Commit 60c210c

Merge branch 'fix/aws-terraform' into 'main'
fix: Security and reliability improvements for AWS Terraform module
See merge request postgres-ai/postgres_ai!59

2 parents 1cff296 + 7413ee4, commit 60c210c

8 files changed

+301
-269
lines changed

docker-compose.yml

Lines changed: 29 additions & 10 deletions
@@ -26,7 +26,14 @@ services:
2626
POSTGRES_DB:target_database
2727
POSTGRES_USER:postgres
2828
POSTGRES_PASSWORD:postgres
29-
command:["postgres", "-c", "shared_preload_libraries=pg_stat_statements", "-c", "pg_stat_statements.track=all"]
29+
command:
30+
[
31+
"postgres",
32+
"-c",
33+
"shared_preload_libraries=pg_stat_statements",
34+
"-c",
35+
"pg_stat_statements.track=all",
36+
]
3037
ports:
3138
-"55432:5432"
3239
volumes:
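Review bot: the only change in this hunk is splitting the `command:` list across lines, while the unchanged context directly above still ships `POSTGRES_USER: postgres` / `POSTGRES_PASSWORD: postgres` as hard-coded defaults, which sits oddly in a merge titled as a security fix. Apply the same pattern this file uses for Grafana further down and read the password from the environment, for example `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}`, or at least state in a comment that this target database is a local demo with a known password.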
@@ -57,18 +64,24 @@ services:
5764
-./config/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
5865
-prometheus_data:/prometheus
5966
command:
60-
-'--config.file=/etc/prometheus/prometheus.yml'
61-
-'--storage.tsdb.path=/prometheus'
62-
-'--web.console.libraries=/etc/prometheus/console_libraries'
63-
-'--web.console.templates=/etc/prometheus/consoles'
64-
-'--storage.tsdb.retention.time=200h'
65-
-'--web.enable-lifecycle'
67+
-"--config.file=/etc/prometheus/prometheus.yml"
68+
-"--storage.tsdb.path=/prometheus"
69+
-"--web.console.libraries=/etc/prometheus/console_libraries"
70+
-"--web.console.templates=/etc/prometheus/consoles"
71+
-"--storage.tsdb.retention.time=200h"
72+
-"--web.enable-lifecycle"
6673

6774
# PGWatch Instance 1 - Monitoring service (Postgres sink)
6875
pgwatch-postgres:
6976
image:cybertecpostgresql/pgwatch:3
7077
container_name:pgwatch-postgres
71-
command:["--sources=/etc/pgwatch/sources.yml", "--metrics=/etc/pgwatch/metrics.yml", "--sink=postgresql://pgwatch:pgwatchadmin@sink-postgres:5432/measurements", "--web-addr=:8080"]
78+
command:
79+
[
80+
"--sources=/etc/pgwatch/sources.yml",
81+
"--metrics=/etc/pgwatch/metrics.yml",
82+
"--sink=postgresql://pgwatch:pgwatchadmin@sink-postgres:5432/measurements",
83+
"--web-addr=:8080",
84+
]
7285
ports:
7386
-"58080:8080"
7487
depends_on:
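Review bot: the pgwatch-postgres `command:` reformat keeps the sink credentials inline (`--sink=postgresql://pgwatch:pgwatchadmin@sink-postgres:5432/measurements`), so that password remains committed in plain text; interpolate it from an environment variable the same way this commit does for `GF_SECURITY_ADMIN_PASSWORD`. The Prometheus change from single to double quotes is purely cosmetic and adds six changed lines to a security-labelled merge; splitting formatting from functional changes keeps review attention on the latter. Also worth a comment: `--web.enable-lifecycle` turns on Prometheus's HTTP reload and shutdown endpoints, so its port should stay bound to localhost or a trusted network.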
@@ -82,7 +95,13 @@ services:
8295
pgwatch-prometheus:
8396
image:cybertecpostgresql/pgwatch:3
8497
container_name:pgwatch-prometheus
85-
command:["--sources=/etc/pgwatch/sources.yml", "--metrics=/etc/pgwatch/metrics.yml", "--sink=prometheus://0.0.0.0:9091/pgwatch", "--web-addr=:8089"]
98+
command:
99+
[
100+
"--sources=/etc/pgwatch/sources.yml",
101+
"--metrics=/etc/pgwatch/metrics.yml",
102+
"--sink=prometheus://0.0.0.0:9091/pgwatch",
103+
"--web-addr=:8089",
104+
]
86105
ports:
87106
-"58089:8089"
88107
-"59091:9091"
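Review bot: nothing functional changes in this hunk, but the context lines publish `58089:8089` and `59091:9091` without a host address, which binds them on every interface of the host. Unless remote access to these ports is intended and firewalled, prefer the `127.0.0.1:59091:9091` form (and likewise for 58089 and the 58080/55432 mappings above) so the services are reachable only from the host itself.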
@@ -99,7 +118,7 @@ services:
99118
container_name:grafana-with-datasources
100119
environment:
101120
GF_SECURITY_ADMIN_USER:monitor
102-
GF_SECURITY_ADMIN_PASSWORD:${GRAFANA_PASSWORD:-demo}
121+
GF_SECURITY_ADMIN_PASSWORD:${GF_SECURITY_ADMIN_PASSWORD:-demo}
103122
GF_INSTALL_PLUGINS:yesoreyeram-infinity-datasource
104123
ports:
105124
-"3000:3000"
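Review bot: renaming the variable from `GRAFANA_PASSWORD` to `GF_SECURITY_ADMIN_PASSWORD` is a breaking change for anyone who exported the old name in their shell or `.env`; there is no fallback, so an existing deployment would silently revert to `demo` on the next `docker compose up`. Since the `:-demo` default is kept, consider failing fast instead (`${GF_SECURITY_ADMIN_PASSWORD:?GF_SECURITY_ADMIN_PASSWORD must be set}`), or at minimum call out the rename in QUICKSTART.md and the changelog.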

terraform/aws/QUICKSTART.md

Lines changed: 32 additions & 8 deletions
@@ -22,9 +22,17 @@ cp terraform.tfvars.example terraform.tfvars
2222
vim terraform.tfvars
2323
```
2424

25-
Set required parameters:
25+
Uncomment and set all required parameters:
2626
-`ssh_key_name` - your AWS SSH key name
27-
-`grafana_password` - custom password (optional, defaults to "demo")
27+
-`aws_region` - AWS region
28+
-`environment` - environment name
29+
-`instance_type` - EC2 instance type (e.g., t3.medium)
30+
-`data_volume_size` - data disk size in GiB
31+
-`data_volume_type` /`root_volume_type` - volume types (gp3, st1, sc1)
32+
-`allowed_ssh_cidr` /`allowed_cidr_blocks` - CIDR blocks for access
33+
-`use_elastic_ip` - allocate Elastic IP (true/false)
34+
-`grafana_password` - Grafana admin password
35+
-`postgres_ai_version` - git branch/tag (optional, defaults to "main")
2836

2937
##Add monitoring instances
3038

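Review bot: the new heading says "Uncomment and set all required parameters", but the list itself marks `postgres_ai_version` as optional, and `grafana_password` lost its earlier "(optional, defaults to "demo")" note without saying whether it is now mandatory; split the list into required and optional entries so the heading and the items agree. For `allowed_ssh_cidr` / `allowed_cidr_blocks`, add a short note that these should be restricted to the operator's own address ranges, since they gate SSH and service access to the instance.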
@@ -45,12 +53,14 @@ monitoring_instances = [
4553
##Deploy
4654

4755
```bash
48-
# Validate
49-
./validate.sh
50-
51-
# Deploy
56+
# Initialize and validate
5257
terraform init
58+
terraform validate
59+
60+
# Review changes
5361
terraform plan
62+
63+
# Deploy
5464
terraform apply
5565

5666
# Get access info
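Review bot: `./validate.sh` is dropped in favour of `terraform init` / `terraform validate`, but `terraform validate` only checks configuration syntax and internal consistency; if `validate.sh` also checked the values in `terraform.tfvars` (for example the CIDR settings listed above), that coverage is lost, and the script should either be removed from the repository in the same merge or still be referenced here.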
@@ -63,10 +73,10 @@ terraform output ssh_command
6373
```bash
6474
# Grafana dashboard
6575
open$(terraform output -raw grafana_url)
66-
# Login: monitor /demo (or your custom password)
76+
# Login: monitor /<password from terraform.tfvars>
6777

6878
# SSH
69-
ssh -i~/.ssh/postgres-ai-key.pem ubuntu@$(terraform output -rawpublic_ip)
79+
ssh -i~/.ssh/postgres-ai-key.pem ubuntu@$(terraform output -rawexternal_ip)
7080
```
7181

7282
##Operations
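Review bot: the output rename from `public_ip` to `external_ip` breaks any script or CI job that consumed `terraform output -raw public_ip`; call it out in the merge description or keep the old output as an alias for one release. The SSH example also hard-codes `~/.ssh/postgres-ai-key.pem` even though the key is user-supplied via `ssh_key_name`; since the hunk header shows a `terraform output ssh_command` output exists, pointing readers at that instead avoids a path that will be wrong for most users.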
@@ -95,3 +105,17 @@ ssh ubuntu@IP "sudo systemctl status postgres-ai"
95105
ssh ubuntu@IP"sudo docker ps"
96106
```
97107

108+
##Security notes
109+
110+
Credentials (passwords, connection strings) are stored in`terraform.tfstate` in plain text. For one-off/dev deployments this is acceptable if you clean up after`terraform destroy`:
111+
112+
```bash
113+
terraform destroy
114+
rm -rf .terraform/ terraform.tfstate*
115+
```
116+
117+
For production deployments, consider:
118+
- Using environment variables:`export TF_VAR_grafana_password=...`
119+
- Remote state with encryption (S3 + encryption)
120+
- Configuring monitoring instances manually after deployment
121+

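Review bot: the clean-up recipe removes the state files but not `terraform.tfvars`, which also holds `grafana_password` in plain text, so add it to the dev clean-up step (or a `chmod 600` / `.gitignore` note above it). The production advice is also inconsistent with the opening sentence: `export TF_VAR_grafana_password=...` only changes how the value enters Terraform; it still lands in `terraform.tfstate` unencrypted, and typed on the command line it lands in shell history as well. Say so explicitly, recommend `sensitive = true` on the variable (which redacts plan and apply output but not state), and extend the remote-state bullet with restricted IAM access to the S3 bucket, since encryption alone does not limit who can read the state.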