From 1a8b9475f1c1980eba44de42a22edb2dffbb4221 Mon Sep 17 00:00:00 2001 From: Biswajit Babu Date: Thu, 3 Aug 2023 16:46:15 -0500 Subject: [PATCH 01/25] Adding composition for aws aurora db Adding composition for aws aurora db --- .../upbound-aws-provider/aurora/aurora.yaml | 564 ++++++++++++++++++ .../aurora/definition.yaml | 187 ++++++ .../aurora/kustomization.yaml | 5 + .../aurora-postgresql.yaml | 58 ++ 4 files changed, 814 insertions(+) create mode 100644 compositions/upbound-aws-provider/aurora/aurora.yaml create mode 100644 compositions/upbound-aws-provider/aurora/definition.yaml create mode 100644 compositions/upbound-aws-provider/aurora/kustomization.yaml create mode 100644 examples/upbound-aws-provider/composite-resources/aurora-postgresql.yaml diff --git a/compositions/upbound-aws-provider/aurora/aurora.yaml b/compositions/upbound-aws-provider/aurora/aurora.yaml new file mode 100644 index 00000000..ab9ac24b --- /dev/null +++ b/compositions/upbound-aws-provider/aurora/aurora.yaml 
@@ -0,0 +1,564 @@ +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: xrelationaldatabases.db.awsblueprint.io + labels: + awsblueprints.io/provider: aws + awsblueprints.io/environment: dev + cluster.awsblueprints.io/configuration: standard +spec: + writeConnectionSecretsToNamespace: crossplane-system + compositeTypeRef: + apiVersion: db.awsblueprint.io/v1alpha1 + kind: XRelationalDatabase + patchSets: + - name: common-fields + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.providerConfigName + toFieldPath: spec.providerConfigRef.name + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.region + toFieldPath: spec.forProvider.region + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.tags + toFieldPath: spec.forProvider.tags + policy: + mergeOptions: + appendSlice: true + resources: + - name: aurora-cluster-subnetgroup + connectionDetails: + - type: FromFieldPath + name: subnetGroupArn + fromFieldPath: status.atProvider.arn + - type: FromFieldPath + name: subnetGroupName + fromFieldPath: status.atProvider.id + base: + apiVersion: rds.aws.upbound.io/v1beta1 + kind: SubnetGroup + metadata: + name: aurora-cluster-sng + spec: + forProvider: + description: "aurora subnet group" + tags: + namespace: team-a + environment: dev + application: my-app + patches: + - type: PatchSet + patchSetName: common-fields + - fromFieldPath: spec.networkConfig.subnetIds + toFieldPath: spec.forProvider.subnetIds + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.arn + toFieldPath: status.subnetGroupArn + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.id + toFieldPath: status.subnetGroupName + - name: aurora-cluster-sg + connectionDetails: + - type: FromFieldPath + name: securityGroupArn + fromFieldPath: status.atProvider.arn + - type: 
FromFieldPath + name: securityGroupId + fromFieldPath: status.atProvider.id + - type: FromFieldPath + name: securityGroupName + fromFieldPath: status.atProvider.securityGroupName + base: + apiVersion: ec2.aws.upbound.io/v1beta1 + kind: SecurityGroup + metadata: + name: aurora-cluster-sg + labels: + sg-selector: aurora-cluster-sg-label + spec: + forProvider: + description: "aurora cluster security group" + patches: + - type: PatchSet + patchSetName: common-fields + - fromFieldPath: spec.networkConfig.vpcId + toFieldPath: spec.forProvider.vpcId + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.id + toFieldPath: status.securityGroupId + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.arn + toFieldPath: status.securityGroupArn + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.name + toFieldPath: status.securityGroupName + - name: aurora-cluster-sg-self-rule + base: + apiVersion: ec2.aws.upbound.io/v1beta1 + kind: SecurityGroupRule + metadata: + name: aurora-cluster-sg-self-rule + spec: + forProvider: + fromPort: 5432 + protocol: tcp + self: true + toPort: 5432 + type: ingress + securityGroupIdSelector: + matchLabels: + sg-selector: aurora-cluster-sg-label + patches: + - type: PatchSet + patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: status.securityGroupId + toFieldPath: spec.forProvider.securityGroupId + - name: aurora-cluster-sg-app-rule + base: + apiVersion: ec2.aws.upbound.io/v1beta1 + kind: SecurityGroupRule + metadata: + name: aurora-cluster-sg-app-rule + spec: + forProvider: + fromPort: 5432 + protocol: tcp + cidrBlocks: + - 10.0.0.0/8 + toPort: 5432 + type: ingress + securityGroupIdSelector: + matchLabels: + sg-selector: aurora-cluster-sg-label + patches: + - type: PatchSet + patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: status.securityGroupId + toFieldPath: spec.forProvider.securityGroupId + - name: aurora-cluster-sg-egress-rule + base: + apiVersion: 
ec2.aws.upbound.io/v1beta1 + kind: SecurityGroupRule + metadata: + name: aurora-cluster-sg-egress-rule + spec: + forProvider: + fromPort: 5432 + protocol: tcp + toPort: 5432 + type: egress + securityGroupIdSelector: + matchLabels: + sg-selector: aurora-cluster-sg-label + patches: + - type: PatchSet + patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: status.securityGroupId + toFieldPath: spec.forProvider.securityGroupId + - type: FromCompositeFieldPath + fromFieldPath: status.securityGroupId + toFieldPath: spec.forProvider.sourceSecurityGroupId + - name: rds-cluster-para-group + connectionDetails: + - type: FromFieldPath + name: clusterParameterGroupArn + fromFieldPath: status.atProvider.arn + - type: FromFieldPath + name: clusterParameterGroupName + fromFieldPath: status.atProvider.id + base: + apiVersion: rds.aws.upbound.io/v1beta1 + kind: ClusterParameterGroup + metadata: + name: aurora-cluster-parameter-group + spec: + forProvider: + description: Aurora cluster parameter group + family: aurora-postgresql15 + parameter: + - name: rds.force_ssl + value: "1" + patches: + - type: PatchSet + patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.parameterGroupFamily + toFieldPath: spec.forProvider.family + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.arn + toFieldPath: status.clusterParameterGroupArn + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.id + toFieldPath: status.clusterParameterGroupName + - name: aurora-cluster + connectionDetails: + - type: FromFieldPath + name: clusterIdentifier + fromFieldPath: status.atProvider.id + - type: FromFieldPath + name: clusterArn + fromFieldPath: status.atProvider.arn + - type: FromFieldPath + name: clusterReaderEndpoint + fromFieldPath: status.atProvider.readerEndpoint + - type: FromFieldPath + name: clusterEndpoint + fromFieldPath: status.atProvider.endpoint + - type: FromFieldPath + name: clusterMasterSecretArn + 
fromFieldPath: status.atProvider.masterUserSecret.secretArn + base: + apiVersion: rds.aws.upbound.io/v1beta1 + kind: Cluster + spec: + forProvider: + # DEFAULT VALUES + engine: aurora-postgresql + engineVersion: "15.2" + manageMasterUserPassword: true + masterUsername: root + skipFinalSnapshot: false + storageEncrypted: true + enableHttpEndpoint: false + copyTagsToSnapshot: true + enabledCloudwatchLogsExports: + - "postgresql" + # CONFIGURABLE VALUES + databaseName: aurorapgsql + storageType: "aurora-iopt1" + availabilityZones: + - us-east-1a + - us-east-1b + finalSnapshotIdentifier: "to-be-patched" + backupRetentionPeriod: 7 + preferredBackupWindow: 02:00-03:00 + preferredMaintenanceWindow: sun:04:00-sun:05:00 + # DYNAMICALLY PASSED VALUES + dbClusterParameterGroupName: default.aurora-postgresql15 + vpcSecurityGroupIDs: [] + vpcSecurityGroupIDSelector: + matchControllerRef: true + dbSubnetGroupNameSelector: + matchControllerRef: true + patches: + - type: PatchSet + patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.databaseName + toFieldPath: spec.forProvider.databaseName + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.engineVersion + toFieldPath: spec.forProvider.engineVersion + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.storageType + toFieldPath: spec.forProvider.storageType + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.allocatedStorage + toFieldPath: spec.forProvider.allocatedStorage + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.availabilityZones + toFieldPath: spec.forProvider.availabilityZones + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.finalDBSnapshotIdentifier + toFieldPath: spec.forProvider.finalDBSnapshotIdentifier + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.backupRetentionPeriod + toFieldPath: spec.forProvider.backupRetentionPeriod + - type: FromCompositeFieldPath 
+ fromFieldPath: spec.resourceConfig.enabledCloudwatchLogsExports + toFieldPath: spec.forProvider.enabledCloudwatchLogsExports + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.preferredBackupWindow + toFieldPath: spec.forProvider.preferredBackupWindow + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.preferredMaintenanceWindow + toFieldPath: spec.forProvider.preferredMaintenanceWindow + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.applyImmediately + toFieldPath: spec.forProvider.applyImmediately + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.snapshotIdentifier + toFieldPath: spec.forProvider.snapshotIdentifier + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.finalSnapshotIdentifier + toFieldPath: spec.forProvider.finalSnapshotIdentifier + - type: FromCompositeFieldPath + fromFieldPath: status.clusterParameterGroupName + toFieldPath: spec.forProvider.dbClusterParameterGroupName + - type: FromCompositeFieldPath + fromFieldPath: status.securityGroupId + toFieldPath: spec.forProvider.vpcSecurityGroupIds[0] + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.id + toFieldPath: status.clusterIdentifier + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.arn + toFieldPath: status.clusterArn + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.readerEndpoint + toFieldPath: status.clusterReaderEndpoint + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.endpoint + toFieldPath: status.clusterEndpoint + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.masterUserSecret[0].secretArn + toFieldPath: status.clusterMasterSecretArn + - name: aurora-cluster-instance-01 + base: + apiVersion: rds.aws.upbound.io/v1beta1 + kind: ClusterInstance + spec: + forProvider: + # DEFAULT VALUES + promotionTier: 0 + publiclyAccessible: false + autoMinorVersionUpgrade: true + copyTagsToSnapshot: true + 
dbSubnetGroupNameSelector: + matchControllerRef: true + engine: aurora-postgresql + performanceInsightsEnabled: true + # CONFIGURABLE VALUES + engineVersion: "15.2" + instanceClass: db.r6g.large + monitoringInterval: 5 + performanceInsightsRetentionPeriod: 7 + # DYNAMICALLY PASSED VALUES + clusterIdentifierSelector: + matchControllerRef: true + patches: + - type: PatchSet + patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.engineVersion + toFieldPath: spec.forProvider.engineVersion + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.clusterInstanceClass + toFieldPath: spec.forProvider.instanceClass + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.monitoringRoleArn + toFieldPath: spec.forProvider.monitoringRoleArn + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.monitoringInterval + toFieldPath: spec.forProvider.monitoringInterval + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.applyImmediately + toFieldPath: spec.forProvider.applyImmediately + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.performanceInsightsRetentionPeriod + toFieldPath: spec.forProvider.performanceInsightsRetentionPeriod + - type: FromCompositeFieldPath + fromFieldPath: status.clusterIdentifier + toFieldPath: spec.forProvider.clusterIdentifier + - name: aurora-cluster-instance-02 + base: + apiVersion: rds.aws.upbound.io/v1beta1 + kind: ClusterInstance + spec: + forProvider: + # DEFAULT VALUES + promotionTier: 1 + publiclyAccessible: false + autoMinorVersionUpgrade: true + copyTagsToSnapshot: true + dbSubnetGroupNameSelector: + matchControllerRef: true + engine: aurora-postgresql + performanceInsightsEnabled: true + # CONFIGURABLE VALUES + engineVersion: "15.2" + instanceClass: db.r6g.large + monitoringInterval: 5 + performanceInsightsRetentionPeriod: 7 + # DYNAMICALLY PASSED VALUES + clusterIdentifierSelector: + matchControllerRef: true + patches: 
+ - type: PatchSet + patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.engineVersion + toFieldPath: spec.forProvider.engineVersion + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.clusterInstanceClass + toFieldPath: spec.forProvider.instanceClass + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.monitoringRoleArn + toFieldPath: spec.forProvider.monitoringRoleArn + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.monitoringInterval + toFieldPath: spec.forProvider.monitoringInterval + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.applyImmediately + toFieldPath: spec.forProvider.applyImmediately + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.performanceInsightsRetentionPeriod + toFieldPath: spec.forProvider.performanceInsightsRetentionPeriod + - type: FromCompositeFieldPath + fromFieldPath: status.clusterIdentifier + toFieldPath: spec.forProvider.clusterIdentifier + - name: aurora-cluster-instance-03 + base: + apiVersion: rds.aws.upbound.io/v1beta1 + kind: ClusterInstance + spec: + forProvider: + # DEFAULT VALUES + promotionTier: 2 + publiclyAccessible: false + autoMinorVersionUpgrade: true + copyTagsToSnapshot: true + dbSubnetGroupNameSelector: + matchControllerRef: true + engine: aurora-postgresql + performanceInsightsEnabled: true + # CONFIGURABLE VALUES + engineVersion: "15.2" + instanceClass: db.r6g.large + monitoringInterval: 5 + performanceInsightsRetentionPeriod: 7 + # DYNAMICALLY PASSED VALUES + clusterIdentifierSelector: + matchControllerRef: true + patches: + - type: PatchSet + patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.engineVersion + toFieldPath: spec.forProvider.engineVersion + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.clusterInstanceClass + toFieldPath: spec.forProvider.instanceClass + - type: FromCompositeFieldPath + 
fromFieldPath: spec.resourceConfig.monitoringRoleArn + toFieldPath: spec.forProvider.monitoringRoleArn + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.monitoringInterval + toFieldPath: spec.forProvider.monitoringInterval + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.applyImmediately + toFieldPath: spec.forProvider.applyImmediately + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.performanceInsightsRetentionPeriod + toFieldPath: spec.forProvider.performanceInsightsRetentionPeriod + - type: FromCompositeFieldPath + fromFieldPath: status.clusterIdentifier + toFieldPath: spec.forProvider.clusterIdentifier + - name: aurora-cluster-proxy + connectionDetails: + - type: FromFieldPath + name: proxyArn + fromFieldPath: status.atProvider.arn + - type: FromFieldPath + name: proxyEndpoint + fromFieldPath: status.atProvider.endpoint + base: + apiVersion: rds.aws.upbound.io/v1beta1 + kind: Proxy + metadata: + name: aurora-proxy + spec: + forProvider: + # DEFAULT VALUES + auth: + - authScheme: SECRETS + description: "auth for aurora proxy" + iamAuth: REQUIRED + engineFamily: POSTGRESQL + requireTls: true + # CONFIGURABLE VALUES + debugLogging: true + idleClientTimeout: 1800 + # DYNAMICALLY PASSED VALUES + vpcSecurityGroupIds: [] + vpcSecurityGroupIDSelector: + matchControllerRef: true + tags: + cluster: test-cluster + namespace: team-a + environment: dev + application: my-app + bu: test + patches: + - type: PatchSet + patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: spec.proxyConfig.debugLogging + toFieldPath: spec.forProvider.debugLogging\ + - type: FromCompositeFieldPath + fromFieldPath: spec.proxyConfig.idleClientTimeout + toFieldPath: spec.forProvider.idleClientTimeout + - type: FromCompositeFieldPath + fromFieldPath: spec.proxyConfig.proxyRoleArn + toFieldPath: spec.forProvider.roleArn + - fromFieldPath: spec.networkConfig.subnetIds + toFieldPath: spec.forProvider.vpcSubnetIds + - 
type: FromCompositeFieldPath + fromFieldPath: status.clusterMasterSecretArn + toFieldPath: spec.forProvider.auth[0].secretArn + - type: FromCompositeFieldPath + fromFieldPath: status.securityGroupId + toFieldPath: spec.forProvider.vpcSecurityGroupIds[0] + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.arn + toFieldPath: status.proxyArn + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.endpoint + toFieldPath: status.proxyEndpoint + - name: aurora-cluster-proxy-default-tg + base: + apiVersion: rds.aws.upbound.io/v1beta1 + kind: ProxyDefaultTargetGroup + metadata: + name: aurora-proxy-default-tg + spec: + forProvider: + connectionPoolConfig: + - connectionBorrowTimeout: 10 + maxConnectionsPercent: 50 + maxIdleConnectionsPercent: 50 + dbProxyNameSelector: + matchControllerRef: true + patches: + - type: PatchSet + patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: spec.proxyConfig.connectionBorrowTimeout + toFieldPath: spec.forProvider.connectionPoolConfig[0].connectionBorrowTimeout + - type: FromCompositeFieldPath + fromFieldPath: spec.proxyConfig.maxConnectionsPercent + toFieldPath: spec.forProvider.connectionPoolConfig[0].maxConnectionsPercent + - type: FromCompositeFieldPath + fromFieldPath: spec.proxyConfig.maxIdleConnectionsPercent + toFieldPath: spec.forProvider.connectionPoolConfig[0].maxIdleConnectionsPercent + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.name + toFieldPath: status.defaultProxyTgName + - name: aurora-cluster-proxy-target + base: + apiVersion: rds.aws.upbound.io/v1beta1 + kind: ProxyTarget + metadata: + name: aurora-proxy-target + spec: + forProvider: + dbClusterIdentifier: proxy-db-sg + dbProxyNameSelector: + matchControllerRef: true + targetGroupName: default + patches: + - type: PatchSet + patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: status.defaultProxyTgName + toFieldPath: spec.forProvider.targetGroupName + - type: 
FromCompositeFieldPath
+ fromFieldPath: status.clusterIdentifier
+ toFieldPath: spec.forProvider.dbClusterIdentifier
\ No newline at end of file
diff --git a/compositions/upbound-aws-provider/aurora/definition.yaml b/compositions/upbound-aws-provider/aurora/definition.yaml
new file mode 100644
index 00000000..b0d9af7d
--- /dev/null
+++ b/compositions/upbound-aws-provider/aurora/definition.yaml
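Review bot: In the `aurora-cluster-proxy` resource near the end of this hunk, the patch `toFieldPath: spec.forProvider.debugLogging\` carries a stray trailing backslash, so the claim's `proxyConfig.debugLogging` never reaches the Proxy and the base value `debugLogging: true` stays in force; the XRD describes this flag as putting detailed SQL statement information into the proxy logs, so every tenant's proxy would log statement detail regardless of what the claim asks for. Change it to `toFieldPath: spec.forProvider.debugLogging` and consider `debugLogging: false` as the base default. Separately, `aurora-cluster-sg-app-rule` hard-codes `cidrBlocks: [10.0.0.0/8]` on the database port, which admits the whole private range rather than the application's own security group; the source should come from the claim. The `clusterMasterSecretArn` connection detail reads `status.atProvider.masterUserSecret.secretArn` while the status patch for the same value reads `status.atProvider.masterUserSecret[0].secretArn`, so one of the two paths is presumably wrong and that secret key will likely stay empty.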
@@ -0,0 +1,187 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+ name: xrelationaldatabases.db.awsblueprint.io
+spec:
+ group: db.awsblueprint.io
+ names:
+ kind: XRelationalDatabase
+ plural: xrelationaldatabases
+ claimNames:
+ kind: RelationalDatabase
+ plural: relationaldatabases
+ connectionSecretKeys:
+ - subnetGroupArn
+ - subnetGroupName
+ - securityGroupId
+ - securityGroupArn
+ - securityGroupName
+ - clusterParameterGroupName
+ - clusterParameterGroupArn
+ - clusterIdentifier
+ - clusterArn
+ - clusterReaderEndpoint
+ - clusterEndpoint
+ - clusterMasterSecretArn
+ - proxyArn
+ - proxyEndpoint
+ - defaultProxyTgName
+ - targetGroupName
+ versions:
+ - name: v1alpha1
+ served: true
+ referenceable: true
+ schema:
+ openAPIV3Schema:
+ description: RelationalDatabase is the Schema for the Aurora database
+ API. Provides a Aurora Cluster.
+ properties:
+ spec:
+ type: object
+ description: "Aurora Cluster with Proxy Specification"
+ properties:
+ networkConfig:
+ description: parameter for Aurora network configuration
+ type: object
+ properties:
+ subnetIds:
+ type: array
+ items:
+ type: string
+ minItems: 1
+ vpcId:
+ type: string
+ resourceConfig:
+ description: parameter for Aurora general configuration
+ resource.
+ type: object
+ properties:
+ providerConfigName:
+ type: string
+ region:
+ type: string
+ deletionPolicy:
+ description: Defaults to Delete
+ enum:
+ - Delete
+ - Orphan
+ type: string
+ parameterGroupFamily:
+ description: Parameter group family name.
+ type: string
+ databaseName:
+ description: name of the aurora database
+ type: string
+ engineVersion:
+ description: engine version
+ type: string
+ storageType:
+ type: string
+ availabilityZones:
+ type: array
+ items:
+ type: string
+ finalDBSnapshotIdentifier:
+ type: string
+ backupRetentionPeriod:
+ type: integer
+ preferredBackupWindow:
+ type: string
+ preferredMaintenanceWindow:
+ type: string
+ clusterInstanceClass:
+ type: string
+ monitoringRoleArn:
+ type: string
+ monitoringInterval:
+ type: integer
+ performanceInsightsRetentionPeriod:
+ type: integer
+ enabledCloudwatchLogsExports:
+ type: array
+ items:
+ type: string
+ applyImmediately:
+ type: boolean
+ snapshotIdentifier:
+ type: string
+ finalSnapshotIdentifier:
+ type: string
+ tags:
+ additionalProperties:
+ type: string
+ description: Key-value map of resource tags.
+ type: object
+ required:
+ - providerConfigName
+ - region
+ proxyConfig:
+ description: parameter for Aurora Proxy configuration
+ type: object
+ properties:
+ debugLogging:
+ description: Parameter to set whether the proxy includes detailed
+ information about SQL statements in its logs.
+ type: boolean
+ idleClientTimeout:
+ description: Parameter to set the number of seconds that a connection
+ to the proxy can be inactive before the proxy disconnects it.
+ type: number
+ proxyRoleArn:
+ description: Role Arn for the database proxy.
+ type: string
+ secretArn:
+ description: Arn of the db credential secret.
+ type: string
+ connectionBorrowTimeout:
+ description: The number of seconds for a proxy to wait for a connection
+ to become available in the connection pool.
+ type: number
+ maxIdleConnectionsPercent:
+ description: Controls how actively the proxy closes idle database
+ connections in the connection pool.
+ type: number
+ maxConnectionsPercent:
+ description: The maximum size of the connection pool for each target
+ in a target group.
+ type: number
+ initQuery:
+ description: One or more SQL statements for the proxy to run when
+ opening each new database connection.
+ type: string
+ status:
+ properties:
+ subnetGroupArn:
+ type: string
+ subnetGroupName:
+ type: string
+ securityGroupId:
+ type: string
+ securityGroupArn:
+ type: string
+ securityGroupName:
+ type: string
+ clusterParameterGroupName:
+ type: string
+ clusterParameterGroupArn:
+ type: string
+ clusterIdentifier:
+ type: string
+ clusterArn:
+ type: string
+ clusterReaderEndpoint:
+ type: string
+ clusterEndpoint:
+ type: string
+ clusterMasterSecretArn:
+ type: string
+ proxyArn:
+ type: string
+ proxyEndpoint:
+ type: string
+ defaultProxyTgName:
+ type: string
+ targetGroupName:
+ type: string
+ type: object
+ type: object
diff --git a/compositions/upbound-aws-provider/aurora/kustomization.yaml b/compositions/upbound-aws-provider/aurora/kustomization.yaml
new file mode 100644
index 00000000..7f2577d1
--- /dev/null
+++ b/compositions/upbound-aws-provider/aurora/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- definition.yaml
+- aurora.yaml
\ No newline at end of file
diff --git a/examples/upbound-aws-provider/composite-resources/aurora-postgresql.yaml b/examples/upbound-aws-provider/composite-resources/aurora-postgresql.yaml
new file mode 100644
index 00000000..d9a8352d
--- /dev/null
+++ b/examples/upbound-aws-provider/composite-resources/aurora-postgresql.yaml
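Review bot: `proxyConfig.secretArn` and `proxyConfig.initQuery` are declared in the schema, but the composition in this commit never patches either of them into the Proxy (the proxy's `auth[0].secretArn` comes from `status.clusterMasterSecretArn`), so a claim that sets them gets neither effect nor error; either wire them into the Proxy or drop them from the XRD so users are not misled about what is actually enforced. `resourceConfig.deletionPolicy` is described as "Defaults to Delete" yet has no `default: Delete`, so the default the description promises is whatever the managed resource falls back to when the patch is skipped; adding `default: Delete` makes the schema say what it means. `networkConfig` also has no `required` list, so a claim that omits `vpcId` or `subnetIds` is accepted by the API server and only fails later inside the provider; `required: [vpcId, subnetIds]` would surface that at admission.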
@@ -0,0 +1,58 @@
+apiVersion: db.awsblueprint.io/v1alpha1
+kind: RelationalDatabase
+metadata:
+ name: test-aurora-postgresql-db
+ namespace: default
+spec:
+ compositionSelector:
+ matchLabels:
+ awsblueprints.io/provider: aws
+ awsblueprints.io/environment: dev
+ cluster.awsblueprints.io/configuration: standard
+ networkConfig:
+ # the below ids needs to be updated before use.
+ vpcId: vpc-123455
+ subnetIds:
+ - "subnet-123455"
+ - "subnet-123455"
+ - "subnet-123455"
+ resourceConfig:
+ providerConfigName: provider-config-irsa
+ region: us-east-1
+ deletionPolicy: Delete
+ parameterGroupFamily: aurora-postgresql15
+ # Cluster Parameters
+ databaseName: "auroraclusterwithproxy"
+ engineVersion: "15.2"
+ storageType: aurora-iopt1
+ availabilityZones:
+ - "us-east-1a"
+ - "us-east-1b"
+ - "us-east-1c"
+ backupRetentionPeriod: 7
+ preferredBackupWindow: "02:00-03:00"
+ preferredMaintenanceWindow: "sun:04:00-sun:05:00"
+ # Cluster Instance parameter
+ clusterInstanceClass: db.r6g.xlarge
+ # monitoringRoleArn needs to provided for RDS
+ # to create and send log to Cloudwatch.
+ monitoringRoleArn: arn:aws:iam::12345678901:role/name-of-the-rds-role
+ monitoringInterval: 10
+ performanceInsightsRetentionPeriod: 7
+ # The below applyImmediately parameter is required for any immediate upgrade
+ # Or else it can be ommited.
+ applyImmediately: true
+ finalSnapshotIdentifier: "aurora-cluster-final-snapshot-v1"
+ tags:
+ cluster: aurora-cluster
+ namespace: team-a
+ environment: dev
+ application: my-app
+ proxyConfig:
+ debugLogging: true
+ idleClientTimeout: 3600
+ # role for aurora proxy to get the secrets from secret manager
+ proxyRoleArn: arn:aws:iam::12345678901:role/name-of-the-proxy-role
+ connectionBorrowTimeout: 11
+ maxConnectionsPercent: 55
+ maxIdleConnectionsPercent: 40
From dd2daa0303b0aa2ebc8b87f6be53aa371736dc20 Mon Sep 17 00:00:00 2001
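Review bot: The example sets `debugLogging: true` on the proxy, which the XRD in this same commit describes as including detailed SQL statement information in the proxy logs; an example that teams will copy should ship `debugLogging: false` with a comment such as `# troubleshooting only: logs SQL statement detail, which may contain customer data`. The three `subnetIds` entries are the same placeholder `subnet-123455`, so someone who only edits one of them will silently get a subnet group with duplicate IDs; distinct placeholders make the intent clearer. Minor: `ommited` should read `omitted` in the applyImmediately comment.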
From: biswajitbabu Date: Tue, 15 Aug 2023 18:02:14 -0500 Subject: [PATCH 02/25] Updating connection secrets --- .../upbound-aws-provider/aurora/aurora.yaml | 35 +++++++++++++------ .../aurora/definition.yaml | 27 +++++--------- .../aurora-postgresql.yaml | 6 ++-- 3 files changed, 36 insertions(+), 32 deletions(-) diff --git a/compositions/upbound-aws-provider/aurora/aurora.yaml b/compositions/upbound-aws-provider/aurora/aurora.yaml index ab9ac24b..430eb46b 100644 --- a/compositions/upbound-aws-provider/aurora/aurora.yaml +++ b/compositions/upbound-aws-provider/aurora/aurora.yaml @@ -1,7 +1,7 @@ apiVersion: apiextensions.crossplane.io/v1 kind: Composition metadata: - name: xrelationaldatabases.db.awsblueprint.io + name: xauroras.db.awsblueprint.io labels: awsblueprints.io/provider: aws awsblueprints.io/environment: dev @@ -10,7 +10,7 @@ spec: writeConnectionSecretsToNamespace: crossplane-system compositeTypeRef: apiVersion: db.awsblueprint.io/v1alpha1 - kind: XRelationalDatabase + kind: XAurora patchSets: - name: common-fields patches: @@ -199,12 +199,6 @@ spec: toFieldPath: status.clusterParameterGroupName - name: aurora-cluster connectionDetails: - - type: FromFieldPath - name: clusterIdentifier - fromFieldPath: status.atProvider.id - - type: FromFieldPath - name: clusterArn - fromFieldPath: status.atProvider.arn - type: FromFieldPath name: clusterReaderEndpoint fromFieldPath: status.atProvider.readerEndpoint @@ -214,6 +208,9 @@ spec: - type: FromFieldPath name: clusterMasterSecretArn fromFieldPath: status.atProvider.masterUserSecret.secretArn + - type: FromFieldPath + name: clusterUsername + fromFieldPath: status.atProvider.masterUsername base: apiVersion: rds.aws.upbound.io/v1beta1 kind: Cluster 
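Review bot: The new `clusterUsername` connection detail is added right after `clusterMasterSecretArn`, which still reads `status.atProvider.masterUserSecret.secretArn` with no index, whereas the status patch for the same value (visible in the first commit) uses `status.atProvider.masterUserSecret[0].secretArn`; if the provider exposes `masterUserSecret` as a list, the status field will populate while the secret key stays empty. Align it to `fromFieldPath: status.atProvider.masterUserSecret[0].secretArn`. Publishing only the Secrets Manager ARN and the username, never the password, is the right shape for this secret; consumers then still need IAM permission on the referenced secret, which is worth stating in the XRD description.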
@@ -310,6 +307,17 @@ spec: - type: ToCompositeFieldPath fromFieldPath: status.atProvider.masterUserSecret[0].secretArn toFieldPath: status.clusterMasterSecretArn + - type: ToCompositeFieldPath + fromFieldPath: status.atProvider.masterUsername + toFieldPath: status.clusterUsername + - fromFieldPath: metadata.labels[crossplane.io/claim-namespace] + toFieldPath: spec.writeConnectionSecretToRef.namespace + - fromFieldPath: metadata.name + toFieldPath: spec.writeConnectionSecretToRef.name + transforms: + - type: string + string: + fmt: "%s-cluster-secret" - name: aurora-cluster-instance-01 base: apiVersion: rds.aws.upbound.io/v1beta1 @@ -453,9 +461,6 @@ spec: toFieldPath: spec.forProvider.clusterIdentifier - name: aurora-cluster-proxy connectionDetails: - - type: FromFieldPath - name: proxyArn - fromFieldPath: status.atProvider.arn - type: FromFieldPath name: proxyEndpoint fromFieldPath: status.atProvider.endpoint @@ -512,6 +517,14 @@ spec: - type: ToCompositeFieldPath fromFieldPath: status.atProvider.endpoint toFieldPath: status.proxyEndpoint + - fromFieldPath: metadata.labels[crossplane.io/claim-namespace] + toFieldPath: spec.writeConnectionSecretToRef.namespace + - fromFieldPath: metadata.name + toFieldPath: spec.writeConnectionSecretToRef.name + transforms: + - type: string + string: + fmt: "%s-proxy-endpoint-secret" - name: aurora-cluster-proxy-default-tg base: apiVersion: rds.aws.upbound.io/v1beta1 diff --git a/compositions/upbound-aws-provider/aurora/definition.yaml b/compositions/upbound-aws-provider/aurora/definition.yaml index b0d9af7d..6e19c463 100644 --- a/compositions/upbound-aws-provider/aurora/definition.yaml +++ b/compositions/upbound-aws-provider/aurora/definition.yaml 
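Review bot: Pointing the Cluster managed resource's `spec.writeConnectionSecretToRef` at the claim namespace writes that resource's own connection secret into the tenant namespace, and to my understanding that secret holds every connection detail the provider publishes for the Cluster, not the curated keys under `connectionDetails`, which only filter the composite's secret; check what the Upbound RDS Cluster publishes before treating this as a tenant-safe secret. The namespace is taken from `metadata.labels[crossplane.io/claim-namespace]`, which is absent when an XAurora is created directly rather than through a claim; the name patch still fires, leaving a `writeConnectionSecretToRef` with a name but no namespace, which I would expect the provider to reject. Either add a fallback patch or document that this composition is claim-only. The `@@ -512` hunk repeats the same pattern for the Proxy.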
@@ -1,32 +1,21 @@ apiVersion: apiextensions.crossplane.io/v1 kind: CompositeResourceDefinition metadata: - name: xrelationaldatabases.db.awsblueprint.io + name: xauroras.db.awsblueprint.io spec: group: db.awsblueprint.io names: - kind: XRelationalDatabase - plural: xrelationaldatabases + kind: XAurora + plural: xauroras claimNames: - kind: RelationalDatabase - plural: relationaldatabases + kind: Aurora + plural: auroras connectionSecretKeys: - - subnetGroupArn - - subnetGroupName - - securityGroupId - - securityGroupArn - - securityGroupName - - clusterParameterGroupName - - clusterParameterGroupArn - - clusterIdentifier - - clusterArn - clusterReaderEndpoint - clusterEndpoint + - clusterUsername - clusterMasterSecretArn - - proxyArn - proxyEndpoint - - defaultProxyTgName - - targetGroupName versions: - name: v1alpha1 served: true @@ -175,6 +164,8 @@ spec: type: string clusterMasterSecretArn: type: string + clusterUsername: + type: string proxyArn: type: string proxyEndpoint: @@ -184,4 +175,4 @@ spec: targetGroupName: type: string type: object - type: object + type: object \ No newline at end of file diff --git a/examples/upbound-aws-provider/composite-resources/aurora-postgresql.yaml b/examples/upbound-aws-provider/composite-resources/aurora-postgresql.yaml index d9a8352d..33e58c27 100644 --- a/examples/upbound-aws-provider/composite-resources/aurora-postgresql.yaml +++ b/examples/upbound-aws-provider/composite-resources/aurora-postgresql.yaml @@ -1,8 +1,8 @@ apiVersion: db.awsblueprint.io/v1alpha1 -kind: RelationalDatabase +kind: Aurora metadata: - name: test-aurora-postgresql-db - namespace: default + name: test-aurora-postgresql-cluster + namespace: team-a spec: compositionSelector: matchLabels: From 1a2bf1ab650473167596c1f6e3b81b121aa2b695 Mon Sep 17 00:00:00 2001 
From: biswajitbabu Date: Fri, 18 Aug 2023 16:23:00 -0500 Subject: [PATCH 03/25] Added default based on cluster behaviour --- .../upbound-aws-provider/aurora/aurora.yaml | 212 ++++++++---------- .../aurora/definition.yaml | 74 +++++- .../aurora-postgresql.yaml | 55 +++-- 3 files changed, 189 insertions(+), 152 deletions(-) diff --git a/compositions/upbound-aws-provider/aurora/aurora.yaml b/compositions/upbound-aws-provider/aurora/aurora.yaml index 430eb46b..fd93726f 100644 --- a/compositions/upbound-aws-provider/aurora/aurora.yaml +++ b/compositions/upbound-aws-provider/aurora/aurora.yaml @@ -31,13 +31,6 @@ spec: appendSlice: true resources: - name: aurora-cluster-subnetgroup - connectionDetails: - - type: FromFieldPath - name: subnetGroupArn - fromFieldPath: status.atProvider.arn - - type: FromFieldPath - name: subnetGroupName - fromFieldPath: status.atProvider.id base: apiVersion: rds.aws.upbound.io/v1beta1 kind: SubnetGroup @@ -47,9 +40,9 @@ spec: forProvider: description: "aurora subnet group" tags: - namespace: team-a environment: dev application: my-app + bu: test patches: - type: PatchSet patchSetName: common-fields @@ -62,16 +55,6 @@ spec: fromFieldPath: status.atProvider.id toFieldPath: status.subnetGroupName - name: aurora-cluster-sg - connectionDetails: - - type: FromFieldPath - name: securityGroupArn - fromFieldPath: status.atProvider.arn - - type: FromFieldPath - name: securityGroupId - fromFieldPath: status.atProvider.id - - type: FromFieldPath - name: securityGroupName - fromFieldPath: status.atProvider.securityGroupName base: apiVersion: ec2.aws.upbound.io/v1beta1 kind: SecurityGroup @@ -104,10 +87,8 @@ spec: name: aurora-cluster-sg-self-rule spec: forProvider: - fromPort: 5432 protocol: tcp self: true - toPort: 5432 type: ingress securityGroupIdSelector: matchLabels: 
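Review bot: The SubnetGroup base now carries `bu: test` beside `environment: dev` and `application: my-app` as hard-coded tags; with the `common-fields` patch set only declaring `appendSlice`, the claim's `resourceConfig.tags` appear to be merged over these keys rather than replacing them, so any tenant that does not override them gets placeholder tags on real resources. Tags used for cost allocation or access policy should come from the claim, so either drop these three from the base or document them as defaults in the XRD description. Removing the subnet-group and security-group `connectionDetails` is the right call, since those values are already surfaced in the composite status.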
@@ -115,9 +96,15 @@ spec: patches: - type: PatchSet patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: spec.networkConfig.allowedPort + toFieldPath: spec.forProvider.fromPort + - type: FromCompositeFieldPath + fromFieldPath: spec.networkConfig.allowedPort + toFieldPath: spec.forProvider.toPort - type: FromCompositeFieldPath fromFieldPath: status.securityGroupId - toFieldPath: spec.forProvider.securityGroupId + toFieldPath: spec.forProvider.securityGroupId - name: aurora-cluster-sg-app-rule base: apiVersion: ec2.aws.upbound.io/v1beta1 @@ -126,11 +113,7 @@ spec: name: aurora-cluster-sg-app-rule spec: forProvider: - fromPort: 5432 protocol: tcp - cidrBlocks: - - 10.0.0.0/8 - toPort: 5432 type: ingress securityGroupIdSelector: matchLabels: @@ -138,6 +121,18 @@ spec: patches: - type: PatchSet patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: spec.networkConfig.allowedPort + toFieldPath: spec.forProvider.fromPort + - type: FromCompositeFieldPath + fromFieldPath: spec.networkConfig.allowedPort + toFieldPath: spec.forProvider.toPort + - type: FromCompositeFieldPath + fromFieldPath: spec.networkConfig.allowedCidrBlocks + toFieldPath: spec.forProvider.cidrBlocks + - type: FromCompositeFieldPath + fromFieldPath: spec.networkConfig.allowedSecurityGroupId + toFieldPath: spec.forProvider.sourceSecurityGroupId - type: FromCompositeFieldPath fromFieldPath: status.securityGroupId toFieldPath: spec.forProvider.securityGroupId @@ -149,9 +144,7 @@ spec: name: aurora-cluster-sg-egress-rule spec: forProvider: - fromPort: 5432 protocol: tcp - toPort: 5432 type: egress securityGroupIdSelector: matchLabels: 
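Review bot: In `@@ -138,6 +121,18 @@` the aurora-cluster-sg-app-rule patches map both `spec.networkConfig.allowedCidrBlocks` to `cidrBlocks` and `spec.networkConfig.allowedSecurityGroupId` to `sourceSecurityGroupId` on the same SecurityGroupRule, and the XRD hunk `@@ -40,6 +37,19 @@` in definition.yaml only adds `subnetIds` and `vpcId` to `required`, so nothing forces a claim to set exactly one source. If the provider keeps the underlying rule's constraint that the two sources are mutually exclusive, a claim setting both is likely to be rejected at reconcile time, and a claim setting neither is likely to produce an ingress rule with no source; today the only guidance is a comment in the example claim. Expressing the constraint in the schema (a `oneOf` over the two properties under `networkConfig`, each with `required: [<name>]`) makes the failure an admission error with a readable message. Dropping the hard-coded `10.0.0.0/8` from the base in `@@ -126,11 +113,7 @@` is the right call, since a /8 default silently widened every cluster's ingress.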
@@ -159,20 +152,19 @@ spec: patches: - type: PatchSet patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: spec.networkConfig.allowedPort + toFieldPath: spec.forProvider.fromPort + - type: FromCompositeFieldPath + fromFieldPath: spec.networkConfig.allowedPort + toFieldPath: spec.forProvider.toPort - type: FromCompositeFieldPath fromFieldPath: status.securityGroupId toFieldPath: spec.forProvider.securityGroupId - type: FromCompositeFieldPath fromFieldPath: status.securityGroupId - toFieldPath: spec.forProvider.sourceSecurityGroupId + toFieldPath: spec.forProvider.sourceSecurityGroupId - name: rds-cluster-para-group - connectionDetails: - - type: FromFieldPath - name: clusterParameterGroupArn - fromFieldPath: status.atProvider.arn - - type: FromFieldPath - name: clusterParameterGroupName - fromFieldPath: status.atProvider.id base: apiVersion: rds.aws.upbound.io/v1beta1 kind: ClusterParameterGroup 
@@ -199,60 +191,58 @@ spec: toFieldPath: status.clusterParameterGroupName - name: aurora-cluster connectionDetails: - - type: FromFieldPath - name: clusterReaderEndpoint - fromFieldPath: status.atProvider.readerEndpoint - - type: FromFieldPath - name: clusterEndpoint - fromFieldPath: status.atProvider.endpoint - - type: FromFieldPath - name: clusterMasterSecretArn - fromFieldPath: status.atProvider.masterUserSecret.secretArn - - type: FromFieldPath - name: clusterUsername - fromFieldPath: status.atProvider.masterUsername + - type: FromFieldPath + name: clusterUsername + fromFieldPath: status.atProvider.masterUsername base: apiVersion: rds.aws.upbound.io/v1beta1 kind: Cluster spec: forProvider: - # DEFAULT VALUES + writeConnectionSecretToRef: + namespace: crossplane-system engine: aurora-postgresql engineVersion: "15.2" manageMasterUserPassword: true - masterUsername: root - skipFinalSnapshot: false + masterUsername: adminuser + skipFinalSnapshot: true storageEncrypted: true enableHttpEndpoint: false copyTagsToSnapshot: true - enabledCloudwatchLogsExports: - - "postgresql" - # CONFIGURABLE VALUES - databaseName: aurorapgsql + databaseName: auroradb storageType: "aurora-iopt1" - availabilityZones: - - us-east-1a - - us-east-1b - finalSnapshotIdentifier: "to-be-patched" + finalSnapshotIdentifier: "aurora-cluster-final-snapshot" backupRetentionPeriod: 7 preferredBackupWindow: 02:00-03:00 preferredMaintenanceWindow: sun:04:00-sun:05:00 - # DYNAMICALLY PASSED VALUES dbClusterParameterGroupName: default.aurora-postgresql15 vpcSecurityGroupIDs: [] vpcSecurityGroupIDSelector: matchControllerRef: true dbSubnetGroupNameSelector: - matchControllerRef: true + matchControllerRef: true + tags: + environment: dev + application: my-app + bu: bu-name patches: - type: PatchSet patchSetName: common-fields - type: FromCompositeFieldPath fromFieldPath: spec.resourceConfig.databaseName toFieldPath: spec.forProvider.databaseName + - type: FromCompositeFieldPath + fromFieldPath: 
spec.resourceConfig.engine + toFieldPath: spec.forProvider.engine - type: FromCompositeFieldPath fromFieldPath: spec.resourceConfig.engineVersion toFieldPath: spec.forProvider.engineVersion + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.masterUsername + toFieldPath: spec.forProvider.masterUsername + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.skipFinalSnapshot + toFieldPath: spec.forProvider.skipFinalSnapshot - type: FromCompositeFieldPath fromFieldPath: spec.resourceConfig.storageType toFieldPath: spec.forProvider.storageType @@ -262,9 +252,6 @@ spec: - type: FromCompositeFieldPath fromFieldPath: spec.resourceConfig.availabilityZones toFieldPath: spec.forProvider.availabilityZones - - type: FromCompositeFieldPath - fromFieldPath: spec.resourceConfig.finalDBSnapshotIdentifier - toFieldPath: spec.forProvider.finalDBSnapshotIdentifier - type: FromCompositeFieldPath fromFieldPath: spec.resourceConfig.backupRetentionPeriod toFieldPath: spec.forProvider.backupRetentionPeriod 
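Review bot: The Cluster base in `@@ -199,60 +191,58 @@` flips the default to `skipFinalSnapshot: true`, so deleting a claim created with the defaults destroys the data with no snapshot; the removed line had `false`, and the XRD hunk `@@ -55,17 +65,33 @@` in definition.yaml repeats the new default. Keeping `skipFinalSnapshot: false` as the default, with the claim opting out, is the safer posture for a database composition. The added `writeConnectionSecretToRef:` / `namespace: crossplane-system` replaces the removed `# DEFAULT VALUES` comment and so appears to sit under `forProvider`, where it is not a provider field; the collapsed whitespace leaves the exact indentation uncertain, but the field is spec-level, needs a `name` as well as a `namespace`, and Crossplane already derives each composed resource's secret ref from the Composition's `writeConnectionSecretsToNamespace`, so the two lines can be dropped. The same two lines appear in the proxy base at `@@ -471,23 +453,20 @@`.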
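Review bot: Removing the `finalDBSnapshotIdentifier` patch in `@@ -262,9 +252,6 @@` leaves no patch from the claim to `spec.forProvider.finalSnapshotIdentifier`, so the value a claim provides (the XRD still declares `resourceConfig.finalSnapshotIdentifier`, and the example at `@@ -16,43 +18,52 @@` sets it next to `skipFinalSnapshot: false`) is silently ignored and every cluster uses the fixed `"aurora-cluster-final-snapshot"` from the base. Since a snapshot identifier must be unique within an account and region, the second cluster deleted with that name is likely to fail its final snapshot and remain undeleted until the identifier is changed by hand. The removed patch presumably never worked because its field name matched neither side; replace it with `- type: FromCompositeFieldPath`, `fromFieldPath: spec.resourceConfig.finalSnapshotIdentifier`, `toFieldPath: spec.forProvider.finalSnapshotIdentifier`.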
@@ -310,46 +297,39 @@ spec: - type: ToCompositeFieldPath fromFieldPath: status.atProvider.masterUsername toFieldPath: status.clusterUsername - - fromFieldPath: metadata.labels[crossplane.io/claim-namespace] - toFieldPath: spec.writeConnectionSecretToRef.namespace - - fromFieldPath: metadata.name - toFieldPath: spec.writeConnectionSecretToRef.name - transforms: - - type: string - string: - fmt: "%s-cluster-secret" - name: aurora-cluster-instance-01 base: apiVersion: rds.aws.upbound.io/v1beta1 kind: ClusterInstance spec: forProvider: - # DEFAULT VALUES promotionTier: 0 + engine: aurora-postgresql + engineVersion: "15.2" + instanceClass: db.r6g.large publiclyAccessible: false autoMinorVersionUpgrade: true copyTagsToSnapshot: true + performanceInsightsEnabled: true dbSubnetGroupNameSelector: matchControllerRef: true - engine: aurora-postgresql - performanceInsightsEnabled: true - # CONFIGURABLE VALUES - engineVersion: "15.2" - instanceClass: db.r6g.large - monitoringInterval: 5 - performanceInsightsRetentionPeriod: 7 - # DYNAMICALLY PASSED VALUES clusterIdentifierSelector: matchControllerRef: true patches: - type: PatchSet patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.engine + toFieldPath: spec.forProvider.engine - type: FromCompositeFieldPath fromFieldPath: spec.resourceConfig.engineVersion toFieldPath: spec.forProvider.engineVersion - type: FromCompositeFieldPath fromFieldPath: spec.resourceConfig.clusterInstanceClass toFieldPath: spec.forProvider.instanceClass + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.performanceInsightsEnabled + toFieldPath: spec.forProvider.performanceInsightsEnabled - type: FromCompositeFieldPath fromFieldPath: spec.resourceConfig.monitoringRoleArn toFieldPath: spec.forProvider.monitoringRoleArn 
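Review bot: The ClusterInstance base and patch list rewritten in `@@ -310,46 +297,39 @@` are repeated verbatim for instance-02 and instance-03 in `@@ -371,32 +351,33 @@` and `@@ -418,32 +399,33 @@`, so every new field such as the `engine` and `performanceInsightsEnabled` patches added here had to be edited three times, and the three copies will drift. The instances already share `common-fields`; moving the instance-specific patches into a second entry under `spec.patchSets` (e.g. `- name: instance-fields`) and referencing it from each instance with `- type: PatchSet` / `patchSetName: instance-fields` leaves one copy of the patch list and only `promotionTier` differing in each base. The same applies to the repeated `engine`/`engineVersion`/`instanceClass` defaults in the three bases, which could then live in a single place as well.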
@@ -371,32 +351,33 @@ spec: kind: ClusterInstance spec: forProvider: - # DEFAULT VALUES promotionTier: 1 + engine: aurora-postgresql + engineVersion: "15.2" + instanceClass: db.r6g.large publiclyAccessible: false autoMinorVersionUpgrade: true copyTagsToSnapshot: true + performanceInsightsEnabled: true dbSubnetGroupNameSelector: matchControllerRef: true - engine: aurora-postgresql - performanceInsightsEnabled: true - # CONFIGURABLE VALUES - engineVersion: "15.2" - instanceClass: db.r6g.large - monitoringInterval: 5 - performanceInsightsRetentionPeriod: 7 - # DYNAMICALLY PASSED VALUES clusterIdentifierSelector: matchControllerRef: true patches: - type: PatchSet patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.engine + toFieldPath: spec.forProvider.engine - type: FromCompositeFieldPath fromFieldPath: spec.resourceConfig.engineVersion toFieldPath: spec.forProvider.engineVersion - type: FromCompositeFieldPath fromFieldPath: spec.resourceConfig.clusterInstanceClass toFieldPath: spec.forProvider.instanceClass + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.performanceInsightsEnabled + toFieldPath: spec.forProvider.performanceInsightsEnabled - type: FromCompositeFieldPath fromFieldPath: spec.resourceConfig.monitoringRoleArn toFieldPath: spec.forProvider.monitoringRoleArn 
@@ -418,32 +399,33 @@ spec: kind: ClusterInstance spec: forProvider: - # DEFAULT VALUES promotionTier: 2 + engine: aurora-postgresql + engineVersion: "15.2" + instanceClass: db.r6g.large publiclyAccessible: false autoMinorVersionUpgrade: true copyTagsToSnapshot: true + performanceInsightsEnabled: true dbSubnetGroupNameSelector: matchControllerRef: true - engine: aurora-postgresql - performanceInsightsEnabled: true - # CONFIGURABLE VALUES - engineVersion: "15.2" - instanceClass: db.r6g.large - monitoringInterval: 5 - performanceInsightsRetentionPeriod: 7 - # DYNAMICALLY PASSED VALUES clusterIdentifierSelector: matchControllerRef: true patches: - type: PatchSet patchSetName: common-fields + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.engine + toFieldPath: spec.forProvider.engine - type: FromCompositeFieldPath fromFieldPath: spec.resourceConfig.engineVersion toFieldPath: spec.forProvider.engineVersion - type: FromCompositeFieldPath fromFieldPath: spec.resourceConfig.clusterInstanceClass toFieldPath: spec.forProvider.instanceClass + - type: FromCompositeFieldPath + fromFieldPath: spec.resourceConfig.performanceInsightsEnabled + toFieldPath: spec.forProvider.performanceInsightsEnabled - type: FromCompositeFieldPath fromFieldPath: spec.resourceConfig.monitoringRoleArn toFieldPath: spec.forProvider.monitoringRoleArn @@ -458,7 +440,7 @@ spec: toFieldPath: spec.forProvider.performanceInsightsRetentionPeriod - type: FromCompositeFieldPath fromFieldPath: status.clusterIdentifier - toFieldPath: spec.forProvider.clusterIdentifier + toFieldPath: spec.forProvider.clusterIdentifier - name: aurora-cluster-proxy connectionDetails: - type: FromFieldPath 
@@ -471,23 +453,20 @@ spec: name: aurora-proxy spec: forProvider: - # DEFAULT VALUES + writeConnectionSecretToRef: + namespace: crossplane-system auth: - - authScheme: SECRETS - description: "auth for aurora proxy" - iamAuth: REQUIRED + - authScheme: SECRETS + description: "auth for aurora proxy" + iamAuth: REQUIRED engineFamily: POSTGRESQL requireTls: true - # CONFIGURABLE VALUES debugLogging: true idleClientTimeout: 1800 - # DYNAMICALLY PASSED VALUES vpcSecurityGroupIds: [] vpcSecurityGroupIDSelector: matchControllerRef: true tags: - cluster: test-cluster - namespace: team-a environment: dev application: my-app bu: test @@ -496,7 +475,7 @@ spec: patchSetName: common-fields - type: FromCompositeFieldPath fromFieldPath: spec.proxyConfig.debugLogging - toFieldPath: spec.forProvider.debugLogging\ + toFieldPath: spec.forProvider.debugLogging - type: FromCompositeFieldPath fromFieldPath: spec.proxyConfig.idleClientTimeout toFieldPath: spec.forProvider.idleClientTimeout @@ -508,6 +487,9 @@ spec: - type: FromCompositeFieldPath fromFieldPath: status.clusterMasterSecretArn toFieldPath: spec.forProvider.auth[0].secretArn + - type: FromCompositeFieldPath + fromFieldPath: spec.proxyConfig.iamAuth + toFieldPath: spec.forProvider.auth[0].iamAuth - type: FromCompositeFieldPath fromFieldPath: status.securityGroupId toFieldPath: spec.forProvider.vpcSecurityGroupIds[0] @@ -517,14 +499,6 @@ spec: - type: ToCompositeFieldPath fromFieldPath: status.atProvider.endpoint toFieldPath: status.proxyEndpoint - - fromFieldPath: metadata.labels[crossplane.io/claim-namespace] - toFieldPath: spec.writeConnectionSecretToRef.namespace - - fromFieldPath: metadata.name - toFieldPath: spec.writeConnectionSecretToRef.name - transforms: - - type: string - string: - fmt: "%s-proxy-endpoint-secret" - name: aurora-cluster-proxy-default-tg base: apiVersion: rds.aws.upbound.io/v1beta1 
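Review bot: `debugLogging: true` stays as the proxy's base value in `@@ -471,23 +453,20 @@`, and the XRD hunk `@@ -104,40 +141,55 @@` in definition.yaml now defaults `proxyConfig.debugLogging` to `true`, so every claim that omits the field ships a proxy that, per the field's own description in the XRD, writes detailed information about SQL statements to its log group; AWS documents this as a setting to enable only while troubleshooting. Default it to `false` in both places (`debugLogging: false` in the base, `default: false` in the schema) and let the example claim opt in explicitly. The retained `requireTls: true` and the `iamAuth: REQUIRED` default, now claim-overridable through the patch added at `@@ -508,6 +487,9 @@`, keep the client side tight, so debug logging is the one default here that leaks data rather than protects it.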
@@ -534,9 +508,9 @@ spec: spec: forProvider: connectionPoolConfig: - - connectionBorrowTimeout: 10 - maxConnectionsPercent: 50 - maxIdleConnectionsPercent: 50 + - connectionBorrowTimeout: 10 + maxConnectionsPercent: 50 + maxIdleConnectionsPercent: 50 dbProxyNameSelector: matchControllerRef: true patches: diff --git a/compositions/upbound-aws-provider/aurora/definition.yaml b/compositions/upbound-aws-provider/aurora/definition.yaml index 6e19c463..822fa269 100644 --- a/compositions/upbound-aws-provider/aurora/definition.yaml +++ b/compositions/upbound-aws-provider/aurora/definition.yaml @@ -11,10 +11,7 @@ spec: kind: Aurora plural: auroras connectionSecretKeys: - - clusterReaderEndpoint - - clusterEndpoint - clusterUsername - - clusterMasterSecretArn - proxyEndpoint versions: - name: v1alpha1 @@ -40,6 +37,19 @@ spec: minItems: 1 vpcId: type: string + allowedPort: + type: number + default: 5432 + allowedCidrBlocks: + type: array + items: + type: string + minItems: 1 + allowedSecurityGroupId: + type: string + required: + - subnetIds + - vpcId resourceConfig: description: parameter for Aurora general configuration resource. @@ -55,17 +65,33 @@ spec: - Delete - Orphan type: string + default: Delete parameterGroupFamily: description: Parameter group family name. type: string + default: aurora-postgresql15 databaseName: description: name of the aurora database type: string + engine: + description: engine type + type: string + default: aurora-postgresql engineVersion: description: engine version type: string + default: "15.2" + masterUsername: + description: cluster user name + type: string + default: adminuser + skipFinalSnapshot: + description: Whether a final DB snapshot is created before the DB cluster is deleted + type: boolean + default: true storageType: type: string + default: aurora-iopt1 availabilityZones: type: array items: 
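Review bot: In `@@ -40,6 +37,19 @@` `allowedPort` is declared `type: number`, which admits fractional values such as `5432.5` that the `fromPort`/`toPort` fields it is patched into cannot take; `type: integer` with `minimum: 1` and `maximum: 65535` rejects such claims at admission instead of at reconcile time. The items of `allowedCidrBlocks` are likewise unconstrained strings, so a typo in the prefix (or a missing `/` length) is only caught when the SecurityGroupRule fails; a `pattern` for dotted-quad/prefix notation on the item schema would surface it in the claim's status at once. These two fields feed the cluster's ingress rule, so tightening their schema is the cheapest place to catch a mistake.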
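Review bot: `engine` is added in `@@ -55,17 +65,33 @@` as a free-form string defaulting to `aurora-postgresql`, but the rest of this series stays PostgreSQL-specific: `parameterGroupFamily` defaults to `aurora-postgresql15`, `allowedPort` to `5432`, and the proxy base hard-codes `engineFamily: POSTGRESQL`. A claim that sets `engine: aurora-mysql` therefore passes schema validation and fails later at the parameter group or the proxy. Until those are parameterized, constrain the field with `enum: [aurora-postgresql]` alongside the default so the composition's assumption is visible in the API. The `masterUsername` default of `adminuser` is acceptable because the password comes from `manageMasterUserPassword: true`, but its description could say so to save readers a lookup.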
@@ -74,24 +100,35 @@ spec: type: string backupRetentionPeriod: type: integer + default: 7 preferredBackupWindow: type: string + default: "02:00-03:00" preferredMaintenanceWindow: - type: string + type: string + default: "sun:04:00-sun:05:00" clusterInstanceClass: - type: string + type: string + default: db.r6g.large + performanceInsightsEnabled: + description: Specifies whether Performance Insights is enabled or not. + type: boolean + default: true monitoringRoleArn: type: string monitoringInterval: type: integer + default: 60 performanceInsightsRetentionPeriod: type: integer + default: 7 enabledCloudwatchLogsExports: type: array items: type: string applyImmediately: type: boolean + default: true snapshotIdentifier: type: string finalSnapshotIdentifier: 
@@ -104,40 +141,55 @@ spec: required: - providerConfigName - region + - monitoringRoleArn proxyConfig: description: parameter for Aurora Proxy configuration type: object properties: + iamAuth: + enum: + - REQUIRED + - DISABLED + type: string + default: REQUIRED + description: Whether to require or disallow IAM authentication for connections. debugLogging: description: Parameter to set whether the proxy includes detailed information about SQL statements in its logs. type: boolean + default: true idleClientTimeout: description: Parameter to set the number of seconds that a connection to the proxy can be inactive before the proxy disconnects it. - type: number + type: number + default: 3600 proxyRoleArn: description: Role Arn for the database proxy. type: string - secretArn: - description: Arn of the db credential secret. - type: string + # secretArn: + # description: Arn of the db credential secret. + # type: string connectionBorrowTimeout: description: The number of seconds for a proxy to wait for a connection to become available in the connection pool. type: number + default: 120 maxIdleConnectionsPercent: description: Controls how actively the proxy closes idle database connections in the connection pool. type: number + default: 50 maxConnectionsPercent: description: The maximum size of the connection pool for each target in a target group. type: number + default: 50 initQuery: description: One or more SQL statements for the proxy to run when opening each new database connection. - type: string + type: string + required: + - proxyRoleArn status: properties: subnetGroupArn: @@ -175,4 +227,4 @@ spec: targetGroupName: type: string type: object - type: object \ No newline at end of file + type: object diff --git a/examples/upbound-aws-provider/composite-resources/aurora-postgresql.yaml b/examples/upbound-aws-provider/composite-resources/aurora-postgresql.yaml index 33e58c27..4d561001 100644 --- a/examples/upbound-aws-provider/composite-resources/aurora-postgresql.yaml 
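Review bot: The three `# secretArn` lines in `@@ -104,40 +141,55 @@` leave dead schema in the XRD; since the composition sources `auth[0].secretArn` from `status.clusterMasterSecretArn` (the patch is visible at `@@ -508,6 +487,9 @@`), delete them rather than keep them as comments. `idleClientTimeout`, `connectionBorrowTimeout`, `maxIdleConnectionsPercent` and `maxConnectionsPercent` are declared `type: number`; `type: integer` with bounds (`minimum: 0`, `maximum: 100` for the two percent fields) rejects bad claims at admission. Adding `monitoringRoleArn` to `required` is consistent with `monitoringInterval` now defaulting to `60`, since RDS needs the role whenever the interval is non-zero.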
+++ b/examples/upbound-aws-provider/composite-resources/aurora-postgresql.yaml @@ -4,6 +4,8 @@ metadata: name: test-aurora-postgresql-cluster namespace: team-a spec: + writeConnectionSecretToRef: + name: aurora-cluster-secrets compositionSelector: matchLabels: awsblueprints.io/provider: aws 
@@ -16,43 +18,52 @@ spec: - "subnet-123455" - "subnet-123455" - "subnet-123455" + # either the app CIDR or the SG id has to be provided for ingress traffic rule + allowedCidrBlocks: + - 10.0.0.0/8 + # allowedSecurityGroupId: sg-0dd0ff1bsgd345 resourceConfig: - providerConfigName: provider-config-irsa + # Required Fields for Cluster + providerConfigName: aws-provider-config region: us-east-1 + monitoringRoleArn: arn:aws:iam::12345678901:role/name-of-the-rds-role + # Below parameters have default set up in definition + # This can be patched to a different value based on req. deletionPolicy: Delete + databaseName: aurorapgsqldb parameterGroupFamily: aurora-postgresql15 - # Cluster Parameters - databaseName: "auroraclusterwithproxy" + engine: aurora-postgresql + masterUsername: adminuser engineVersion: "15.2" storageType: aurora-iopt1 - availabilityZones: - - "us-east-1a" - - "us-east-1b" - - "us-east-1c" backupRetentionPeriod: 7 preferredBackupWindow: "02:00-03:00" preferredMaintenanceWindow: "sun:04:00-sun:05:00" - # Cluster Instance parameter - clusterInstanceClass: db.r6g.xlarge - # monitoringRoleArn needs to provided for RDS - # to create and send log to Cloudwatch. - monitoringRoleArn: arn:aws:iam::12345678901:role/name-of-the-rds-role - monitoringInterval: 10 - performanceInsightsRetentionPeriod: 7 - # The below applyImmediately parameter is required for any immediate upgrade - # Or else it can be ommited. 
+ clusterInstanceClass: db.r6g.large applyImmediately: true - finalSnapshotIdentifier: "aurora-cluster-final-snapshot-v1" + skipFinalSnapshot: false + # provide finalSnapshotIdentifier if skipFinalSnapshot is false + finalSnapshotIdentifier: "aurora-cluster-final-snapshot" + performanceInsightsEnabled: true + performanceInsightsRetentionPeriod: 7 + monitoringInterval: 60 + #Optional Field + enabledCloudwatchLogsExports: + - "postgresql" tags: cluster: aurora-cluster namespace: team-a environment: dev application: my-app proxyConfig: + # Required Fields for proxy + # Role for aurora proxy to get the secrets from secret manager + proxyRoleArn: arn:aws:iam::12345678901:role/name-of-the-proxy-role + # Below parameters have default set up in definition + iamAuth: REQUIRED debugLogging: true + # Recommendation ::this needs to be updated based on the instance size idleClientTimeout: 3600 - # role for aurora proxy to get the secrets from secret manager - proxyRoleArn: arn:aws:iam::12345678901:role/name-of-the-proxy-role - connectionBorrowTimeout: 11 - maxConnectionsPercent: 55 - maxIdleConnectionsPercent: 40 + connectionBorrowTimeout: 120 + maxConnectionsPercent: 50 + maxIdleConnectionsPercent: 50 From 2e6dc17fc4dfcf3bb072e93769110349afe32bbc Mon Sep 17 00:00:00 2001 From: biswajitbabu Date: Tue, 5 Sep 2023 18:52:14 -0500 Subject: [PATCH 04/25] Added the readme for aurora --- .../database-examples/aurora/README.md | 228 ++++++++++++++++++ .../aurora}/aurora-postgresql.yaml | 0 2 files changed, 228 insertions(+) create mode 100644 examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md rename examples/upbound-aws-provider/composite-resources/{ => database-examples/aurora}/aurora-postgresql.yaml (100%) diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md new file mode 100644 index 00000000..87d279df --- /dev/null 
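Review bot: The example claim in `@@ -16,43 +18,52 @@` opens ingress with `allowedCidrBlocks: - 10.0.0.0/8`, the entire 10/8 private range, which is wider than any single application needs and is the value readers will copy; narrow it to the application subnets' CIDRs, or make the comment above it say the value must be replaced, so the security-group rule the composition builds from it is scoped to the client workload. Two smaller points: `#Optional Field` lacks the space after `#` that the other comments use, and fields such as `monitoringInterval: 60` and `maxConnectionsPercent: 50` repeat the schema defaults right after a comment saying the defaults can be left out, so the example could show only the fields a user actually has to decide.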
+++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md 
@@ -0,0 +1,228 @@ +# Steps to to deploy aurora rds cluster +This example deploys an aurora postgresql database cluster when applied the claim. Below are the steps to execute to +create a cluster and connect the cluster from a pod with an psql client. + +## Pre-requisites + - [Upbound AWS Provider Crossplane Blueprint Examples](../../README.md) + + +### create 2 role, one for RDS Monitoring and one for RDS Proxy + +Create an IAM role and attach policy to the role (This role is required for aurora to perform monitoring) + ```shell + aws iam create-role --role-name aurora-monitoring \ + --assume-role-policy-document '{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": + { + "Service": "monitoring.rds.amazonaws.com" + }, + "Action": "sts:AssumeRole" + + } + ] + }' + (Attach the IAM role with AmazonRDSEnhancedMonitoringRole policy.) + + aws iam attach-role-policy --role-name aurora-monitoring \ + --policy-arn arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole + ``` + + Create an 2nd IAM role and attach policy to the role (This role is required for aurora proxy to fetch db secrets from secret manager ) + + ```shell + aws iam create-role --role-name rds-proxy \ + --assume-role-policy-document '{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": + { + "Service": "rds.amazonaws.com" + }, + "Action": "sts:AssumeRole" + + } + ] + }' + + aws iam put-role-policy --role-name rds-proxy \ + --policy-name rds-proxy-policy \ + --policy-document '{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "getsm", + "Effect": "Allow", + "Action": "secretsmanager:GetSecretValue", + "Resource": "*" + }, + { + "Sid": "kmsdecrypt", + "Effect": "Allow", + "Action": "kms:Decrypt", + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com" + } + } + } + ] + }' + + ``` + ### Provide value to the claim before applying. + + 1. 
Open the claim and substitute the above 2 role arn with monitoringRoleArn and proxyRoleArn respectively. + 2. Make sure to go over the claim and substitute other field variable which has been mentioned e.g CIDR block + + Assuming that we have already applied the XRD and composition , if we run the below we can see a similar output as below + ### Verify your XRDS and composition + + Verify the XRDs + ```shell + kubectl get xrds + + Expected output + + NAME ESTABLISHED OFFERED AGE + xauroras.db.awsblueprint.io True True 5m + + ``` + + Verify the Compositions + + ```shell + + kubectl get compositions + + Expected output. Note: the output might contain more compositions but these are the ones uses by the claim in the next step + + NAME XR-KIND XR-APIVERSION AGE + xauroras.db.awsblueprint.io XAurora db.awsblueprint.io/v1alpha1 5m + + ``` + + if we have about same kind of output as above we can apply th claim: ( We are using a namespace as team-a in this example, if you want to change , please go ahead and create and update the same in the claim) + + ```shell + cd ../composite-resources/database-examples/aurora + k apply -f aurora-postgresql.yaml + + ``` + We can check the execution of claim by following command: + + ```shell + + k get Aurora -n team-a + k describe Aurora -n team-a + + ``` + (It should take about 15-20 min to provision the Aurora RDS cluster.) + + Below is the default behaviour of the resource which will be provisioned through the claim, just to mention all this default behaviour can be overridden through patching . + + 1. It will create a 3 node cluster with 1 writer and 2 reader endpoint spread across 3 Azs by default. + 2. It will also create a proxy to connect to the aurora cluster. + 3. The management of database credential is done through the secret manager. + 4. 
The security group has 2 rules , one to allow the app to connect to the proxy and one within the security group + where the proxy can connect to the database (Make sure you have provided the correct the CIDR at the claim which is the allow CIDR on the security group from app.) + 5. The Aurora DB has been configured with logging and monitoring. + ``` + ### Steps to check the connectivity from a pod + +Create an policy to allow the pod to connect to the Aurora Database + + ```shell + aws iam create-role --role-name aurora-monitoring \ + --assume-role-policy-document '{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + Action": [ + "rds-db:connect" + ], + "Resource": [ + "arn:aws:rds-db:${REGION_NAME}>:${ACCOUNT_NUMBER}:dbuser:*/*" + ] + } + ] + }' + ``` + + Create a service account passing the above policy arn + + ```shell + eksctl create iamserviceaccount \ + --name rds-access \ + --namespace team-a \ + --cluster ${CLUSTER_NAME} \ + --attach-policy-arn ${POLICY_ARN} \ + --approve \ + -override-existing-serviceaccounts + ``` + Generate a DB token which can be used for password when asked + + ```shell + + PROXY_TERGET-ENDPOINT=k get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.proxyEndpoint | base64 --decode + CLUSTER_USER_NAME=k get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.clusterUsername | base64 --decode + + aws rds generate-db-auth-token \ + --hostname ${PROXY_TERGET-ENDPOINT} \ + --port 5432 \ + --region us-east-1 \ + --username ${CLUSTER_USER_NAME} + ``` + create the pod with pgsql client: + + ```shell + pod.yaml + ========= + apiVersion: v1 + kind: Pod + metadata: + name: postgres-client + namespace: team-a + spec: + serviceAccountName: rds-access + containers: + - name: postgreclient + image: postgres:latest + command: ["sleep"] + args: ["3600"] # Sleep for 1 hour (3600 seconds) + envFrom: + - secretRef: + name: aurora-cluster-secrets + volumes: + - name: secret-volume + secret: + 
secretName: aurora-cluster-secrets # This secret name can be changed in the claim + ``` + + Exec into the pod + + ```shell + + k exec -it postgres-client -n team-a -- sh + + ``` + + create a DB connection and provide the token which you generate earlier for password. + + ```shell + + psql -h ${PROXY_TERGET-ENDPOINT} -U ${CLUSTER_USER_NAME} -d aurorapgsqldb -W + + Note : we are providing the name of the database in the claim as: aurorapgsqldb + ``` + Now we should be able to connect to the DB with psql client. diff --git a/examples/upbound-aws-provider/composite-resources/aurora-postgresql.yaml b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/aurora-postgresql.yaml similarity index 100% rename from examples/upbound-aws-provider/composite-resources/aurora-postgresql.yaml rename to examples/upbound-aws-provider/composite-resources/database-examples/aurora/aurora-postgresql.yaml From 88c5b1ac7267199893b4995093ea5a3d00fd8f47 Mon Sep 17 00:00:00 2001 From: biswajitbabu Date: Tue, 5 Sep 2023 18:58:12 -0500 Subject: [PATCH 05/25] Added the readme for aurora --- .../database-examples/aurora/README.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md index 87d279df..e9159500 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md @@ -157,7 +157,7 @@ Create an policy to allow the pod to connect to the Aurora Database } ] }' - ``` + ``` Create a service account passing the above policy arn 
@@ -169,10 +169,10 @@ Create an policy to allow the pod to connect to the Aurora Database --attach-policy-arn ${POLICY_ARN} \ --approve \ -override-existing-serviceaccounts - ``` + ``` Generate a DB token which can be used for password when asked - ```shell + ```shell PROXY_TERGET-ENDPOINT=k get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.proxyEndpoint | base64 --decode CLUSTER_USER_NAME=k get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.clusterUsername | base64 --decode @@ -182,7 +182,8 @@ Create an policy to allow the pod to connect to the Aurora Database --port 5432 \ --region us-east-1 \ --username ${CLUSTER_USER_NAME} - ``` + + ``` create the pod with pgsql client: ```shell @@ -207,7 +208,7 @@ Create an policy to allow the pod to connect to the Aurora Database - name: secret-volume secret: secretName: aurora-cluster-secrets # This secret name can be changed in the claim - ``` + ``` Exec into the pod From 43873f32bbb7c61bfd5a94df1723dc70e95112a2 Mon Sep 17 00:00:00 2001 From: biswajitbabu Date: Tue, 5 Sep 2023 22:20:57 -0500 Subject: [PATCH 06/25] Updated readme for aurora --- .../database-examples/aurora/README.md | 99 ++++++++++--------- 1 file changed, 52 insertions(+), 47 deletions(-) diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md index e9159500..016846bf 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md 
@@ -9,32 +9,37 @@ create a cluster and connect the cluster from a pod with an psql client. ### create 2 role, one for RDS Monitoring and one for RDS Proxy Create an IAM role and attach policy to the role (This role is required for aurora to perform monitoring) - ```shell + +```shell aws iam create-role --role-name aurora-monitoring \ - --assume-role-policy-document '{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "", - "Effect": "Allow", - "Principal": - { - "Service": "monitoring.rds.amazonaws.com" - }, - "Action": "sts:AssumeRole" + --assume-role-policy-document '{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": + { + "Service": "monitoring.rds.amazonaws.com" + }, + "Action": "sts:AssumeRole" - } - ] - }' + } + ] + }' + ``` (Attach the IAM role with AmazonRDSEnhancedMonitoringRole policy.) +```shell + aws iam attach-role-policy --role-name aurora-monitoring \ --policy-arn arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole - ``` + +``` Create an 2nd IAM role and attach policy to the role (This role is required for aurora proxy to fetch db secrets from secret manager ) - ```shell +```shell aws iam create-role --role-name rds-proxy \ --assume-role-policy-document '{ "Version": "2012-10-17", @@ -51,7 +56,10 @@ Create an IAM role and attach policy to the role (This role is required for auro } ] }' - +``` + + ```shell + aws iam put-role-policy --role-name rds-proxy \ --policy-name rds-proxy-policy \ --policy-document '{ @@ -77,7 +85,7 @@ Create an IAM role and attach policy to the role (This role is required for auro ] }' - ``` +``` ### Provide value to the claim before applying. 1. Open the claim and substitute the above 2 role arn with monitoringRoleArn and proxyRoleArn respectively. 
@@ -85,46 +93,44 @@ Create an IAM role and attach policy to the role (This role is required for auro Assuming that we have already applied the XRD and composition , if we run the below we can see a similar output as below ### Verify your XRDS and composition - + Verify the XRDs - ```shell +```shell kubectl get xrds - +``` Expected output NAME ESTABLISHED OFFERED AGE xauroras.db.awsblueprint.io True True 5m - ``` Verify the Compositions - ```shell + ```shell kubectl get compositions - +``` Expected output. Note: the output might contain more compositions but these are the ones uses by the claim in the next step NAME XR-KIND XR-APIVERSION AGE xauroras.db.awsblueprint.io XAurora db.awsblueprint.io/v1alpha1 5m - ``` if we have about same kind of output as above we can apply th claim: ( We are using a namespace as team-a in this example, if you want to change , please go ahead and create and update the same in the claim) - ```shell + ```shell cd ../composite-resources/database-examples/aurora k apply -f aurora-postgresql.yaml - ``` +``` We can check the execution of claim by following command: - ```shell + ```shell k get Aurora -n team-a k describe Aurora -n team-a - ``` +``` (It should take about 15-20 min to provision the Aurora RDS cluster.) Below is the default behaviour of the resource which will be provisioned through the claim, just to mention all this default behaviour can be overridden through patching . 
@@ -135,12 +141,12 @@ Create an IAM role and attach policy to the role (This role is required for auro 4. The security group has 2 rules , one to allow the app to connect to the proxy and one within the security group where the proxy can connect to the database (Make sure you have provided the correct the CIDR at the claim which is the allow CIDR on the security group from app.) 5. The Aurora DB has been configured with logging and monitoring. - ``` + ### Steps to check the connectivity from a pod Create an policy to allow the pod to connect to the Aurora Database - ```shell +```shell aws iam create-role --role-name aurora-monitoring \ --assume-role-policy-document '{ "Version": "2012-10-17", @@ -157,11 +163,11 @@ Create an policy to allow the pod to connect to the Aurora Database } ] }' - ``` +``` Create a service account passing the above policy arn - ```shell + ```shell eksctl create iamserviceaccount \ --name rds-access \ --namespace team-a \ @@ -169,10 +175,10 @@ Create an policy to allow the pod to connect to the Aurora Database --attach-policy-arn ${POLICY_ARN} \ --approve \ -override-existing-serviceaccounts - ``` +``` Generate a DB token which can be used for password when asked - ```shell +```shell PROXY_TERGET-ENDPOINT=k get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.proxyEndpoint | base64 --decode CLUSTER_USER_NAME=k get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.clusterUsername | base64 --decode @@ -183,12 +189,11 @@ Create an policy to allow the pod to connect to the Aurora Database --region us-east-1 \ --username ${CLUSTER_USER_NAME} - ``` +``` create the pod with pgsql client: - ```shell - pod.yaml - ========= +```shell + apiVersion: v1 kind: Pod metadata: 
@@ -208,22 +213,22 @@ Create an policy to allow the pod to connect to the Aurora Database - name: secret-volume secret: secretName: aurora-cluster-secrets # This secret name can be changed in the claim - ``` +``` Exec into the pod - ```shell +```shell k exec -it postgres-client -n team-a -- sh - ``` +``` create a DB connection and provide the token which you generate earlier for password. - ```shell +```shell psql -h ${PROXY_TERGET-ENDPOINT} -U ${CLUSTER_USER_NAME} -d aurorapgsqldb -W - +``` Note : we are providing the name of the database in the claim as: aurorapgsqldb - ``` - Now we should be able to connect to the DB with psql client. + + Now we should be able to connect to the DB with psql client. From 85aa6cc13b2bd46757d0136aad44bd9b7825d3d9 Mon Sep 17 00:00:00 2001 From: biswajitbabu Date: Wed, 6 Sep 2023 00:04:50 -0500 Subject: [PATCH 07/25] Updated readme for aurora --- .../database-examples/aurora/README.md | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md index 016846bf..19808173 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md 
@@ -88,17 +88,19 @@ Create an IAM role and attach policy to the role (This role is required for auro ``` ### Provide value to the claim before applying. - 1. Open the claim and substitute the above 2 role arn with monitoringRoleArn and proxyRoleArn respectively. - 2. Make sure to go over the claim and substitute other field variable which has been mentioned e.g CIDR block + 1. Open the claim and substitute aurora-monitoring role arn with monitoringRoleArn and rds-proxy role arn with proxyRoleArn respectively. + 2. Make sure check the CIDR block for application and provide in the claim. This will used as the security group + ingress rule for proxy from application ( we can also provide the security group id instead of CIDR). - Assuming that we have already applied the XRD and composition , if we run the below we can see a similar output as below ### Verify your XRDS and composition - Verify the XRDs + Verify the XRDs + ```shell kubectl get xrds ``` - Expected output + + Expected output NAME ESTABLISHED OFFERED AGE xauroras.db.awsblueprint.io True True 5m @@ -109,8 +111,10 @@ Create an IAM role and attach policy to the role (This role is required for auro ```shell kubectl get compositions -``` - Expected output. Note: the output might contain more compositions but these are the ones uses by the claim in the next step +``` + + Expected output. + Note: the output might contain more compositions but these are the ones uses by the claim in the next step NAME XR-KIND XR-APIVERSION AGE xauroras.db.awsblueprint.io XAurora db.awsblueprint.io/v1alpha1 5m @@ -123,8 +127,10 @@ Create an IAM role and attach policy to the role (This role is required for auro k apply -f aurora-postgresql.yaml ``` + We can check the execution of claim by following command: + ```shell k get Aurora -n team-a From ecd0ae8d24475b94461e5ac95460114d754a78b3 Mon Sep 17 00:00:00 2001 
From: biswajitbabu Date: Thu, 7 Sep 2023 19:56:47 -0500 Subject: [PATCH 08/25] Readme updated: review comments --- .../database-examples/aurora/README.md | 310 +++++++++--------- .../aurora/psql-client-pod.yaml | 19 ++ 2 files changed, 167 insertions(+), 162 deletions(-) create mode 100644 examples/upbound-aws-provider/composite-resources/database-examples/aurora/psql-client-pod.yaml diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md index 19808173..8cbf55fb 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md 
@@ -1,240 +1,226 @@ # Steps to to deploy aurora rds cluster -This example deploys an aurora postgresql database cluster when applied the claim. Below are the steps to execute to -create a cluster and connect the cluster from a pod with an psql client. +This example deploys an Aurora PostgreSQL database cluster. +Below are the steps to create a cluster and connect from a pod with an psql client. ## Pre-requisites - [Upbound AWS Provider Crossplane Blueprint Examples](../../README.md) -### create 2 role, one for RDS Monitoring and one for RDS Proxy +### Create 2 roles, one for RDS Monitoring and one for RDS Proxy Create an IAM role and attach policy to the role (This role is required for aurora to perform monitoring) + ```shell - aws iam create-role --role-name aurora-monitoring \ - --assume-role-policy-document '{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "", - "Effect": "Allow", - "Principal": - { - "Service": "monitoring.rds.amazonaws.com" - }, - "Action": "sts:AssumeRole" - - } - ] - }' +aws iam create-role --role-name aurora-monitoring \ + --assume-role-policy-document '{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": "monitoring.rds.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }' ``` (Attach the IAM role with AmazonRDSEnhancedMonitoringRole policy.) 
```shell - aws iam attach-role-policy --role-name aurora-monitoring \ - --policy-arn arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole +aws iam attach-role-policy --role-name aurora-monitoring \ + --policy-arn arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole ``` Create an 2nd IAM role and attach policy to the role (This role is required for aurora proxy to fetch db secrets from secret manager ) ```shell - aws iam create-role --role-name rds-proxy \ - --assume-role-policy-document '{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "", - "Effect": "Allow", - "Principal": - { - "Service": "rds.amazonaws.com" - }, - "Action": "sts:AssumeRole" - - } - ] - }' +aws iam create-role --role-name rds-proxy \ + --assume-role-policy-document '{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": "rds.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }' ``` ```shell - - aws iam put-role-policy --role-name rds-proxy \ - --policy-name rds-proxy-policy \ - --policy-document '{ +aws iam put-role-policy --role-name rds-proxy \ + --policy-name rds-proxy-policy \ + --policy-document '{ "Version": "2012-10-17", "Statement": [ { - "Sid": "getsm", - "Effect": "Allow", - "Action": "secretsmanager:GetSecretValue", - "Resource": "*" + "Sid": "getsm", + "Effect": "Allow", + "Action": "secretsmanager:GetSecretValue", + "Resource": "*" }, { - "Sid": "kmsdecrypt", - "Effect": "Allow", - "Action": "kms:Decrypt", - "Resource": "*", - "Condition": { - "StringEquals": { - "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com" - } + "Sid": "kmsdecrypt", + "Effect": "Allow", + "Action": "kms:Decrypt", + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com" } } + } ] - }' - + }' ``` ### Provide value to the claim before applying. - 1. 
Open the claim and substitute aurora-monitoring role arn with monitoringRoleArn and rds-proxy role arn with proxyRoleArn respectively. - 2. Make sure check the CIDR block for application and provide in the claim. This will used as the security group - ingress rule for proxy from application ( we can also provide the security group id instead of CIDR). + 1. Open the claim and substitute aurora-monitoring role arn with monitoringRoleArn and rds-proxy role arn with proxyRoleArn respectively. + 2. Make sure check the CIDR block for application and provide in the claim. This will used as the security group + ingress rule for proxy from application ( we can also provide the security group id instead of CIDR). ### Verify your XRDS and composition Verify the XRDs ```shell - kubectl get xrds +kubectl get xrds | grep xauroras.db.awsblueprint.io ``` - Expected output +Expected output: - NAME ESTABLISHED OFFERED AGE - xauroras.db.awsblueprint.io True True 5m - +NAME ESTABLISHED OFFERED AGE +xauroras.db.awsblueprint.io True True 5m - Verify the Compositions + +Verify the Compositions ```shell - - kubectl get compositions +kubectl get compositions | grep xauroras.db.awsblueprint.io ``` - Expected output. 
- Note: the output might contain more compositions but these are the ones uses by the claim in the next step - - NAME XR-KIND XR-APIVERSION AGE - xauroras.db.awsblueprint.io XAurora db.awsblueprint.io/v1alpha1 5m +Expected output: +NAME XR-KIND XR-APIVERSION AGE +xauroras.db.awsblueprint.io XAurora db.awsblueprint.io/v1alpha1 5m - if we have about same kind of output as above we can apply th claim: ( We are using a namespace as team-a in this example, if you want to change , please go ahead and create and update the same in the claim) - ```shell - cd ../composite-resources/database-examples/aurora - k apply -f aurora-postgresql.yaml +if we have about same kind of output as above we can apply th claim: ( We are using a namespace as team-a in this example, if you want to change , please go ahead and create and update the same in the claim) + ```shell + cd ../composite-resources/database-examples/aurora + k apply -f aurora-postgresql.yaml ``` - We can check the execution of claim by following command: - - - ```shell - - k get Aurora -n team-a - k describe Aurora -n team-a +We can check the execution of claim by following command: +```shell +k get Aurora -n team-a +k describe Aurora -n team-a ``` - (It should take about 15-20 min to provision the Aurora RDS cluster.) - - Below is the default behaviour of the resource which will be provisioned through the claim, just to mention all this default behaviour can be overridden through patching . +(It should take about 15-20 min to provision the Aurora RDS cluster.) +Below is the default behaviour of the resource which will be provisioned through the claim, just to mention all this default behaviour can be overridden through patching . - 1. It will create a 3 node cluster with 1 writer and 2 reader endpoint spread across 3 Azs by default. - 2. It will also create a proxy to connect to the aurora cluster. - 3. The management of database credential is done through the secret manager. - 4. 
The security group has 2 rules , one to allow the app to connect to the proxy and one within the security group - where the proxy can connect to the database (Make sure you have provided the correct the CIDR at the claim which is the allow CIDR on the security group from app.) - 5. The Aurora DB has been configured with logging and monitoring. - - ### Steps to check the connectivity from a pod + 1. It will create a 3 node cluster with 1 writer and 2 reader endpoint spread across 3 Azs by default. + 2. It will also create a proxy to connect to the aurora cluster. + 3. The management of database credential is done through the secret manager. + 4. The security group has 2 rules , one to allow the app to connect to the proxy and one within the security group + where the proxy can connect to the database (Make sure you have provided the correct the CIDR at the claim which is the allow CIDR on the security group from app.) + 5. The Aurora DB has been configured with logging and monitoring. +### Steps to check the connectivity from a pod Create an policy to allow the pod to connect to the Aurora Database ```shell - aws iam create-role --role-name aurora-monitoring \ - --assume-role-policy-document '{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "", - "Effect": "Allow", - Action": [ - "rds-db:connect" - ], - "Resource": [ - "arn:aws:rds-db:${REGION_NAME}>:${ACCOUNT_NUMBER}:dbuser:*/*" - ] - } - ] - }' +aws iam create-role --role-name aurora-monitoring \ + --assume-role-policy-document '{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Action": [ + "rds-db:connect" + ], + "Resource": [ + "arn:aws:rds-db:${REGION_NAME}:${ACCOUNT_NUMBER}:dbuser:*/*" + ] + } + ] + }' ``` - - Create a service account passing the above policy arn +Create a service account passing the above policy arn - ```shell - eksctl create iamserviceaccount \ - --name rds-access \ - --namespace team-a \ - --cluster ${CLUSTER_NAME} \ - --attach-policy-arn 
${POLICY_ARN} \ - --approve \ - -override-existing-serviceaccounts +```shell +eksctl create iamserviceaccount \ +--name rds-access \ +--namespace team-a \ +--cluster ${CLUSTER_NAME} \ +--attach-policy-arn ${POLICY_ARN} \ +--approve \ +-override-existing-serviceaccounts ``` - Generate a DB token which can be used for password when asked - +Generate a DB token which can be used for password when asked + ```shell - - PROXY_TERGET-ENDPOINT=k get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.proxyEndpoint | base64 --decode - CLUSTER_USER_NAME=k get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.clusterUsername | base64 --decode - - aws rds generate-db-auth-token \ - --hostname ${PROXY_TERGET-ENDPOINT} \ - --port 5432 \ - --region us-east-1 \ - --username ${CLUSTER_USER_NAME} - +PROXY_TERGET-ENDPOINT=k get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.proxyEndpoint | base64 --decode +CLUSTER_USER_NAME=k get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.clusterUsername | base64 --decode + +aws rds generate-db-auth-token \ +--hostname ${PROXY_TERGET-ENDPOINT} \ +--port 5432 \ +--region us-east-1 \ +--username ${CLUSTER_USER_NAME} ``` - create the pod with pgsql client: +create the pod with psql client: ```shell +k apply -f psql-client-pod.yaml +``` + +Exec into the pod + +```shell +k exec -it postgres-client -n team-a -- sh +``` - apiVersion: v1 - kind: Pod - metadata: - name: postgres-client - namespace: team-a - spec: - serviceAccountName: rds-access - containers: - - name: postgreclient - image: postgres:latest - command: ["sleep"] - args: ["3600"] # Sleep for 1 hour (3600 seconds) - envFrom: - - secretRef: - name: aurora-cluster-secrets - volumes: - - name: secret-volume - secret: - secretName: aurora-cluster-secrets # This secret name can be changed in the claim -``` - - Exec into the pod +create a DB connection and provide the token which you generate earlier for password. 
```shell +psql -h ${PROXY_TERGET-ENDPOINT} -U ${CLUSTER_USER_NAME} -d aurorapgsqldb -W +``` +You should be able to connect to the db now then, lets check the list of default table - k exec -it postgres-client -n team-a -- sh - +```shell +\dt ``` +Now we can do all the required database operation. +Note : we are providing the name of the database in the claim as: aurorapgsqldb + +### Deleting the resources: - create a DB connection and provide the token which you generate earlier for password. +First delete the psql client +```shell +k delete -f psql-client-pod.yaml +``` +Delete the PostgreSQL Database by deleting the claim +```shell +k delete -f aurora-postgresql.yaml +``` +Note: It will take around ~15-20 min delete the whole cluster +Delete the composition and XRDs ```shell - - psql -h ${PROXY_TERGET-ENDPOINT} -U ${CLUSTER_USER_NAME} -d aurorapgsqldb -W +cd ../composition/upbound-aws-provider/aurora +k delete -f aurora.yaml +k delete -f defination.yaml ``` - Note : we are providing the name of the database in the claim as: aurorapgsqldb - - Now we should be able to connect to the DB with psql client. +Note : The role aurora-monitoring & rds-proxy will eventually be part of composition , till then it will required be create these roles external to the composition. \ No newline at end of file diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/psql-client-pod.yaml b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/psql-client-pod.yaml new file mode 100644 index 00000000..0cde9940 --- /dev/null +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/psql-client-pod.yaml 
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: postgres-client
+namespace: team-a
+spec:
+serviceAccountName: rds-access
+containers:
+- name: postgreclient
+ image: postgres:latest
+ command: ["sleep"]
+ args: ["3600"] # Sleep for 1 hour (3600 seconds)
+ envFrom:
+ - secretRef:
+ name: aurora-cluster-secrets
+volumes:
+ - name: secret-volume
+ secret:
+ secretName: aurora-cluster-secrets # This secret name can be changed in the claim
\ No newline at end of file
From 12254cc00452642bc35ed1da37c5930c8fb64d24 Mon Sep 17 00:00:00 2001
From: biswajitbabu
Date: Thu, 7 Sep 2023 21:00:00 -0500
Subject: [PATCH 09/25] Readme updated: cli commands
---
 .../database-examples/aurora/README.md | 104 +++++-------------
 1 file changed, 26 insertions(+), 78 deletions(-)
diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md
index 8cbf55fb..e286a244 100644
--- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md
+++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md
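Review bot: The `volumes` entry `secret-volume` at the end of the hunk is never referenced by a `volumeMounts` in the container, so it is dead configuration while the same secret is already injected through `envFrom`; either add a `volumeMounts` for it or drop the `volumes` block, bearing in mind that a file mount is the tighter option because environment injection exposes the credentials to anything that can read the pod's process environment or `kubectl describe` output. The same unused volume survives the re-indentation of this file in the PATCH 11 hunk. At this revision `name`/`namespace` and `serviceAccountName`/`containers`/`volumes` also sit at the same column as `metadata:` and `spec:`, so both parse as null and the manifest will not apply as committed (a later patch in the series re-indents it).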
@@ -12,74 +12,31 @@ Create an IAM role and attach policy to the role (This role is required for auro ```shell -aws iam create-role --role-name aurora-monitoring \ - --assume-role-policy-document '{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "", - "Effect": "Allow", - "Principal": { - "Service": "monitoring.rds.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] - }' +aws iam create-role \ +--role-name aurora-monitoring \ +--assume-role-policy-document file://aurora-monitoring.json ``` (Attach the IAM role with AmazonRDSEnhancedMonitoringRole policy.) ```shell - -aws iam attach-role-policy --role-name aurora-monitoring \ - --policy-arn arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole - +aws iam attach-role-policy \ +--role-name aurora-monitoring \ +--policy-arn arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole ``` - Create an 2nd IAM role and attach policy to the role (This role is required for aurora proxy to fetch db secrets from secret manager ) +Create an 2nd IAM role and attach policy to the role (This role is required for aurora proxy to fetch db secrets from secret manager ) ```shell -aws iam create-role --role-name rds-proxy \ - --assume-role-policy-document '{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "", - "Effect": "Allow", - "Principal": { - "Service": "rds.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] - }' +aws iam create-role \ +--role-name rds-proxy \ +--assume-role-policy-document file://rds-proxy.json ``` ```shell -aws iam put-role-policy --role-name rds-proxy \ - --policy-name rds-proxy-policy \ - --policy-document '{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "getsm", - "Effect": "Allow", - "Action": "secretsmanager:GetSecretValue", - "Resource": "*" - }, - { - "Sid": "kmsdecrypt", - "Effect": "Allow", - "Action": "kms:Decrypt", - "Resource": "*", - "Condition": { - "StringEquals": { - "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com" - } - } 
- } - ] - }' +aws iam put-role-policy \ +--role-name rds-proxy \ +--policy-name rds-proxy-policy \ +--policy-document file://rds-proxy-policy.json ``` ### Provide value to the claim before applying. @@ -113,11 +70,11 @@ NAME XR-KIND XR-APIVERSION AGE xauroras.db.awsblueprint.io XAurora db.awsblueprint.io/v1alpha1 5m -if we have about same kind of output as above we can apply th claim: ( We are using a namespace as team-a in this example, if you want to change , please go ahead and create and update the same in the claim) +If we have about same kind of output as above we can apply th claim: ( We are using a namespace as team-a in this example, if you want to change , please go ahead and create and update the same in the claim) ```shell - cd ../composite-resources/database-examples/aurora - k apply -f aurora-postgresql.yaml +cd ../composite-resources/database-examples/aurora +k apply -f aurora-postgresql.yaml ``` We can check the execution of claim by following command: @@ -140,26 +97,16 @@ Below is the default behaviour of the resource which will be provisioned through Create an policy to allow the pod to connect to the Aurora Database ```shell -aws iam create-role --role-name aurora-monitoring \ - --assume-role-policy-document '{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "", - "Effect": "Allow", - "Action": [ - "rds-db:connect" - ], - "Resource": [ - "arn:aws:rds-db:${REGION_NAME}:${ACCOUNT_NUMBER}:dbuser:*/*" - ] - } - ] - }' +aws iam create-policy \ +--policy-name rdsproxy-access \ +--policy-document file://rdsproxy-access.json ``` Create a service account passing the above policy arn ```shell +POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`rdsproxy-access`].Arn' --output text) +CLUSTER_NAME=$(aws eks list-clusters --query 'clusters[]' --output text | grep ) + eksctl create iamserviceaccount \ --name rds-access \ --namespace team-a \ 
@@ -174,10 +121,11 @@ Generate a DB token which can be used for password when asked PROXY_TERGET-ENDPOINT=k get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.proxyEndpoint | base64 --decode CLUSTER_USER_NAME=k get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.clusterUsername | base64 --decode + aws rds generate-db-auth-token \ --hostname ${PROXY_TERGET-ENDPOINT} \ --port 5432 \ ---region us-east-1 \ +--region ${REGION} \ --username ${CLUSTER_USER_NAME} ``` create the pod with psql client: @@ -223,4 +171,4 @@ cd ../composition/upbound-aws-provider/aurora k delete -f aurora.yaml k delete -f defination.yaml ``` -Note : The role aurora-monitoring & rds-proxy will eventually be part of composition , till then it will required be create these roles external to the composition. \ No newline at end of file +Note : The role aurora-monitoring & rds-proxy will eventually be part of composition , till then it will be required to create these roles external to the composition. \ No newline at end of file From 06d1c5fd26e5fe1f7f77549b4814c4c3f3af8a4e Mon Sep 17 00:00:00 2001 
From: biswajitbabu Date: Thu, 7 Sep 2023 21:01:22 -0500 Subject: [PATCH 10/25] committing the json for roles --- .../aurora/--policy-document | 0 .../database-examples/aurora/--policy-name | 0 .../aurora/aurora-monitoring.json | 13 +++++++++++ .../aurora/rds-proxy-policy.json | 22 +++++++++++++++++++ .../database-examples/aurora/rds-proxy.json | 13 +++++++++++ .../aurora/rdsproxy-access.json | 15 +++++++++++++ 6 files changed, 63 insertions(+) create mode 100644 examples/upbound-aws-provider/composite-resources/database-examples/aurora/--policy-document create mode 100644 examples/upbound-aws-provider/composite-resources/database-examples/aurora/--policy-name create mode 100644 examples/upbound-aws-provider/composite-resources/database-examples/aurora/aurora-monitoring.json create mode 100644 examples/upbound-aws-provider/composite-resources/database-examples/aurora/rds-proxy-policy.json create mode 100644 examples/upbound-aws-provider/composite-resources/database-examples/aurora/rds-proxy.json create mode 100644 examples/upbound-aws-provider/composite-resources/database-examples/aurora/rdsproxy-access.json diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/--policy-document b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/--policy-document new file mode 100644 index 00000000..e69de29b diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/--policy-name b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/--policy-name new file mode 100644 index 00000000..e69de29b diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/aurora-monitoring.json b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/aurora-monitoring.json new file mode 100644 index 00000000..1327e3bb --- /dev/null +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/aurora-monitoring.json 
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "monitoring.rds.amazonaws.com"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rds-proxy-policy.json b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rds-proxy-policy.json
new file mode 100644
index 00000000..66db5e95
--- /dev/null
+++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rds-proxy-policy.json
@@ -0,0 +1,22 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "getsm",
+ "Effect": "Allow",
+ "Action": "secretsmanager:GetSecretValue",
+ "Resource": "*"
+ },
+ {
+ "Sid": "kmsdecrypt",
+ "Effect": "Allow",
+ "Action": "kms:Decrypt",
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"
+ }
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rds-proxy.json b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rds-proxy.json
new file mode 100644
index 00000000..082d2925
--- /dev/null
+++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rds-proxy.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "rds.amazonaws.com"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rdsproxy-access.json b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rdsproxy-access.json
new file mode 100644
index 00000000..07c0fa39
--- /dev/null
+++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rdsproxy-access.json
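Review bot: The trust policy for `monitoring.rds.amazonaws.com` carries no `Condition`, so the service can assume `aurora-monitoring` on behalf of resources in any account (the classic confused-deputy gap); the rds-proxy.json hunk below has the same omission for `rds.amazonaws.com`. Add a guard to each statement, e.g. `"Condition": { "StringEquals": { "aws:SourceAccount": "<ACCOUNT_ID>" } }`, and `aws:SourceArn` scoped to the cluster or proxy ARN where it is known. Minor: the closing `}` here and in rds-proxy-policy.json is indented one level and the files end without a newline, while rds-proxy.json closes at column 0, so the three files are inconsistently formatted.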
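Review bot: Both statements in rds-proxy-policy.json use `"Resource": "*"`, so the `rds-proxy` role can read every Secrets Manager secret in the account and call `kms:Decrypt` on any key reachable via Secrets Manager, far more than the single DB credential the proxy needs. Scope `getsm` to the secret ARN (or a `secretsmanager:ResourceTag/<tag-key>` condition matching a tag the composition applies) and `kmsdecrypt` to the key that encrypts it. The `kms:ViaService` value hard-codes `us-east-1` while the README in PATCH 09 moves the token command to `--region ${REGION}`, so decrypts will silently fail in any other region; make the region a placeholder or document the coupling. The same commit also adds two empty files named `--policy-document` and `--policy-name`, which look like artefacts of a mis-quoted CLI invocation (PATCH 11 removes them).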
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "",
+ "Effect": "Allow",
+ "Action": [
+ "rds-db:connect"
+ ],
+ "Resource": [
+ "arn:aws:rds-db:us-east-1:277030185641:dbuser:*/*"
+ ]
+ }
+ ]
+}
\ No newline at end of file
From 8a034ebccbca409f7a5501fa83685989d75e04fc Mon Sep 17 00:00:00 2001
From: biswajitbabu
Date: Fri, 8 Sep 2023 18:00:48 -0500
Subject: [PATCH 11/25] Updated based on the review
---
 .../aurora/--policy-document | 0
 .../database-examples/aurora/--policy-name | 0
 .../database-examples/aurora/README.md | 68 +++++++++++++------
 .../aurora/psql-client-pod.yaml | 24 +++----
 4 files changed, 60 insertions(+), 32 deletions(-)
 delete mode 100644 examples/upbound-aws-provider/composite-resources/database-examples/aurora/--policy-document
 delete mode 100644 examples/upbound-aws-provider/composite-resources/database-examples/aurora/--policy-name
diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/--policy-document b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/--policy-document
deleted file mode 100644
index e69de29b..00000000
diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/--policy-name b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/--policy-name
deleted file mode 100644
index e69de29b..00000000
diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md
index e286a244..7fa1ec7d 100644
--- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md
+++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md
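Review bot: The `Resource` ARN embeds a concrete account id (`277030185641`) and `us-east-1`, so anyone following the README creates a policy that grants nothing in their own account; the earlier inline version of this statement used `${REGION_NAME}:${ACCOUNT_NUMBER}`, and the committed file should keep placeholders, e.g. `"arn:aws:rds-db:<REGION>:<ACCOUNT_ID>:dbuser:*/*"`, with the README substituting them. The `dbuser:*/*` suffix also allows `rds-db:connect` to every IAM-authenticated user on every cluster and proxy in the account rather than the one proxy and user this example provisions; scope it to `dbuser:<proxy-resource-id>/<db-user>`. Publishing a real account id in an example repository is an unnecessary disclosure on its own, so it should also be scrubbed from the branch history rather than only overwritten.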
@@ -5,7 +5,9 @@ Below are the steps to create a cluster and connect from a pod with an psql clie ## Pre-requisites - [Upbound AWS Provider Crossplane Blueprint Examples](../../README.md) - +Note : aurora-monitoring & rds-proxy role will eventually be part of composition , till then we need to create that 2 role external to the composition. +Reference of the issue created for tracking: +- [Add Aurora monitoring and rds proxy role as part of the aurora composition](https://github.com/awslabs/crossplane-on-eks/issues/144) ### Create 2 roles, one for RDS Monitoring and one for RDS Proxy Create an IAM role and attach policy to the role (This role is required for aurora to perform monitoring) @@ -54,9 +56,10 @@ kubectl get xrds | grep xauroras.db.awsblueprint.io Expected output: +```shell NAME ESTABLISHED OFFERED AGE xauroras.db.awsblueprint.io True True 5m - +``` Verify the Compositions @@ -66,22 +69,23 @@ kubectl get compositions | grep xauroras.db.awsblueprint.io Expected output: +```shell NAME XR-KIND XR-APIVERSION AGE xauroras.db.awsblueprint.io XAurora db.awsblueprint.io/v1alpha1 5m - +``` If we have about same kind of output as above we can apply th claim: ( We are using a namespace as team-a in this example, if you want to change , please go ahead and create and update the same in the claim) ```shell cd ../composite-resources/database-examples/aurora -k apply -f aurora-postgresql.yaml +kubectl apply -f aurora-postgresql.yaml ``` We can check the execution of claim by following command: ```shell -k get Aurora -n team-a -k describe Aurora -n team-a +kubectl get Aurora -n team-a +kubectl describe Aurora -n team-a ``` (It should take about 15-20 min to provision the Aurora RDS cluster.) Below is the default behaviour of the resource which will be provisioned through the claim, just to mention all this default behaviour can be overridden through patching . 
@@ -118,8 +122,8 @@ eksctl create iamserviceaccount \ Generate a DB token which can be used for password when asked ```shell -PROXY_TERGET-ENDPOINT=k get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.proxyEndpoint | base64 --decode -CLUSTER_USER_NAME=k get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.clusterUsername | base64 --decode +PROXY_TERGET-ENDPOINT=kubectl get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.proxyEndpoint | base64 --decode +CLUSTER_USER_NAME=kubectl get secrets aurora-cluster-secrets -n team-a -o json | jq -r .data.clusterUsername | base64 --decode aws rds generate-db-auth-token \ 
@@ -131,44 +135,68 @@ aws rds generate-db-auth-token \ create the pod with psql client: ```shell -k apply -f psql-client-pod.yaml +kubectl apply -f psql-client-pod.yaml ``` Exec into the pod ```shell -k exec -it postgres-client -n team-a -- sh +kubectl exec -it postgres-client -n team-a -- sh ``` create a DB connection and provide the token which you generate earlier for password. ```shell -psql -h ${PROXY_TERGET-ENDPOINT} -U ${CLUSTER_USER_NAME} -d aurorapgsqldb -W +psql -h $proxyEndpoint -U $clusterUsername -d aurorapgsqldb -W ``` -You should be able to connect to the db now then, lets check the list of default table +You should be able to connect to the db. Now lets check the list of default table +Note : we are providing the name of the database in the claim as: aurorapgsqldb ```shell \dt ``` -Now we can do all the required database operation. -Note : we are providing the name of the database in the claim as: aurorapgsqldb +We should be able to do the required database operation. + ### Deleting the resources: -First delete the psql client +First delete the psql client pod ```shell -k delete -f psql-client-pod.yaml +kubectl delete -f psql-client-pod.yaml ``` Delete the PostgreSQL Database by deleting the claim ```shell -k delete -f aurora-postgresql.yaml +kubectl delete -f aurora-postgresql.yaml ``` Note: It will take around ~15-20 min delete the whole cluster + +Delete the Roles created +```shell +# Delete the serviceaccount +eksctl delete iamserviceaccount --name rds-access --cluster ${CLUSTER_NAME} --namespace team-a + +# delete the policy created for serviceaccount +aws iam delete-policy --policy-arn $(aws iam list-policies --query 'Policies[?PolicyName==`rdsproxy-access`].Arn' --output text) + +# Delete the rds-proxy-policy attached to the role +aws iam delete-role-policy --policy-name rds-proxy-policy --role-name rds-proxy + +# Delete the rds-proxy role +aws iam delete-role --role-name rds-proxy + +# Delete the rds-proxy-policy attached to the role +aws 
iam detach-role-policy \ +--role-name aurora-monitoring \ +--policy-arn arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole + +# Delete aurora-monitoring role +aws iam delete-role --role-name aurora-monitoring +``` + Delete the composition and XRDs ```shell cd ../composition/upbound-aws-provider/aurora -k delete -f aurora.yaml -k delete -f defination.yaml +kubectl delete -f aurora.yaml +kubectl delete -f defination.yaml ``` -Note : The role aurora-monitoring & rds-proxy will eventually be part of composition , till then it will be required to create these roles external to the composition. \ No newline at end of file diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/psql-client-pod.yaml b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/psql-client-pod.yaml index 0cde9940..655c33ea 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/psql-client-pod.yaml +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/psql-client-pod.yaml @@ -1,19 +1,19 @@ apiVersion: v1 kind: Pod metadata: -name: postgres-client -namespace: team-a + name: postgres-client + namespace: team-a spec: -serviceAccountName: rds-access -containers: -- name: postgreclient - image: postgres:latest - command: ["sleep"] - args: ["3600"] # Sleep for 1 hour (3600 seconds) - envFrom: - - secretRef: - name: aurora-cluster-secrets -volumes: + serviceAccountName: rds-access + containers: + - name: postgreclient + image: postgres:latest + command: ["sleep"] + args: ["3600"] # Sleep for 1 hour (3600 seconds) + envFrom: + - secretRef: + name: aurora-cluster-secrets + volumes: - name: secret-volume secret: secretName: aurora-cluster-secrets # This secret name can be changed in the claim \ No newline at end of file From 3c241d70af07fbb0265be58ffee127a1952e475b Mon Sep 17 00:00:00 2001 
From: biswajitbabu Date: Fri, 8 Sep 2023 18:25:18 -0500 Subject: [PATCH 12/25] Updated based on the review --- .../composite-resources/database-examples/aurora/README.md | 5 +++++ .../database-examples/aurora/rds-proxy-policy.json | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md index 7fa1ec7d..31e20eb3 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md @@ -34,7 +34,12 @@ aws iam create-role \ --assume-role-policy-document file://rds-proxy.json ``` +Note: Before executing the below please navigate to rds-proxy-policy.json and replace +[REGIONNAME] with your current region. + ```shell +current_region=us-east-1 # provide your current region +sed -i -e "s/REGION-NAME/$current_region/g" rds-proxy-policy.json aws iam put-role-policy \ --role-name rds-proxy \ --policy-name rds-proxy-policy \ diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rds-proxy-policy.json b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rds-proxy-policy.json index 66db5e95..0cd20803 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rds-proxy-policy.json +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rds-proxy-policy.json @@ -14,7 +14,7 @@ "Resource": "*", "Condition": { "StringEquals": { - "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com" + "kms:ViaService": "secretsmanager.REGION-NAME.amazonaws.com" } } } From 789c3e1491d4d08be082aae54173158109742c38 Mon Sep 17 00:00:00 2001 
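Review bot: The statement edited here keeps `"Resource": "*"`, so the `kms:ViaService` condition only pins the calling service and region and still lets the rds-proxy role use any KMS key in the account as long as the call comes through Secrets Manager; scoping `Resource` to the key that protects the proxy's database secret, with a labelled placeholder in the file's own style such as `"arn:aws:kms:REGION-NAME:ACCOUNT-NUM:key/KEY-ID"`, keeps the role to least privilege. The statement's `Action` list is above the hunk, so this assumes it is the decrypt permission needed for secret retrieval. The `REGION-NAME` token matches the `sed` expression the README hunk in this patch adds, but the README prose tells the reader to replace `[REGIONNAME]`, which does not occur in the file.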
From: biswajitbabu Date: Fri, 8 Sep 2023 18:27:36 -0500 Subject: [PATCH 13/25] Updated based on the review --- .../composite-resources/database-examples/aurora/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md index 31e20eb3..14832c01 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md @@ -39,6 +39,9 @@ Note: Before executing the below please navigate to rds-proxy-policy.json and re ```shell current_region=us-east-1 # provide your current region +``` + +```shell sed -i -e "s/REGION-NAME/$current_region/g" rds-proxy-policy.json aws iam put-role-policy \ --role-name rds-proxy \ From 46112c20ea9c3257316018d93eec93ba31b252fc Mon Sep 17 00:00:00 2001 From: biswajitbabu Date: Fri, 8 Sep 2023 18:39:24 -0500 Subject: [PATCH 14/25] Updated based on the review --- .../database-examples/aurora/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md index 14832c01..04bfcc03 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md 
@@ -38,11 +38,12 @@ Note: Before executing the below please navigate to rds-proxy-policy.json and re [REGIONNAME] with your current region. ```shell -current_region=us-east-1 # provide your current region +CURRENT_REGION= # replace with current region name e.g us-east-1. +CLUSTER_NAME= # replace with eks cluster name. ``` ```shell -sed -i -e "s/REGION-NAME/$current_region/g" rds-proxy-policy.json +sed -i -e "s/REGION-NAME/$CURRENT_REGION/g" rds-proxy-policy.json aws iam put-role-policy \ --role-name rds-proxy \ --policy-name rds-proxy-policy \ @@ -106,7 +107,7 @@ Below is the default behaviour of the resource which will be provisioned through 5. The Aurora DB has been configured with logging and monitoring. ### Steps to check the connectivity from a pod -Create an policy to allow the pod to connect to the Aurora Database +Create a policy to allow the pod to connect to the Aurora Database ```shell aws iam create-policy \ @@ -117,7 +118,6 @@ Create a service account passing the above policy arn ```shell POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`rdsproxy-access`].Arn' --output text) -CLUSTER_NAME=$(aws eks list-clusters --query 'clusters[]' --output text | grep ) eksctl create iamserviceaccount \ --name rds-access \ From 17431fdbc9be64bc52ae2c0a683b67359a5a765c Mon Sep 17 00:00:00 2001 From: biswajitbabu Date: Fri, 8 Sep 2023 18:43:00 -0500 Subject: [PATCH 15/25] Updated based on the review --- .../composite-resources/database-examples/aurora/README.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md index 04bfcc03..d731e900 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md 
@@ -26,16 +26,13 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole ``` -Create an 2nd IAM role and attach policy to the role (This role is required for aurora proxy to fetch db secrets from secret manager ) +Create second IAM role and attach policy to the role (This role is required for aurora proxy to fetch db secrets from secret manager ) ```shell aws iam create-role \ --role-name rds-proxy \ --assume-role-policy-document file://rds-proxy.json ``` - -Note: Before executing the below please navigate to rds-proxy-policy.json and replace -[REGIONNAME] with your current region. ```shell CURRENT_REGION= # replace with current region name e.g us-east-1. @@ -137,7 +134,7 @@ CLUSTER_USER_NAME=kubectl get secrets aurora-cluster-secrets -n team-a -o json aws rds generate-db-auth-token \ --hostname ${PROXY_TERGET-ENDPOINT} \ --port 5432 \ ---region ${REGION} \ +--region ${CURRENT_REGION} \ --username ${CLUSTER_USER_NAME} ``` create the pod with psql client: From 2e669c4e99e3f4b5c31ec51813dac5e3c41a6419 Mon Sep 17 00:00:00 2001 From: biswajitbabu Date: Sun, 10 Sep 2023 12:42:33 -0500 Subject: [PATCH 16/25] Updated README based on the review --- .../database-examples/aurora/README.md | 9 ++++++--- .../database-examples/aurora/rdsproxy-access.json | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md index d731e900..8b046207 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md 
@@ -5,9 +5,7 @@ Below are the steps to create a cluster and connect from a pod with an psql clie ## Pre-requisites - [Upbound AWS Provider Crossplane Blueprint Examples](../../README.md) -Note : aurora-monitoring & rds-proxy role will eventually be part of composition , till then we need to create that 2 role external to the composition. -Reference of the issue created for tracking: -- [Add Aurora monitoring and rds proxy role as part of the aurora composition](https://github.com/awslabs/crossplane-on-eks/issues/144) +[!NOTE]\ : aurora-monitoring and rds-proxy iam roles need to be created manually at this time but will be added to the composition, track progress in [this issue](https://github.com/awslabs/crossplane-on-eks/issues/144). ### Create 2 roles, one for RDS Monitoring and one for RDS Proxy Create an IAM role and attach policy to the role (This role is required for aurora to perform monitoring) @@ -37,10 +35,12 @@ aws iam create-role \ ```shell CURRENT_REGION= # replace with current region name e.g us-east-1. CLUSTER_NAME= # replace with eks cluster name. +ACCOUNT_NUM=$(aws sts get-caller-identity --query Account --output text) ``` ```shell sed -i -e "s/REGION-NAME/$CURRENT_REGION/g" rds-proxy-policy.json + aws iam put-role-policy \ --role-name rds-proxy \ --policy-name rds-proxy-policy \ @@ -107,6 +107,9 @@ Below is the default behaviour of the resource which will be provisioned through Create a policy to allow the pod to connect to the Aurora Database ```shell +# provide the account number and region name to the policy document. +sed -i -e "s/REGION-NAME:ACCOUNT-NUM/$CURRENT_REGION:$ACCOUNT_NUM/g" rdsproxy-access.json + aws iam create-policy \ --policy-name rdsproxy-access \ --policy-document file://rdsproxy-access.json diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rdsproxy-access.json b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rdsproxy-access.json index 07c0fa39..e25fdf65 100644 
--- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rdsproxy-access.json +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/rdsproxy-access.json @@ -8,7 +8,7 @@ "rds-db:connect" ], "Resource": [ - "arn:aws:rds-db:us-east-1:277030185641:dbuser:*/*" + "arn:aws:rds-db:REGION-NAME:ACCOUNT-NUM:dbuser:*/*" ] } ] From facb81e3db2213eb1fa3ca5446bca28465f0b854 Mon Sep 17 00:00:00 2001 From: biswajitbabu Date: Sun, 10 Sep 2023 13:49:01 -0500 Subject: [PATCH 17/25] Updated README based on the review --- .../composite-resources/database-examples/aurora/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md index 8b046207..779f1ff6 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md @@ -5,7 +5,7 @@ Below are the steps to create a cluster and connect from a pod with an psql clie ## Pre-requisites - [Upbound AWS Provider Crossplane Blueprint Examples](../../README.md) -[!NOTE]\ : aurora-monitoring and rds-proxy iam roles need to be created manually at this time but will be added to the composition, track progress in [this issue](https://github.com/awslabs/crossplane-on-eks/issues/144). +[!NOTE] : aurora-monitoring and rds-proxy iam roles need to be created manually at this time but will be added to the composition, track progress in [this issue](https://github.com/awslabs/crossplane-on-eks/issues/144). ### Create 2 roles, one for RDS Monitoring and one for RDS Proxy Create an IAM role and attach policy to the role (This role is required for aurora to perform monitoring) From 050b99b9d3c1a2990278b6f0d96806716eab7d0a Mon Sep 17 00:00:00 2001 
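Review bot: The new resource ARN still ends in `dbuser:*/*`, which grants `rds-db:connect` as any database user to every RDS instance, cluster and proxy in the account and region; parameterising the region and account narrows nothing. IAM database authentication ARNs name a specific resource id and user (`dbuser:DB-RESOURCE-ID/DB-USER-NAME`), so the example should carry placeholders for the proxy's resource id and the username the README connects with, e.g. `"arn:aws:rds-db:REGION-NAME:ACCOUNT-NUM:dbuser:PROXY-RESOURCE-ID/CLUSTER-USERNAME"`. The proxy resource id only exists once the claim has been provisioned, so the README's substitution step for this file would have to run after the cluster is up rather than next to the `aws iam create-policy` call it currently precedes.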
From: biswajitbabu Date: Sun, 10 Sep 2023 18:51:21 -0500 Subject: [PATCH 18/25] Updated README based on the review --- .../composite-resources/database-examples/aurora/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md index 779f1ff6..a416cea7 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md @@ -5,7 +5,7 @@ Below are the steps to create a cluster and connect from a pod with an psql clie ## Pre-requisites - [Upbound AWS Provider Crossplane Blueprint Examples](../../README.md) -[!NOTE] : aurora-monitoring and rds-proxy iam roles need to be created manually at this time but will be added to the composition, track progress in [this issue](https://github.com/awslabs/crossplane-on-eks/issues/144). +> [!NOTE] : aurora-monitoring and rds-proxy iam roles need to be created manually at this time but will be added to the composition, track progress in [this issue](https://github.com/awslabs/crossplane-on-eks/issues/144). ### Create 2 roles, one for RDS Monitoring and one for RDS Proxy Create an IAM role and attach policy to the role (This role is required for aurora to perform monitoring) From 43f84d5060e2862bf1562f7a398f33772bf45bd7 Mon Sep 17 00:00:00 2001 From: biswajitbabu Date: Sun, 10 Sep 2023 18:52:12 -0500 Subject: [PATCH 19/25] Updated README based on the review --- .../composite-resources/database-examples/aurora/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md index a416cea7..425d50f0 100644 
--- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md @@ -5,7 +5,8 @@ Below are the steps to create a cluster and connect from a pod with an psql clie ## Pre-requisites - [Upbound AWS Provider Crossplane Blueprint Examples](../../README.md) -> [!NOTE] : aurora-monitoring and rds-proxy iam roles need to be created manually at this time but will be added to the composition, track progress in [this issue](https://github.com/awslabs/crossplane-on-eks/issues/144). +> [!NOTE] +> aurora-monitoring and rds-proxy iam roles need to be created manually at this time but will be added to the composition, track progress in [this issue](https://github.com/awslabs/crossplane-on-eks/issues/144). ### Create 2 roles, one for RDS Monitoring and one for RDS Proxy Create an IAM role and attach policy to the role (This role is required for aurora to perform monitoring) From b8e3a4b8e36ae63be5a3cff52c32dab4dfe6740c Mon Sep 17 00:00:00 2001 From: biswajitbabu Date: Sun, 10 Sep 2023 20:22:21 -0500 Subject: [PATCH 20/25] Updated README. --- .../database-examples/aurora/README.md | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md index 425d50f0..0fc2bab2 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md 
@@ -47,15 +47,20 @@ aws iam put-role-policy \ --policy-name rds-proxy-policy \ --policy-document file://rds-proxy-policy.json ``` - ### Provide value to the claim before applying. +### Provide value to the claim before applying. 1. Open the claim and substitute aurora-monitoring role arn with monitoringRoleArn and rds-proxy role arn with proxyRoleArn respectively. 2. Make sure check the CIDR block for application and provide in the claim. This will used as the security group ingress rule for proxy from application ( we can also provide the security group id instead of CIDR). - ### Verify your XRDS and composition +### Deploy and verify XRD and composition - Verify the XRDs +Deploy the xrd and composition for aurora +```shell +# Assuming root directory. +cd ./compositions/upbound-aws-provider/aurora +kubectl apply -k . +``` ```shell kubectl get xrds | grep xauroras.db.awsblueprint.io @@ -81,10 +86,12 @@ NAME XR-KIND XR-APIVERSION AGE xauroras.db.awsblueprint.io XAurora db.awsblueprint.io/v1alpha1 5m ``` +### Apply the Aurora claim + If we have about same kind of output as above we can apply th claim: ( We are using a namespace as team-a in this example, if you want to change , please go ahead and create and update the same in the claim) ```shell -cd ../composite-resources/database-examples/aurora +cd ../../../examples/upbound-aws-provider/composite-resources/database-examples/aurora kubectl apply -f aurora-postgresql.yaml ``` @@ -104,7 +111,7 @@ Below is the default behaviour of the resource which will be provisioned through where the proxy can connect to the database (Make sure you have provided the correct the CIDR at the claim which is the allow CIDR on the security group from app.) 5. The Aurora DB has been configured with logging and monitoring. -### Steps to check the connectivity from a pod +### Test - Steps to check the database connectivity from a pod Create a policy to allow the pod to connect to the Aurora Database ```shell 
@@ -167,7 +174,7 @@ Note : we are providing the name of the database in the claim as: aurorapgsqldb We should be able to do the required database operation. -### Deleting the resources: +### Clean up: First delete the psql client pod ```shell From 03e30776d31fecc103658f7e4a5be760c3a913e3 Mon Sep 17 00:00:00 2001 From: biswajitbabu Date: Mon, 11 Sep 2023 16:44:14 -0500 Subject: [PATCH 21/25] Updated based on the PR review comment --- .../upbound-aws-provider/aurora/aurora.yaml | 2 +- .../aurora/kustomization.yaml | 2 +- .../database-examples/aurora/README.md | 34 +++++++++++++------ .../aurora/aurora-monitoring.json | 3 +- .../aurora/psql-client-pod.yaml | 2 +- .../aurora/rds-proxy-policy.json | 5 +-- .../database-examples/aurora/rds-proxy.json | 2 +- .../aurora/rdsproxy-access.json | 4 +-- 8 files changed, 34 insertions(+), 20 deletions(-) diff --git a/compositions/upbound-aws-provider/aurora/aurora.yaml b/compositions/upbound-aws-provider/aurora/aurora.yaml index fd93726f..ef601712 100644 --- a/compositions/upbound-aws-provider/aurora/aurora.yaml +++ b/compositions/upbound-aws-provider/aurora/aurora.yaml @@ -548,4 +548,4 @@ spec: toFieldPath: spec.forProvider.targetGroupName - type: FromCompositeFieldPath fromFieldPath: status.clusterIdentifier - toFieldPath: spec.forProvider.dbClusterIdentifier \ No newline at end of file + toFieldPath: spec.forProvider.dbClusterIdentifier diff --git a/compositions/upbound-aws-provider/aurora/kustomization.yaml b/compositions/upbound-aws-provider/aurora/kustomization.yaml index 7f2577d1..ba82900b 100644 --- a/compositions/upbound-aws-provider/aurora/kustomization.yaml +++ b/compositions/upbound-aws-provider/aurora/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - definition.yaml -- aurora.yaml \ No newline at end of file +- aurora.yaml 
diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md index 0fc2bab2..f028019c 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md @@ -1,5 +1,5 @@ # Steps to to deploy aurora rds cluster -This example deploys an Aurora PostgreSQL database cluster. +This example deploys an Aurora PostgreSQL database cluster with Amazon RDS Proxy for Aurora. Below are the steps to create a cluster and connect from a pod with an psql client. ## Pre-requisites @@ -11,6 +11,11 @@ Below are the steps to create a cluster and connect from a pod with an psql clie Create an IAM role and attach policy to the role (This role is required for aurora to perform monitoring) +```shell +# Assuming root directory. +cd cd ./examples/upbound-aws-provider/composite-resources/database-examples/aurora +``` + ```shell aws iam create-role \ @@ -40,7 +45,7 @@ ACCOUNT_NUM=$(aws sts get-caller-identity --query Account --output text) ``` ```shell -sed -i -e "s/REGION-NAME/$CURRENT_REGION/g" rds-proxy-policy.json +envsubst Date: Mon, 11 Sep 2023 17:08:57 -0500 Subject: [PATCH 22/25] Updated based on the PR review comment --- .../composite-resources/database-examples/aurora/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md index f028019c..f7ede54a 100644 --- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md +++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md 
@@ -13,7 +13,7 @@ Create an IAM role and attach policy to the role (This role is required for auro ```shell # Assuming root directory. -cd cd ./examples/upbound-aws-provider/composite-resources/database-examples/aurora +cd ./examples/upbound-aws-provider/composite-resources/database-examples/aurora ``` From 2a107e5e7a6291b31bfc0f0de8b53992895a0939 Mon Sep 17 00:00:00 2001 From: biswajitbabu Date: Wed, 13 Sep 2023 23:08:08 -0500 Subject: [PATCH 23/25] Updated xrd and composition --- .../upbound-aws-provider/aurora/aurora.yaml | 83 ++++++++++--------- .../aurora/definition.yaml | 19 +++-- .../aurora/aurora-postgresql.yaml | 25 +++--- 3 files changed, 69 insertions(+), 58 deletions(-) diff --git a/compositions/upbound-aws-provider/aurora/aurora.yaml b/compositions/upbound-aws-provider/aurora/aurora.yaml index ef601712..24d1e875 100644 --- a/compositions/upbound-aws-provider/aurora/aurora.yaml +++ b/compositions/upbound-aws-provider/aurora/aurora.yaml @@ -1,11 +1,12 @@ apiVersion: apiextensions.crossplane.io/v1 kind: Composition metadata: - name: xauroras.db.awsblueprint.io + name: xaurora-postgresql.db.awsblueprint.io labels: awsblueprints.io/provider: aws awsblueprints.io/environment: dev cluster.awsblueprints.io/configuration: standard + cluster.awsblueprints.io/type: postgresql spec: writeConnectionSecretsToNamespace: crossplane-system compositeTypeRef: @@ -181,7 +182,7 @@ spec: - type: PatchSet patchSetName: common-fields - type: FromCompositeFieldPath - fromFieldPath: spec.resourceConfig.parameterGroupFamily + fromFieldPath: spec.clusterConfig.parameterGroupFamily toFieldPath: spec.forProvider.family - type: ToCompositeFieldPath fromFieldPath: status.atProvider.arn 
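Review bot: Renaming the Composition to `xaurora-postgresql.db.awsblueprint.io` leaves the README's verification step out of date: the earlier README hunks check with `kubectl get compositions | grep xauroras.db.awsblueprint.io`, which now matches nothing, and this patch touches only aurora.yaml, definition.yaml and the example claim. The check should become `kubectl get compositions | grep xaurora-postgresql.db.awsblueprint.io` (the `kubectl get xrds` check is unaffected, since the XRD name does not change in this series). Any existing XR that pinned the old name through `compositionRef` would also lose its composition after this rename, which deserves a sentence in the commit message. The added `cluster.awsblueprints.io/type: postgresql` label matches the one added to the example claim later in the patch; presumably it is meant for composition selection, so the claim's selector block, which lies outside these hunks, should be confirmed to include it.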
@@ -229,49 +230,49 @@ spec:
 - type: PatchSet
 patchSetName: common-fields
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.databaseName
+ fromFieldPath: spec.clusterConfig.databaseName
 toFieldPath: spec.forProvider.databaseName
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.engine
+ fromFieldPath: spec.clusterConfig.engine
 toFieldPath: spec.forProvider.engine
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.engineVersion
+ fromFieldPath: spec.clusterConfig.engineVersion
 toFieldPath: spec.forProvider.engineVersion
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.masterUsername
+ fromFieldPath: spec.clusterConfig.masterUsername
 toFieldPath: spec.forProvider.masterUsername
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.skipFinalSnapshot
+ fromFieldPath: spec.clusterConfig.skipFinalSnapshot
 toFieldPath: spec.forProvider.skipFinalSnapshot
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.storageType
+ fromFieldPath: spec.clusterConfig.storageType
 toFieldPath: spec.forProvider.storageType
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.allocatedStorage
+ fromFieldPath: spec.clusterConfig.allocatedStorage
 toFieldPath: spec.forProvider.allocatedStorage
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.availabilityZones
+ fromFieldPath: spec.clusterConfig.availabilityZones
 toFieldPath: spec.forProvider.availabilityZones
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.backupRetentionPeriod
+ fromFieldPath: spec.clusterConfig.backupRetentionPeriod
 toFieldPath: spec.forProvider.backupRetentionPeriod
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.enabledCloudwatchLogsExports
+ fromFieldPath: spec.clusterConfig.enabledCloudwatchLogsExports
 toFieldPath: spec.forProvider.enabledCloudwatchLogsExports
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.preferredBackupWindow
+ fromFieldPath: spec.clusterConfig.preferredBackupWindow
 toFieldPath: spec.forProvider.preferredBackupWindow
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.preferredMaintenanceWindow
+ fromFieldPath: spec.clusterConfig.preferredMaintenanceWindow
 toFieldPath: spec.forProvider.preferredMaintenanceWindow
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.applyImmediately
+ fromFieldPath: spec.clusterConfig.applyImmediately
 toFieldPath: spec.forProvider.applyImmediately
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.snapshotIdentifier
+ fromFieldPath: spec.clusterConfig.snapshotIdentifier
 toFieldPath: spec.forProvider.snapshotIdentifier
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.finalSnapshotIdentifier
+ fromFieldPath: spec.clusterConfig.finalSnapshotIdentifier
 toFieldPath: spec.forProvider.finalSnapshotIdentifier
 - type: FromCompositeFieldPath
 fromFieldPath: status.clusterParameterGroupName
@@ -319,28 +320,28 @@ spec:
 - type: PatchSet
 patchSetName: common-fields
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.engine
+ fromFieldPath: spec.clusterConfig.engine
 toFieldPath: spec.forProvider.engine
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.engineVersion
+ fromFieldPath: spec.clusterConfig.engineVersion
 toFieldPath: spec.forProvider.engineVersion
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.clusterInstanceClass
+ fromFieldPath: spec.clusterConfig.clusterInstanceClass
 toFieldPath: spec.forProvider.instanceClass
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.performanceInsightsEnabled
+ fromFieldPath: spec.clusterConfig.performanceInsightsEnabled
 toFieldPath: spec.forProvider.performanceInsightsEnabled
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.monitoringRoleArn
+ fromFieldPath: spec.clusterConfig.monitoringRoleArn
 toFieldPath: spec.forProvider.monitoringRoleArn
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.monitoringInterval
+ fromFieldPath: spec.clusterConfig.monitoringInterval
 toFieldPath: spec.forProvider.monitoringInterval
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.applyImmediately
+ fromFieldPath: spec.clusterConfig.applyImmediately
 toFieldPath: spec.forProvider.applyImmediately
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.performanceInsightsRetentionPeriod
+ fromFieldPath: spec.clusterConfig.performanceInsightsRetentionPeriod
 toFieldPath: spec.forProvider.performanceInsightsRetentionPeriod
 - type: FromCompositeFieldPath
 fromFieldPath: status.clusterIdentifier
@@ -367,28 +368,28 @@ spec:
 - type: PatchSet
 patchSetName: common-fields
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.engine
+ fromFieldPath: spec.clusterConfig.engine
 toFieldPath: spec.forProvider.engine
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.engineVersion
+ fromFieldPath: spec.clusterConfig.engineVersion
 toFieldPath: spec.forProvider.engineVersion
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.clusterInstanceClass
+ fromFieldPath: spec.clusterConfig.clusterInstanceClass
 toFieldPath: spec.forProvider.instanceClass
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.performanceInsightsEnabled
+ fromFieldPath: spec.clusterConfig.performanceInsightsEnabled
 toFieldPath: spec.forProvider.performanceInsightsEnabled
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.monitoringRoleArn
+ fromFieldPath: spec.clusterConfig.monitoringRoleArn
 toFieldPath: spec.forProvider.monitoringRoleArn
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.monitoringInterval
+ fromFieldPath: spec.clusterConfig.monitoringInterval
 toFieldPath: spec.forProvider.monitoringInterval
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.applyImmediately
+ fromFieldPath: spec.clusterConfig.applyImmediately
 toFieldPath: spec.forProvider.applyImmediately
 - type: FromCompositeFieldPath
- fromFieldPath: spec.resourceConfig.performanceInsightsRetentionPeriod
+ fromFieldPath: spec.clusterConfig.performanceInsightsRetentionPeriod
 toFieldPath: spec.forProvider.performanceInsightsRetentionPeriod
 - type: FromCompositeFieldPath
 fromFieldPath: status.clusterIdentifier
@@ -415,28 +416,28 @@ spec:
 - type: PatchSet
 patchSetName: common-fields
 - type: FromCompositeFieldPath
-fromFieldPath: spec.resourceConfig.engine
+fromFieldPath: spec.clusterConfig.engine
 toFieldPath: spec.forProvider.engine
 - type: FromCompositeFieldPath
-fromFieldPath: spec.resourceConfig.engineVersion
+fromFieldPath: spec.clusterConfig.engineVersion
 toFieldPath: spec.forProvider.engineVersion
 - type: FromCompositeFieldPath
-fromFieldPath: spec.resourceConfig.clusterInstanceClass
+fromFieldPath: spec.clusterConfig.clusterInstanceClass
 toFieldPath: spec.forProvider.instanceClass
 - type: FromCompositeFieldPath
-fromFieldPath: spec.resourceConfig.performanceInsightsEnabled
+fromFieldPath: spec.clusterConfig.performanceInsightsEnabled
 toFieldPath: spec.forProvider.performanceInsightsEnabled
 - type: FromCompositeFieldPath
-fromFieldPath: spec.resourceConfig.monitoringRoleArn
+fromFieldPath: spec.clusterConfig.monitoringRoleArn
 toFieldPath: spec.forProvider.monitoringRoleArn
 - type: FromCompositeFieldPath
-fromFieldPath: spec.resourceConfig.monitoringInterval
+fromFieldPath: spec.clusterConfig.monitoringInterval
 toFieldPath: spec.forProvider.monitoringInterval
 - type: FromCompositeFieldPath
-fromFieldPath: spec.resourceConfig.applyImmediately
+fromFieldPath: spec.clusterConfig.applyImmediately
 toFieldPath: spec.forProvider.applyImmediately
 - type: FromCompositeFieldPath
-fromFieldPath: spec.resourceConfig.performanceInsightsRetentionPeriod
+fromFieldPath: spec.clusterConfig.performanceInsightsRetentionPeriod
 toFieldPath: spec.forProvider.performanceInsightsRetentionPeriod
 - type: FromCompositeFieldPath
 fromFieldPath: status.clusterIdentifier
diff --git a/compositions/upbound-aws-provider/aurora/definition.yaml b/compositions/upbound-aws-provider/aurora/definition.yaml
index 822fa269..08940e0b 100644
--- a/compositions/upbound-aws-provider/aurora/definition.yaml
+++ b/compositions/upbound-aws-provider/aurora/definition.yaml
@@ -66,6 +66,18 @@ spec:
 - Orphan
 type: string
 default: Delete
+tags:
+additionalProperties:
+type: string
+description: Key-value map of resource tags.
+type: object
+required:
+- providerConfigName
+- region
+clusterConfig:
+description: parameter for Aurora cluster resource.
+type: object
+properties:
 parameterGroupFamily:
 description: Parameter group family name.
 type: string
@@ -133,14 +145,7 @@ spec:
 type: string
 finalSnapshotIdentifier:
 type: string
-tags:
-additionalProperties:
-type: string
-description: Key-value map of resource tags.
-type: object
 required:
-- providerConfigName
-- region
 - monitoringRoleArn
 proxyConfig:
 description: parameter for Aurora Proxy configuration
diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/aurora-postgresql.yaml b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/aurora-postgresql.yaml
index 4d561001..e3efdf94 100644
--- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/aurora-postgresql.yaml
+++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/aurora-postgresql.yaml
@@ -11,7 +11,20 @@ spec:
 awsblueprints.io/provider: aws
 awsblueprints.io/environment: dev
 cluster.awsblueprints.io/configuration: standard
+cluster.awsblueprints.io/type: postgresql
+resourceConfig:
+# Required Fields
+providerConfigName: aws-provider-config
+region: us-east-1
+deletionPolicy: Delete
+# Optional Field
+tags:
+cluster: aurora-cluster
+namespace: team-a
+environment: dev
+application: my-app
 networkConfig:
+# Required Fields for network config
 # the below ids needs to be updated before use.
 vpcId: vpc-123455
 subnetIds:
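Review bot: The new `clusterConfig` object's description, `parameter for Aurora cluster resource.`, does not tell a claim author which of its fields must be set, even though the second hunk of this file reduces its `required` list to `monitoringRoleArn` alone while `providerConfigName` and `region` move to `resourceConfig`. Since the description is what surfaces in `kubectl explain` and generated docs, I would state the contract there: `description: Parameters for the Aurora cluster and its instances (engine, version, instance class, monitoring); monitoringRoleArn is the only required field.` A matching one-line description on `resourceConfig`, naming `providerConfigName` and `region` as required, would make the split between the two objects explicit; that key's own lines are outside this hunk.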
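Review bot: In the example's new `resourceConfig` block, `deletionPolicy: Delete` sits under `# Required Fields`, but the XRD hunk in this same commit shows it as an enum with `default: Delete`, so it is optional, and with Crossplane's `Delete` policy the Aurora cluster and its data are removed together with the claim. Copy-pasting this example into a non-dev environment would inherit that behaviour silently. Suggest moving the line under `# Optional Field` with a comment, `deletionPolicy: Delete  # default; set to Orphan to keep the cluster and its data when the claim is deleted`, so the data-loss trade-off is visible where the value is chosen.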
@@ -22,14 +35,11 @@ spec:
 allowedCidrBlocks:
 - 10.0.0.0/8
 # allowedSecurityGroupId: sg-0dd0ff1bsgd345
-resourceConfig:
-# Required Fields for Cluster
-providerConfigName: aws-provider-config
-region: us-east-1
+clusterConfig:
+# Required Fields for Cluster config
 monitoringRoleArn: arn:aws:iam::12345678901:role/name-of-the-rds-role
 # Below parameters have default set up in definition
 # This can be patched to a different value based on req.
-deletionPolicy: Delete
 databaseName: aurorapgsqldb
 parameterGroupFamily: aurora-postgresql15
 engine: aurora-postgresql
@@ -50,11 +60,6 @@ spec:
 #Optional Field
 enabledCloudwatchLogsExports:
 - "postgresql"
-tags:
-cluster: aurora-cluster
-namespace: team-a
-environment: dev
-application: my-app
 proxyConfig:
 # Required Fields for proxy
 # Role for aurora proxy to get the secrets from secret manager
From 82e6db9ee06f7f39888d65d5163647da4f31d6ce Mon Sep 17 00:00:00 2001
From: biswajitbabu
Date: Wed, 13 Sep 2023 23:10:10 -0500
Subject: [PATCH 24/25] Updated xrd and composition
---
compositions/upbound-aws-provider/aurora/aurora.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/compositions/upbound-aws-provider/aurora/aurora.yaml b/compositions/upbound-aws-provider/aurora/aurora.yaml
index 24d1e875..b79d77b5 100644
--- a/compositions/upbound-aws-provider/aurora/aurora.yaml
+++ b/compositions/upbound-aws-provider/aurora/aurora.yaml
@@ -1,7 +1,7 @@
 apiVersion: apiextensions.crossplane.io/v1
 kind: Composition
 metadata:
-name: xaurora-postgresql.db.awsblueprint.io
+name: xauroras-postgresql.db.awsblueprint.io
 labels:
 awsblueprints.io/provider: aws
 awsblueprints.io/environment: dev
From 5baf7f205af48a2b69bb7807ea2e7a3ecea75137 Mon Sep 17 00:00:00 2001
From: biswajitbabu
Date: Wed, 13 Sep 2023 23:27:47 -0500
Subject: [PATCH 25/25] Updated README.
---
.../database-examples/aurora/README.md | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md
index f7ede54a..1150ccd9 100644
--- a/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md
+++ b/examples/upbound-aws-provider/composite-resources/database-examples/aurora/README.md
@@ -109,10 +109,24 @@ kubectl describe Aurora -n team-a
 It should take about 15-20 min to provision the Aurora RDS cluster.
 ```shell
-# Commands we can use to check the status of the cluster.
-# you can use describe to get detail information.
+# To check the status of the cluster.
 kubectl get clusters.rds.aws.upbound.io
 kubectl get clusterinstances.rds.aws.upbound.io
+
+# to check the status of proxy
+kubectl get proxies.rds.aws.upbound.io
+
+# To check the status of security group
+kubectl get securitygroup.ec2.aws.upbound.io
+kubectl get securitygrouprules.ec2.aws.upbound.io
+
+# To check the status of subnet group
+kubectl get subnetgroups.rds.aws.upbound.io
+
+# To check the status of subnet group
+k get Aurora -n team-a
+
+# you can use describe to get detail information of the particular resource.
 ```
 Below is the default behaviour of the resource which will be provisioned through the claim, just to mention all this default behaviour can be overridden through patching .