking of somehow making a Dockerfile that sets everything up and run it in an EC2 instance or perhaps an Elastic Beanstalk environment. We use the latter for everything else and it’s a known quantity.

marciol13:04:45

Seems that one of the Go core team members is enjoying the History of Clojure paper: https://twitter.com/_rsc/status/1386744954840567810?s=20

👍 11
👌 3
Dimitar Uzunov19:04:39

It is a great read

sova-soars-the-sora23:04:51

Now if only the angular guys would read it