无法公开 AWS Aurora Postgres RDS

Question

我正在尝试启动一个 Aurora Postgres 集群，但我似乎无法通过 Internet 提供它。我正在使用 Terraform 对基础架构进行编码。

我创建了一个安全组以允许外部访问，并且它附加到集群使用的 VPC 子网。不过，我似乎无法从本地机器访问端点。

我不知道我错过了什么。

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = ">=3.11.0"

  name = "vpc-auroradb-${var.environment}"
  cidr = var.vpc_cidr_block

  azs              = var.availability_zones
  private_subnets  = var.vpc_private_subnets
  public_subnets   = var.vpc_public_subnets
  database_subnets = var.vpc_database_subnets

  enable_nat_gateway   = true
  enable_dns_hostnames = true
  enable_dns_support   = true
  create_igw           = true
  create_database_internet_gateway_route = true
  create_database_nat_gateway_route = true
  create_database_subnet_group = true
  create_database_subnet_route_table = true
}

module "aurora_cluster" {
  source  = "terraform-aws-modules/rds-aurora/aws"
  version = ">=6.1.3"

  name           = "bambi-${var.environment}"
  engine         = "aurora-postgresql"
  engine_version = "12.8"
  instance_class = "db.t4g.large"
  publicly_accessible = true
  instances = {
    1 = {
        identifier = "bambi-1"
    }
    2 = {
      identifier = "bambi-2"
    }
  }

  autoscaling_enabled      = true
  autoscaling_min_capacity = 2
  autoscaling_max_capacity = 3

  vpc_id                 = module.vpc.vpc_id
  db_subnet_group_name   = module.vpc.database_subnet_group_name
  create_db_subnet_group = false
  create_security_group = false

  iam_database_authentication_enabled = true

  storage_encrypted   = true
  apply_immediately   = true
  monitoring_interval = 30

  db_parameter_group_name         = aws_db_parameter_group.parameter_group.id
  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.parameter_group.id

  vpc_security_group_ids = [aws_security_group.sg_public.id]

  enabled_cloudwatch_logs_exports = ["postgresql"]
}

resource "aws_security_group" "sg_public" {
  vpc_id = module.vpc.vpc_id

  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # Allowing traffic in from all sources
  }

  egress {
    from_port   = 0             # Allowing any incoming port
    to_port     = 0             # Allowing any outgoing port
    protocol    = "-1"          # Allowing any outgoing protocol 
    cidr_blocks = ["0.0.0.0/0"] # Allowing traffic out to all IP addresses
  }
}

Answer 1

从使用的 VPC 模块的documentation 中，为了对数据库具有公共访问权限，您需要以下内容：

create_database_subnet_group           = true
create_database_subnet_route_table     = true
create_database_internet_gateway_route = true

enable_dns_hostnames = true
enable_dns_support   = true

create_database_nat_gateway_route 不应该是真的。如果我们看一下github上的模块代码：

resource "aws_route" "database_internet_gateway" {
  count = var.create_vpc && var.create_igw && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && false == var.create_database_nat_gateway_route ? 1 : 0

  route_table_id         = aws_route_table.database[0].id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.this[0].id

  timeouts {
    create = "5m"
  }
}

我们可以看到互联网网关路由的count 将是0。这意味着不会为数据库子网创建允许公共 Internet 访问的路由。

另一方面，将create_database_internet_gateway_route 设置为true 也会阻止通过 NAT 网关的访问，因为路由表不会有正确的路由。

resource "aws_route" "database_nat_gateway" {
  count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && false == var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? var.single_nat_gateway ? 1 : length(var.database_subnets) : 0

  route_table_id         = element(aws_route_table.database.*.id, count.index)
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = element(aws_nat_gateway.this.*.id, count.index)

  timeouts {
    create = "5m"
  }
}

基本上你通过将两个变量都设置为 true 来阻止所有流量。