aws - rds - rdscluster - add new action for updating Parameter group attached to db instance or cluster #9505

Open
wants to merge 8 commits into
base: main

jasgrover
Contributor

The rds and rdscluster resources currently do not support an action to modify the parameter group attached to a db instance or cluster. Our compliance operations require a policy that checks if a db instance or cluster has TLS encryption enabled and set to the correct version. The db instance or cluster matching the filter cannot be updated since the "modify-pg" action is not available under the resource.

Sample policy

policies:
  -  name: rds-update-tls-version-daily
     resource: rds
     filters:
       - type: db-parameter
         key: require_secure_transport
         op: ne
         value: 1
     actions:
       - type: modify-pg
         params:
         - name: require_secure_transport
           value: "1"

@jasgrover jasgrover requested a review from kapilt as a code owner May 14, 2024 23:12
@jasgrover
Contributor Author

@kapilt @ajkerrigan could you please assist with reviewing this PR? Thanks, Jas

@jasgrover
Contributor Author

@kapilt @ajkerrigan sorry to pester you guys... could I please get your input on this PR?

@ajkerrigan
Member

ajkerrigan commented May 30, 2024

It seems like we'd want to handle this with the existing param group modify action rather than needing to iterate over all the instances/clusters. As far as I can tell you could make those parameter changes today - the convenience piece we're missing is a filter on those parameter group resources to check existing parameter values.

@jasgrover
Contributor Author

@ajkerrigan I am not sure how we can do it; these are 2 different resources:

  • aws.rds
  • aws.rds-param-group

The use case is to check all the rds instances (aws.rds) for TLS settings and then modify the parameter group (aws.rds-param-group) attached to the instance.

@thisisshi
Member

Hey @jasgrover let's do the following:

  • Add a filter for db parameters on the rds parameter group resource, that way we can filter on the parameter values
  • Modify the parameter group itself in its own policy, while using a mark-for-op workflow to mark the affected rds resources and rds clusters as needing a reboot
  • Then, you can notify any resource owners that they need to do a reboot or you will reboot automatically with a policy
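
The group-first workflow suggested above, as an added example that is not part of the PR or of Cloud Custodian: each parameter group is evaluated once, and the non-compliant groups are then mapped back to the attached instances that would need a reboot mark. The function names are hypothetical, and the input is constructed sample data shaped like the RDS DescribeDBParameters and DescribeDBInstances responses.

```python
# Added example: not Cloud Custodian code. Function names are hypothetical.
PARAM = "require_secure_transport"


def noncompliant_groups(params_by_group, name=PARAM, wanted="1"):
    """Return names of parameter groups where `name` is unset or != wanted."""
    bad = set()
    for group, params in params_by_group.items():
        # RDS returns parameter values as strings; an unset parameter
        # carries no ParameterValue key, so .get() yields None.
        values = {p["ParameterName"]: p.get("ParameterValue") for p in params}
        if values.get(name) != wanted:
            bad.add(group)
    return bad


def instances_to_mark(instances, bad_groups):
    """Map instance id -> attached non-compliant groups (reboot candidates)."""
    marked = {}
    for inst in instances:
        attached = {g["DBParameterGroupName"] for g in inst.get("DBParameterGroups", [])}
        hits = sorted(attached & bad_groups)
        if hits:
            marked[inst["DBInstanceIdentifier"]] = hits
    return marked


# Constructed sample data shaped like DescribeDBParameters output, keyed by group.
SAMPLE_PARAMS = {
    "mysql8-strict": [{"ParameterName": PARAM, "ParameterValue": "1"}],
    "mysql8-legacy": [{"ParameterName": PARAM, "ParameterValue": "0"}],
    "mysql8-unset": [{"ParameterName": PARAM}],
}
# Constructed sample data shaped like DescribeDBInstances["DBInstances"].
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db",
     "DBParameterGroups": [{"DBParameterGroupName": "mysql8-strict"}]},
    {"DBInstanceIdentifier": "billing-db",
     "DBParameterGroups": [{"DBParameterGroupName": "mysql8-legacy"}]},
    {"DBInstanceIdentifier": "reports-db",
     "DBParameterGroups": [{"DBParameterGroupName": "mysql8-unset"}]},
]

if __name__ == "__main__":
    bad = noncompliant_groups(SAMPLE_PARAMS)
    print("groups to modify:", sorted(bad))
    print("instances to mark:", instances_to_mark(SAMPLE_INSTANCES, bad))
```

A group whose parameter is unset is treated the same as one set to a non-matching value, so it is reported rather than silently passed.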
