Overview
Ringer can be configured to import a database from Amazon RDS PostgreSQL or Amazon Aurora. To do this, Ringer must be able to connect to the database instance. If the database is running inside a VPC, you may need to configure the VPC to allow connections from the Ringer server. See the RDS User Guide for more info.
S3
To start, create an S3 bucket to hold data exported from your database. You can use an existing bucket, but you should choose a path prefix to isolate exported data from anything else in the bucket. In the configuration below, replace <s3 bucket> with the name of your bucket and <s3 prefix> with the path prefix, or leave it blank if you are not using one.
IAM
Next we will create the necessary IAM configuration in AWS.
Create a new IAM policy called Ringer with the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPassRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::<account>:role/Ringer"
      ]
    },
    {
      "Sid": "AllowS3Access",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::<s3 bucket>",
        "arn:aws:s3:::<s3 bucket>/<s3 prefix>/*"
      ]
    },
    {
      "Sid": "AllowRDSExport",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeExportTasks",
        "rds:StartExportTask"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowRDSSnapshot",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBSnapshots",
        "rds:CreateDbSnapshot"
      ],
      "Resource": [
        "arn:aws:rds:<region>:<account>:db:<rds instance name>",
        "arn:aws:rds:<region>:<account>:snapshot:*"
      ]
    }
  ]
}
The final statement is only required if you are importing from a standalone RDS instance rather than an Aurora cluster.
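The following Python sketch is an added example, not part of Ringer's documentation or tooling. It fills in the policy's placeholders, drops the extra path separator when the prefix is blank, and omits the final statement for Aurora. The function name `render_ringer_policy` and all sample values are assumptions made for illustration.

```python
import json
import re


def render_ringer_policy(account, region, bucket, prefix="", rds_instance=None):
    """Fill in the placeholders of the Ringer policy shown above.

    prefix may be blank; rds_instance is None for an Aurora cluster, in which
    case the AllowRDSSnapshot statement is left out.
    """
    if not re.fullmatch(r"\d{12}", account):
        raise ValueError("account must be a 12-digit AWS account ID")
    for name, value in (("region", region), ("bucket", bucket)):
        if not re.fullmatch(r"[a-z0-9][a-z0-9.-]*", value):
            raise ValueError(f"{name} is not a concrete value: {value!r}")
    if "*" in prefix or "<" in prefix:
        raise ValueError("prefix must not contain wildcards or placeholders")
    # A blank prefix substituted literally leaves "<bucket>//*", which only
    # matches keys beginning with "/"; drop the extra separator instead.
    prefix = prefix.strip("/")
    objects = f"arn:aws:s3:::{bucket}/{prefix + '/' if prefix else ''}*"
    statements = [
        {"Sid": "AllowPassRole", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": [f"arn:aws:iam::{account}:role/Ringer"]},
        {"Sid": "AllowS3Access", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                    "s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": [f"arn:aws:s3:::{bucket}", objects]},
        {"Sid": "AllowRDSExport", "Effect": "Allow",
         "Action": ["rds:DescribeExportTasks", "rds:StartExportTask"],
         "Resource": "*"},
    ]
    if rds_instance is not None:  # standalone RDS instance, not Aurora
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", rds_instance):
            raise ValueError(f"rds_instance is not a concrete name: {rds_instance!r}")
        statements.append(
            {"Sid": "AllowRDSSnapshot", "Effect": "Allow",
             "Action": ["rds:DescribeDBSnapshots", "rds:CreateDbSnapshot"],
             "Resource": [f"arn:aws:rds:{region}:{account}:db:{rds_instance}",
                          f"arn:aws:rds:{region}:{account}:snapshot:*"]})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Constructed sample values, not from the page.
    print(json.dumps(render_ringer_policy(
        "123456789012", "eu-west-1", "example-exports", "ringer", "example-db"), indent=2))
```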
Next, create a new IAM user called Ringer. Attach the Ringer IAM policy to this user, and create an access key.
Finally, create an IAM role called Ringer with the following trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "Service": "export.rds.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Attach the Ringer policy you created earlier to this role.
KMS
Now create a KMS key for encrypting exports from the database. The key should be symmetric, managed by KMS, and the user Ringer should have permissions to use it.
The key policy should include a stanza like this:
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<account>:user/Ringer"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
    "kms:CreateGrant",
    "kms:RetireGrant"
  ],
  "Resource": "*"
},
Connecting to RDS
Depending on your specific setup, you may need to make configuration changes to ensure that the Ringer server can connect to the RDS instance.
If Ringer is running on EC2 in the same VPC as your RDS instance, you may not have to make any changes. If Ringer is running in a different VPC, you may need to create a VPC peering connection. If Ringer is running outside of EC2, you may need to make your database publicly accessible and add a security group entry to specifically allow traffic from Ringer's IP.
See the RDS documentation for more information on these options. Where the documentation refers to a "web application server" which is connecting to your database, that's Ringer.
Ringer
Now we can configure Ringer to import from RDS. In the Ringer dashboard, select the base you want to import and choose "Edit". Set the import source to "Amazon RDS" and enter the configuration details. For the IAM and KMS ARN fields, enter the ARNs of the IAM role and KMS key you created above. When you have entered all the details, click "Save".
Triggering an import
In the Ringer dashboard view for your database, test your import configuration by clicking "Start import". The import will take some time to complete. When it is done, you can create clones from your base. You now have a full, anonymised copy of your production database ready to work with.
You can configure Ringer to run a database import daily by clicking "Edit" and setting "Schedule frequency" to "Daily".