AWS DMS – Oracle to PostgreSQL and Object Case Issues

One of the differences between Oracle and PostgreSQL is the default behaviour of identifiers when they are not quoted. In Oracle it folds to uppercase (SQL Standard) while in PostgreSQL it folds to lowercase.

So when you migrate from Oracle to PostgreSQL with AWS DMS, the DMS wraps the DDL with quotes and makes the PostgreSQL objects case sensitive. It becomes an issue as instead of running your queries with:

select column1, column2 from schema.table

1	select column1, column2 from schema.table

you now have to quote the identifiers so it looks like:

select "COLUMN1", "COLUMN2" from "SCHEMA"."TABLE"

1	select "COLUMN1", "COLUMN2" from "SCHEMA"."TABLE"

I’m not a fan of case sensitive identifiers so thankfully the DMS has table mappings which can perform transformations on columns, tables and schema.

In my Oracle to PostgreSQL migration scenario I needed to migrate a schema and all its tables and objects. The steps I used to achieve this are as follows:

AWS Schema Conversion Tool to identify compatibility

AWS Schema Conversion Tool to generate DDL for indexes and other objects

Manipulate this file to suit my requirements

Create the JSON file with the appropriate rules for the migration. See code block below

Create the DMS task in console and paste in custom table mappings and run

In Oracle user and schema are synonymous. The user gives you login ability and you can also store objects within that “user” namespace. You also have the flexibility to separate this out with multiple users accessing a schema with different permission models and so forth. In PostgreSQL a user is a role and schema is a namespace to store objects. So when migrating to PostgreSQL you may need to add an extra layer as you cannot use the schema as a login role to access migrated data.

My solution to this was to migrate the Oracle schema as a different name into PostgreSQL and then create a role with appropriate permissions to the new schema in PostgreSQL with the same name as the Oracle user.

My lowercase table mapping JSON which migrates an Oracle Schema and converts it all to lowercase and renames the schema looks like:

{
  "rules": [
    {
      "rule-type": "selection",
      "rule-id": "1",
      "rule-name": "1",
      "object-locator": {
        "schema-name": "MYSCHEMA",
        "table-name": "%"
      },
      "rule-action": "include"
    },
    {
      "rule-type": "transformation",
      "rule-id": "2",
      "rule-name": "2",
      "rule-action": "rename",
      "rule-target": "schema",
      "object-locator": {
        "schema-name": "MYSCHEMA"
      },
      "value": "newschema"
    },
    {
      "rule-type": "transformation",
      "rule-id": "3",
      "rule-name": "3",
      "rule-action": "convert-lowercase",
      "rule-target": "table",
      "object-locator": {
        "schema-name": "%",
        "table-name": "%"
      }
    },
    {
      "rule-type": "transformation",
      "rule-id": "4",
      "rule-name": "4",
      "rule-action": "convert-lowercase",
      "rule-target": "column",
      "object-locator": {
        "schema-name": "%",
        "table-name": "%",
        "column-name": "%"
      }
    }
  ]
}

{

"rules": [

{

"rule-type": "selection",

"rule-id": "1",

"rule-name": "1",

"object-locator": {

"schema-name": "MYSCHEMA",

"table-name": "%"

"rule-action": "include"

{

"rule-type": "transformation",

"rule-id": "2",

"rule-name": "2",

"rule-action": "rename",

"rule-target": "schema",

"object-locator": {

"schema-name": "MYSCHEMA"

"value": "newschema"

{

"rule-type": "transformation",

"rule-id": "3",

"rule-name": "3",

"rule-action": "convert-lowercase",

"rule-target": "table",

"object-locator": {

"schema-name": "%",

"table-name": "%"

}

{

"rule-type": "transformation",

"rule-id": "4",

"rule-name": "4",

"rule-action": "convert-lowercase",

"rule-target": "column",

"object-locator": {

"schema-name": "%",

"table-name": "%",

"column-name": "%"

}

]

}

This was a pretty small database and the migration complete within 10 minutes ready for testing.

May 20, 2016

AWS S3 Object ACL and 403 Error

Recently I fell into the trap of S3 object ACL’s and the issue of an object having a different owner to the bucket. So when I tried to do something simple like the following I got a forbidden error.

aws s3 cp s3://mybucket-name-unique/foo.txt /tmp
A client error (403) occurred when calling the HeadObject operation: Forbidden
Completed 1 part(s) with ... file(s) remaining

aws s3 cp s3://mybucket-name-unique/foo.txt /tmp

A client error (403) occurred when calling the HeadObject operation: Forbidden

Completed 1 part(s) with ... file(s) remaining

This stumped me for a while as I couldn’t understand why an admin user connecting to an account where the bucket was created could not access the file that was in there. The bucket policy allowed read and write access across multiple AWS accounts. The mistake that I made was in one terminal session I had my cli profile accidentally set to another account so the owner of the object was set to that account when uploaded. Basically account-a uploaded a file into a bucket in account-b.

