After helping a customer regain access to a restored copy of their database, @apburnes and I talked about what support for this process within the broker itself would look like. As of now we have the steps documented in our public runbooks, but after doing a bit of research we saw that there are a few API calls that we might be able to make use of within the RDS broker to help facilitate this process:
Ideally, it'd be nice if the available snapshots (and some other metadata, e.g., DB engine, version, and available storage) were visible when getting information of a database service instance (cf service <db-service-instance-name>), and we created a means of supporting the operation, but this would/should bear in mind the Open Service Broker API.
At the very least, it might be possible to construct a script to accomplish what we do manually in the runbook today via aws cli calls in an aws-vault session. Once we have that, we might be able to evaluate if we can take it a step further and expose such functionality to customers directly.
Security considerations
Automating the backup and restore process as it currently exists does not change anything about our current security posture; the script would only be run by platform admins who have access to the system.
Adding the capability to see existing snapshots and restoring from them could have security and/or system boundary implications, especially if we consider exposing any of this information and/or functionality to customers.
Implementation sketch
What would automating the existing backup and restore process for RDS look like?
Could we add this support to the broker?
Is there another option or path here, such as automatic backups taken to an S3 bucket that the customer owns and restoring those?