From 8cf8f6382a9847c255443ae4f3e6df07bc1e8a0c Mon Sep 17 00:00:00 2001
From: John Preston
Date: Thu, 5 Nov 2020 23:23:21 +0000
Subject: [PATCH 1/3] Defaulting to encrypted

---
 ecs_composex/rds/rds_db_template.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ecs_composex/rds/rds_db_template.py b/ecs_composex/rds/rds_db_template.py
index 2f9d0b897..c55df1aac 100644
--- a/ecs_composex/rds/rds_db_template.py
+++ b/ecs_composex/rds/rds_db_template.py
@@ -128,6 +128,7 @@ def add_instance(template, db):
     instance = DBInstance(
         DATABASE_T,
         template=template,
+        DeletionPolicy="Snapshot",
         Engine=Ref(DB_ENGINE_NAME),
         EngineVersion=Ref(DB_ENGINE_VERSION),
         StorageType=If(
@@ -171,6 +172,7 @@ def add_instance(template, db):
             [GetAtt(db.db_sg, "GroupId")],
         ),
         Tags=Tags(SecretName=Ref(db.db_secret), Name=db.logical_name),
+        StorageEncrypted=True,
     )
     return instance
 
@@ -186,6 +188,7 @@ def add_cluster(template, db):
     cluster = DBCluster(
         CLUSTER_T,
         template=template,
+        DeletionPolicy="Snapshot",
         Condition=rds_conditions.USE_CLUSTER_CON_T,
         DBSubnetGroupName=If(
             rds_conditions.DBS_SUBNET_GROUP_CON_T,
@@ -217,6 +220,7 @@ def add_cluster(template, db):
         DBClusterParameterGroupName=Ref(CLUSTER_PARAMETER_GROUP_T),
         VpcSecurityGroupIds=[Ref(db.db_sg)],
         Tags=Tags(SecretName=Ref(db.db_secret), Name=db.logical_name),
+        StorageEncrypted=True,
     )
     return cluster
 

From 4765f21e85812d1eb7b01e1f03d3208c04934cdf Mon Sep 17 00:00:00 2001
From: John Preston
Date: Thu, 19 Nov 2020 08:31:39 +0000
Subject: [PATCH 2/3] A little bit of cleanup

---
 ecs_composex/acm/acm_stack.py     |  1 -
 ecs_composex/docdb/docdb_stack.py |  4 +++-
 ecs_composex/ecs/ecs_scaling.py   |  3 ---
 ecs_composex/rds/rds_stack.py     | 11 +++--------
 4 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/ecs_composex/acm/acm_stack.py b/ecs_composex/acm/acm_stack.py
index 635e675d9..001c30455 100644
--- a/ecs_composex/acm/acm_stack.py
+++ b/ecs_composex/acm/acm_stack.py
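Review bot: `DeletionPolicy="Snapshot"` on the DBInstance only covers stack deletion; when CloudFormation replaces the resource during a stack update, the outgoing instance is governed by `UpdateReplacePolicy`, which defaults to Delete, so no snapshot is taken. This matters immediately because the same patch sets `StorageEncrypted=True` further down in this function, and storage encryption cannot be switched on for an existing instance, so stacks already deployed from this template will have their DB instance replaced and the old, unencrypted data discarded. Add `UpdateReplacePolicy="Snapshot",` next to the DeletionPolicy line so the replaced instance is snapshotted first. add_instance's body starts before and ends after this hunk.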
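Review bot: `StorageEncrypted=True` is added without a `KmsKeyId`, so RDS falls back to the AWS-managed `aws/rds` key; that key's policy cannot be edited and snapshots encrypted with it cannot be shared with another account, which blocks the usual cross-account DR and migration paths. Consider accepting an optional KmsKeyId from the db definition and passing it through next to StorageEncrypted, and state the unconditional default in add_instance's docstring, e.g. `Storage is always encrypted; without a KmsKeyId the AWS-managed aws/rds key is used.` If add_instance can also emit Aurora cluster members (no DBClusterIdentifier is visible in this hunk), encryption is presumably inherited from the cluster and this property should be omitted for that case — worth confirming against the CloudFormation docs. The function continues outside the hunk.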
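Review bot: For the Aurora DBCluster the replacement case is the one to worry about: a cluster's encryption setting is fixed at creation, so applying this template to a stack created before `StorageEncrypted=True` was added replaces the whole cluster, and `DeletionPolicy="Snapshot"` does not govern replacement (that is `UpdateReplacePolicy`, which defaults to Delete). Add `UpdateReplacePolicy="Snapshot",` beside the DeletionPolicy line so the outgoing cluster is snapshotted before it is dropped. add_cluster's body extends beyond this hunk on both sides.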
@@ -198,4 +198,3 @@ def init_acm_certs(settings, dns_settings, root_stack):
     mappings = create_acm_mappings(lookup_resources, settings)
     if mappings:
         root_stack.stack_template.add_mapping(MOD_KEY, mappings)
-        print(mappings)
diff --git a/ecs_composex/docdb/docdb_stack.py b/ecs_composex/docdb/docdb_stack.py
index 30e85e468..e3784c730 100644
--- a/ecs_composex/docdb/docdb_stack.py
+++ b/ecs_composex/docdb/docdb_stack.py
@@ -51,7 +51,9 @@ def __init__(self, name, definition, settings):
         self.arn_attr = DOCDB_SECRET
 
     def init_outputs(self):
-        print(self.arn_attr, type(self.arn_attr))
+        """
+        Method to init the DocDB output attributes
+        """
         self.output_properties = {
             DOCDB_NAME.title: (self.logical_name, self.cfn_resource, Ref, None),
             DOCDB_PORT.title: (
diff --git a/ecs_composex/ecs/ecs_scaling.py b/ecs_composex/ecs/ecs_scaling.py
index da49da048..bd36df534 100644
--- a/ecs_composex/ecs/ecs_scaling.py
+++ b/ecs_composex/ecs/ecs_scaling.py
@@ -283,9 +283,6 @@ def merge_family_services_scaling(services):
     x_scaling_configs = []
     for service in services:
         handle_defined_x_aws_autoscaling(x_scaling_configs, service)
-
-    print(x_scaling_configs)
-
     valid_keys = [
         ("range", str, handle_range),
         ("target_scaling", dict, handle_target_scaling),
diff --git a/ecs_composex/rds/rds_stack.py b/ecs_composex/rds/rds_stack.py
index dd5ee2925..34db646ef 100644
--- a/ecs_composex/rds/rds_stack.py
+++ b/ecs_composex/rds/rds_stack.py
@@ -66,7 +66,9 @@ def __init__(self, name, definition, settings):
         self.arn_attr = Parameter(DB_SECRET_T, Type="String")
 
     def init_outputs(self):
-        print(self.db_secret)
+        """
+        Method to init the RDS Output attributes
+        """
         self.output_properties = {
             DB_NAME.title: (self.logical_name, self.cfn_resource, Ref, None),
             DB_ENDPOINT_PORT: (
@@ -89,13 +91,6 @@ def init_outputs(self):
             ),
         }
 
-    def uses_aurora(self):
-        if not self.lookup and self.properties[DB_ENGINE_NAME.title].startswith(
-            "aurora"
-        ):
-            return True
-        return False
-
 
 class XStack(ComposeXStack):
     """
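Review bot: In the `self.output_properties` dict built by `init_outputs` in rds_stack.py, the first key is `DB_NAME.title` (a string) while the next is `DB_ENDPOINT_PORT` (the object itself), whereas the DocDB counterpart in this same commit uses `.title` for both keys; if consumers look outputs up by name, the port entry will not be found under its title. Unless the mixed key types are deliberate, change the line to `DB_ENDPOINT_PORT.title: (`. The new docstring could also say what the method produces rather than restating its name, something like `Populate self.output_properties with the RDS attributes exposed to consuming services.`; the rest of the dict lies outside this hunk.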
From 3d777516f58d42c928f5b577e312b8942ff39e8b Mon Sep 17 00:00:00 2001
From: John Preston
Date: Thu, 19 Nov 2020 10:00:19 +0000
Subject: [PATCH 3/3] Slight rewrite of the RDS docs seemed appropriate

---
 ecs_composex/rds/README.rst | 56 ++++++++++++++++++++++++------------
 1 file changed, 36 insertions(+), 20 deletions(-)

diff --git a/ecs_composex/rds/README.rst b/ecs_composex/rds/README.rst
index e9688af0a..daf8332cb 100644
--- a/ecs_composex/rds/README.rst
+++ b/ecs_composex/rds/README.rst
@@ -4,33 +4,30 @@ AWS RDS ======= -This package is here to create all the CFN templates necessary to create RDS instances and allow microservices -to access the databases. +AWS RDS is one of the most amazing and feature rich service on AWS. Which also means that it is one of the possibly +most complex to get right. AWS has done an amazing job at making RDS easy to consume but still requires a lot of +settings to come together. -Assumptions -=========== +With AWS Aurora, and global databases etc, it becomes something that could be very complicated to describe in only a few +lines. -RDS is far more complex to configure and allow access to from microservices than pure IAM (at least at this time, using -IAM based auth might have performances impact on your applications, so we are going to consider usual DB credentials -are in use). +Our objective with this module is to make some of the most common usage of AWS RDS, with a push for RDS Aurora, easy +for developers and cloud engineers to define in a very simple way common RDS deployment patterns. -The engine -========== +Defaults +=========== -The engine & engine version are going to be used to determine if you are trying to create an Aurora Cluster in RDS -or a normal traditional DB. You have nothing more to do. +Credentials +----------- -Security groups configuration -============================= +Aurora and traditional RDS Databases support both Username/Password generic authentication. Due to the wide adoption of +that authentication mechanism, all RDS Dbs will come with a username/password, auto generated and stored in AWS Secrets Manager. -Per database, is created one Security Group for the DB itself and another that will be assigned to all microservices -which have been registered to have access to the database. However, keep in mind the `SG Account limitations`_ which apply, -by default, 5 Security Groups max per ENI. 
Given we are in *awsvpc* networking mode, each microservice running (container) -has its own ENI. +.. hint:: -Credentials -=========== + We do plan to allow a tick button to enable Aurora authentication with IAM, however have not received a Feature Request + for it. AWS Secrets Manager integrates very nicely to AWS RDS. This has no intention to implement the rotation system at this point in time, however, it will generate the password for the database and expose it securely to the microservices which @@ -41,8 +38,27 @@ can via environment variables fetch * DB Password * DB Port +Simple Properties +================== + +AWS Aurora and RDS Instances both can accept 20+ Properties, with complex syntax on both of these. The objective with +ComposeX is to keep things very simple. Therefore, in the attempt of making it easier, you can today simply define only +two properties to get yourself up and running + +* Engine +* EngineVersion + +Security groups configuration +============================= + +Per database, is created one Security Group for the DB itself and another that will be assigned to all microservices +which have been registered to have access to the database. However, keep in mind the `SG Account limitations`_ which apply, +by default, 5 Security Groups max per ENI. Given we are in *awsvpc* networking mode, each microservice running (container) +has its own ENI. + + .. _`SG Account limitations`: https://aws.amazon.com/premiumsupport/knowledge-center/increase-security-group-rule-limit/ .. note:: - See :ref:`rds_syntax_reference` + See :ref:`rds_syntax_reference` to start deploying (or re-use!) your services and connect them to RDS.