Lets go through an example of how this can happen. First we need a bucket with a policy that allows cross account read/write access.

aws s3api create-bucket --bucket mybucket-unique-name 
{
    "Location": "/mybucket-unique-name"
}

aws s3api put-bucket-policy --bucket mybucket-unique-name --policy file://bucket.acl 

cat bucket.acl 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::012345:root",
                    "arn:aws:iam::067890:root",
                    "arn:aws:iam::091234:root"
                ]
            },
            "Action": [
                "s3:PutBucketVersioning",
                "s3:PutObjectVersionAcl",
                "s3:GetObjectVersionTorrent",
                "s3:DeleteObject",
                "s3:ListMultipartUploadParts",
                "s3:GetObjectTorrent",
                "s3:GetBucketRequestPayment",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetBucketAcl",
                "s3:DeleteObjectVersion",
                "s3:PutLifecycleConfiguration",
                "s3:GetObjectVersion",
                "s3:GetBucketLogging",
                "s3:AbortMultipartUpload",
                "s3:GetObject",
                "s3:GetBucketTagging",
                "s3:GetLifecycleConfiguration",
                "s3:GetObjectVersionAcl",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy",
                "s3:GetObjectAcl",
                "s3:GetBucketNotification"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket-unique-name",
                "arn:aws:s3:::mybucket-unique-name/*"
            ]
        }
    ]
}

aws s3api create-bucket --bucket mybucket-unique-name

{

"Location": "/mybucket-unique-name"

}

aws s3api put-bucket-policy --bucket mybucket-unique-name --policy file://bucket.acl

cat bucket.acl

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "",

"Effect": "Allow",

"Principal": {

"AWS": [

"arn:aws:iam::012345:root",

"arn:aws:iam::067890:root",

"arn:aws:iam::091234:root"

]

"Action": [

"s3:PutBucketVersioning",

"s3:PutObjectVersionAcl",

"s3:GetObjectVersionTorrent",

"s3:DeleteObject",

"s3:ListMultipartUploadParts",

"s3:GetObjectTorrent",

"s3:GetBucketRequestPayment",

"s3:ListBucketMultipartUploads",

"s3:PutObject",

"s3:PutObjectAcl",

"s3:GetBucketAcl",

"s3:DeleteObjectVersion",

"s3:PutLifecycleConfiguration",

"s3:GetObjectVersion",

"s3:GetBucketLogging",

"s3:AbortMultipartUpload",

"s3:GetObject",

"s3:GetBucketTagging",

"s3:GetLifecycleConfiguration",

"s3:GetObjectVersionAcl",

"s3:ListBucket",

"s3:ListBucketVersions",

"s3:GetBucketVersioning",

"s3:GetBucketWebsite",

"s3:GetBucketLocation",

"s3:GetBucketPolicy",

"s3:GetObjectAcl",

"s3:GetBucketNotification"

"Resource": [

"arn:aws:s3:::mybucket-unique-name",

"arn:aws:s3:::mybucket-unique-name/*"

]

}

]

}

Upload file with Account A.

export AWS_PROFILE=accountA
aws s3 cp foo.txt s3://mybucket-unique-name/foo.txt

1 2	export AWS_PROFILE=accountA aws s3 cp foo.txt s3://mybucket-unique-name/foo.txt

Set profile to Account B and and try to copy the file.

export AWS_PROFILE=accountB
aws s3 cp s3://mybucket-name-unique/foo.txt /tmp
A client error (403) occurred when calling the HeadObject operation: Forbidden
Completed 1 part(s) with ... file(s) remaining

export AWS_PROFILE=accountB

aws s3 cp s3://mybucket-name-unique/foo.txt /tmp

A client error (403) occurred when calling the HeadObject operation: Forbidden

Completed 1 part(s) with ... file(s) remaining

Lets take a look at the owner of that file and see why this is happening.

aws s3api list-objects --bucket mybucket-unique-name  
{
    "Contents": [
       {
            "LastModified": "2016-05-19T22:30:14.000Z", 
            "ETag": "\"cblah123455667892\"", 
            "StorageClass": "STANDARD", 
            "Key": "foo.txt", 
            "Owner": {
                "DisplayName": "account-a", 
                "ID": "1234567890"
            }, 
            "Size": 4
        }
    ]
}

aws s3api list-objects --bucket mybucket-unique-name

{

"Contents": [

{

"LastModified": "2016-05-19T22:30:14.000Z",

"ETag": "\"cblah123455667892\"",

"StorageClass": "STANDARD",

"Key": "foo.txt",

"Owner": {

"DisplayName": "account-a",

"ID": "1234567890"

"Size": 4

}

]

}

We can see the DisplayName key as having the value account-a. When uploading a object – S3 creates a default ACL that grants the resource owner full control. In this case account-a had full control over a an object which lives in a bucket in account-b. account-b had no permissions on the object even though it owns the bucket. To solve my issue I could have deleted then re-added it correctly but I decided to modify the object acl so that I can read it via the accounts I need. This can be done via the put-object-acl api call. Here’s what I did to fix my issue.

