Add permissions and terminator for rds global cluster

mattclay · Aug 1, 2023 · 1b17602 · 1b17602
1 parent 3e3591b
commit 1b17602
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 2 deletions.
diff --git a/aws/policy/data-services.yaml b/aws/policy/data-services.yaml
@@ -15,7 +15,7 @@ Statement:
       - glue:DeleteConnection
       - glue:UpdateConnection
       - glue:GetConnections
-      - rds:DescribeDB*
+      - rds:Describe*
       - rds:List*
     Resource: "*"
   - Sid: AllowGlobalResourceRestrictedActionsWhichIncurNoFees
@@ -76,6 +76,7 @@ Statement:
       - rds:CreateDBClusterParameterGroup
       - rds:CreateDBSubnetGroup
       - rds:DeleteDBCluster
+      - rds:DeleteGlobalCluster
       - rds:DeleteDBParameterGroup
       - rds:DeleteDBClusterParameterGroup
       - rds:DeleteDBSubnetGroup
@@ -99,7 +100,6 @@ Statement:
       - rds:ModifyDBClusterParameterGroup
       - rds:ModifyDBSubnetGroup
       - rds:RemoveTagsFromResource
-      - rds:DescribeOptionGroups
       - rds:CreateOptionGroup
       - rds:ModifyOptionGroup
       - rds:DeleteOptionGroup
@@ -129,6 +129,7 @@ Statement:
       - 'arn:aws:redshift:{{ aws_region }}:{{ aws_account_id }}:subnetgroup:*'
       - 'arn:aws:rds:{{ aws_region }}:{{ aws_account_id }}:subgrp:*'
       - 'arn:aws:rds:{{ aws_region }}:{{ aws_account_id }}:cluster:*'
+      - 'arn:aws:rds:{{ aws_region }}:{{ aws_account_id }}:global-cluster:*'
       - 'arn:aws:rds:{{ aws_region }}:{{ aws_account_id }}:db:*'
       - 'arn:aws:rds:{{ aws_region }}:{{ aws_account_id }}:pg:*'
       - 'arn:aws:rds:{{ aws_region }}:{{ aws_account_id }}:cluster-pg:*'
@@ -185,3 +186,8 @@ Statement:
       - kafka:UpdateConfiguration
       - kafka:UpdateMonitoring
     Resource: "*"
+  - Sid: Global RDS
+    Effect: Allow
+    Action:
+      - rds:CreateGlobalCluster
+    Resource: "*"
diff --git a/aws/terminator/data_services.py b/aws/terminator/data_services.py
@@ -393,3 +393,33 @@ def age_limit(self):
 
     def terminate(self):
         self.client.delete_cluster(ClusterArn=self.id)
+
+
+class RdsGlobalCluster(DbTerminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(credentials, RdsDbCluster, 'rds', lambda client: client.describe_global_clusters()['GlobalClusters'])
+
+    @property
+    def id(self):
+        return self.instance['GlobalClusterArn']
+
+    @property
+    def name(self):
+        return self.instance['GlobalClusterIdentifier']
+
+    @property
+    def age_limit(self):
+        return datetime.timedelta(minutes=60)
+
+    @property
+    def members(self):
+        return self.instance['GlobalClusterMembers']
+
+    def terminate(self):
+        # The primary and secondary clusters must already be detached or destroyed first.
+        for db in self.members:
+            self.client.remove_from_global_cluster(GlobalClusterIdentifier=self.id, DbClusterIdentifier=[db['DBClusterArn']
+
+        self.client.modify_global_cluster(GlobalClusterIdentifier=self.name, DeletionProtection=False)
+        self.client.delete_global_cluster(GlobalClusterIdentifier=self.name)