9/12/24, 5:20 AM SSH Tunnel Setup Codefresh

SSH Tunnel Setup Codefresh

chatgpt.com/c/66e1e134-d450-8012-a40b-f017e5471a11

Write code to setup tunnel between code fresh pipeline runner step to
connect to rds in aws via bastion host

To set up a tunnel from a Codefresh pipeline runner to an AWS RDS instance via a
bastion host, you can use SSH tunneling. This can be achieved by using the ssh
command to forward traffic through the bastion host to the RDS instance. The following
steps illustrate how to implement this in a Codefresh pipeline.

Assumptions:

You have access to an EC2 instance (bastion host) that can access your RDS
instance.
Your RDS instance is in a private subnet.
You have the SSH key for the bastion host.
The Codefresh pipeline has the SSH key available as a secret.

Steps to configure:
1. Set up SSH key in Codefresh:

Store the SSH private key for the bastion host in Codefresh as a secret (e.g.,
SSH_PRIVATE_KEY).
Add the necessary AWS credentials to the pipeline, either through
environment variables or Codefresh secrets.
2. Create the pipeline step to set up SSH tunneling:

Here's an example of how to configure the tunnel in a Codefresh YAML pipeline:

https://chatgpt.com/c/66e1e134-d450-8012-a40b-f017e5471a11 1/14
9/12/24, 5:20 AM SSH Tunnel Setup Codefresh

yaml

version: "1.0"
steps:
tunnel_to_rds:
title: "Setup SSH Tunnel to RDS"
type: "freestyle"
image: "alpine:latest"
environment:
- BASTION_HOST=ec2-bastion-host.amazonaws.com
- BASTION_USER=ec2-user
- RDS_ENDPOINT=my-rds-instance.aws-region.rds.amazonaws.com
- RDS_PORT=5432 # Change to your RDS port (e.g., MySQL: 3306,
PostgreSQL: 5432)
secrets:
- SSH_PRIVATE_KEY
script:
- apk add --no-cache openssh-client
- echo "$SSH_PRIVATE_KEY" > /root/.ssh/id_rsa
- chmod 600 /root/.ssh/id_rsa
- ssh-keyscan -H "$BASTION_HOST" >> /root/.ssh/known_hosts
- ssh -N -L 5432:$RDS_ENDPOINT:$RDS_PORT $BASTION_USER@$BASTION_HOST
&

# Example step that uses the tunnel

run_query_on_rds:
title: "Run Query on RDS"
type: "freestyle"
image: "postgres:latest" # Or mysql:latest for MySQL
environment:
- PGHOST=localhost
- PGPORT=5432
- PGUSER=mydbuser
- PGPASSWORD=mydbpassword
- PGDATABASE=mydbname
script:
- apk add --no-cache postgresql-client # For PostgreSQL
- psql -c "SELECT 1"

https://chatgpt.com/c/66e1e134-d450-8012-a40b-f017e5471a11 2/14
9/12/24, 5:20 AM SSH Tunnel Setup Codefresh

Explanation:

1. Tunnel to RDS:

In the tunnel_to_rds step, we use the ssh command to create an SSH

tunnel. The command forwards the local port (5432 in this case) to the RDS
endpoint via the bastion host. The & at the end of the command runs the
tunnel in the background, allowing the subsequent step to execute.
The ssh-keyscan command adds the bastion host to the known hosts to
prevent SSH from asking for confirmation during the connection.
2. Run Query on RDS:

In this step, we connect to the local port (5432) where the tunnel is
forwarding traffic to the RDS instance. You can replace the database
commands depending on your database type (e.g., psql for PostgreSQL or
mysql for MySQL).
The environment variables for connecting to the database (PGHOST, PGPORT,
etc.) are configured to point to the local machine (localhost), using the
forwarded port from the previous step.

Notes:

Replace the placeholders such as ec2-bastion-host.amazonaws.com, my-rds-

instance, and mydbuser with your actual values.
Make sure the SSH private key has the appropriate permissions for connecting to
the bastion host.
Ensure that your EC2 instance (bastion host) has the necessary network access
(e.g., security groups, VPC) to reach the RDS instance.

