NotificationsYou must be signed in to change notification settings
Fork4
Star75

Commita807e68

committed

Enhances security and clarifies access options

Improves security by emphasizing SSH tunnel access as the default and most secure option.Clarifies configuration for Grafana and internal service port binding.Provides detailed instructions for accessing Grafana via SSH tunnel or direct access.

1 parentb17accf commita807e68Copy full SHA for a807e68

File tree

4 files changed

+108

-28

lines changed

terraform/aws

4 files changed

+108

-28

lines changed

`‎terraform/aws/QUICKSTART.md‎`

Lines changed: 26 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -29,10 +29,15 @@ Uncomment and set all required parameters:`
`29`	`29`	-`instance_type` - EC2 instance type (e.g., t3.medium)
`30`	`30`	-`data_volume_size` - data disk size in GiB
`31`	`31`	-`data_volume_type` /`root_volume_type` - volume types (gp3, st1, sc1)
`32`		--`allowed_ssh_cidr` /`allowed_cidr_blocks` - CIDR blocks for access
	`32`	+-`allowed_ssh_cidr` - CIDR blocks for SSH access (use`["YOUR_IP/32"]`, get IP:`curl ifconfig.me`)
	`33`	+-`allowed_cidr_blocks` - CIDR blocks for Grafana (use`[]` for SSH tunnel only - most secure)
`33`	`34`	-`use_elastic_ip` - allocate Elastic IP (true/false)
`34`	`35`	-`grafana_password` - Grafana admin password
`35`		--`postgres_ai_version` - git branch/tag (optional, defaults to "main")
	`36`	+-`bind_host` - port binding for internal services (use`"127.0.0.1:"`)
	`37`	`+`
	`38`	`+Optional parameters:`
	`39`	+-`grafana_bind_host` - Grafana port binding (defaults to`"127.0.0.1:"` for SSH tunnel)
	`40`	+-`postgres_ai_version` - git branch/tag (defaults to "0.9")
`36`	`41`
`37`	`42`	`##Add monitoring instances`
`38`	`43`
`@@ -70,12 +75,30 @@ terraform output ssh_command`
`70`	`75`
`71`	`76`	`##Access`
`72`	`77`
	`78`	`+###Grafana`
	`79`	`+`
	`80`	+If`allowed_cidr_blocks = []` (SSH tunnel, most secure):
	`81`	`+`
	`82`	+```bash
	`83`	`+# Create SSH tunnel`
	`84`	`+ssh -i~/.ssh/postgres-ai-key.pem -L 3000:localhost:3000 ubuntu@$(terraform output -raw external_ip)`
	`85`	`+`
	`86`	`+# Open browser`
	`87`	`+open http://localhost:3000`
	`88`	`+# Login: monitor / <password from terraform.tfvars>`
	`89`	+```
	`90`	`+`
	`91`	+If`allowed_cidr_blocks = ["YOUR_IP/32"]` (direct access):
	`92`	`+`
`73`	`93`	```bash
`74`	`94`	`# Grafana dashboard`
`75`	`95`	`open$(terraform output -raw grafana_url)`
`76`	`96`	`# Login: monitor / <password from terraform.tfvars>`
	`97`	+```
	`98`	`+`
	`99`	`+###SSH`
`77`	`100`
`78`		`-# SSH`
	`101`	+```bash
`79`	`102`	`ssh -i~/.ssh/postgres-ai-key.pem ubuntu@$(terraform output -raw external_ip)`
`80`	`103`	```
`81`	`104`

