DEV Community: Xavier Gourmandin The latest articles on DEV Community by Xavier Gourmandin (@xgourmandin). https://dev.to/xgourmandin https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F743815%2F1db4d863-2ad5-485a-95fb-e7f83c30329e.jpeg DEV Community: Xavier Gourmandin https://dev.to/xgourmandin en Restore AWS RDS Snapshots using Terraform Xavier Gourmandin Thu, 14 Sep 2023 08:31:27 +0000 https://dev.to/stack-labs/restore-aws-rds-snapshots-using-terraform-1ffi https://dev.to/stack-labs/restore-aws-rds-snapshots-using-terraform-1ffi <h2> The problem </h2> <p>A common use case for AWS accounts is the creation of ephemeral platforms.<br> Usually for development or integration environment, we want to optimize cost and therefore shutdown services when they are not needed.</p> <p>In our case, this process is managed by Terraform, which for example create/destroy the platform based on a schedule of our CI/CD tool.</p> <h3> The database problem </h3> <p>But by the nature of the platform concerned by this create/destroy cycle, customers often want their database to be filled with test data that helps them run their integration/functional tests.</p> <p>By chance, RDS offers a function to Snapshot the database just before deletion, and you can use it in the next platform creation iteration to restore it.</p> <p>And this is where things are gonna get messy.</p> <h3> The Terraform RDS resource problem </h3> <p>Let's check how AWS RDS resource works with Terraform.<br> You have two options to create an RDS instance:</p> <ul> <li>Without a Snapshot </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"dbname"</span> <span class="p">{</span> <span class="nx">allocated_storage</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"db-instance-id"</span> <span class="nx">db_name</span> <span class="p">=</span> <span class="s2">"dbname"</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"postgres"</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_rds_engine_version</span><span class="p">.</span><span class="nx">pg_version</span><span class="p">.</span><span class="nx">version</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.t3.micro"</span> <span class="nx">username</span> <span class="p">=</span> <span class="s2">"adminuser"</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">random_password</span><span class="p">.</span><span class="nx">admin</span><span class="p">.</span><span class="nx">result</span> <span class="nx">skip_final_snapshot</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">final_snapshot_identifier</span> <span class="p">=</span> <span class="s2">"${terraform.workspace}-${formatdate("</span><span class="nx">YYYYMMDDhhmmss</span><span class="s2">", timestamp())}"</span> <span class="nx">storage_encrypted</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">backup_retention_period</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">backup_window</span> <span class="p">=</span> <span class="s2">"07:00-09:00"</span> <span class="nx">maintenance_window</span> <span class="p">=</span> <span class="s2">"Tue:05:00-Tue:07:00"</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">allow_postgres</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="p">]</span> <span class="nx">db_subnet_group_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_db_name</span> <span class="p">}</span> </code></pre> </div> <ul> <li>With a Snapshot </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"dbname"</span> <span class="p">{</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"db-instance-id"</span> <span class="nx">db_name</span> <span class="p">=</span> <span class="s2">"dbname"</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.t3.micro"</span> <span class="nx">skip_final_snapshot</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">final_snapshot_identifier</span> <span class="p">=</span> <span class="s2">"${terraform.workspace}-${formatdate("</span><span class="nx">YYYYMMDDhhmmss</span><span class="s2">", timestamp())}"</span> <span class="nx">snapshot_identifier</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_db_snapshot</span><span class="p">.</span><span class="nx">latest_snapshot</span><span class="p">.</span><span class="nx">id</span> <span class="nx">storage_encrypted</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">backup_retention_period</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">backup_window</span> <span class="p">=</span> <span class="s2">"07:00-09:00"</span> <span class="nx">maintenance_window</span> <span class="p">=</span> <span class="s2">"Tue:05:00-Tue:07:00"</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">allow_postgres</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="p">]</span> <span class="nx">db_subnet_group_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_db_name</span> <span class="p">}</span> </code></pre> </div> <p>As we can see, the same resource is not configured in the same way, whether there is the <code>snapshot_identifier</code> property or not.</p> <h3> Before the first Terraform destroy </h3> <p>Before the first Terraform destroy process, there is no Snapshot available to restore from, so the first applies should be configured with the first definition above, but after the first destroy, a snapshot becomes available, and the RDS resource should be configured with the second definition above.</p> <p>Can we make come up with a RDS definition that works in all cases ?<br> Turns out we can, with a little bit of Terraform tricks.</p> <h2> The solution </h2> <h3> Terraform Data should point to existing resources </h3> <p>The first thing to note is that the snapshot identifier to restore from comes from a Terraform data source :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">snapshot_identifier</span> <span class="err">=</span> <span class="nx">data</span><span class="err">.</span><span class="nx">aws_db_snapshot</span><span class="err">.</span><span class="nx">latest_snapshot</span><span class="err">.