This setup should allow your Codefresh pipeline to connect to the AWS RDS instance
via the bastion host using an SSH tunnel.

How create same above with aws systems manager

To create the same tunneling setup between a Codefresh pipeline runner and an AWS
RDS instance using AWS Systems Manager (SSM), you can use AWS SSM’s Session
Manager to establish a secure tunnel without needing direct SSH access. This has
several advantages over using a bastion host directly, such as removing the need to
manage SSH keys.

Here’s how you can set this up:

https://chatgpt.com/c/66e1e134-d450-8012-a40b-f017e5471a11 3/14
9/12/24, 5:20 AM SSH Tunnel Setup Codefresh

Assumptions:

You have an EC2 instance acting as a bastion host or a jump host with an SSM
agent installed.
The EC2 instance is configured with an IAM role that has the necessary
permissions for AWS Systems Manager (SSM).
The RDS instance is in a private subnet and accessible from the EC2 instance.
You have the AWS CLI installed in the Codefresh pipeline to interact with AWS
SSM.
AWS credentials are available in the pipeline (through environment variables or
Codefresh secrets).

Steps to configure:

1. IAM Role for EC2:

Ensure the EC2 instance has an IAM role that includes the following
permissions to interact with SSM:

json

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:StartSession",
"ssm:TerminateSession",
"ssm:DescribeSessions",
"ssm:SendCommand",
"ssm:GetCommandInvocation"
],
"Resource": "*"
}
]
}

https://chatgpt.com/c/66e1e134-d450-8012-a40b-f017e5471a11 4/14
9/12/24, 5:20 AM SSH Tunnel Setup Codefresh

2. Configure the EC2 instance for SSM:

Ensure the EC2 instance has the SSM agent installed. Most modern Amazon
Linux 2, Ubuntu, and Windows AMIs already have the SSM agent pre-
installed. If not, you can install it manually:

bash

sudo yum install -y amazon-ssm-agent

sudo systemctl start amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent

3. Create the Codefresh pipeline step:

Use the AWS CLI to start a port forwarding session via AWS SSM in your
pipeline.

Here’s how you can configure the pipeline YAML for this setup:

https://chatgpt.com/c/66e1e134-d450-8012-a40b-f017e5471a11 5/14
9/12/24, 5:20 AM SSH Tunnel Setup Codefresh

yaml

version: "1.0"
steps:
setup_ssm_tunnel:
title: "Setup SSM Tunnel to RDS"
type: "freestyle"
image: "amazonlinux:latest"
environment:
- RDS_ENDPOINT=my-rds-instance.aws-region.rds.amazonaws.com
- RDS_PORT=5432 # Change this to your RDS port (e.g., MySQL: 3306,
PostgreSQL: 5432)
- LOCAL_PORT=5432 # Port for the local tunnel
- INSTANCE_ID=i-xxxxxxxxxxxxxxx # The ID of your EC2 instance
acting as the bastion
secrets:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_DEFAULT_REGION
script:
# Install required tools
- yum install -y amazon-ssm-agent
- yum install -y aws-cli

# Start SSM session and create port forwarding

- nohup aws ssm start-session \
--target "$INSTANCE_ID" \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters '{"host":["'$RDS_ENDPOINT'"],"portNumber":
["'$RDS_PORT'"],"localPortNumber":["'$LOCAL_PORT'"]}' &

# Example step that uses the tunnel

run_query_on_rds:
title: "Run Query on RDS"
type: "freestyle"
image: "postgres:latest" # Or mysql:latest for MySQL
environment:
- PGHOST=localhost
- PGPORT=5432
- PGUSER=mydbuser
- PGPASSWORD=mydbpassword
- PGDATABASE=mydbname
script:
- apk add --no-cache postgresql-client # For PostgreSQL
- psql -c "SELECT 1"

https://chatgpt.com/c/66e1e134-d450-8012-a40b-f017e5471a11 6/14
9/12/24, 5:20 AM SSH Tunnel Setup Codefresh

Explanation:
1. SSM Port Forwarding:

In the setup_ssm_tunnel step, the AWS CLI is used to start an SSM session
that forwards traffic from a local port (5432 in this case) to the RDS instance
via the EC2 instance acting as a bastion.
The command aws ssm start-session with the AWS-
StartPortForwardingSessionToRemoteHost document sets up this tunnel.
It forwards the local port on the runner to the specified RDS instance through
the EC2 instance ($INSTANCE_ID).
The nohup command is used to run the session in the background, allowing
subsequent steps to run.
2. Run Query on RDS:

In the second step (run_query_on_rds), we connect to the RDS instance

through the established tunnel. The connection is made to localhost on port
5432, which forwards traffic to the RDS endpoint.