`‎terraform/aws/README.md‎`

Lines changed: 66 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -49,19 +49,22 @@ instance_type = "t3.medium"`
`49`	`49`	`data_volume_size = 50`
`50`	`50`	`data_volume_type = "gp3" # gp3 (SSD), st1 (HDD), sc1 (HDD)`
`51`	`51`	`root_volume_type = "gp3"`
`52`		`-allowed_ssh_cidr = ["203.0.113.0/24"]`
`53`		`-allowed_cidr_blocks = ["203.0.113.0/24"]`
	`52`	`+allowed_ssh_cidr = ["YOUR_IP/32"] # Replace with your actual IP address`
	`53`	`+allowed_cidr_blocks = [] # Empty for SSH tunnel only (most secure)`
`54`	`54`	`use_elastic_ip = true`
`55`	`55`	`grafana_password = "YourSecurePassword123!"`
	`56`	`+bind_host = "127.0.0.1:" # Bind internal services to localhost`
`56`	`57`	```
`57`	`58`
`58`	`59`	`###Optional parameters`
`59`	`60`
`60`	`61`	```hcl
`61`	`62`	`# OPTIONAL (have defaults)`
`62`		`-postgres_ai_api_key = "your-api-key" # For uploading reports`
`63`		`-enable_demo_db = false # Demo database (default: true)`
`64`		`-postgres_ai_version = "main" # Git branch/tag (default: "main")`
	`63`	`+postgres_ai_api_key = "your-api-key" # For uploading reports`
	`64`	`+enable_demo_db = false # Demo database (default: false)`
	`65`	`+postgres_ai_version = "0.9" # Git branch/tag (default: "0.9")`
	`66`	`+grafana_bind_host = "127.0.0.1:" # Grafana on localhost only (default, use SSH tunnel)`
	`67`	`+# grafana_bind_host = "" # OR: Grafana accessible from outside`
`65`	`68`
`66`	`69`	`monitoring_instances = [`
`67`	`70`	`{`
`@@ -85,15 +88,17 @@ instance_type = "t3.medium"`
`85`	`88`	`data_volume_size = 100`
`86`	`89`	`data_volume_type = "gp3"`
`87`	`90`	`root_volume_type = "gp3"`
`88`		`-allowed_ssh_cidr = ["203.0.113.0/24"]`
`89`		`-allowed_cidr_blocks = ["203.0.113.0/24"]`
	`91`	`+allowed_ssh_cidr = ["YOUR_IP/32"] # Replace with your actual IP`
	`92`	`+allowed_cidr_blocks = [] # SSH tunnel only (most secure)`
`90`	`93`	`use_elastic_ip = true`
`91`	`94`	`grafana_password = "SecurePassword123!"`
	`95`	`+bind_host = "127.0.0.1:"`
`92`	`96`
`93`	`97`	`# OPTIONAL`
`94`	`98`	`postgres_ai_api_key = "your-api-key"`
`95`	`99`	`enable_demo_db = false`
`96`		`-postgres_ai_version = "v0.9"`
	`100`	`+postgres_ai_version = "0.9"`
	`101`	`+grafana_bind_host = "127.0.0.1:" # Default, SSH tunnel only`
`97`	`102`
`98`	`103`	`monitoring_instances = [`
`99`	`104`	`{`
`@@ -116,6 +121,30 @@ terraform output ssh_command`
`116`	`121`	`ssh -i~/.ssh/postgres-ai-key.pem ubuntu@$(terraform output -raw external_ip)`
`117`	`122`	```
`118`	`123`
	`124`	`+###Grafana access`
	`125`	`+`
	`126`	`+Option 1: SSH tunnel (default, most secure)`
	`127`	`+`
	`128`	+When`allowed_cidr_blocks = []`:
	`129`	`+`
	`130`	+```bash
	`131`	`+# Create SSH tunnel`
	`132`	`+ssh -i~/.ssh/postgres-ai-key.pem -L 3000:localhost:3000 ubuntu@$(terraform output -raw external_ip)`
