[ENH] Optional creds via CloudFormation param

[lmeyerov]

Instead of doing the public IP lookup (https://github.com/graphistry/graph-app-kit/blob/master/src/bootstraps/neptune/graphistry.sh#L45), which does not work in some modes, we should support:

1. an optional CloudFormation setting of initial admin's user/password

• ... be sure to skip the IP lookup as it may fail in locked-down accounts

2. when not provided, fallback to lookup

See: #32, #31, #28

[shehabgamin]

@lmeyerov Amazing thanks!

How long can we except for this enhancement to be ready?

I would like to start visualizing my production data but can't due to security concerns

[lmeyerov]

@aminsshahab I'm checking w/ our AWS collaborators for guidance -- assuming not complicated, maybe end-of-week / next?

I think the private subnet thing is:

1. If creds specified, remove INSTANCE ID public IP lookup and its use for default creds:

• graph-app-kit/src/bootstraps/core/graphistry.sh

  Line 23 in 1e93ce1

  source instance-id.sh

• graph-app-kit/src/bootstraps/neptune/graphistry.sh

  Line 35 in e882fb0

  source ./graphistry-service-account.sh

  ->

  graph-app-kit/src/bootstraps/scripts/graphistry-service-account.sh

  Line 20 in 1e93ce1

  export SERVICE_PASS="${INSTANCE_ID}_${RANDOM}"

2. Add optional provisioning of user-specific creds:

• Load param. I didn't see a clear way to do secrets (AWS Secrets Manager) that wasn't an ordeal for everyone involved, so probably just noecho:

  graph-app-kit/src/bootstraps/core/graphistry.yml

  Line 18 in 1e93ce1

  Parameters:

• graph-app-kit/src/bootstraps/scripts/graphistry-service-account.sh

  Line 20 in 1e93ce1

  export SERVICE_PASS="${INSTANCE_ID}_${RANDOM}"

• Ensure the Graphistry boot scripts (graphistry-compose.service, something like that) isn't also doing the INSTANCE thing, and if it is, simply resume after it (expectedly) fails

However, I'm fuzzy on the surrounding public/private VPC stuff. Ex: If we did the above change, and you picked a private VPC... would that be enough.. or is there more needed?

FWIW, are you connecting this w/ Neptune or anything?

[shehabgamin]

@lmeyerov My apologies for the late response.

A VPC is an isolated virtual network within AWS. For an EC2 instance you can decide to choose a public subnet which exposes the instance to the internet, or you can choose to only have a private subnet which only allows the instance to be accessible through your VPC.

Within the cloud-formation stack, you can have the user choose a private subnet or a public subnet. If the user chooses a private subnet then all you would need to do is use the private ip instead of the public ip.

Also, yes I will be using this to connect to Neptune.

[lmeyerov]

Great -- and how would web browsers access your graph-app-kit instance... say via an AWS-friendly VPN that allows access to the private IP, or maybe a public ELB that has access to the private IP?

I'm trying to suss out if there's anything else we should be adding, or it's sufficient to remove to the disallowed instance-id.sh call. Ex: Should we also provide an optional param for doing an ELB hookup of some sort.

[shehabgamin]

@lmeyerov Web browsers can access the instance using a VPN that has access to the VPC, which is the most straight forward way to do it.