RDS infrastructure automation with Ansible

In this article we are going to describe how we realized our RDS infrastructure using Ansible as automation tool. We’ve completely avoided using AWS GUI, both for implementation and management activities.

Our aim was to develop a parametric infrastructure, able to adapt to all of our projects simply by changing few parameters in the config files.

Please note that at the time of writing we’re using Ansible 2.2.2.

First of all, we need to declare somewhere every needed variable. A var file, to be included where required, fits well.

project: “project_name”

rds_env: “project_env”

database_instance_type: "{{ (rds_env == 'prod') | ternary('db.XX.XXXX','db.XX.XXXX') }}"

billing_tag_value: "{{ (rds_env == 'prod') | ternary(project+'_prod',project+'_dev') }}"

type_tag_value: "{{ rds_env }}_database"

az_a: "{{ default_region }}a"

az_b: "{{ default_region }}b"

dns_ttl_expire: XX

#Destroy all data and configurations

rds_delete_all: "{{ (destroy == 'true') | ternary('yes','no') }}"

rds_database_count_start: 0

rds_database_count_end: "{{ (rds_env == 'prod') | ternary(N,n) }}"

rds_database_size: XXX

rds_database_engine: MySQL

rds_database_multi_zone: yes

rds_database_name: "{{ project }}"

rds_database_version: "5.X.X"

rds_database_maint_window: "XXX:XX:XX-XXX:XX:XX"

rds_database_option_group: "default:{{ rds_database_engine | lower }}-{{ rds_database_version.split('.')[0] }}-{{ rds_database_version.split('.')[1] }}"

rds_database_parameter_group: "{{ project }}-{{ rds_env }}-{{ rds_database_version.replace('.', '-') }}"

rds_database_port: 3306

rds_database_publicly_accessible: no

rds_database_region: "{{ default_region }}"

rds_database_upgrade: yes

rds_database_zone: "{{ default_region }}"

rds_database_disk_iops: XXXX

rds_database_backup_retention: XX

rds_database_backup_window: XX:XX-XX:XX

#Security group firewall rules

firewall_rules:

- proto: all

from_port: X

to_port: X

cidr_ip: IP

#Parameters group for my.cnf

parameters_my_cnf:

max_connections: "XXX"

Changing the file values it is possible to create N RDS servers and link them to the existing project’s VPC. As shown later, the infrastructure playbook will be invoked with a “rds_env” parameter. This way the infrastructure scripts can gather every VPC references for the project (specified by the “project” var) and create proper network connections towards the VPC itself.

Here are some examples of how it works:

- name: INFRASTRUCTURE RDS | Getting vpc ID

ec2_vpc_subnet_facts:

filters:

"tag:Name": "{{ project }}_{{ rds_env }}_vpc_subnet_0"

- name: INFRASTRUCTURE RDS | Create security_group RDS

ec2_group:

description: "{{ project | capitalize}}_{{ rds_env }} local RDS security group"

vpc_id: "{{ vpc.subnets.0.vpc_id }}"

rules: "{{ firewall_rules }}"

- name: INFRASTRUCTURE RDS | Tags security_group RDS

ec2_tag:

state: present

tags:

Name: "{{ project }}_{{ rds_env }}_local_rds_sg"

billing: "{{ billing_tag_value }}"

resource: "{{ security_group.group_id }}"

- name: INFRASTRUCTURE RDS | Create subnet 0 for RDS

ec2_vpc_subnet:

state: present

vpc_id: "{{ vpc.subnets.0.vpc_id }}"

cidr: "10.0.{{ vpc.subnets.0.cidr_block.split('.')[2] | int + 1 }}.0/24"

az: "{{ az_a }}"

resource_tags:

Name: "{{ project }}_{{ rds_env }}_rds_subnet_0"

- name: INFRASTRUCTURE RDS | Create subnet 1 for RDS

ec2_vpc_subnet:

state: present

vpc_id: "{{ vpc.subnets.0.vpc_id }}"

cidr: "10.0.{{ vpc.subnets.0.cidr_block.split('.')[2] | int + 2 }}.0/24"

az: "{{ az_b }}"

resource_tags:

Name: "{{ project }}_{{ rds_env }}_rds_subnet_1"

- name: INFRASTRUCTURE RDS | Tags subnet 0 RDS

ec2_tag:

state: present

tags:

Name: "{{ project }}_{{ rds_env }}_local_rds_subnet"

billing: "{{ billing_tag_value }}"

resource: "{{ database_subnet_0.subnet.id }}"

- name: INFRASTRUCTURE RDS | Tags subnet 1 RDS

ec2_tag:

state: present

tags:

Name: "{{ project }}_{{ rds_env }}_local_rds_subnet"

billing: "{{ billing_tag_value }}"

resource: "{{ database_subnet_1.subnet.id }}"

- name: INFRASTRUCTURE RDS | Setting up RDS subnet group

rds_subnet_group:

state: present

description: RDS Subnet Group

subnets:

- "{{ database_subnet_0.subnet.id }}"

- "{{ database_subnet_1.subnet.id }}"

Now the RDS networking is set up and we can move on to the RDS instances creation.

