diff --git a/docs/docs/exporting-snapshot-to-landing-zone.md b/docs/docs/exporting-snapshot-to-landing-zone.md index 1469ac41..5de087e6 100644 --- a/docs/docs/exporting-snapshot-to-landing-zone.md +++ b/docs/docs/exporting-snapshot-to-landing-zone.md @@ -19,3 +19,90 @@ After the deployment these resources will export the data from any instance list 5. Once the export task is started the lambda queues an SQS message with the export task identifier and the RDS export storage bucket name 6. The queued message invoked the copier lambda 7. The copier lambda checks the state of the export task and once the export is completed, it transfers the exported data into an S3 bucket in the data platform account + +### Developer notes + +There are development modules for testing this setup between sandbox and Data Platform development account. They'll deploy all necessary resources for complete test setup. + +The modules can be found in `core/29-db-snapshot-to-s3-sandbox.tf` file. + +To deploy the resources please follow these steps (instructions also in the terraform file itself): + +1. Deploy the `db_snapshot_to_s3_sandbox_resources` module. This will deploy the database and bastion bost resources to sandbox account +2. Copy the deployed sandbox database's name to `rds_instance_ids` array variable in the `env.tfvars` file +3. Deploy the `lambda_artefact_storage_for_sandbox_account` module. This will deploy the bucket for Lambda resources +4. Deploy the `db_snapshot_to_s3_sandbox` module. This is the current module for the RDS snapshot to cross account S3 feature used in production and will deploy all resources required for end to end setup +5. Update the raw zone bucket on Data Platform devevelopment account in your workspace with the following bucket and bucket key policy statements. Use these as inputs for `bucket_policy_statements` and `bucket_key_policy_statements` in the raw zone bucket module + +Bucket policy statement: + +``` +sandbox_s3_to_s3_copier_write_access_to_raw_zone_statement = { + sid = "AllowSandboxS3toS3CopierWriteAccessToRawZoneUnrestrictedLocation" + effect = "Allow" + + actions = [ + "s3:ListBucket", + "s3:PutObject", + "s3:PutObjectAcl" + ] + principals = { + type = "AWS" + identifiers = [ + "arn:aws:iam::${var.aws_sandbox_account_id}:root", + "arn:aws:iam::${var.aws_sandbox_account_id}:role/${local.identifier_prefix}-s3-to-s3-copier-lambda" + ] + } + + resources = [ + "${module.raw_zone.bucket_arn}", + "${module.raw_zone.bucket_arn}/unrestricted/${replace(lower(local.identifier_prefix), "/[^a-zA-Z0-9]+/", "_")}sandbox/*" + ] +} + +``` + +Bucket key policy statement: + +``` +sandbox_s3_to_s3_copier_raw_zone_key_statement = { + sid = "SandboxS3ToS3CopierAccessToRawZoneKey" + effect = "Allow" + actions = [ + "kms:Encrypt", + "kms:GenerateDataKey*" + ] + + principals = { + type = "AWS" + identifiers = [ + "arn:aws:iam::${var.aws_sandbox_account_id}:root" + "arn:aws:iam::${var.aws_sandbox_account_id}:role/${local.identifier_prefix}-s3-to-s3-copier-lambda" + ] +} +``` + +6. Uncomment the statement in the sandbox database key policy to allow the RDS snapshot to S3 lambda role access to the key. This must be done after all other resources have been deployed. + +7. Connect to the database from the sandbox bastion host using AWS Session Manager and import some dummy data for testing + +You can import some test data by following these steps: +``` + sudo yum update -y + sudo amazon-linux-extras enable postgresql14 + sudo yum install postgresql-server -y + psql --host= --port=5432 --username=sandbox_db_admin --password --dbname= + + Enter the generated database password from the Secrets Manager + + You can use the following resources for quick test data setup + + schema: https://github.com/LBHackney-IT/social-care-case-viewer-api/blob/master/database/schema.sql + seeds: https://github.com/LBHackney-IT/social-care-case-viewer-api/blob/master/database/seeds.sql + + Simply copy and paste the files' content to the PSQL CLI terminal + ``` + +8. Test the setup by taking a manual snapshot of the sandbox database. Once the process is complete you should have data in your Data Platform devevelopment raw zone in the unrestricted area. The data will be in a folder matching the sandbox database name + +Once you have completed testing you can destroy the resources by completing the steps in reverse order from step 6.