"Switch on-off" automation proposal #14

Open
1 of 3 tasks
NivenPrasad opened this issue Jan 13, 2021 · 8 comments
Labels
documentation Improvements or additions to documentation ideation

Comments

@NivenPrasad
Contributor

NivenPrasad commented Jan 13, 2021

Overview

What kind of repetitive thing do you have to do often and what is the benefit of automating it?
Some HFLA projects use a bastion host for securing access to private resources (like databases or servers that do not face the public internet).

Running this bastion server all the time costs money, even though it's not always being used. This automation would set a timed or trigger-able action to launch and/or destroy one of these bastion servers when needed.

Ownership of Idea

  • I will be working on this automation myself
  • This is my idea and I need help developing it
  • Free for anyone to work on this idea (@jafow @mattyweb can offer guidance!)

Current State

"As-is" most likely something manual but could be partially automated

Future Development

  • create a github action that

Action Items/Research

Stakeholders

Impact - who benefits and how?
hfla projects using bastion hosts (ballotnav, 311, others?) will save $$ each month on hosting bill

Anticipated outcomes

Resources/Instructions

Language

Platform

Automation triggers (What starts it? What's it responding to?)

  • Time-based (Specify frequency (e.g. 1x/week)
  • Event-based (e.g. someone just created a new GitHub on a repo)
    maybe both?
    perhaps an action could run at 11:59PM PST every night and turn the bastion off.
    then a person could launch it when they needed to

Input required (How much manual or custom input is required?)

A person should be able to launch a bastion server by some GitHub action -- an issue? a PR? a label? I dunno!

Output

(What's the desired result? What do we not want to see?)

Project size

@NivenPrasad NivenPrasad added documentation Improvements or additions to documentation ideation labels Jan 13, 2021
@jafow jafow removed their assignment Jan 13, 2021
@jafow
Contributor

jafow commented Jan 13, 2021

This is open for grabs; I can help guide on it. It might be really fun!

@akibrhast
Contributor

Would like to grab this!

@mattyweb

mattyweb commented Mar 5, 2021

Adding some background here:

The bastion works great. We use it for secure access to the DB. The client I use (Postico) can be configured to SSH tunnel so it's a seamless process to connect. Occasionally I set up a tunnel from a terminal.

I connect for 2 reasons really.

  1. I'm developing/tuning a new query and want to see how it's going to perform in production on what's now approaching 7 million records.
  2. I just did a release that includes a schema change and I want to run an alembic migration. Sometimes I need to undo and redo the migration.

The challenge is that the bastion as currently configured is in an auto-scaling group so it's designed to make it impossible to turn off. I can manually reconfigure the auto-scaling group but Terraform will change it back on the next push.

The solution is deceptively simple. All that's needed to fix it is to set the min number of instances to 0 instead of 1 in the auto-scaling group. However, since it's a project referenced by a project referenced by a project and there are no variables to control this, that's easier said than done...

@akibrhast
Contributor

More Context Regarding this as mentioned by - @jafow

  • Bastion costs are between $1-5 a month.
  • The bastion runs always because we do not know when someone may want to open a DB connection. The goal of this automation is to enable what you describe: on-demand connections to the DB via the bastion.
  • It doesn't have to be a GitHub action, but the idea is that someone who needs access can launch this bastion without needing AWS knowledge or keys etc.
  • There are surely other ways to solve this. Each will have tradeoffs. If you're into research, that may be a good place to begin.
  • We can allow an automation (e.g. GitHub Actions) to create a bastion without allowing the automation to access the resources the bastion protects.
  • A more general problem statement might be: how can I enable secure access to resources in a private VPC (virtual private cloud) from the outside world with the lowest cost and lowest barrier to entry (i.e. one click and done!)

@akibrhast
Contributor

A little bit of googling based on what you last mentioned, @jafow. I came upon this

The conclusion of that article is basically they have a button that allows one to scale down to 0 or suspend an ASG

So what you are looking for is

  1. A GitHub trigger of type workflow-dispatch (a manual trigger)
  2. With input 0 or 1
  3. Use ubuntu latest
  4. Download the AWS CLI
  5. Retrieve the relevant AWS keys from GitHub secrets
  6. Using the AWS CLI and keys from GitHub secrets
  7. 0 sets the scale of the ASGs to 0, turning it off
  8. 1 sets the ASG to its original initial configuration
  9. done
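
The steps listed above, sketched as the script such a workflow step could run (an added example, not taken from the issue or the linked workflow file). `STATE`, `ASG_NAME`, `DRY_RUN` and the group name `bastion-asg` are assumed names, and "original configuration" is assumed to mean a minimum and desired capacity of 1.

```shell
#!/bin/sh
# Added example: body of the workflow step that switches the bastion ASG on or off.
# STATE, ASG_NAME and DRY_RUN are assumed variable names. In the workflow, hand the
# dispatch input to the step through `env:` so it arrives as data, not script text.

# Print the aws CLI arguments for the requested state; return 2 on invalid input.
bastion_scale_args() {
  state="$1"
  asg="$2"
  # A dispatch input is a free-form string: accept exactly "0" or "1".
  case "$state" in
    0|1) ;;
    *) echo "state must be 0 or 1" >&2; return 2 ;;
  esac
  # Reject empty names, option-like names, and anything outside a plain charset.
  case "$asg" in
    ''|-*|*[!A-Za-z0-9_.-]*) echo "invalid ASG name" >&2; return 2 ;;
  esac
  # 0 = min 0 / desired 0 (off). 1 = min 1 / desired 1, assumed to be the
  # original configuration described in the thread.
  echo "autoscaling update-auto-scaling-group --auto-scaling-group-name $asg" \
    "--min-size $state --desired-capacity $state"
}

# Validate, then print the command (DRY_RUN=1, the default) or run it.
set_bastion_state() {
  args=$(bastion_scale_args "$1" "$2") || return $?
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "aws $args"
  else
    # Unquoted on purpose: validation guarantees no whitespace or glob characters.
    # Credentials and region come from the standard AWS_* environment variables;
    # the key only needs autoscaling:UpdateAutoScalingGroup.
    aws $args
  fi
}

# Runs only when the step supplies STATE, e.g. STATE=0 ASG_NAME=bastion-asg.
if [ -n "${STATE:-}" ]; then
  set_bastion_state "$STATE" "${ASG_NAME:-}"
fi
```

As noted earlier in the thread, Terraform still manages this group and will restore its own values on the next push.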

@akibrhast
Contributor

akibrhast commented Mar 12, 2021

After talking to @darpham, it seems like this is about the extent of the workflow file that is going to be needed to control the ASG of the server

https://github.com/akibrhast/github-actions-test/blob/master/.github/workflows/bastion_state_manager.yml


@akibrhast akibrhast removed their assignment Apr 11, 2021
@akibrhast
Contributor

Unassigning myself from this for the moment since I have not heard a response back on this in the last month and not sure where to go from here.

Projects
Status: Unclaimed/Half-baked Ideas Prioritized Backlog