I am working on standing up a CF tunnel
I am working on standing up a CF tunnel to connect to a local postgres DB for the development tier. I have cloudflared running in a docker container and the postgres bitnami container running, but keep receiving this error when creating my hyperdrive config via Pulumi with v6.1.0:
I can log in to the local machine and run the psql connection to connect to the postgres container successfully; I even ran psql using a second container to connect.
I don't know where the error is, since I can connect locally and via a container on the default docker network and host networks.
To me the error is misleading because it should be a private IP on the local docker network/host network which both connect successfully.
The cloudflare tunnel is up and healthy with the correct ingress rules in the zero trust console which is confirmed by the debug logs from the container. I am really at a loss where to troubleshoot next.
Do you have an Access policy configured in front of the tunnel, and have you confirmed you're able to login through that? That'd be the next thing I'd check
I don't have one defined via Pulumi. That sounds like the missing piece perhaps? I can share my whole config if it's easier to understand where I am.
I'm afraid I'm not well-up enough on Pulumi to help you through that setup.
Hyperdrive does require an Access policy, and you'd create the "private" config including the Secret and Token for that policy, such that Hyperdrive would use it to auth to your tunnel. Sec, let me find our guide
Ok cool, makes sense. I have this up: https://www.pulumi.com/registry/packages/cloudflare/api-docs/zerotrustaccesspolicy/
Connect to a private database using Tunnel · Hyperdrive docs
I can step through the yaml example here to try and create one.
We have an automagic version that'll do most of this setup for you, in our Dash. If you're going through IAC like this, you'll want 2.1 and the manual creation version for the steps it takes.
Yeah, that guide I was following. When I click through the console it shows an access policy is created with what I already wrote.
Ah, interesting, ok.
Let me remove everything and test manually creating the access policy. Maybe what's created is not 100% yet.
You can use Access' API to check login attempts from a service account, I'd be willing to bet that's where you're getting bounced, somehow
Ha! Just checked the policies attached to the application and it looks like there are 12 already attached. I bet there is a conflict there.
I deleted the existing access policy that shows up and recreated it in the console via clickops in the hyperdrive screen, and immediately saw a connection attempt logged in the cloudflared container. Progress!
Looks like the cloudflare.ZeroTrustAccessServiceToken and then cloudflare.ZeroTrustAccessPolicy both need to be created first, then used with the cloudflare.HyperdriveConfig?
Yep, that's correct
Ahhh ok. That helps a ton to understand better
Still running into issues, but hopefully a quick question. I was able to create a successful hyperdrive connection in the browser, but it seems it auto-creates an application in ZeroTrust. There seems to be a lot of magic happening in the background from the UI.
Can I just create an access application via IAC, and would that also create the tokens and policies?
So far I have been reverse engineering the access application and policies from the list API call via curl, but I assume there is a better way.
The token and policy are separate from the application. They should all be possible to create+attach separately, via IAC. We do that internally with terraform, for the teams that use Hyperdrive
Ok, so I also need a cloudflare.ZeroTrustAccessApplication on top of the Token and Policy resource? And last would be the cloudflare.HyperdriveConfig resource?
Yeah, it's a lot, there's a reason we wrote up the "magic" dash version, folks were not having a good time doing it manually.
The list is:
* Tunnel
* Access application (does the actual access control for the Tunnel, attached to the Tunnel)
* Policy (permits access to the Application, needs to be attached to it)
* Token (used for services to make auth easier, needs to be attached to the Policy and the Hyperdrive config, comes with a Secret)
* Hyperdrive config (needs the Token and Secret so it can auth to the Access Application)
Yep, magic is nice and works well. I'll work on verifying each of the above. Is there an endpoint that lists the logs for zerotrust? I checked the api docs, but when calling the endpoint it requires additional fields not listed in the apidocs.
Should just be this one, no?
https://developers.cloudflare.com/api/resources/zero_trust/subresources/access/subresources/logs/
Yep but I receive back
Did you include an api key in the header? That's very odd
The zone is just whichever domain you're using for the access application
Yep, I set X-Auth-Key as the global api key and X-Auth-Email as the account email to https://api.cloudflare.com/client/v4/accounts/<redacted>/access/logs/access_requests
I don't see zone listed in the api docs
Me either
Well, if that doesn't want to cooperate you can run the tunnel with loglevel=debug and it'll log each access attempt there
Are the logs under the ZeroTrust portal? I can grab from there. I already have the tunnel in debug, but when I run a deploy I get an error (I will rerun again to get the exact one) and do not see the connection attempt, so I am working backwards through the api via curl from the working hyperdrive config.
I also have tcpdump running on the cloudflared docker container to log any postgres connections
Thanks for your help AJR! I'll work through the list above first 🙂
Happy to, sorry I can't be more help there!
Good luck, feel free to ping here with more questions if you have em
All good! Sounds like a good blog post once it's all worked out, and maybe a PR back to your docs walking through the process!
cc @thomasgauvin ,
We're always happy to clarify docs. This is a known-difficult process, and I appreciate you working through it and sharing the feedback.
Hey @AJR, hopefully the last question. From the api docs, the cloudflare.HyperdriveConfig api docs state the accessClientId and accessClientSecret are required if a port is not specified. Where does the accessClientId come from: is it the ZeroTrustServiceToken.id or ZeroTrustServiceToken.clientId? Same for the accessClientSecret: the docs state this is write-only, can I just set any string as part of the config?
https://developers.cloudflare.com/api/resources/hyperdrive/models/hyperdrive/#(schema) -> Create Hyperdrive -> AccessProtectedDatabaseBehindCloudflareTunnel
The clientId is the one you want. I'm not sure how it gets passed through with something like Pulumi, but the secret is provided here and must be given to the Hyperdrive config for it to work. We encrypt and store that, and present it to Access whenever we make a connection through your tunnel.
Ah ok, I call the getZeroTrustAccessServiceToken and then assign the clientId to a variable for the Hyperdrive config. Let me see if I can pull the secret from when I create the Service Token, or if it's a property available.
Unrelated, really nice font in that screenshot!
Thanks! Berkeley Mono, I love it.
Looks like I finally had success; going to un-deploy and re-deploy to verify the IAC is correct.
Nice! Fingers crossed.
What's the best way to provide feedback for the docs and/or write a how-to guide for anyone else working through the same issues?
Feedback for the docs can go here, our team is here often and I've already pinged our PM Thomas in this thread. If you're of a mind to open a PR, the repo for our docs is open-source (https://github.com/cloudflare/cloudflare-docs). Not necessary, of course, but always welcome.
A how-to guide with Pulumi is a bit more of a question, I'm not sure if that's in scope for our docs. I'll let Thomas speak to the best way to publicise that one.
Cool, I am using SST for deployment, so maybe that's the right repo: https://github.com/sst/sst/pull/5696