{DocumentDB}Amazon DocumentDB クラスターのスナップショットの共有

-- 1. KMSカスタマキーの作成
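# Write the KMS key policy to key01.json non-interactively (the original step opened the file in vim),
# so the runbook can be replayed without an editor. The policy content is unchanged. Its four statements:
#   1. the account root (999999999999) gets kms:*, so IAM policies in this account can delegate key access;
#   2. iamuser is key administrator — note kms:Put* covers PutKeyPolicy and Delete*/ScheduleKeyDeletion
#      allow destroying the key, so keep this principal tightly controlled;
#   3. iamuser and the root of the sharing target account (888888888888) may use the key; the target
#      account presumably needs this when it copies the shared encrypted snapshot (see step 5);
#   4. the same principals may create grants, but only on behalf of AWS services
#      (kms:GrantIsForAWSResource), which is what the managed services need to attach the key.
# NOTE(review): statements 3 and 4 carry no kms:ViaService condition, so the target account can use the
# key outside DocumentDB as well; if the key exists only for this snapshot exchange, add one (confirm
# the service name DocumentDB presents to KMS before doing so).
cat > key01.json <<'EOF'
{
  "Id": "key01",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::999999999999:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::999999999999:user/iamuser"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::999999999999:user/iamuser",
          "arn:aws:iam::888888888888:root"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::999999999999:user/iamuser",
          "arn:aws:iam::888888888888:root"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
EOF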

# Create the customer-managed key with the policy written above. Note the KeyId / Arn in the
# response (or add `--query KeyMetadata.Arn --output text`); the encrypted cluster in step 2 needs it.
aws kms create-key --description key01 --policy file://key01.json


-- 2. Amazon DocumentDB クラスターの作成
cluster01 <-- 暗号化なし
cluster02 <-- 暗号化有


# cluster01: storage encryption off (no --kms-key-id); deletion protection is off only because this
# is a throwaway test cluster.
# NOTE(review): the master password is passed on argv, where it lands in shell history and is visible
# to `ps`; outside a lab supply it through --cli-input-json file://... instead, and do not reuse the
# literal 'password'.
aws docdb create-db-cluster \
  --db-cluster-identifier cluster01 \
  --engine docdb --engine-version 4.0.0 --port 27017 \
  --master-username test --master-user-password 'password' \
  --no-storage-encrypted \
  --no-deletion-protection

# One instance so the cluster accepts connections in step 3.
aws docdb create-db-instance \
  --db-cluster-identifier cluster01 \
  --db-instance-identifier instance01 \
  --db-instance-class db.t3.medium --engine docdb \
  --no-auto-minor-version-upgrade

# cluster02: storage encrypted with the customer-managed key from step 1. Replace the --kms-key-id
# value with the Arn returned by create-key; a customer-managed key is required, since snapshots
# encrypted with the account's default KMS key cannot be shared with another account.
# NOTE(review): same argv/password exposure as cluster01 — prefer --cli-input-json file://... and a
# real password outside a lab.
aws docdb create-db-cluster \
  --db-cluster-identifier cluster02 \
  --engine docdb --engine-version 4.0.0 --port 27017 \
  --master-username test --master-user-password 'password' \
  --storage-encrypted \
  --kms-key-id arn:aws:kms:ap-northeast-1:999999999999:key/11111111-2222-3333-4444-555555555555 \
  --no-deletion-protection

aws docdb create-db-instance \
  --db-cluster-identifier cluster02 \
  --db-instance-identifier instance02 \
  --db-instance-class db.t3.medium --engine docdb \
  --no-auto-minor-version-upgrade


# Check that both clusters and their instances have finished creating before connecting or
# taking snapshots.
aws docdb describe-db-clusters  --filter Name=engine,Values=docdb
aws docdb describe-db-instances --filter Name=engine,Values=docdb


-- 3. テストデータ作成
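# Register the MongoDB 4.0 yum repository (package signature verification stays on: gpgcheck=1 with
# the upstream key over https) and install the mongo shell. A quoted heredoc replaces `echo -e`,
# whose escape handling is not portable across shells, and drops the stray trailing spaces the
# original wrote after "[mongodb-org-4.0]", "gpgcheck=1" and "enabled=1".
sudo tee /etc/yum.repos.d/mongodb-org-4.0.repo <<'EOF'
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/amazon/2013.03/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOF
sudo yum install -y mongodb-org-shell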

# Fetch the CA bundle used to verify the DocumentDB server certificate (--sslCAFile). Keep
# verification on — do not work around a handshake failure with --sslAllowInvalidCertificates.
# NOTE(review): AWS has since published a newer bundle (global-bundle.pem); confirm this file still
# covers the cluster's CA before relying on it.
# No --password is given, so the mongo shell prompts for it instead of exposing it on argv.
wget https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem

mongo --ssl --sslCAFile rds-combined-ca-bundle.pem --username test \
  --host cluster01.cluster-xxxxxxxxxxxx.ap-northeast-1.docdb.amazonaws.com:27017
mongo --ssl --sslCAFile rds-combined-ca-bundle.pem --username test \
  --host cluster02.cluster-xxxxxxxxxxxx.ap-northeast-1.docdb.amazonaws.com:27017

--コレクション作成とデータ追加
// Run inside the mongo shell opened above. `use` and `show` are shell helpers, not JavaScript.
use test

// No explicit createCollection: the first insert creates tab1 implicitly.
db.tab1.insert({_id:1,col2:"val12",col3:13});
db.tab1.insert({_id:2,col2:"val22",col3:23});

// Both documents should be returned; this is the data the snapshots below will carry.
db.tab1.find()

show dbs
show collections


-- 4. クラスタースナップショットを作成する

# Manual cluster snapshots, one per cluster. snap02 is encrypted with the same key as cluster02,
# which is why the key policy in step 1 matters for sharing it.
aws docdb create-db-cluster-snapshot \
  --db-cluster-snapshot-identifier snap01 \
  --db-cluster-identifier cluster01
aws docdb create-db-cluster-snapshot \
  --db-cluster-snapshot-identifier snap02 \
  --db-cluster-identifier cluster02

# Wait until both snapshots are listed as complete before sharing them.
aws docdb describe-db-cluster-snapshots

-- 5. クラスタースナップショットの共有

-- ①暗号化されていないスナップショットの共有

-- 共有の追加
# Grant account 888888888888 permission to restore snap01. The `restore` attribute holds the list of
# account IDs allowed to restore the snapshot; adding the value "all" instead would make the snapshot
# public, so always name the specific account.
aws docdb modify-db-cluster-snapshot-attribute \
  --attribute-name restore \
  --values-to-add '["888888888888"]' \
  --db-cluster-snapshot-identifier snap01

-- 共有の削除
# Revoke the share again: the account is dropped from snap01's `restore` attribute.
aws docdb modify-db-cluster-snapshot-attribute \
  --attribute-name restore \
  --values-to-remove '["888888888888"]' \
  --db-cluster-snapshot-identifier snap01


-- ②暗号化されたスナップショットの共有

-- 共有の追加
# Share the encrypted snapshot. Same `restore` attribute as snap01, but sharing only works because
# the key policy from step 1 lets 888888888888 use the KMS key; the target account must still copy
# the snapshot into its own account before restoring (see the note below). Never use "all" here —
# it would make the snapshot public.
aws docdb modify-db-cluster-snapshot-attribute \
  --attribute-name restore \
  --values-to-add '["888888888888"]' \
  --db-cluster-snapshot-identifier snap02

-- 共有の削除
# Revoke the share on snap02. Note this does not touch the key policy: 888888888888 keeps its KMS
# permissions until the policy in step 1 is edited.
aws docdb modify-db-cluster-snapshot-attribute \
  --attribute-name restore \
  --values-to-remove '["888888888888"]' \
  --db-cluster-snapshot-identifier snap02

 

※共有先で共有された暗号化スナップショットを使用するためには、まず共有先のアカウントにスナップショットをコピーする必要がある

 

-- 6. クリーンアップ

-- Amazon DocumentDBインスタンス削除

# Instances have to go before their clusters can be deleted.
aws docdb delete-db-instance --db-instance-identifier instance01
aws docdb delete-db-instance --db-instance-identifier instance02


-- Amazon DocumentDBクラスター削除

# --skip-final-snapshot is acceptable for this test data only; for real clusters take a final
# snapshot (and keep deletion protection on) instead.
aws docdb delete-db-cluster --skip-final-snapshot \
  --db-cluster-identifier cluster01
aws docdb delete-db-cluster --skip-final-snapshot \
  --db-cluster-identifier cluster02


-- クラスタースナップショットの一覧
aws docdb describe-db-cluster-snapshots


-- クラスタースナップショットの削除

# Delete the snapshots shared in step 5; check first that the share attribute has been revoked,
# since a copy made by the target account is not affected by this deletion.
aws docdb delete-db-cluster-snapshot \
  --db-cluster-snapshot-identifier snap01
aws docdb delete-db-cluster-snapshot \
  --db-cluster-snapshot-identifier snap02


-- KMSキーの一覧
aws kms list-keys


-- KMSキーの削除

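# Schedule the customer-managed key for deletion. The original was missing the line continuation
# before --pending-window-in-days, so that option ran as a separate (failing) command. 7 days is
# the minimum waiting period (the default is 30); for a key that ever protected real data keep a
# longer window, because anything still encrypted with it — snap02 and any copy the target account
# made — becomes unrecoverable once the key is gone.
aws kms schedule-key-deletion \
  --key-id arn:aws:kms:ap-northeast-1:999999999999:key/11111111-2222-3333-4444-555555555555 \
  --pending-window-in-days 7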