Required AWS Permissions for Codefresh Runner:

Make sure the runner has the appropriate AWS credentials that include access to
Systems Manager (ssm), and the EC2 instance role must allow port forwarding.

IAM Role for the EC2 Instance:

The EC2 instance role must have permissions to start and terminate SSM sessions.
Example policy:

https://chatgpt.com/c/66e1e134-d450-8012-a40b-f017e5471a11 7/14
9/12/24, 5:20 AM SSH Tunnel Setup Codefresh

json

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:StartSession",
"ssm:DescribeSessions",
"ssm:TerminateSession"
],
"Resource": "*"
}
]
}

Notes:
Replace placeholders like my-rds-instance, i-xxxxxxxxxxxxxxx, mydbuser, and
mydbpassword with your actual values.
Ensure that your EC2 instance has access to the RDS instance through the
correct security group and VPC settings.

By using AWS SSM, you eliminate the need to manage SSH keys and can rely on
secure IAM-based access to manage the tunnel from the EC2 instance to the RDS
instance.

What if it’s opensearch cluster in aws instead of rds

If you're using an Amazon OpenSearch Service (formerly known as Amazon

Elasticsearch Service) cluster instead of an RDS instance, the setup for tunneling
through AWS Systems Manager (SSM) is quite similar. The main difference is that you
will need to adjust the port and query steps accordingly to work with OpenSearch
instead of a database.

Here’s how you can modify the setup to tunnel to an Amazon OpenSearch Service
cluster using an EC2 instance and SSM.

https://chatgpt.com/c/66e1e134-d450-8012-a40b-f017e5471a11 8/14
9/12/24, 5:20 AM SSH Tunnel Setup Codefresh

Steps to Configure:
1. IAM Role for EC2:

Ensure the EC2 instance (bastion host) has an IAM role that allows
interaction with AWS Systems Manager (SSM). It needs permissions similar
to the ones provided for the RDS setup:

json

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:StartSession",
"ssm:TerminateSession",
"ssm:DescribeSessions",
"ssm:SendCommand",
"ssm:GetCommandInvocation"
],
"Resource": "*"
}
]
}

2. Create the Codefresh Pipeline:

In this setup, you'll use port 9200, which is the default for OpenSearch, and
modify the steps to interact with OpenSearch using tools like curl or other
OpenSearch clients.

Here's an example Codefresh pipeline YAML for tunneling to an Amazon OpenSearch

cluster via an EC2 instance using SSM:

https://chatgpt.com/c/66e1e134-d450-8012-a40b-f017e5471a11 9/14
9/12/24, 5:20 AM SSH Tunnel Setup Codefresh

yaml

version: "1.0"
steps:
setup_ssm_tunnel:
title: "Setup SSM Tunnel to OpenSearch"
type: "freestyle"
image: "amazonlinux:latest"
environment:
- OPENSEARCH_ENDPOINT=my-opensearch-cluster.us-east-
1.es.amazonaws.com
- OPENSEARCH_PORT=9200 # Default port for OpenSearch
- LOCAL_PORT=9200 # Port for the local tunnel
- INSTANCE_ID=i-xxxxxxxxxxxxxxx # The ID of your EC2 instance
acting as the bastion
secrets:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_DEFAULT_REGION
script:
# Install required tools
- yum install -y amazon-ssm-agent
- yum install -y aws-cli

# Start SSM session and create port forwarding

- nohup aws ssm start-session \
--target "$INSTANCE_ID" \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters '{"host":["'$OPENSEARCH_ENDPOINT'"],"portNumber":
["'$OPENSEARCH_PORT'"],"localPortNumber":["'$LOCAL_PORT'"]}' &

