AWS FSx for ONTAP is deployed within an AWS VPC and the management LIFs are only accessible via private IP addresses (and the hostnames for these LIFs are only resolvable via private DNS) from within the VPC. If attempting to use the ONTAP provider from a local machine or from outside of the VPC, there's no means for the underlying REST calls of the ONTAP Provider to reach the management LIFs.
Interested to hear how others may approach this. For now, I'm manually setting up an SSH tunnel with port forwarding through a small EC2 instance within the same VPC as my FSx for ONTAP filesystem:
ssh -i <private_key_file> ec2-user@<instance_hostname> -L 8443:<management_LIF_hostname>:443 -N
Then using the following configuration for the ONTAP provider:
provider "netapp-ontap" {
  # A connection profile defines how to interface with an ONTAP cluster or svm.
  # At least one is required.
  connection_profiles = [
    {
      name = aws_fsx_ontap_file_system.fsxontap01.id
      hostname = "localhost:8443"
      username = "fsxadmin"
      password = var.fsxadmin_password
      validate_certs = false
    }
  ]
}
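The manual tunnel step above can be wrapped so that the forward listens on loopback only, the run stops if the forward cannot be set up, and the tunnel is closed once the command finishes. This is an added example, not part of the original post; `LOCAL_PORT`, `CTL_SOCK` and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). LOCAL_PORT, CTL_SOCK and all
# function names are assumptions; ec2-user and port 443 come from the post.
LOCAL_PORT="${LOCAL_PORT:-8443}"
CTL_SOCK="${CTL_SOCK:-${TMPDIR:-/tmp}/fsx-tunnel.$$}"

# forward_spec <local_port> <mgmt_lif>
# Print an -L spec that listens on loopback only. Reject ports outside
# 1024-65535 and LIF names with characters that could alter the spec.
forward_spec() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] 2>/dev/null && [ "$1" -le 65535 ] 2>/dev/null || return 1
  case "$2" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  printf 'localhost:%s:%s:443\n' "$1" "$2"
}

# open_tunnel <key_file> <bastion> <mgmt_lif>
# -f backgrounds ssh after authentication; ExitOnForwardFailure makes ssh
# exit non-zero instead of running without the forward; -M/-S create a
# control socket so the tunnel can be closed without hunting for a PID.
open_tunnel() {
  spec=$(forward_spec "$LOCAL_PORT" "$3") || {
    echo "invalid local port or management LIF name" >&2
    return 1
  }
  ssh -i "$1" -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
      -M -S "$CTL_SOCK" -f -N -L "$spec" "ec2-user@$2"
}

# close_tunnel <bastion>: ask the backgrounded master connection to exit.
close_tunnel() {
  ssh -S "$CTL_SOCK" -O exit "ec2-user@$1" 2>/dev/null || true
}

# with_tunnel <key_file> <bastion> <mgmt_lif> <command...>
# Run the command only while the tunnel is up, then return its exit status.
with_tunnel() {
  key=$1 bastion=$2 lif=$3
  shift 3
  open_tunnel "$key" "$bastion" "$lif" || return 1
  "$@"
  rc=$?
  close_tunnel "$bastion"
  return "$rc"
}

# Usage: sh fsx-tunnel.sh <key_file> <bastion> <mgmt_lif> terraform plan
if [ "$#" -ge 4 ]; then with_tunnel "$@"; fi
```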