As you might guess, the number of instances is defined in the vars file:

1 2	rds_database_count_start: 0 rds_database_count_end: "{{ (rds_env == 'prod') \| ternary(N,n) }}"

Here is the full command for instances creation:

- name: INFRASTRUCTURE RDS | Create Instance RDS

rds:

command: create

instance_name: "{{ project }}-{{ rds_env }}-database-rds-{{ item }}"

wait: yes

wait_timeout: 3600

db_engine: "{{ rds_database_engine }}"

db_name: "{{ rds_database_name }}"

engine_version: "{{ rds_database_version }}"

size: "{{ rds_database_size }}"

instance_type: "{{ database_instance_type }}"

username: "{{ mysql.root_username }}"

password: "{{ mysql.root_password }}"

multi_zone: "{{ rds_database_multi_zone }}"

maint_window: "{{ rds_database_maint_window }}"

parameter_group: "{{ rds_database_parameter_group }}"

option_group: "{{ rds_database_option_group }}"

port: "{{ rds_database_port }}"

publicly_accessible: "{{ rds_database_publicly_accessible }}"

region: "{{ rds_database_region }}"

upgrade: "{{ rds_database_upgrade }}"

subnet: "{{ project }}_{{ rds_env }}_rds_vpc_subnet"

iops: "{{ rds_database_disk_iops }}"

vpc_security_groups: "{{ security_group.group_id }}"

backup_retention: "{{ rds_database_backup_retention }}"

backup_window: "{{ rds_database_backup_window }}"

tags:

Name: "{{ project }}_{{ rds_env }}_database_{{ item }}"

billing: "{{ billing_tag_value }}"

env: "{{ project }}_{{ rds_env }}"

role: "database"

type: "{{ type_tag_value }}"

with_sequence: start="{{ rds_database_count_start }}" end="{{ rds_database_count_end }}"

Moreover, we chose to assign a DNS name using Route53, to facilitate instances management:

- name: INFRASTRUCTURE RDS | Gathering Instance RDS

rds:

command: facts

instance_name: "{{ project }}-{{ rds_env }}-database-rds-{{ item }}"

with_sequence: start="{{ rds_database_count_start }}" end="{{ rds_database_count_end }}"

- name: INFRASTRUCTURE NUVOLA GENERIC | Create RDS DNS

route53:

command: create

zone: "{{ domain_tld }}"

record: "{{ project }}-{{ rds_env }}-database-rds-{{ item.1.instance.id.split('-')[4] }}.{{ domain_tld }}"

type: CNAME

value: "{{ item.1.instance.endpoint }}"

overwrite: yes

ttl: "{{ dns_ttl_expire }}"

with_indexed_items: '{{ rds_create_gathering.results }}'

Last but not least, we also chose to automate, thanks to Ansible, the whole environment destruction. Of course we set up strict controls to avoid destroying or corrupting production environments.

Here are some examples:

- name: INFRASTRUCTURE RDS | Fact Instance RDS

rds:

command: facts

instance_name: "{{ project }}-{{ rds_env }}-database-rds-{{ item }}"

with_sequence: start="{{ rds_database_count_start }}" end="{{ rds_database_count_end }}"

when: rds_delete_all == "yes"

- name: INFRASTRUCTURE RDS | Delete Instance RDS

rds:

command: delete

instance_name: "{{ project }}-{{ rds_env }}-database-rds-{{ item }}"

wait: yes

with_sequence: start=0 end="{{ rds_database_count_end }}"

when: rds_delete_all == "yes"

- name: INFRASTRUCTURE RDS | Delete RDS parameter groups

rds_param_group:

state: absent

when: rds_delete_all == "yes"

- name: INFRASTRUCTURE RDS | Delete RDS subnet group

rds_subnet_group:

state: absent

when: rds_delete_all == "yes"

- name: INFRASTRUCTURE RDS | Delete subnet 0 for RDS

ec2_vpc_subnet:

state: absent

vpc_id: "{{ vpc.subnets.0.vpc_id }}"

cidr: "10.0.{{ vpc.subnets_1 }}.0/24"

when: rds_delete_all == "yes"

