Cannot Enable Data API on Aurora Serverless - amazon-web-services

We're trying to enable the Data API for our Aurora Serverless cluster, which has been set up in our private subnets in our VPC. We've tried enabling it via the console (i.e. Modify > Select Data API > Apply Immediately). There weren't any errors after submitting, but when we get back to the "Modify" page, the "Data API" checkbox is still unselected.
We have also tried enabling the Data API as described in the documentation https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html , but the response still shows HttpEndpointEnabled as false.
My guess is that this could be related to Private Subnets or Security Groups. Any feedback is appreciated!
$ aws rds modify-db-cluster --db-cluster-identifier our-database --enable-http-endpoint
{
"DBCluster": {
"Capacity": 8,
"MasterUsername": "admin",
"HttpEndpointEnabled": false,
"ReadReplicaIdentifiers": [],
"VpcSecurityGroups": [
{
"Status": "active",
"VpcSecurityGroupId": "sg-0a66b09ade97573f0"
}
],
The database was created with CloudFormation, if that matters.

Data API is available only for serverless DBs. Make sure you have selected the "serverless" option while creating the database.
I had the same problem when I was trying to create an aurora-postgresql variant, which doesn't have the Data API option. Then I selected aurora-mysql with the serverless option and AWS gave me the option to enable the HTTP endpoint.
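Since the cluster in the question was created with CloudFormation, the cleanest fix is to set the flag in the template rather than via the console or modify-db-cluster. The template below is an added example, not code from the thread; the parameter names, the assumed existing Secrets Manager secret (with username and password keys) and the engine version you pick for Serverless v1 are assumptions. It also shows the part the private-subnet guess misses: the Data API is reached over the rds-data service endpoint and authenticated with IAM plus a Secrets Manager secret, so VPC placement and security groups do not affect it; what matters is who holds rds-data:* and secretsmanager:GetSecretValue, which the policy scopes to this one cluster and secret.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Aurora Serverless v1 cluster with the Data API (HTTP endpoint) enabled. Added example; names and parameters are assumptions.",
  "Parameters": {
    "DBSubnetGroupName": { "Type": "String", "Description": "Existing subnet group covering the private subnets" },
    "DBSecurityGroupId": { "Type": "AWS::EC2::SecurityGroup::Id" },
    "DBSecretArn": { "Type": "String", "Description": "Existing Secrets Manager secret with 'username' and 'password' keys (assumed)" },
    "EngineVersion": { "Type": "String", "Description": "An aurora-mysql version that supports EngineMode serverless (v1); must be chosen per region" }
  },
  "Resources": {
    "OurDatabase": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "DBClusterIdentifier": "our-database",
        "Engine": "aurora-mysql",
        "EngineVersion": { "Ref": "EngineVersion" },
        "EngineMode": "serverless",
        "EnableHttpEndpoint": true,
        "MasterUsername": { "Fn::Sub": "{{resolve:secretsmanager:${DBSecretArn}::username}}" },
        "MasterUserPassword": { "Fn::Sub": "{{resolve:secretsmanager:${DBSecretArn}::password}}" },
        "DBSubnetGroupName": { "Ref": "DBSubnetGroupName" },
        "VpcSecurityGroupIds": [ { "Ref": "DBSecurityGroupId" } ],
        "StorageEncrypted": true,
        "ScalingConfiguration": {
          "AutoPause": true,
          "MinCapacity": 2,
          "MaxCapacity": 8,
          "SecondsUntilAutoPause": 300
        }
      }
    },
    "DataApiCallerPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Description": "Attach to the principal that calls the Data API; no network path to the cluster is needed",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "CallDataApiOnThisClusterOnly",
              "Effect": "Allow",
              "Action": [
                "rds-data:ExecuteStatement",
                "rds-data:BatchExecuteStatement",
                "rds-data:BeginTransaction",
                "rds-data:CommitTransaction",
                "rds-data:RollbackTransaction"
              ],
              "Resource": { "Fn::Sub": "arn:aws:rds:${AWS::Region}:${AWS::AccountId}:cluster:our-database" }
            },
            {
              "Sid": "ReadOnlyTheDbSecret",
              "Effect": "Allow",
              "Action": "secretsmanager:GetSecretValue",
              "Resource": { "Ref": "DBSecretArn" }
            }
          ]
        }
      }
    }
  }
}
```

After the stack deploys, confirm the flag with aws rds describe-db-clusters --db-cluster-identifier our-database --query 'DBClusters[0].HttpEndpointEnabled'; if the engine mode is not serverless the value stays false and the template, not the network, is what needs changing.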

Related

Is it possible to auto enable AWS Config on addition of a new account to organisation?

AWS has auto-join/auto-enable recording of new resources and accounts in Security Hub, which I am happily using.
I wanted to enable the same kind of setting for AWS Config, which currently requires manual setup for all new accounts in my organisation. However, I failed to find anything similar to the aforementioned Security Hub feature in Config.
Am I missing it, or is it currently not available out of the box?
@Ido Van Orell I do not think there is a native feature in AWS Config, but what you can leverage for this is CloudFormation StackSets.
Create a CloudFormation template that enables AWS Config. Deploy it as a StackSet with automatic deployment enabled. This should ensure that when a new account joins your org, AWS Config is enabled.
If you are using AWS Control Tower by any chance, you also get an event when an account is vended, which you can run automation on the back of.
{
"detail-type": ["AWS Service Event via CloudTrail"],
"source": ["aws.controltower"],
"detail": {
"eventName": ["CreateManagedAccount"],
"serviceEventDetails": {
"createManagedAccountStatus": { "state": ["SUCCEEDED"] }
}
}
}
Use the AWS Config Aggregator's integration with AWS Organizations to get a single-pane-of-glass view across all accounts and regions of the org where Config is enabled. Refer to this.
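The StackSet template the answer describes, written out as an added example (not part of the thread): it creates the recorder role, the configuration recorder and the delivery channel in each member account, pointing at a central bucket whose name is a parameter. The bucket name, the IncludeGlobalResources switch and the delivery frequency are assumptions. Two practitioner caveats the answer leaves implicit: the central bucket's own policy must grant config.amazonaws.com s3:PutObject and s3:GetBucketAcl for the member accounts (that policy lives with the bucket, not in this template), and IncludeGlobalResourceTypes should be true in only one region per account, otherwise IAM and other global resources are recorded once per region.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable AWS Config in a member account. Added example for deployment as a service-managed StackSet with auto-deployment; names are assumptions.",
  "Parameters": {
    "CentralConfigBucket": {
      "Type": "String",
      "Description": "Central S3 bucket (e.g. in the log-archive account) whose bucket policy already allows config.amazonaws.com deliveries"
    },
    "IncludeGlobalResources": {
      "Type": "String",
      "Default": "false",
      "AllowedValues": [ "true", "false" ],
      "Description": "Set to true in exactly one region per account"
    }
  },
  "Conditions": {
    "RecordGlobal": { "Fn::Equals": [ { "Ref": "IncludeGlobalResources" }, "true" ] }
  },
  "Resources": {
    "ConfigRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            { "Effect": "Allow", "Principal": { "Service": "config.amazonaws.com" }, "Action": "sts:AssumeRole" }
          ]
        },
        "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole" ],
        "Policies": [
          {
            "PolicyName": "DeliverToCentralBucket",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "s3:GetBucketAcl",
                  "Resource": { "Fn::Sub": "arn:aws:s3:::${CentralConfigBucket}" }
                },
                {
                  "Effect": "Allow",
                  "Action": "s3:PutObject",
                  "Resource": { "Fn::Sub": "arn:aws:s3:::${CentralConfigBucket}/AWSLogs/${AWS::AccountId}/*" },
                  "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
                }
              ]
            }
          }
        ]
      }
    },
    "Recorder": {
      "Type": "AWS::Config::ConfigurationRecorder",
      "Properties": {
        "Name": "default",
        "RoleARN": { "Fn::GetAtt": [ "ConfigRole", "Arn" ] },
        "RecordingGroup": {
          "AllSupported": true,
          "IncludeGlobalResourceTypes": { "Fn::If": [ "RecordGlobal", true, false ] }
        }
      }
    },
    "DeliveryChannel": {
      "Type": "AWS::Config::DeliveryChannel",
      "Properties": {
        "Name": "default",
        "S3BucketName": { "Ref": "CentralConfigBucket" },
        "ConfigSnapshotDeliveryProperties": { "DeliveryFrequency": "Six_Hours" }
      }
    }
  }
}
```

Deploy it from the management (or delegated administrator) account with aws cloudformation create-stack-set --permission-model SERVICE_MANAGED --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false, then aws cloudformation create-stack-instances with --deployment-targets OrganizationalUnitIds=... and the regions you record in; every account that later joins a targeted OU gets the stack without the manual step the question complains about.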

How does `pending-reboot` apply method works for AWS Aurora Serverless database?

I have an AWS Aurora Serverless v1 database, which is managed by Terraform. I specified a static parameter tls_version and used pending_reboot as the apply_method, then applied the changes in Terraform.
From this page, it says: "For example, suppose that you modify the parameters within a parameter group or associate a different parameter group with your cluster. In these cases, you must reboot the cluster for the changes to take effect. "
My question is: after I applied Terraform, when I checked the parameter group, I didn't see anything showing me "pending". Do I have to reboot the cluster? And if so, how can I reboot the Aurora Serverless cluster? I checked the AWS console and couldn't find a reboot button:
But when I check a non-serverless cluster, I can see there is a 'reboot' button for its instance. I'm confused: what should I do to make the parameter group take effect, and how can I verify it? Thanks.
You can't manually reboot an Aurora Serverless cluster. When modifying the parameter group, the changes are applied immediately:
For Aurora, when you modify a DB cluster, only changes to the DB cluster identifier, IAM DB authentication, and New master password settings are affected by the Apply immediately setting. All other modifications are applied immediately, regardless of the value of the Apply immediately setting.
Not only that, but tls_version is for provisioned clusters only. Run
aws rds describe-db-cluster-parameters \
--db-cluster-parameter-group-name default.aurora-mysql5.7 |
jq '.Parameters[] | select (.ParameterName=="tls_version")'
{
"ParameterName": "tls_version",
"Description": "The protocols permitted by the server for encrypted connections.",
"Source": "engine-default",
"ApplyType": "static",
"DataType": "list",
"AllowedValues": "TLSv1,TLSv1.1,TLSv1.2",
"IsModifiable": true,
"ApplyMethod": "pending-reboot",
"SupportedEngineModes": [
"provisioned"
]
}
and you can see that it is only applicable for the "provisioned" engine mode.

Create a new DB instance in Amazon CloudFormation

I have developed an application using Java, and I also use an Amazon RDS PostgreSQL database for data management. I hosted the application in Elastic Beanstalk. Now someone suggested that I use AWS CloudFormation, so I created the infrastructure code in JSON format, which also includes Amazon RDS, but I have some doubts.
When I use CloudFormation, it will automatically create a new DB instance for my application, but I specified another DB instance name in the Java code, so how will they communicate?
Please help me to clarify these doubts.
Thanks in advance...
You can configure the DB URL in the Outputs section of CFN so that you get the required URL.
CFN outputs
To get the endpoint URL for your AWS::RDS::DBInstance, use the resource's Return values:
Endpoint.Address The connection endpoint for the database. For example: mystack-mydb-1apw1j4phylrk.cg034hpkmmjt.us-east-2.rds.amazonaws.com
Endpoint.Port The port number on which the database accepts connections. For example: 3306
To get the Endpoint.Address out of your stack, you have to add an Outputs section to your template. An example would be:
"Outputs": {
"DBEndpoint": {
"Description": "Endpoint for my RDS Instance",
"Value": { "Fn::GetAtt" : [ "MyDB", "Endpoint.Address" ] }
}
}
Then, using the AWS SDK for Java, you can query the Outputs of your CFN stack to use in your Java application.
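Querying stack Outputs from the application works, but it gives the app cloudformation:DescribeStacks permission and leaves the database password to be handled some other way. The added example below (not from the thread) goes one step further than the answer: because the Beanstalk environment is in the same template, the instance's Endpoint.Address and Endpoint.Port are injected straight into the application as environment variables, and the master password is generated in Secrets Manager and never appears in the template, the Java code or a stack output. The application name, solution stack, subnet group, security group, DB name and the DB_* variable names are assumptions; the Beanstalk instance profile still needs secretsmanager:GetSecretValue on the one secret ARN it receives.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "RDS PostgreSQL instance whose endpoint and credentials reach the Elastic Beanstalk app without being hard-coded. Added example; names are assumptions.",
  "Parameters": {
    "EbApplicationName": { "Type": "String" },
    "EbSolutionStackName": { "Type": "String", "Description": "e.g. a current '64bit Amazon Linux ... Corretto' stack name" },
    "DBSubnetGroupName": { "Type": "String" },
    "DBSecurityGroupId": { "Type": "AWS::EC2::SecurityGroup::Id" }
  },
  "Resources": {
    "DBSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "Master credentials for MyDB; password generated here, never written into the template",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"username\": \"appadmin\"}",
          "GenerateStringKey": "password",
          "PasswordLength": 32,
          "ExcludeCharacters": "\"@/\\"
        }
      }
    },
    "MyDB": {
      "Type": "AWS::RDS::DBInstance",
      "DeletionPolicy": "Snapshot",
      "Properties": {
        "Engine": "postgres",
        "DBInstanceClass": "db.t3.micro",
        "AllocatedStorage": "20",
        "DBName": "appdb",
        "MasterUsername": { "Fn::Sub": "{{resolve:secretsmanager:${DBSecret}::username}}" },
        "MasterUserPassword": { "Fn::Sub": "{{resolve:secretsmanager:${DBSecret}::password}}" },
        "DBSubnetGroupName": { "Ref": "DBSubnetGroupName" },
        "VPCSecurityGroups": [ { "Ref": "DBSecurityGroupId" } ],
        "PubliclyAccessible": false,
        "StorageEncrypted": true
      }
    },
    "SecretAttachment": {
      "Type": "AWS::SecretsManager::SecretTargetAttachment",
      "Properties": {
        "SecretId": { "Ref": "DBSecret" },
        "TargetId": { "Ref": "MyDB" },
        "TargetType": "AWS::RDS::DBInstance"
      }
    },
    "AppEnvironment": {
      "Type": "AWS::ElasticBeanstalk::Environment",
      "Properties": {
        "ApplicationName": { "Ref": "EbApplicationName" },
        "SolutionStackName": { "Ref": "EbSolutionStackName" },
        "OptionSettings": [
          { "Namespace": "aws:elasticbeanstalk:application:environment", "OptionName": "DB_HOST",
            "Value": { "Fn::GetAtt": [ "MyDB", "Endpoint.Address" ] } },
          { "Namespace": "aws:elasticbeanstalk:application:environment", "OptionName": "DB_PORT",
            "Value": { "Fn::GetAtt": [ "MyDB", "Endpoint.Port" ] } },
          { "Namespace": "aws:elasticbeanstalk:application:environment", "OptionName": "DB_NAME",
            "Value": "appdb" },
          { "Namespace": "aws:elasticbeanstalk:application:environment", "OptionName": "DB_SECRET_ARN",
            "Value": { "Ref": "DBSecret" } }
        ]
      }
    }
  },
  "Outputs": {
    "DBEndpoint": {
      "Description": "Endpoint for my RDS Instance",
      "Value": { "Fn::GetAtt": [ "MyDB", "Endpoint.Address" ] }
    }
  }
}
```

In the Java code, read DB_HOST, DB_PORT and DB_NAME from System.getenv() to build the JDBC URL and fetch the password from Secrets Manager using DB_SECRET_ARN at startup; the instance name in your code then no longer has to match anything CloudFormation chooses.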

AWS Cloudformation DB Instance IAM Roles

I'm trying to associate an IAM role with my DB instance as documented here:
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.Authorizing.IAM.AddRoleToDBCluster.html
I can do it via the UI and see it via:
aws rds describe-db-instances --db-instance-identifier=myInstanceName
...
"AssociatedRoles": [
{
"RoleArn": "arn:aws:iam::123456789123:role/myRoleName",
"FeatureName": "s3Import",
"Status": "ACTIVE"
}
]
...
However, I cannot find any reference for how to set this via CloudFormation.
I tried setting AssociatedRoles but it fails, saying:
Encountered unsupported property AssociatedRoles
I think you can't do it with CloudFormation (unless, of course, you build a custom resource, but if you don't know how to do that already it will be overkill).
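The current CloudFormation resource specification does include an AssociatedRoles property, with RoleArn and FeatureName, on AWS::RDS::DBCluster (and a matching one on AWS::RDS::DBInstance). For the Aurora documentation linked in the question the role is attached to the cluster, which is why the property has to go on the DBCluster resource rather than the DBInstance the question tried. The template below is an added example, not from the thread: the bucket, subnet group, security group and secret parameters are assumptions. It also builds the role the way the s3Import feature should get it: read-only on one bucket, and a trust policy with an aws:SourceAccount condition so that rds.amazonaws.com can assume it only on behalf of this account (the confused-deputy guard RDS documents for its service role trust policies).

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Aurora PostgreSQL cluster with an IAM role associated for the s3Import feature. Added example; names are assumptions.",
  "Parameters": {
    "ImportBucket": { "Type": "String", "Description": "Bucket the database may read import files from" },
    "DBSubnetGroupName": { "Type": "String" },
    "DBSecurityGroupId": { "Type": "AWS::EC2::SecurityGroup::Id" },
    "DBSecretArn": { "Type": "String", "Description": "Existing Secrets Manager secret with 'username' and 'password' keys (assumed)" }
  },
  "Resources": {
    "S3ImportRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "myRoleName",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": "rds.amazonaws.com" },
              "Action": "sts:AssumeRole",
              "Condition": { "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId" } } }
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "ReadImportBucketOnly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [ "s3:GetObject", "s3:GetObjectVersion" ],
                  "Resource": { "Fn::Sub": "arn:aws:s3:::${ImportBucket}/*" }
                },
                {
                  "Effect": "Allow",
                  "Action": "s3:ListBucket",
                  "Resource": { "Fn::Sub": "arn:aws:s3:::${ImportBucket}" }
                }
              ]
            }
          }
        ]
      }
    },
    "MyCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "Engine": "aurora-postgresql",
        "MasterUsername": { "Fn::Sub": "{{resolve:secretsmanager:${DBSecretArn}::username}}" },
        "MasterUserPassword": { "Fn::Sub": "{{resolve:secretsmanager:${DBSecretArn}::password}}" },
        "DBSubnetGroupName": { "Ref": "DBSubnetGroupName" },
        "VpcSecurityGroupIds": [ { "Ref": "DBSecurityGroupId" } ],
        "StorageEncrypted": true,
        "AssociatedRoles": [
          {
            "RoleArn": { "Fn::GetAtt": [ "S3ImportRole", "Arn" ] },
            "FeatureName": "s3Import"
          }
        ]
      }
    }
  }
}
```

After deployment, aws rds describe-db-clusters shows the same AssociatedRoles block the question obtained from the console, with FeatureName s3Import and Status ACTIVE; a FeatureName the engine version does not support is rejected at stack creation, so check the feature list for your engine before choosing it.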

Register AWS ECS task in service discovery namespace (private hosted zone)

I'm quite bad at using AWS, but I'm trying to automate the setup of an ECS cluster with private DNS names in Route 53, using the new service discovery mechanism. I am able to click my way through the AWS UI to get a DNS entry showing up in a private hosted zone, but I cannot figure out the JSON parameters to add to the file for the command below to accomplish the same thing.
aws ecs create-service --cli-input-json file://aws/createService.json
and below are the approximate contents of the createService.json referenced above
"cluster": "clustername",
"serviceName": "servicename",
"taskDefinition": "taskname",
"desiredCount": 1,
// here is where I'm guessing there should be some DNS config referencing some
// namespace or similar that I cannot figure out...
"networkConfiguration": {
"awsvpcConfiguration": {
"subnets": [
"subnet-11111111"
],
"securityGroups": [
"sg-111111111"
],
"assignPublicIp": "DISABLED"
}
}
I'd be grateful for any ideas, since my googling skills apparently aren't good enough for this problem. Many thanks!
To have an ECS service automatically register its tasks with a service discovery service, you can use the serviceRegistries attribute. Add the following to the ECS service definition JSON:
{
...
"serviceRegistries": [
{
"registryArn": "arn:aws:servicediscovery:region:aws_account_id:service/srv-utcrh6wavdkggqtk"
}
]
}
The attribute contains a list of service discovery services that should be updated by ECS when it creates or destroys a task as part of the service. Each registry is referenced using the ARN of the service discovery service.
To get the ARN, use the AWS CLI command aws servicediscovery list-services.
Strangely, the documentation of the ECS service definition does not contain information about this attribute. However, this tutorial about service discovery does.
As it turns out, there is no support in ecs create-service for adding it to the service registry, i.e. the Route 53 private hosted zone. Instead I had to use aws servicediscovery create-service and then servicediscovery register-instance to finally get an entry in my private hosted zone.
This became quite a complicated solution, so I'll instead give Terraform a shot, since I found they recently added support for ECS service discovery, and see where that takes me...
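The thread ends with the asker moving to Terraform; the same automation is possible in CloudFormation, the format the rest of this page uses, and it removes the manual register-instance step because ECS registers and deregisters each task's private IP itself. The template below is an added example, not code from the thread: the namespace name, the FARGATE launch type and the parameters are assumptions, and the cluster, service and task names reuse the placeholders from the question. Two details matter for awsvpc tasks: the DNS record type must be A (each task gets its own ENI and IP, so there is no host:port to put in an SRV record), and HealthCheckCustomConfig lets ECS mark a task unhealthy in Cloud Map instead of a Route 53 health check, which cannot reach private IPs.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "ECS service registered in a Cloud Map private DNS namespace (Route 53 private hosted zone). Added example; names are assumptions.",
  "Parameters": {
    "VpcId": { "Type": "AWS::EC2::VPC::Id" },
    "SubnetId": { "Type": "AWS::EC2::Subnet::Id", "Description": "Private subnet for the tasks" },
    "SecurityGroupId": { "Type": "AWS::EC2::SecurityGroup::Id" },
    "ClusterName": { "Type": "String", "Default": "clustername" },
    "TaskDefinitionArn": { "Type": "String", "Description": "Task definition using the awsvpc network mode" }
  },
  "Resources": {
    "Namespace": {
      "Type": "AWS::ServiceDiscovery::PrivateDnsNamespace",
      "Properties": {
        "Name": "internal.example",
        "Vpc": { "Ref": "VpcId" }
      }
    },
    "DiscoveryService": {
      "Type": "AWS::ServiceDiscovery::Service",
      "Properties": {
        "Name": "servicename",
        "NamespaceId": { "Ref": "Namespace" },
        "DnsConfig": {
          "DnsRecords": [ { "Type": "A", "TTL": 10 } ],
          "RoutingPolicy": "MULTIVALUE"
        },
        "HealthCheckCustomConfig": { "FailureThreshold": 1 }
      }
    },
    "Service": {
      "Type": "AWS::ECS::Service",
      "Properties": {
        "Cluster": { "Ref": "ClusterName" },
        "ServiceName": "servicename",
        "TaskDefinition": { "Ref": "TaskDefinitionArn" },
        "DesiredCount": 1,
        "LaunchType": "FARGATE",
        "NetworkConfiguration": {
          "AwsvpcConfiguration": {
            "Subnets": [ { "Ref": "SubnetId" } ],
            "SecurityGroups": [ { "Ref": "SecurityGroupId" } ],
            "AssignPublicIp": "DISABLED"
          }
        },
        "ServiceRegistries": [
          { "RegistryArn": { "Fn::GetAtt": [ "DiscoveryService", "Arn" ] } }
        ]
      }
    }
  },
  "Outputs": {
    "ServiceDnsName": {
      "Description": "Name that resolves to the running tasks' private IPs inside the VPC",
      "Value": "servicename.internal.example"
    }
  }
}
```

The ServiceRegistries block is the CloudFormation spelling of the serviceRegistries key from the answer above; with the CLI you would create the namespace and the Cloud Map service first, then pass that service's ARN in createService.json. Keep the security group on the tasks restricted to the callers inside the VPC, since the private DNS name advertises every task IP to anything that can resolve it.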