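#!/bin/bash
# Install and start a persistent SSH tunnel (systemd + autossh) from this host
# to a database that is reachable only through a bastion. Connection details
# and the SSH private key are read from SSM Parameter Store under SSM_PREFIX.
#
# Must run as root: it writes /etc/systemd/system and /opt/eop-tunnel, and may
# install a package. The instance role needs ssm:GetParameter on
# "${SSM_PREFIX}/tunnel/*"; since --with-decryption is used, it presumably
# also needs decrypt rights on the parameters' KMS key (confirm for your
# account if the parameters are SecureString).
set -euo pipefail

# Region where the SSM parameters live (not necessarily this host's region).
readonly AWS_REGION="ap-southeast-7"
# Every parameter looked up below is named "${SSM_PREFIX}/<relative name>".
readonly SSM_PREFIX="/amrez/eop"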
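#######################################
# Fetch one parameter from SSM Parameter Store (decrypted) and print it.
# Globals:   AWS_REGION, SSM_PREFIX (read)
# Arguments: $1 - parameter name relative to SSM_PREFIX, e.g. tunnel/ssh_user
# Outputs:   the parameter value on stdout, newline-terminated
# Returns:   non-zero (with a message on stderr) if the lookup fails or the
#            value is empty, so a caller running under set -e stops instead of
#            templating an empty string into the unit file. The aws CLI prints
#            the literal "None" for a null value in text mode; treated as empty.
#######################################
need() {
  local name="${SSM_PREFIX}/$1"
  local value
  value=$(aws ssm get-parameter --with-decryption --region "$AWS_REGION" --name "$name" \
    --query "Parameter.Value" --output text) || return
  if [[ -z "$value" || "$value" == "None" ]]; then
    printf 'SSM parameter %s is missing or empty\n' "$name" >&2
    return 1
  fi
  printf '%s\n' "$value"
}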
# autossh supervises ssh and re-spawns it when the tunnel drops; make sure it
# is present, installing it quietly on first run only.
command -v autossh >/dev/null 2>&1 || dnf install -y autossh >/dev/null
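# Connection parameters. Each of these is later expanded, unquoted, into the
# unit's ExecStart= line, where systemd word-splits it: a value containing
# whitespace or quotes would become extra ssh arguments (and a host name or
# port is also used in the -L forward spec). They are therefore checked
# against a strict charset before anything is written.
SSH_USER=$(need "tunnel/ssh_user")
BASTION_HOST=$(need "tunnel/bastion_host")
DB_HOST=$(need "tunnel/db_host")
DB_PORT=$(need "tunnel/db_port")
LOCAL_PORT=$(need "tunnel/local_port")

# require_match NAME VALUE REGEX: abort the install unless VALUE matches REGEX.
require_match() {
  if [[ ! "$2" =~ $3 ]]; then
    printf 'Invalid value for %s: %q\n' "$1" "$2" >&2
    exit 1
  fi
}

# require_port NAME VALUE: abort unless VALUE is a TCP port number 1-65535.
# The regex rejects leading zeros so the arithmetic below never sees octal.
require_port() {
  require_match "$1" "$2" '^[1-9][0-9]{0,4}$'
  if (( $2 > 65535 )); then
    printf 'Invalid port for %s: %s\n' "$1" "$2" >&2
    exit 1
  fi
}

# Host names and the login user are limited to DNS/login-safe characters;
# IPv4 literals pass, bracketed IPv6 would not (the -L spec could not carry
# one unchanged anyway).
require_match SSH_USER     "$SSH_USER"     '^[A-Za-z0-9._-]+$'
require_match BASTION_HOST "$BASTION_HOST" '^[A-Za-z0-9._-]+$'
require_match DB_HOST      "$DB_HOST"      '^[A-Za-z0-9._-]+$'
require_port  DB_PORT      "$DB_PORT"
require_port  LOCAL_PORT   "$LOCAL_PORT"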
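# Private key used to reach the bastion. Create the file under a restrictive
# umask so it never exists with the default (group/world-readable) mode, even
# for the instant between the redirect and the chmod. The subshell scopes the
# umask change; under set -e a failed fetch makes the subshell, and so the
# script, exit non-zero.
install -d -m 700 -o root -g root /opt/eop-tunnel
(
  umask 077
  need "tunnel/private_key" > /opt/eop-tunnel/id_rsa
)
# On re-runs the file already exists and the umask does not alter its mode,
# so enforce 0600 explicitly (ssh refuses keys that are readable by others).
chmod 600 /opt/eop-tunnel/id_rsa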
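# systemd unit that runs the tunnel. The heredoc delimiter is unquoted on
# purpose: the SSM-derived values are expanded now, at install time, and the
# unit file contains plain literals.
#
# ssh options and why they are set:
#  - BatchMode=yes: there is no tty under systemd, so any prompt (passphrase,
#    host key) would hang the unit forever; fail instead.
#  - ConnectTimeout=10: bound the time a dead bastion can stall a start.
#  - ExitOnForwardFailure=yes: if 127.0.0.1:LOCAL_PORT cannot be bound (for
#    example another process holds it) ssh exits with the bind error in the
#    journal and systemd restarts it. This makes the former ExecStartPre
#    unnecessary; that step ran "killall ssh", which would have killed every
#    ssh client on the host, admin sessions included, not just a stale tunnel.
#  - StrictHostKeyChecking=accept-new with a dedicated UserKnownHostsFile:
#    the bastion's host key is recorded on first contact and any later change
#    is fatal. The previous value "no" accepted any key on every connection,
#    so a man-in-the-middle between this host and the bastion would not have
#    been noticed. To remove even the first-contact trust, pre-seed
#    /opt/eop-tunnel/known_hosts from a trusted source and switch this to
#    StrictHostKeyChecking=yes.
#  - IdentitiesOnly=yes: offer only the key below, not whatever else ssh
#    could find for root (other identity files, an agent).
#  - "ExitOnFailure" was dropped: it is not an ssh_config(5) option, and ssh
#    refuses to start when given an unknown -o option, which kept this unit
#    in a restart loop.
#
# Sandboxing: NoNewPrivileges, PrivateTmp, ProtectHome and ProtectSystem=full
# limit what the root-owned ssh process can reach; /opt stays writable so
# accept-new can append to the known_hosts file.
# NOTE(review): the unit still runs as root because the key directory is
# root-only (0700). A dedicated unprivileged user that owns /opt/eop-tunnel
# would be the least-privilege choice; not changed here.
cat >/etc/systemd/system/eop-db-tunnel.service <<EOF
[Unit]
Description=EOP DB SSH tunnel (LOCAL:${LOCAL_PORT} -> ${DB_HOST}:${DB_PORT} via ${BASTION_HOST})
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=root
Restart=always
RestartSec=5
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
ExecStart=/usr/bin/autossh -M 0 -N \
  -o BatchMode=yes -o ConnectTimeout=10 \
  -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes \
  -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=/opt/eop-tunnel/known_hosts \
  -o IdentitiesOnly=yes -i /opt/eop-tunnel/id_rsa \
  -L 127.0.0.1:${LOCAL_PORT}:${DB_HOST}:${DB_PORT} ${SSH_USER}@${BASTION_HOST}

[Install]
WantedBy=multi-user.target
EOF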
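systemctl daemon-reload
systemctl enable --now eop-db-tunnel.service

# Wait up to 30 s for the forward to be listening on 127.0.0.1:LOCAL_PORT.
# The ss filter matches that exact local socket; a substring test such as
# ":${LOCAL_PORT} " would also match other ports ending in the same digits
# (e.g. :15432 when LOCAL_PORT is 5432) or a listener on another address.
for _ in {1..30}; do
  if ss -lnt "src 127.0.0.1:${LOCAL_PORT}" | grep -q LISTEN; then
    exit 0
  fi
  sleep 1
done

echo "Tunnel not ready on 127.0.0.1:${LOCAL_PORT}" >&2
echo "See: journalctl -u eop-db-tunnel.service" >&2
exit 1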