Bastion

Connect to an environment's VPC and RDS instance via the bastion host.

Architecture

Each deployed environment has a bastion host that is always running. The bastion host's security group is named pebbl-bastion-sg-ENVIRONMENT, where ENVIRONMENT is one of develop, staging, or production.

Prerequisites

  1. A valid SSO session, likely obtained using your pebbl-aws-login command
  2. Session Manager plugin installed; for Mac users: brew install --cask session-manager-plugin

Connecting

From the repo root, run one of:

just bastion-develop
just bastion-staging
just bastion-production

The script will find the bastion instance, fetch RDS credentials, install the PostgreSQL client on the host, and start an interactive SSM session. Once connected, run the connection command printed by the script to open a psql session.
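Because the session above goes through SSM, which the instance's agent opens outbound, the bastion security group from the Architecture section can normally run with no inbound rules. The following is an added example, not part of the project's scripts, that audits saved `aws ec2 describe-security-groups` output for inbound rules on the pebbl-bastion-sg-ENVIRONMENT groups. The sample data, group IDs, severity labels, and the expectation of zero inbound rules are assumptions made for illustration.

```python
import json

ENVIRONMENTS = ("develop", "staging", "production")

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "pebbl-bastion-sg-develop", "IpPermissions": []},
  {"GroupId": "sg-0bbb", "GroupName": "pebbl-bastion-sg-staging", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0ccc", "GroupName": "pebbl-bastion-sg-production", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0ddd"}]}]},
  {"GroupId": "sg-0eee", "GroupName": "pebbl-api-sg-staging", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}
]}
""")

def audit_bastion_groups(doc):
    """Return (group_name, severity, detail) for every inbound rule on a bastion group."""
    wanted = {f"pebbl-bastion-sg-{env}" for env in ENVIRONMENTS}
    findings, seen = [], set()
    for group in doc.get("SecurityGroups", []):
        name = group.get("GroupName", "")
        if name not in wanted:
            continue  # only the bastion groups named on this page are in scope
        seen.add(name)
        for rule in group.get("IpPermissions", []):
            proto = rule.get("IpProtocol")
            ports = "all" if proto == "-1" else f"{rule.get('FromPort')}-{rule.get('ToPort')}"
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            sources += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
            sources += [p["PrefixListId"] for p in rule.get("PrefixListIds", [])]
            for src in sources:
                # World-open sources are flagged HIGH; anything else still needs a reason.
                severity = "HIGH" if src in ("0.0.0.0/0", "::/0") else "REVIEW"
                findings.append((name, severity, f"{proto}/{ports} from {src}"))
    # A bastion group missing from the input means the audit did not cover it.
    for name in sorted(wanted - seen):
        findings.append((name, "REVIEW", "group not present in the input"))
    return findings

if __name__ == "__main__":
    for name, severity, detail in audit_bastion_groups(SAMPLE):
        print(f"{severity:6} {name}: {detail}")
```

To run it against a real account, replace SAMPLE with the parsed JSON saved from the AWS CLI using the same SSO session.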

SQL queries

The docs/bastion/sql/ directory contains diagnostic queries to run once connected:

Query                        Purpose
test_audit_history.sql       Audit history verification
test_deposit_history.sql     Deposit history verification
test_spending_rollups.sql    Spending rollup verification