	`133`	`+`
	`134`	`+# Open browser`
	`135`	`+open http://localhost:3000`
	`136`	`+# Login: monitor / <your grafana_password>`
	`137`	+```
	`138`	`+`
	`139`	`+Option 2: Direct access`
	`140`	`+`
	`141`	+When`allowed_cidr_blocks = ["YOUR_IP/32"]`:
	`142`	`+`
	`143`	+```bash
	`144`	`+# Open browser`
	`145`	`+open$(terraform output -raw grafana_url)`
	`146`	+```
	`147`	`+`
`119`	`148`	`###Service management`
`120`	`149`
`121`	`150`	```bash
`@@ -176,14 +205,25 @@ sudo docker-compose up -d`
`176`	`205`
`177`	`206`	`###Recommendations`
`178`	`207`
`179`		`-1.RestrictSSHaccess:`
	`208`	`+1.Most secure setup (SSHtunnel only):`
`180`	`209`	```hcl
`181`		`-allowed_ssh_cidr = ["your.ip.address/32"]`
	`210`	`+allowed_ssh_cidr = ["your.ip.address/32"]`
	`211`	`+allowed_cidr_blocks = [] # No direct Grafana access`
	`212`	`+bind_host = "127.0.0.1:"`
	`213`	`+grafana_bind_host = "127.0.0.1:"`
	`214`	+```
	`215`	`+`
	`216`	`+Access Grafana via SSH tunnel:`
	`217`	+```bash
	`218`	`+ssh -i~/.ssh/key.pem -L 3000:localhost:3000 ubuntu@instance-ip`
`182`	`219`	```
`183`	`220`
`184`		`-2.RestrictGrafana access:`
	`221`	`+2.Production with directGrafana access:`
`185`	`222`	```hcl
`186`		`-allowed_cidr_blocks = ["your.office.ip/24"]`
	`223`	`+allowed_ssh_cidr = ["YOUR_OFFICE_IP/24"] # Replace with your office network`
	`224`	`+allowed_cidr_blocks = ["YOUR_OFFICE_IP/24"] # Replace with your office network`
	`225`	`+bind_host = "127.0.0.1:" # Internal services protected`
	`226`	`+grafana_bind_host = "" # Grafana accessible`
`187`	`227`	```
`188`	`228`
`189`	`229`	`3. Use AWS Systems Manager instead of SSH:`
`@@ -193,6 +233,13 @@ aws ssm start-session --target $(terraform output -raw instance_id)`
`193`	`233`
`194`	`234`	`4. Automate backups with AWS Backup or cron.`
`195`	`235`
	`236`	`+###Port binding configuration`
	`237`	`+`
	`238`	+-`bind_host = "127.0.0.1:"` - Internal services only on localhost (recommended)
	`239`	+-`bind_host = ""` - Internal services on all interfaces
	`240`	+-`grafana_bind_host = "127.0.0.1:"` - Grafana only via SSH tunnel (default)
	`241`	+-`grafana_bind_host = ""` - Grafana accessible from network
	`242`	`+`
`196`	`243`	`##Monitoring`
`197`	`244`
`198`	`245`	`###CloudWatch metrics`
`@@ -231,6 +278,13 @@ ssh ubuntu@your-ip "sudo docker ps -a"`
`231`	`278`	`###No access to Grafana`
`232`	`279`
`233`	`280`	```bash
	`281`	`+# Check if allowed_cidr_blocks is empty (SSH tunnel required)`
	`282`	`+grep allowed_cidr_blocks terraform.tfvars`
	`283`	`+`
	`284`	`+# If empty, use SSH tunnel`
	`285`	`+ssh -i~/.ssh/key.pem -L 3000:localhost:3000 ubuntu@your-ip`
	`286`	`+# Then open http://localhost:3000`
	`287`	`+`
`234`	`288`	`# Check Security Group`
`235`	`289`	`aws ec2 describe-security-groups \`
`236`	`290`	`--group-ids$(terraform output -raw security_group_id)`