</span><span class="nx">id</span> </code></pre> </div> <p>which is defined like this :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_db_snapshot"</span> <span class="s2">"latest_snapshot"</span> <span class="p">{</span> <span class="nx">db_instance_identifier</span> <span class="p">=</span> <span class="s2">"db-instance-id"</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>But, by its nature, Terraform cannot read data that don't exists without complete failure of the Terraform process, so we will need to read the snapshot id data only if a snapshot already exists.</p> <h3> Reading data only if it exists </h3> <p>We need to check first if a snapshot exists, before reading it with terraform.<br> So we make the following changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"external"</span> <span class="s2">"rds_final_snapshot_exists"</span> <span class="p">{</span> <span class="nx">program</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"./check-rds-snapshot.sh"</span><span class="p">,</span> <span class="s2">"db-instance-${terraform.workspace}"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_db_snapshot"</span> <span class="s2">"latest_snapshot"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">external</span><span class="p">.</span><span class="nx">rds_final_snapshot_exists</span><span class="p">.</span><span class="nx">result</span><span class="p">.</span><span class="nx">db_exists</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">db_instance_identifier</span> <span class="p">=</span> <span class="s2">"db-instance-id"</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>And the content of the <code>check-rds-snapshot.sh</code> script :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nv">db_id</span><span class="o">=</span><span class="nv">$1</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="k">${</span><span class="nv">db_id</span><span class="k">}</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"usage : </span><span class="nv">$0</span><span class="s2"> &lt;db_id&gt;"</span> <span class="o">&gt;</span>2 <span class="nb">exit </span>1 <span class="k">fi </span><span class="nv">RESULT</span><span class="o">=(</span><span class="si">$(</span>aws rds describe-db-snapshots <span class="nt">--db-instance-identifier</span> <span class="nv">$db_id</span> <span class="nt">--output</span> text 2&gt; /dev/null<span class="si">)</span><span class="o">)</span> <span class="nv">aws_result</span><span class="o">=</span><span class="nv">$?</span> <span class="k">if</span> <span class="o">[</span> <span class="k">${</span><span class="nv">aws_result</span><span class="k">}</span> <span class="nt">-eq</span> 0 <span class="o">]</span> <span class="o">&amp;&amp;</span> <span class="o">[[</span> <span class="k">${</span><span class="nv">RESULT</span><span class="p">[0]</span><span class="k">}</span> <span class="o">==</span> <span class="s2">"DBSNAPSHOTS"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nv">result</span><span class="o">=</span><span class="s1">'true'</span> <span class="k">else </span><span class="nv">result</span><span class="o">=</span><span class="s1">'false'</span> <span class="k">fi </span>jq <span class="nt">-n</span> <span class="nt">--arg</span> exists <span class="k">${</span><span class="nv">result</span><span class="k">}</span> <span class="s1">'{"db_exists": $exists }'</span> </code></pre> </div> <p>The external data source checks with the AWS CLI if the snapshot exists, and the count argument on the snapshot data source prevents Terraform from reading its value if none exists.</p> <p>Now, we only need to combine the two RDS declaration to make it works every time, !<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"dbname"</span> <span class="p">{</span> <span class="nx">allocated_storage</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"db-instance-id"</span> <span class="nx">db_name</span> <span class="p">=</span> <span class="s2">"dbname"</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"postgres"</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_rds_engine_version</span><span class="p">.</span><span class="nx">pg_version</span><span class="p">.</span><span class="nx">version</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.t3.micro"</span> <span class="nx">username</span> <span class="p">=</span> <span class="s2">"adminuser"</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">random_password</span><span class="p">.</span><span class="nx">admin</span><span class="p">.</span><span class="nx">result</span> <span class="nx">skip_final_snapshot</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">final_snapshot_identifier</span> <span class="p">=</span> <span class="s2">"${terraform.workspace}-${formatdate("</span><span class="nx">YYYYMMDDhhmmss</span><span class="s2">", timestamp())}"</span> <span class="nx">snapshot_identifier</span> <span class="p">=</span> <span class="nx">try</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">aws_db_snapshot</span><span class="p">.</span><span class="nx">latest_snapshot</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="kc">null</span><span class="p">)</span> <span class="nx">storage_encrypted</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">backup_retention_period</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">backup_window</span> <span class="p">=</span> <span class="s2">"07:00-09:00"</span> <span class="nx">maintenance_window</span> <span class="p">=</span> <span class="s2">"Tue:05:00-Tue:07:00"</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">allow_postgres</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="p">]</span> <span class="nx">db_subnet_group_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_db_name</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">snapshot_identifier</span><span class="p">,</span> <span class="nx">final_snapshot_identifier</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>And there you have it, a Terraform configuration that create RDS database and restore the latest snapshot if it exists.</p> <p>Thanks for reading! I’m Xavier, Cloud Developer at <a href="//stack-labs.com">Stack Labs</a>.</p> <p>If you want to join an enthusiast <a href="https://www.welcometothejungle.com/fr/companies/stack-labs" rel="noopener noreferrer">Dev cloud team</a>, please contact us.</p> aws rds terrafom cloud