S3 backups #125
S3 backups #125
Conversation
…d separately if needed
maxinelasp
requested review from
bourque,
sdhoyt,
greglucas,
tech3371,
bryan-harter,
laspsandoval and
GFMoraga
|
Tests failed because it checks the number of roles and I didn't update it. I will fix now. |
|
Here is what I see as potential solutions to not knowing the Role name:
Thoughts? |
|
|
||
| For replication to work, you also need to deploy SdsDataManager and create | ||
| the source bucket and replication role. Then, you need to manually update | ||
| the role_arn variable with the replication role created. |
There was a problem hiding this comment.
I saw a question on your PR comment about how to add dependency. In CDK, there is a way to create a resource only after its dependent resources are created. For example, something like
backup_bucket.node.add_dependency(sds_data_manager)
backup_bucket.node.add_dependency(source_bucket)
backup_bucket.node.add_depencency(replication_role)
What this does is, it makes sure all the source for the backup_bucket is created before it creates backup_bucket. I hope this helps.
There was a problem hiding this comment.
I can look into this, but I don't think it will work, because the sds_data_manager is created in a different account. When deploying the backup bucket, it won't be able to see the sds_data_manager in the dev account.
There was a problem hiding this comment.
I think there is way to add this dependency at very high level like in app.py but we can look at it post SIT-2.
| super().__init__(scope, construct_id, env=env, **kwargs) | ||
|
|
||
| # FOR NOW: Deploy other stack, update this name with the created role. | ||
| role_arn = ( |
There was a problem hiding this comment.
To get role_arn, I think you can use this from_role_name() from this link: https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_iam/Role.html#aws_cdk.aws_iam.Role.from_role_name.
Above returns an IRole. Then get role_arn from it?
Eg.
iam_role_by_look_up = iam.Role.from_role_name(self, 'roleLookup', role_name=role_name)
role_arn = iam_role_by_look_up.role_arn
I think that's the syntax. I haven't tested it.
There was a problem hiding this comment.
Unfortunately, that still requires the role name, which is the piece of information I don't know.
There was a problem hiding this comment.
Ah, I see. Because it lives in different account?
There was a problem hiding this comment.
Yes, the role is in a different account (dev) while this IAM role is in the backup account.
That method actually also requires the role to be in the same account, so even if I did know the name it wouldn't work.
| ) | ||
|
|
||
| # This is the S3 bucket used by upload_api_lambda | ||
| backup_bucket = s3.Bucket( |
There was a problem hiding this comment.
Is this creating bucket again or is it creating same bucket in the backup account or region? If second case, should we add something to its name that it's a backup bucket?
There was a problem hiding this comment.
It is creating a new bucket in the backup account. This does result in the name being sds-data-[initial]-backup, due to the way the sds-id is created. Is that sufficient, or would you like me to change the name of the bucket to something else? Maybe sds-backup-[initial]-backup?
There was a problem hiding this comment.
I see. We could add comment saying that this part is creating backup bucket in a different account to minimize confusion because they look exactly same when we look at it first. :)
or add suffix backup. You know how sds_id is set to dev or prod. Will sds_id be set to backup for backup account? If that's the case, then we are good.
A question. If we keep same exact bucket name convention for both source account and backup account, will it not give "bucket name is not unique" error?
There was a problem hiding this comment.
ignore my comments. You already do this!
There was a problem hiding this comment.
Yes, the sds_id is set to backup for the backup account, so all the deployed resources have "backup" in the name! Does that all make sense?
app_template_dev.py
Outdated
| if not s3_source_account: | ||
| raise KeyError( | ||
| "No source account is set for the backup deploy." | ||
| "Please define the CDK_SOURCE_ACCOUNT environment variable." |
There was a problem hiding this comment.
should this be CDK_S3_BACKUPS_SOURCE_ACCOUNT instead?
There was a problem hiding this comment.
Yes! Thanks for the catch, I changed the name
| @@ -9,6 +9,9 @@ | |||
| This app is designed to be the dev and production deployment app. | |||
| It defaults to a dev deployment via a default `env` value in cdk.json. | |||
| To deploy to prod, specify `--context env=prod`. | |||
| To deploy to the backup account (only deploys required backup stacks), | |||
| specify `--context env=backup`. | |||
|
|
|||
There was a problem hiding this comment.
It's not related to your PR but wanted to mention that at one point, we need to update this app.py to match app_template_dev.py. Also, I don't know when we use app.py vs app_template_dev.py. I will create ticket for this task.
There was a problem hiding this comment.
I wasn't clear what parts of app.py needed to be updated to match with app_template_dev.py so I left it as is. I'm happy to copy over app_template_dev.py and remove all the initial specific stuff if that's preferable!
There was a problem hiding this comment.
me too. I created a ticket for this #127
…n bucket, Adding documentation
* added snapshot code, upgraded cdk, upgraded opensearch * added snapshot unit tests * fixed opensearch stack unit test for new OS version * updated doc strings * spelled out opensearch (os) snapshot variables * fixed unit test * added documentation for manual opensearch permissions setup * fixed ruff issues, removed aws4auth from requirements.txt * fixed formatting issues * fixed lambda reqs issue * fixed snapshot bucket name and unit test
|
I tried it out and it worked great! I uploaded three files, and saw them replicate into another account. I delete the files on the primary account, and saw they still stayed put in the backup account. My only comment is that there's a lot of manual steps. It's probably unavoidable, but it would be nice if they were somehow integrated into the code. |
Change Summary
Per ticket #107, create the CDK system for automatically backing up all files in the S3 data bucket.
Overview
This system is designed to be run in two accounts, although you can run both steps in the same account. You change the
CONTEXTvariable in the personal app template to change the context to deploy to - the backup account is set to "backup". If you are deploying to the backup account, you then have to change your profile to the backup account credentials.Also required is setting the "CDK_S3_BACKUPS_SOURCE_ACCOUNT" environment variable to specify what account your source bucket is set up in.
There are two manual steps that I haven't yet figured out.
If you'd like to test cross-account replication, you can use my data bucket in the backup account (
sds-data-mh-backup). Or, you can deploy both pieces to the same account and they should work.There aren't any dependencies across the new backup bucket stack and the sds-data-manager stack so they can be deployed separately. However, this does mean I make some manual assumptions. I would be open to passing some information back and forth to reduce those dependencies if people have any ideas
New Dependencies
None
New Files
Updated Files
Testing
Skipped testing for now to get this up to review. I would expect this to just check the permissions on each role. I think checking the actual backups themselves are for integration testing - is that necessary at this point? What do people think?