`‎terraform/aws/terraform.tfvars.example‎`

Lines changed: 15 additions & 13 deletions

Original file line number	Diff line number	Diff line change
`@@ -26,35 +26,37 @@`
`26`	`26`	`# Grafana admin password`
`27`	`27`	`# grafana_password = "YourSecurePassword123!"`
`28`	`28`
`29`		`-# CIDR blocks for SSH access (restrict to your IP in production)`
	`29`	`+# CIDR blocks for SSH access`
	`30`	`+# Get your IP: curl ifconfig.me`
`30`	`31`	`# allowed_ssh_cidr = [`
`31`		`-# "0.0.0.0/0" # WARNING: Allows access from anywhere`
`32`		`-# # "203.0.113.0/24"#Replace withyour office/VPN IP`
	`32`	`+# "0.0.0.0/0"# WARNING: Allows access from anywhere - NOT RECOMMENDED`
	`33`	`+# # "1.2.3.4/32" # RECOMMENDED:Replace withYOUR actual IP address`
`33`	`34`	`# ]`
`34`	`35`
`35`		`-# CIDR blocks for Grafana access (restrict to your IP in production)`
	`36`	`+# CIDR blocks for Grafana access`
`36`	`37`	`# allowed_cidr_blocks = [`
`37`		`-# "0.0.0.0/0" # WARNING: Allows access from anywhere`
`38`		`-# # "203.0.113.0/24" # Replace withyour office/VPN IP`
	`38`	`+# "0.0.0.0/0"# WARNING: Allows access from anywhere - NOT RECOMMENDED`
	`39`	`+# # "1.2.3.4/32"# Replace withYOUR actual IP (or leave empty [] for SSH tunnel)`
`39`	`40`	`# ]`
`40`	`41`
`41`	`42`	`# Allocate Elastic IP for stable address`
`42`	`43`	`# use_elastic_ip = true`
`43`	`44`
	`45`	`+# Port binding configuration`
	`46`	`+# bind_host = "127.0.0.1:" # Bind internal services to localhost only (most secure, recommended)`
	`47`	`+# bind_host = "" # OR: Bind to all interfaces (needed if accessing services remotely)`
	`48`	`+`
	`49`	`+# grafana_bind_host = "127.0.0.1:" # Grafana only via SSH tunnel (default, most secure)`
	`50`	`+# grafana_bind_host = "" # OR: Grafana accessible from outside (controlled by Security Group)`
	`51`	`+`
	`52`	`+`
`44`	`53`
`45`	`54`	`# OPTIONAL PARAMETERS`
`46`	`55`	`# -------------------------`
`47`	`56`
`48`	`57`	`# postgres_ai version (optional, defaults to actual)`
`49`	`58`	`# postgres_ai_version = "0.9" # branch or specific tag like "0.9"`
`50`	`59`
`51`		`-# Port binding configuration (required)`
`52`		`-# bind_host = "127.0.0.1:" # Bind internal services to localhost only (most secure)`
`53`		`-# bind_host = "" # Bind to all interfaces (needed if accessing services remotely)`
`54`		`-`
`55`		`-# grafana_bind_host = "" # Grafana accessible from outside (controlled by Security Group)`
`56`		`-# grafana_bind_host = "127.0.0.1:" # Grafana only via SSH tunnel`
`57`		`-`
`58`	`60`	`# PostgreSQL instances to monitor (optional, can be empty for initial setup)`
`59`	`61`	`# monitoring_instances = [`
`60`	`62`	`# {`

`‎terraform/aws/variables.tf‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -93,5 +93,6 @@ variable "bind_host" {`
`93`	`93`	`variable"grafana_bind_host" {`
`94`	`94`	`description="Bind host for Grafana port (127.0.0.1: for localhost only, empty for all interfaces)"`
`95`	`95`	`type=string`
	`96`	`+default="127.0.0.1:"`
`96`	`97`	`}`
`97`	`98`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commita807e68

File tree

4 files changed

4 files changed

`‎terraform/aws/QUICKSTART.md‎`

`‎terraform/aws/README.md‎`

`‎terraform/aws/terraform.tfvars.example‎`

`‎terraform/aws/variables.tf‎`

0 commit comments