I have an RDS database running in an AWS account. I'd like to copy it to another account to use as a base for a new deployment of the application. I use the CLI like so:
aws rds create-db-cluster-snapshot \
--db-cluster-snapshot-identifier snapid \
--db-cluster-identifier rdsid
This command succeeds (and if I log in to the AWS console, I can see the new snapshot). But when I try to modify its attributes using
aws rds modify-db-snapshot-attribute \
--db-snapshot-identifier snapid \
--attribute-name restore \
--values-to-add '["other_account_id"]'
then I get the following error:
An error occurred (DBSnapshotNotFound) when calling the ModifyDBSnapshotAttribute operation: DBSnapshot not found: snapid
If I can share the snapshot, I could then create a new instance in the other account using this snapshot.
Is there a better way to share an RDS instance across accounts?
You have mixed up API calls a bit. You should use one of the matching command pairs as shown below.
Aurora DB Cluster API
create-db-cluster-snapshot - Creates a snapshot of an Aurora DB cluster.
modify-db-cluster-snapshot-attribute - Adds an attribute and values to, or removes an attribute and values from, a manual DB cluster snapshot.
RDS DB API
create-db-snapshot - Creates a database snapshot.
modify-db-snapshot-attribute - Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.
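Putting the cluster pair together, as an added example that is not part of the answer above: the script takes the cluster snapshot, waits for it, shares it with one account through the cluster-level attribute call, and then reads the `restore` attribute back to confirm that only the intended account (and not `all`, which would make the snapshot public) can restore it. The identifiers `snapid`, `rdsid` and the account id are placeholders from the question; the environment variables at the bottom are an assumption of this script. One caveat a practitioner should keep in mind: a snapshot encrypted with a customer-managed KMS key can only be restored in the other account if that key is also shared with it, and snapshots encrypted with the AWS-managed default key cannot be shared at all.

```shell
#!/bin/sh
# Added example (not from the original answer): create, share and verify an
# Aurora *cluster* snapshot using the cluster-level API pair.

# Take a manual snapshot of the cluster and block until it is available.
create_cluster_snapshot() {
  cluster="$1"; snap="$2"
  aws rds create-db-cluster-snapshot \
    --db-cluster-identifier "$cluster" \
    --db-cluster-snapshot-identifier "$snap" >/dev/null
  aws rds wait db-cluster-snapshot-available \
    --db-cluster-snapshot-identifier "$snap"
}

# Grant exactly one other account permission to restore the snapshot.
share_cluster_snapshot() {
  snap="$1"; account="$2"
  aws rds modify-db-cluster-snapshot-attribute \
    --db-cluster-snapshot-identifier "$snap" \
    --attribute-name restore \
    --values-to-add "$account" >/dev/null
}

# Print every principal in the snapshot's "restore" attribute, one per line.
# ("all" here means the snapshot is public.)
restore_principals() {
  aws rds describe-db-cluster-snapshot-attributes \
    --db-cluster-snapshot-identifier "$1" \
    --query 'DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[?AttributeName==`restore`].AttributeValues[]' \
    --output text | tr '\t' '\n'
}

# Return 0 only if the snapshot is shared with the expected account and nobody else.
verify_share() {
  snap="$1"; expected="$2"
  principals=$(restore_principals "$snap")
  for p in $principals; do
    if [ "$p" = "all" ]; then
      echo "snapshot $snap is PUBLIC" >&2; return 1
    fi
    if [ "$p" != "$expected" ]; then
      echo "snapshot $snap is shared with unexpected account $p" >&2; return 1
    fi
  done
  # An empty list means the share never happened.
  [ -n "$principals" ]
}

# Stand-alone use (assumed variable names):
#   RDS_CLUSTER_ID=rdsid RDS_SNAPSHOT_ID=snapid SHARE_WITH_ACCOUNT=123456789012 sh share.sh
if [ -n "${RDS_CLUSTER_ID:-}" ] && [ -n "${RDS_SNAPSHOT_ID:-}" ] && [ -n "${SHARE_WITH_ACCOUNT:-}" ]; then
  create_cluster_snapshot "$RDS_CLUSTER_ID" "$RDS_SNAPSHOT_ID"
  share_cluster_snapshot "$RDS_SNAPSHOT_ID" "$SHARE_WITH_ACCOUNT"
  verify_share "$RDS_SNAPSHOT_ID" "$SHARE_WITH_ACCOUNT" \
    && echo "$RDS_SNAPSHOT_ID is restorable by $SHARE_WITH_ACCOUNT only"
fi
```

The verification step is the part worth keeping even if you type the other commands by hand: `modify-db-cluster-snapshot-attribute` accepts `all` as a value, and a typo there turns a database copy into a public snapshot.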
Related
I have an Oracle RDS instance that I had an S3_INTEGRATION IAM role for. I removed it using Terraform, but it seems it was never deleted on the instance itself.
Now I am unable to change, delete or add any S3_INTEGRATION roles to the instance.
Attempts to use Terraform or the UI to change the name or delete it have been unsuccessful. Has anyone had this happen? How can this be fixed? I cannot find any information about why the role is invalid, and attempting to upload a dump using the rdsadmin_s3_tasks.upload_to_s3 command shows me this error: "[ERROR] The DB instance doesn't have credentials to access the specified Amazon S3 bucket. To grant access, add the S3_INTEGRATION role to the DB instance."
I've rebooted the database but it has no effect.
Solved by removing the IAM role using the AWS CLI; the UI didn't show the role, but it could be found by describing the AWS instances.
It was then removed using:
aws rds remove-role-from-db-instance \
--db-instance-identifier db_name \
--role-arn arn:aws:iam::xxxxxx:role/rds-s3-datadump-role \
--feature-name S3_INTEGRATION
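The "describe the instance" step that the poster mentions but does not show, as an added example that is not part of the original post: the script lists every role association the API reports for the instance together with its status, picks out the ones for a given feature that are no longer `ACTIVE`, and removes them with the same `remove-role-from-db-instance` call as above. `db_name` and the role ARNs are placeholders (the ARN in the constructed sample data is made up); the environment variables at the bottom are an assumption of this script.

```shell
#!/bin/sh
# Added example (not from the original post): find and remove stale
# role associations that the console no longer displays.

# Print "ROLE_ARN<TAB>FEATURE<TAB>STATUS" for every role attached to the instance.
# Status is one of ACTIVE, PENDING or INVALID.
list_associated_roles() {
  aws rds describe-db-instances \
    --db-instance-identifier "$1" \
    --query 'DBInstances[0].AssociatedRoles[].[RoleArn,FeatureName,Status]' \
    --output text
}

# Print the ARNs of associations for one feature whose status is not ACTIVE.
stale_roles() {
  list_associated_roles "$1" \
    | awk -F '\t' -v feat="$2" '$2 == feat && $3 != "ACTIVE" { print $1 }'
}

# Detach every stale association for the feature, reporting each one removed.
remove_stale_roles() {
  db="$1"; feature="$2"
  for arn in $(stale_roles "$db" "$feature"); do
    aws rds remove-role-from-db-instance \
      --db-instance-identifier "$db" \
      --role-arn "$arn" \
      --feature-name "$feature"
    echo "removed $arn ($feature) from $db"
  done
}

# Stand-alone use (assumed variable names):
#   RDS_DB_ID=db_name RDS_FEATURE=S3_INTEGRATION sh stale_roles.sh
if [ -n "${RDS_DB_ID:-}" ] && [ -n "${RDS_FEATURE:-}" ]; then
  echo "current associations on $RDS_DB_ID:"
  list_associated_roles "$RDS_DB_ID"
  remove_stale_roles "$RDS_DB_ID" "$RDS_FEATURE"
fi
```

Listing the associations first is the useful habit: an `INVALID` entry usually means the role's trust policy or permissions changed underneath RDS, and seeing the status explains the "doesn't have credentials" error before anything is deleted.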
I used Terraform to bring up an AWS RDS SQL Server DB with deletion_protection set to true. Now I am trying to delete the database, so I first tried to run terraform apply with deletion_protection set to false, and I got the following error:
Error: error deleting Database Instance "awsworkerdb-green": InvalidParameterCombination: Cannot delete protected DB Instance, please disable deletion protection and try again.
status code: 400, request id: 7e787deb-af03-4016-9baa-471ab9c0ae1c
Then I tried to directly run terraform destroy using the same TF code with deletion_protection set to false, and I got the following error:
Error: error deleting Database Instance "awsworkerdb-green": InvalidParameterCombination: Cannot delete protected DB Instance, please disable deletion protection and try again.
status code: 400, request id: 9a95ef70-8738-4a31-b0cd-cf10ef05bdec
How does one go about deleting this database instance using terraform?
This would be two distinct API invocations, and therefore two consecutive Terraform executions with two different config modifications:
1. Modify deletion_protection to be false in your config, and apply your changes to the RDS instance.
2. Remove the RDS from the config and apply, or destroy the RDS resource directly. Either action will delete the RDS instance.
You can't. You have to do it manually using the AWS console or the AWS CLI with modify-db-instance. The entire point of deletion protection is so that the RDS instance is not easy to delete, and you have to explicitly modify it for that.
From the CLI, use the command below:
aws rds modify-db-instance --db-instance-identifier <DB_IDENTIFIER> --region <DB_REGION> --no-deletion-protection --apply-immediately
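The same operation wrapped with the check both answers imply but neither spells out, as an added example that is not part of either answer: the script turns deletion protection off with `modify-db-instance`, waits for the modification to settle, and then reads `DeletionProtection` back, so that a following `terraform destroy` (or a person) only proceeds once the API actually reports the flag as off. `awsworkerdb-green` is the instance name from the question; the region is taken from the CLI's normal configuration, and the environment variable at the bottom is an assumption of this script.

```shell
#!/bin/sh
# Added example (not from either answer): disable deletion protection and
# confirm the change before attempting to delete the instance.

# Print "True" or "False" depending on whether the instance is still protected.
deletion_protection_state() {
  aws rds describe-db-instances \
    --db-instance-identifier "$1" \
    --query 'DBInstances[0].DeletionProtection' \
    --output text
}

# Disable the flag, wait for the instance to leave the "modifying" state,
# and return 0 only if the API now reports protection as off.
disable_deletion_protection() {
  db="$1"
  aws rds modify-db-instance \
    --db-instance-identifier "$db" \
    --no-deletion-protection \
    --apply-immediately >/dev/null
  aws rds wait db-instance-available --db-instance-identifier "$db"
  if [ "$(deletion_protection_state "$db")" != "False" ]; then
    echo "deletion protection is still enabled on $db" >&2
    return 1
  fi
}

# Stand-alone use (assumed variable name):
#   RDS_DB_ID=awsworkerdb-green sh unprotect.sh && terraform destroy
if [ -n "${RDS_DB_ID:-}" ]; then
  disable_deletion_protection "$RDS_DB_ID" \
    && echo "$RDS_DB_ID can now be deleted"
fi
```

Because the script exits non-zero while the flag is still on, chaining `terraform destroy` after it with `&&` keeps the guard rail in place until the change has really been applied.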
I am trying to create an Aurora DB cluster with 1 writer / reader node.
It does not appear that Ansible currently supports Cluster creation for Aurora, so I am creating this using the AWS CLI.
# NOTE - Currently, Ansible does not support creating an RDS cluster in the official documentation. This may change in the future.
- name: Create the DB cluster
  command: >
    aws rds create-db-cluster
    --db-cluster-identifier production-db
    --engine aurora-mysql
    --db-subnet-group-name webserver-connections
    --vpc-security-group-ids sg-dja17283
    --storage-encrypted
    --db-cluster-parameter-group-name my-parameter-group
    --master-username "my_username"
    --master-user-password "My_Password"
    --backup-retention-period 7
  when: aurora_cluster == ''
- name: Create instances inside of cluster
  rds_instance:
    engine: aurora
    engine_version: "5.7.mysql_aurora.2.07.2"
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    cluster_id: production-db
    multi_az: yes
    storage_encrypted: yes
    # backup_retention_period: 7
    tags:
      Environment: "Production"
This returns -
"msg": "Unable to create DB instance: An error occurred (InvalidParameterCombination) when calling the CreateDBInstance operation: Cannot find version 5.7.mysql_aurora.2.07.2 for aurora",
If I set the engine to be aurora-mysql, I see the following -
"msg": "Unable to create DB instance: An error occurred (InvalidParameterCombination) when calling the CreateDBInstance operation: VPC Multi-AZ DB Instances are not available for engine: aurora-mysql"
When uncommenting backup retention period (it is defined both in the initial cluster creation CLI call, as well as the play), I see the following -
"msg": "Unable to create DB instance: An error occurred (InvalidParameterCombination) when calling the CreateDBInstance operation: The requested DB Instance will be a member of a DB Cluster. Set backup retention period for the DB Cluster."
Is it possible to use Ansible to create an Aurora MySQL Multi-AZ RDS cluster? From reading the documentation, it doesn't appear to be supported yet.
Is it possible to use Ansible to manage the DB instances inside of a cluster, such as the reader / writer nodes in a multi-az aurora-mysql deployment? If so, how can I do this? All of my testing has returned similar results as above.
Thanks.
I'm not sure if Ansible supports Aurora yet or not, but all those error messages are valid.
You need to change engine to aurora-mysql, and remove multi-az or set it to false since multi-az is not an available Aurora feature.
Multi-az creates a 2nd "backup" instance of an RDS server in another availability zone. Since Aurora is a cluster instead of a single instance system, you would just create a second instance yourself instead of specifying multi-az.
I'm fairly new to AWS. I'm setting up an EC2 instance (an Ubuntu 18.04 LAMP server).
I've installed the aws CLI on the instance, so I can automate EBS snapshots for backup.
I've also created an IAM role with the needed permissions to run aws ec2 create-snapshot, and I've assigned this role to my EC2 instance.
My question: is there any need to run aws configure on the EC2 instance, in order to set the AWS Access Key ID and AWS Secret Access Key? I'm still wrapping my head around AWS IAM roles – but (since the EC2 instance has a role), it sounds like the instance will acquire the needed keys from IAM automagically. Therefore, I assume that there's never any need to run aws configure. (In fact, it seems like this would be counterproductive, since the keys set via aws configure would override the keys acquired automatically via the role.)
Is all of that accurate?
No, the AWS CLI will progress through a list of credential providers. The instance metadata service will eventually be reached, even if you have not configured the AWS cli:
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#config-settings-and-precedence
And yes, if you add keys to the AWS CLI config file, they will be used with higher priority than those obtained from the instance metadata service.
I need to create a read replica in a VPC of an RDS instance outside of the VPC.
The instructions (http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html) read:
To create a read replica from a source MySQL DB instance:
In the Destination DB Subnet Group box, specify a DB subnet group associated with a VPC if you want the read replica to be created in that VPC. Leave the box empty if you want the read replica to be created outside of any VPC. The VPC and DB subnet group must exist in the destination region. Within a given region, all read replicas created from the same source DB instance must be either:
Unfortunately this box doesn't show up in the GUI.
Using the CLI I get the following message:
A client error (DBSubnetGroupNotAllowedFault) occurred when calling the CreateDBInstanceReadReplica operation: DbSubnetGroupName should not be specified for read replicas that are created in the same region as the master
Is there something else I should be doing?
Can you post your CLI commands as well? It looks like you are making the CreateDBInstanceReplica request from the source region itself. You should be making the request from the target region.
For example, if you have an instance in us-east-1 and you want a new replica in us-west-2, then:
aws rds create-db-instance-read-replica \
--db-instance-identifier DBInstanceIdentifier \
--region us-west-2 \
--source-db-instance-identifier arn:aws:rds:us-east-1:123456789012:db:my-mysql-instance \
--source-region us-east-1 \
--kms-key-id my-us-east-1-key
Note that the CLI request is explicitly made for us-west-2, but source instance is us-east-1.