bob/gemini-settings
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

More sessions

Browse Source
This commit is contained in:
bob walker
2026-02-24 18:03:22 +00:00
parent eb5bd4a929
commit 23cc78aa98
284 changed files with 129543 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

98
tmp/dalmatian/tool-outputs/read_file_187.txt Normal file
View File

@@ -0,0 +1,98 @@
# Database backups
Automated RDS backups are taken daily within AWS. The time and retention periods vary depending on the configuration.
Manual backups are also possible when required.
As the RDS instances are not publicly available, manual backups must be done via the ECS instances.
Follow the [Shell access to ECS instances](shell-access-to-ecs-instances.md) guide to access one of the ECS instances.
## Manual backup of PostgreSQL databases
The postgres container is available in the ECR, so as long as you have https access to the VPC endpoints, you will be able to access it.
The URI of the postgres container is `<aws-account-number>.dkr.ecr.<aws-region>.amazonaws.com/<infrastructure-environment-name>-postgres`. This can also be found via the [ECR UI](https://console.aws.amazon.com/ecr/repositories).
You will need to run login to ECR's docker to pull the container
```
$(aws ecr get-login --no-include-email --region <aws-region>)
```
Create a directory on the instance to store the database dump:
```
mkdir -p /db-backup
```
To create a postgresql sql dump, run:
```
docker run -i -v /db-backup:/db-backup <postgres-container-uri> /bin/bash -c "pg_dump postgres://<username>:<password>@<rds-endpoint>:5432/<database-name> > /db-backup/<backup-name>.sql"
```
To transfer the backup, follow the [Transferring files to the ECS instances](transferring-files-to-the-ecs-instances.md) guide
## Cross-account S3 replication for SQL backups
SQL backups can be replicated to an S3 bucket in another AWS account for offsite storage or disaster recovery.
### Source Account Configuration
In your `dalmatian.yml`, specify the destination bucket ARN and (optionally) the KMS key ID for the destination bucket:
```yaml
rds:
replication_bucket_destination_arn: "arn:aws:s3:::your-destination-bucket-name"
replication_kms_key_id: "your-destination-kms-key-id"
```
### Destination Account Configuration
The destination account must permit the source account's replication role to write to the bucket and use the KMS key.
#### 1. Destination Bucket Policy
Add a policy to the destination bucket to allow the replication role from the source account:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowReplicationFromDalmatianSource",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<SOURCE_ACCOUNT_ID>:role/<INFRASTRUCTURE_NAME>-<RDS_ID>-sql-backup-replication"
},
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ReplicateTags",
"s3:ObjectOwnerOverrideToBucketOwner"
],
"Resource": "arn:aws:s3:::<DESTINATION_BUCKET_NAME>/*"
}
]
}
```
#### 2. Destination KMS Key Policy (Optional)
If the destination bucket uses a Customer Managed Key (CMK) for encryption, the key policy must allow the source replication role to use it:
```json
{
"Sid": "AllowUsageByDalmatianSourceReplicationRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<SOURCE_ACCOUNT_ID>:role/<INFRASTRUCTURE_NAME>-<RDS_ID>-sql-backup-replication"
},
"Action": [
"kms:Encrypt",
"kms:GenerateDataKey"
],
"Resource": "*"
}
```