# Example step to interact with OpenSearch

query_opensearch:
title: "Query OpenSearch"
type: "freestyle"
image: "curlimages/curl:latest"
environment:
- OPENSEARCH_USER=admin # OpenSearch user if using basic auth
- OPENSEARCH_PASSWORD=adminpassword
script:
# Query OpenSearch API
- curl -u $OPENSEARCH_USER:$OPENSEARCH_PASSWORD \
http://localhost:9200/_cluster/health?pretty

https://chatgpt.com/c/66e1e134-d450-8012-a40b-f017e5471a11 10/14
9/12/24, 5:20 AM SSH Tunnel Setup Codefresh

Explanation:
1. SSM Port Forwarding:

In the setup_ssm_tunnel step, the AWS CLI is used to start an SSM session
that forwards traffic from a local port (9200 by default) to the OpenSearch
cluster endpoint via the EC2 instance.
The command aws ssm start-session is used with the AWS-
StartPortForwardingSessionToRemoteHost document to establish the
tunnel. It forwards the local port on the runner to the OpenSearch cluster
through the EC2 instance.
2. Query OpenSearch:

In the query_opensearch step, we use curl to make an HTTP request to the

OpenSearch cluster through the established tunnel.
The request is made to localhost:9200, which forwards the request to the
OpenSearch endpoint via the EC2 instance.
Basic authentication is used here with the environment variables
OPENSEARCH_USER and OPENSEARCH_PASSWORD. You can also modify this to
use more secure authentication methods, such as IAM roles or tokens.

https://chatgpt.com/c/66e1e134-d450-8012-a40b-f017e5471a11 11/14
9/12/24, 5:20 AM SSH Tunnel Setup Codefresh

Additional Authentication Notes:

IAM-based access: If your OpenSearch cluster uses IAM-based authentication
(common with Amazon OpenSearch), you'll need to modify the query step to use
the AWS SigV4 signing process for API requests. Tools like aws-cli or the AWS
SDK for Python (boto3) can help sign the requests properly.

For example, using aws-cli with SigV4:

yaml

query_opensearch:
title: "Query OpenSearch with IAM"
type: "freestyle"
image: "amazonlinux:latest"
environment:
- OPENSEARCH_ENDPOINT=my-opensearch-cluster.us-east-
1.es.amazonaws.com
secrets:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_DEFAULT_REGION
script:
- yum install -y aws-cli

# Make signed HTTP request to OpenSearch cluster

- aws es describe-elasticsearch-domain --domain-name my-
opensearch-cluster

VPC-based access: Ensure that your EC2 instance and OpenSearch cluster are
in the same VPC or have the necessary VPC peering and security groups to allow
traffic between them.

Required AWS Permissions for the Codefresh Runner:

Ensure the runner has the necessary AWS credentials with permissions to start SSM
sessions and interact with OpenSearch. This includes access to the ssm and es
services.

https://chatgpt.com/c/66e1e134-d450-8012-a40b-f017e5471a11 12/14
9/12/24, 5:20 AM SSH Tunnel Setup Codefresh

Example IAM Policy for OpenSearch (for Codefresh Runner):

json

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:StartSession",
"ssm:DescribeSessions",
"ssm:TerminateSession"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"es:ESHttpGet",
"es:ESHttpPost"
],
"Resource": "*"
}
]
}

Final Notes:
Replace placeholders like my-opensearch-cluster, i-xxxxxxxxxxxxxxx,
OPENSEARCH_USER, and OPENSEARCH_PASSWORD with your actual values.
Depending on your OpenSearch authentication setup (IAM, basic auth, or VPC
access), you might need to adjust the query step to accommodate your specific
security configuration.

This setup should allow your Codefresh pipeline to connect securely to an Amazon
OpenSearch cluster via an EC2 instance using SSM port forwarding.

ChatGPT can make mistakes. Check important info.

https://chatgpt.com/c/66e1e134-d450-8012-a40b-f017e5471a11 13/14
9/12/24, 5:20 AM SSH Tunnel Setup Codefresh

https://chatgpt.com/c/66e1e134-d450-8012-a40b-f017e5471a11 14/14