- name: INFRASTRUCTURE RDS | Delete subnet 1 for RDS

ec2_vpc_subnet:

state: absent

vpc_id: "{{ vpc.subnets.0.vpc_id }}"

cidr: "10.0.{{ vpc.subnets_2 }}.0/24"

when: rds_delete_all == "yes"

- name: INFRASTRUCTURE RDS | Delete security_group RDS

ec2_group:

description: "{{ project | capitalize}}_{{ rds_env }} local RDS security group"

state: absent

when: rds_delete_all == "yes"

- name: INFRASTRUCTURE NUVOLA GENERIC | Delete RDS DNS

route53:

command: delete

zone: "{{ domain_tld }}"

record: "{{ project }}-{{ rds_env }}-database-rds-{{ item.0 }}.{{ domain_tld }}"

type: CNAME

value: "{{ item.1.instance.endpoint }}"

ttl: "{{ dns_ttl_expire }}"

with_indexed_items: '{{ rds_create_gathering.results }}'

when: rds_delete_all == "yes"

Now let’s glue the pieces together making use of a playbook, named infrastructure_rds.yml. As shown, secrets vars (db users, password, …) are kept in a different file.

vars_files:

- vars/vars_rds_common.yml

- vars/vars_rds_secure.yml

- "inventories/group_vars/regions.yml"

tasks:

- include: roles/infrastructure/tasks/infrastructure_rds.yml

Finally, for convenience, we wrapped it up with a bash script named infrastructure_rds.sh

#!/bin/bash

…

echo -e "\n\e[1m\e[42mSTARTING INFRASTRUCTURING OF [${RDS_ENV}] RDS INFRASTRUCTURE \e[0m"

ansible-playbook --vault-password-file secrets/vars_rds_secure.secret \

ansible/infrastructure_rds.yml \

$TAGS_OPTION -e"$EXTRA_OPTIONS $RDS_ENV"

echo -e "\n\e[1m\e[42m[${RDS_ENV}] RDS INFRASTRUCTURE COMPLETED\e[0m"

Now the RDS infrastructure management is automated and written as code! We hope you can find it useful and remember that comments are always welcomed.

4 commenti

ildar

05/06/2017 / 23:07 Rispondi

Thank you a lot!
G Pirker

06/04/2018 / 19:38 Rispondi

Just so everyone knows, there is no way to create an encrypted RDS instance using ansible modules. You would have to use cloudformation, a call to the AWS CLI or the API to do so.

All three can be done using Ansible.
- Loreno Edelmondo
  
  02/09/2018 / 11:24 Rispondi
  
  One solution is to integrate AWS command line into Ansible tasks.
  
  – name: INFRASTRUCTURE RDS | Create Instance RDS
  command: “aws rds create-db-instance
  –db-instance-identifier {{ project }}-{{ rds_env }}-database-rds-{{ item }}
  –db-instance-class {{ database_instance_type }}
  –db-name {{ rds_database_name }}
  –{{ (rds_database_multi_zone == ‘no’) | ternary(‘no-multi-az’,’multi-az’) }}
  –engine {{ rds_database_engine }}
  –engine-version {{ rds_database_version }}
  –db-parameter-group-name {{ rds_database_parameter_group }}
  –option-group-name {{ rds_database_option_group }}
  –storage-type {{ rds_database_storage_type }}
  –{{ (rds_database_encrypt_storage == ‘yes’) | ternary(‘storage-encrypted’,’no-storage-encrypted’) }}
  –allocated-storage {{ rds_database_size }}
  –master-username {{ mysql.root_username }}
  –master-user-password {{ mysql.root_password }}
  –vpc-security-group-ids {{ security_group.group_id }}
  –port {{ rds_database_port }}
  –db-subnet-group-name {{ project }}_{{ rds_env }}_rds_vpc_subnet
  –{{ (rds_database_publicly_accessible == ‘yes’) | ternary(‘publicly_accessible’,’no-publicly-accessible’) }}
  –preferred-maintenance-window {{ rds_database_maint_window }}
  –{{ (rds_database_upgrade == ‘yes’) | ternary(‘auto-minor-version-upgrade’,’no-auto-minor-version-upgrade’) }}
  –backup-retention-period {{ rds_database_backup_retention }}
  –preferred-backup-window {{ rds_database_backup_window }}
  –tags ‘Key=Name,Value={{ project }}_{{ rds_env }}_database_{{ item }}’ ‘Key=billing,Value={{ billing_tag_value }}'”
  register: rds_create_gathering
  with_sequence: start=”{{ rds_database_count_start }}” end=”{{ rds_database_count_end }}”
  when: rds_delete_all == “no”
Mayur

09/12/2019 / 07:37 Rispondi

Thank you so much !!

Rispondi a MayurCancella risposta

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.

Loreno Edelmondo

4 commenti

Rispondi a MayurCancella risposta