Prerequisites
AWS RDS Instance: Your RDS instance can stay in a private subnet with "Publicly accessible" off. Its security group must allow inbound traffic on the database port (5432 for PostgreSQL) from the bastion's security group; it is the bastion, not your workstation or the GitHub runner, that opens the TCP connection to the database.
SSM Agent: Ensure that the EC2 instance acting as the bastion host has the SSM agent installed and running (the Amazon Linux and Ubuntu Server AMIs ship with it), and that the instance can reach the SSM endpoints, either through a NAT gateway or through VPC endpoints for ssm, ssmmessages and ec2messages.
IAM Roles: Two identities are involved. The bastion's instance profile needs AmazonSSMManagedInstanceCore so the agent can register with Systems Manager. The identity GitHub Actions runs as (ideally a role assumed through OIDC rather than long-lived access keys) needs ec2:DescribeInstances plus ssm:StartSession on the bastion instance and on the AWS-StartPortForwardingSessionToRemoteHost document. Neither identity needs IAM permissions on RDS itself: the tunnel carries ordinary database traffic, and authentication happens with the database credentials.
VPC Security Group: The bastion must be able to route to the RDS endpoint (same VPC, or a peered VPC with route tables and network ACLs permitting), and its security group must be the one referenced by the RDS ingress rule above.
Steps
- Prepare your environment with Terraform
Make sure the bastion EC2 instance has an IAM role attached (through an instance profile) that lets the SSM agent register with Systems Manager:
```hcl
resource "aws_iam_role" "role_acesso_ssm" {
  name = "role-acesso-ssm"
  # Only EC2 instances may assume this role.
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "ec2.amazonaws.com" } }]
  })
  # Session Manager port forwarding only needs AmazonSSMManagedInstanceCore; the
  # two full-access policies below are unrelated to the tunnel and should go.
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
  ]
}
```
AmazonSSMManagedInstanceCore is what lets the instance register with Systems Manager and accept Session Manager sessions, including port forwarding. Attach the role to the instance through an aws_iam_instance_profile; a role on its own is not visible to the SSM agent. The ECR and S3 full-access policies in the snippet grant far more than this workflow needs and should be removed unless the bastion genuinely uses them.
- Enable port forwarding with SSM on GitHub Actions
Once the bastion has the role attached and the SSM agent is registered, you can open a port-forwarding tunnel with AWS Systems Manager. Port forwarding lets the runner reach a private RDS instance through the bastion without making the database publicly accessible and without allowing the runner's IP addresses in any security group; only the bastion's security group needs to be allowed on the RDS side.
Start an SSM session that forwards a local port (5432 for PostgreSQL) through the bastion to the RDS endpoint. The machine running these commands needs the AWS CLI and the Session Manager plugin; the plugin is not preinstalled on GitHub-hosted runners:
```bash
# Resolve the bastion by Name tag, limited to running instances so a stopped or terminated one is never picked
INSTANCE_ID=$(aws ec2 describe-instances \
  --filters "Name=tag:Name,Values=my-bastion-host" "Name=instance-state-name,Values=running" \
  --query "Reservations[0].Instances[0].InstanceId" --output text)
# Forward local port 5432 through the bastion to the RDS endpoint (blocks until the session ends)
aws ssm start-session --target "$INSTANCE_ID" \
  --document-name AWS-StartPortForwardingSessionToRemoteHost \
  --parameters '{"host":["my-rds-instance.rds.amazonaws.com"],"portNumber":["5432"],"localPortNumber":["5432"]}'
```
This opens an encrypted tunnel from the machine running the command (your workstation, or the GitHub Actions runner) through the bastion to the RDS endpoint: traffic sent to localhost:5432 is relayed by the SSM agent on the bastion to the database's port 5432. The command stays in the foreground for as long as the session is open, so in a CI job it has to be backgrounded and the database work done in the same step before the session is terminated.
- Setting up environment variables
Prisma reads its connection string from the DATABASE_URL environment variable. Store it as a GitHub Actions secret (or fetch the credentials from AWS Secrets Manager at job time) and export it in the step that runs Prisma; never commit it to the repository. The host is localhost and the port is the local port of the tunnel, not the RDS endpoint:
```
postgresql://username:password@localhost:5432/my_database
```
- Perform Prisma operations
With the tunnel open, Prisma commands that talk to the database (prisma migrate deploy, prisma db push, prisma db seed) run against DATABASE_URL on the runner. Two things are easy to get wrong here. First, prisma generate only reads schema.prisma and builds the client; it never connects to the database, so it does not need the tunnel and can stay in the Dockerfile. Second, a docker build step does not share the runner's loopback interface, so localhost:5432 is not reachable from a RUN instruction; commands that connect must run directly on the runner, in the same job step that started the session.
```dockerfile
# Generate Prisma Client (schema only; no database connection is made)
RUN pnpm prisma generate
```
Important notes:
- Security: Keep both IAM identities to least privilege. The bastion's role needs only AmazonSSMManagedInstanceCore; the CI identity needs ssm:StartSession scoped to the bastion instance and the port-forwarding document, and should be assumed through OIDC rather than stored access keys. Every session is recorded in CloudTrail, which is an advantage over SSH keys on a public bastion.
- Port forwarding: If the RDS instance is private, port forwarding via SSM gives you an authenticated, encrypted tunnel to it without opening the database to the internet and without managing SSH keys or inbound security group rules for the bastion.