# Redshift

## Requirements

| Name                | Description                                                                                                                                              |
| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Teleskope Role      | Attach Redshift read and/or write permissions to the Teleskope IAM role you created                                                                      |
| Database Admin User | Create a read and/or write database user for each Redshift cluster you'd like us to scan                                                                 |
| Network Access      | If your Redshift clusters are in private subnets and you do not want to peer VPCs, create a bastion host for us to use to access your Redshift clusters. |

{% stepper %}
{% step %}

## Grant Teleskope IAM Access to Redshift

Attach the AmazonRedshiftDataFullAccess and AmazonRedshiftReadOnlyAccess to the Teleskope role you created.

## Terraform

```
resource "aws_iam_role_policy_attachment" "redshift_read_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRedshiftReadOnlyAccess"
}

resource "aws_iam_role_policy_attachment" "redshift_data_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRedshiftDataFullAccess"
}

# Optional: required if using Redshift IAM database authentication (no stored password).
data "aws_caller_identity" "current" {}

resource "aws_iam_policy" "redshift_iam_auth" {
  name = "teleskope-redshift-iam-auth"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "RedshiftIamAuth"
        Effect = "Allow"
        Action = [
          "redshift:GetClusterCredentials",
          "redshift:GetClusterCredentialsWithIAM"
        ]
        Resource = [
          "arn:aws:redshift:${var.aws_region}:${data.aws_caller_identity.current.account_id}:cluster:${var.redshift_cluster_identifier}",
          "arn:aws:redshift:${var.aws_region}:${data.aws_caller_identity.current.account_id}:dbuser:${var.redshift_cluster_identifier}/teleskope"
        ]
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "redshift_iam_auth" {
  role       = "TeleskopeRole"
  policy_arn = aws_iam_policy.redshift_iam_auth.arn
}
```

{% endstep %}

{% step %}

## Teleskope Database User

For each Redshift cluster you would like to scan using Teleskope, you will need to create a database user, and grant that user read permissions.

### Create Database User

**If using username and password:**

```sql
CREATE USER teleskope WITH PASSWORD  '****PASSWORD****'
```

**If using IAM Authentication:**

```sql
CREATE USER teleskope WITH SYSLOG ACCESS UNRESTRICTED;
```

* Then **associate the IAM role to the Redshift cluster** using:

  ```powershell
  aws redshift associate-iam-roles \
    --cluster-identifier my-redshift-cluster \
    --iam-role-arn arn:aws:iam::<account-id>:role/TeleskopeRole
  ```

### Grant Read Access

```sql
GRANT SELECT ON svv_all_schemas TO teleskope_ro;
GRANT SELECT ON svv_table_info TO teleskope_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog


-- Grant select to each Redshift schema
GRANT USAGE ON SCHEMA {schema} TO teleskope;
GRANT SELECT ON ALL TABLES IN SCHEMA {schema} TO teleskope;
```

### Grant Write Access

For each redshift schema:

```sql
GRANT UPDATE, DELETE ON ALL TABLES IN SCHEMA {schema} TO teleskope;
```

{% endstep %}

{% step %}

## Enroll in Teleskope UI

To enroll your Redshift cluster:

1. Navigate to **Settings**-> **Connector Settings** -> **AWS** -> **Redshift**
2. Click the radial button next to each cluster, **Edit,** and enter:
   1. If using **username/password**, the username and password of the cluster
   2. If using **IAM Auth**, the username (leave password field blank)
      {% endstep %}
      {% endstepper %}

## SSH Tunnel (Optional)

1. Launch an EC2 instance in a public subnet to serve as the SHH tunnel Bastion Host.
   1. The public key for the key-pair parameter will be provided by Teleskope: teleskope-bastion-key.
   2. Place the public key in `~/.ssh/authorized_keys` .<br>

      ```bash
      echo "<TELESKOPE_PUBLIC_KEY>" >> ~/.ssh/authorized_keys
      ```
   3. Update the permissions on the file and directory.<br>

      ```bash
      chmod 700 ~/.ssh
      chmod 600 ~/.ssh/authorized_keys
      ```
   4. Designate Teleskope AWS account access within your security group(s). IP addresses will be provided by Teleskope.
   5. Assign an Elastic IP (EIP) to the bastion host.
2. Adjust route tables and security groups as needed to provide access to the Redshift cluster through the bastion host.
3. Provide Teleskope with the bastion username, and the bastion elastic IP.