Merge pull request #37 from ministryofjustice/snapshot_management

Snapshot management
ministryofjustice · Oct 21, 2019 · abd81d4 · abd81d4
2 parents c2f850c + 681d1a8
commit abd81d4
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -64,6 +64,8 @@ Some of the inputs are tags. All infrastructure resources need to be tagged acco
 | database_name | Name of the database |
 | database_username | Database Username |
 | database_password | Database Password |
+| access_key_id | Access key id for RDS snapshot management |
+| secret_access_key | Secret key for RDS snapshot management |
 
 ## Accessing the database
 
@@ -82,6 +84,8 @@ data:
   database_name: ...
   database_password: ...
   database_username: ...
+  access_key_id: ...
+  secret_access_key: ...
   rds_instance_address: cloud-platform-xxxxx.yyyyy.eu-west-2.rds.amazonaws.com
   rds_instance_endpoint: cloud-platform-xxxxx.yyyyy.eu-west-2.rds.amazonaws.com:5432
   rds_instance_port: '5432'
@@ -230,6 +234,23 @@ Please remember to delete the port-forwarding pod when you have finished.
 kubectl delete pod port-forward-pod -n [your namespace]
 ```
 
+### 4. Managing RDS snapshots - backups and restores
+
+An IAM user account is created which allows management of RDS snapshots - allowing snapshot create, delete, copy, restore.
+
+Example usage via AWS CLI:
+
+List snapshots
+```
+aws rds describe-db-snapshots --db-instance-identifier [db-instance-name]
+```
+
+Create snapshot
+```
+aws rds create-db-snapshot --db-instance-identifier [db-instance-name] --db-snapshot-identifier [your-snapshot-name]
+```
+
+
 ## Reading Material
 
 - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html

diff --git a/example/rds.tf b/example/rds.tf
@@ -15,13 +15,14 @@ variable "cluster_state_bucket" {}
  *
  */
 module "example_team_rds" {
-  source                 = "github.com/ministryofjustice/cloud-platform-terraform-rds-instance?ref=4.6"
-  cluster_name           = "${var.cluster_name}"
-  cluster_state_bucket   = "${var.cluster_state_bucket}"
-  team_name              = "example-repo"
-  business-unit          = "example-bu"
-  application            = "exampleapp"
-  is-production          = "false"
+  source               = "github.com/ministryofjustice/cloud-platform-terraform-rds-instance?ref=4.7"
+  cluster_name         = "${var.cluster_name}"
+  cluster_state_bucket = "${var.cluster_state_bucket}"
+  team_name            = "example-repo"
+  business-unit        = "example-bu"
+  application          = "exampleapp"
+  is-production        = "false"
+
   # change the postgres version as you see fit.
   db_engine_version      = "10"
   environment-name       = "development"
@@ -56,6 +57,8 @@ resource "kubernetes_secret" "example_team_rds" {
     database_username     = "${module.example_team_rds.database_username}"
     database_password     = "${module.example_team_rds.database_password}"
     rds_instance_address  = "${module.example_team_rds.rds_instance_address}"
+    access_key_id         = "${module.example_team_rds.access_key_id}"
+    secret_access_key     = "${module.example_team_rds.secret_access_key}"
 
     /* You can replace all of the above with the following, if you prefer to
      * use a single database URL value in your application code:

diff --git a/main.tf b/main.tf
@@ -130,3 +130,38 @@ resource "aws_db_parameter_group" "custom_parameters" {
     apply_method = "${var.apply_method}"
   }
 }
+
+resource "aws_iam_user" "user" {
+  name = "rds-snapshots-user-${random_id.id.hex}"
+  path = "/system/rds-snapshots-user/${var.team_name}/"
+}
+
+resource "aws_iam_access_key" "user" {
+  user = "${aws_iam_user.user.name}"
+}
+
+data "aws_iam_policy_document" "policy" {
+  statement {
+    actions = [
+      "rds:DescribeDBSnapshots",
+      "rds:CopyDBSnapshot",
+      "rds:DeleteDBSnapshot",
+      "rds:DescribeDBSnapshotAttributes",
+      "rds:ModifyDBSnapshot",
+      "rds:CreateDBSnapshot",
+      "rds:RestoreDBInstanceFromDBSnapshot",
+      "rds:ModifyDBSnapshotAttribute",
+    ]
+
+    resources = [
+      "${aws_db_instance.rds.arn}",
+      "arn:aws:rds:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:snapshot:*",
+    ]
+  }
+}
+
+resource "aws_iam_user_policy" "policy" {
+  name   = "rds-snapshots-read-write"
+  policy = "${data.aws_iam_policy_document.policy.json}"
+  user   = "${aws_iam_user.user.name}"
+}
diff --git a/output.tf b/output.tf
@@ -27,3 +27,13 @@ output "database_password" {
   description = "Database Password"
   value       = "${aws_db_instance.rds.password}"
 }
+
+output "access_key_id" {
+  description = "Access key id for RDS IAM user"
+  value       = "${aws_iam_access_key.user.id}"
+}
+
+output "secret_access_key" {
+  description = "Secret key for RDS IAM user"
+  value       = "${aws_iam_access_key.user.secret}"
+}