# Database backups

Automated RDS backups are taken daily within AWS. The time and retention periods vary depending on the configuration.

Manual backups are also possible when required.

As the RDS instances are not publicly available, manual backups must be done via the ECS instances.

Follow the [Shell access to ECS instances](shell-access-to-ecs-instances.md) guide to access one of the ECS instances.
## Manual backup of PostgreSQL databases

The postgres container image is available in ECR, so as long as you have HTTPS access to the VPC endpoints, you will be able to pull it.

The URI of the postgres container is `<aws-account-number>.dkr.ecr.<aws-region>.amazonaws.com/<infrastructure-environment-name>-postgres`. This can also be found via the [ECR UI](https://console.aws.amazon.com/ecr/repositories).

You will need to log in to ECR with Docker before you can pull the container:

```
$(aws ecr get-login --no-include-email --region <aws-region>)
```

Create a directory on the instance to store the database dump:

```
mkdir -p /db-backup
```

To create a PostgreSQL SQL dump, run:

```
docker run -i -v /db-backup:/db-backup <postgres-container-uri> /bin/bash -c "pg_dump postgres://<username>:<password>@<rds-endpoint>:5432/<database-name> > /db-backup/<backup-name>.sql"
```

To transfer the backup, follow the [Transferring files to the ECS instances](transferring-files-to-the-ecs-instances.md) guide.
## Cross-account S3 replication for SQL backups

SQL backups can be replicated to an S3 bucket in another AWS account for offsite storage or disaster recovery.

### Source Account Configuration

In your `dalmatian.yml`, specify the destination bucket ARN and (optionally) the KMS key ID for the destination bucket:

```yaml
rds:
  replication_bucket_destination_arn: "arn:aws:s3:::your-destination-bucket-name"
  replication_kms_key_id: "your-destination-kms-key-id"
```
### Destination Account Configuration

The destination account must permit the source account's replication role to write to the bucket and use the KMS key.

#### 1. Destination Bucket Policy

Add a policy to the destination bucket to allow the replication role from the source account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReplicationFromDalmatianSource",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SOURCE_ACCOUNT_ID>:role/<INFRASTRUCTURE_NAME>-<RDS_ID>-sql-backup-replication"
      },
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Resource": "arn:aws:s3:::<DESTINATION_BUCKET_NAME>/*"
    }
  ]
}
```
#### 2. Destination KMS Key Policy (Optional)

If the destination bucket uses a Customer Managed Key (CMK) for encryption, the key policy must allow the source replication role to use it:

```json
{
  "Sid": "AllowUsageByDalmatianSourceReplicationRole",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<SOURCE_ACCOUNT_ID>:role/<INFRASTRUCTURE_NAME>-<RDS_ID>-sql-backup-replication"
  },
  "Action": [
    "kms:Encrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*"
}
```
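
One way to check the destination bucket policy and KMS key statement above for least privilege before applying them. This is an added example, not part of the Dalmatian project's own code; the `audit` function, the sample role ARN, account ID and bucket name are assumptions made for illustration.

```python
# Actions the page grants to the replication role, per policy type.
ALLOWED_ACTIONS = {
    "s3": {"s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags",
           "s3:ObjectOwnerOverrideToBucketOwner"},
    "kms": {"kms:Encrypt", "kms:GenerateDataKey"},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    p = stmt.get("Principal", [])
    return _as_list(p.get("AWS", [])) if isinstance(p, dict) else _as_list(p)

def audit(document, kind, role_arn, bucket=None):
    """Findings for Allow statements naming role_arn or "*" (empty list = OK).

    document is a full policy or one statement; kind is "s3" or "kms".
    """
    findings = []
    for stmt in _as_list(document.get("Statement", document)):
        who = _principals(stmt)
        if stmt.get("Effect") != "Allow" or not {role_arn, "*"} & set(who):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for arn in who:
            if arn != role_arn:
                findings.append(f"{sid}: principal {arn} is not the replication role")
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS[kind]:
                findings.append(f"{sid}: action {action} exceeds what replication needs")
        # In a key policy "*" means the key the policy is attached to, so
        # only the bucket policy's Resource is compared.
        resources = _as_list(stmt.get("Resource", []))
        if kind == "s3" and resources != [f"arn:aws:s3:::{bucket}/*"]:
            findings.append(f"{sid}: resource {resources} is not limited to {bucket}/*")
    return findings

# Constructed sample values: account ID, role and bucket names are placeholders.
ROLE = "arn:aws:iam::111111111111:role/example-infra-examplerds-sql-backup-replication"
BUCKET = "example-destination-bucket"
BUCKET_STATEMENT = {"Sid": "AllowReplicationFromDalmatianSource", "Effect": "Allow",
    "Principal": {"AWS": ROLE}, "Action": sorted(ALLOWED_ACTIONS["s3"]),
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}

if __name__ == "__main__":
    policy = {"Version": "2012-10-17", "Statement": [BUCKET_STATEMENT]}
    print(audit(policy, "s3", ROLE, BUCKET) or "bucket policy OK")
```

Statements that grant access to other principals are skipped, so the check can be run against a bucket or key policy that also carries unrelated statements.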