aws s3api put-object-acl --bucket mybucket-unique-name --key foo.txt --grant-read "emailAddress=account-a@myhost.com.au,emailAddress=account-b@myhost.com.au"

1	aws s3api put-object-acl --bucket mybucket-unique-name --key foo.txt --grant-read "emailAddress=account-a@myhost.com.au,emailAddress=account-b@myhost.com.au"

The object now had read permission from account-b and I could successfully read and copy the file. If you need this cross account permissions for a bucket and its objects then it may be advisable to set the object acl so that the relevant accounts have read access like:

aws s3 cp foo.txt s3://mybucket-unique-name/foo.txt -grants read=emailAddress=account-a@myhost.com.au,emailAddress=account-b@myhost.com.au

1	aws s3 cp foo.txt s3://mybucket-unique-name/foo.txt -grants read=emailAddress=account-a@myhost.com.au,emailAddress=account-b@myhost.com.au

You can read more about S3 Object ACL’s here.

March 29, 2016March 30, 2016

AWS Database Migration Service

Amongst the many services being offered by AWS, one of the most anticipated from a database perspective is the Database Migration Service – DMS. It is now readily available across all regions after being in preview for while.

What better reason to give it a trial run. The AWS Blog has a nice article on how to get it going in a few clicks so instead of repeating the same steps I’ll use the cli to setup a replication.

The DMS is a heterogeneous replication tool allowing you to migrate between different database systems. In my test I’ll keep it simple and migrate a few tables from an on premise Oracle 11.2.0.3 database to an AWS Oracle RDS Instance.

The service also supports change data capture (CDC) allowing you to keep the tables in sync. I’ll configure my replication to use CDC.

The basic setup of the service is as follows:

Create a Replication Subnet Group

Create a Replication Instance

Create your Replication Endpoints (source and target)

Create your Replication Task

Before we start we need to prep our databases to make sure they meet the requirements of the service and in my case CDC. Archivelog mode needs to be enabled and we need to setup supplemental logging on the source. You also need to add supplemental logging to each tables primary keys. Oracle source requirements are detailed here.

alter database add supplemental log data;
alter table t1 add supplemental log data (PRIMARY KEY) columns;
alter table t2 add supplemental log data (PRIMARY KEY) columns;

alter database add supplemental log data;

alter table t1 add supplemental log data (PRIMARY KEY) columns;

alter table t2 add supplemental log data (PRIMARY KEY) columns;

Another prep item is to configure the user (I’m using awsdms) that will be used for the connection endpoints. This user must be granted certain privileges. The source user ddl can be found here while the target ddl can be found here.

Once that is all done we can move onto the DMS service. First lets create the replication subnet group using two private subnets in the VPC.

aws dms create-replication-subnet-group --replication-subnet-group-identifier dms-priv-subnet-group \
--replication-subnet-group-description "Private DMS Subnet Group" \
--subnet-ids subnet-1234 subnet-4567

aws dms create-replication-subnet-group --replication-subnet-group-identifier dms-priv-subnet-group \

--replication-subnet-group-description "Private DMS Subnet Group" \

--subnet-ids subnet-1234 subnet-4567

Now we can create the replication instance.

aws dms create-replication-instance --replication-instance-identifier "rep-instance-1" \
--replication-instance-class dms.t2.medium --replication-subnet-group-identifier dms-priv-subnet-group \
--no-publicly-accessible --allocated-storage 50

aws dms create-replication-instance --replication-instance-identifier "rep-instance-1" \

--replication-instance-class dms.t2.medium --replication-subnet-group-identifier dms-priv-subnet-group \

--no-publicly-accessible --allocated-storage 50

Once we have our replication instance up and running we can create our endpoints starting with source. For server name we need to specify an IP address as the DMS service cannot resolve on premise hostnames. A workaround to this is to create an AWS Route 53 address that points back to our on premise hosts IP but we’ll leave it as is for this test.

aws dms create-endpoint --endpoint-identifier ORCL1 --endpoint-type source \
--engine-name ORACLE --username awsdms --password awsdms1234 \
--server-name 10.10.10.99 --port 1521 --database-name ORCL1

aws dms create-endpoint --endpoint-identifier ORCL1 --endpoint-type source \

--engine-name ORACLE --username awsdms --password awsdms1234 \

--server-name 10.10.10.99 --port 1521 --database-name ORCL1

And now lets test connectivity and make sure our replication instance can talk to our source database.

aws dms test-connection --endpoint-arn arn:aws:dms:ap-southeast-2:<account id>:endpoint:A2TIPPV4OJRN3YWXVU6B6JQKDQ \
--replication-instance-arn arn:aws:dms:ap-southeast-2:<account id>:rep:GTW5ASF4XMTPQANZSRAYG5KOBE 
{
    "Connection": {
        "Status": "testing", 
        "ReplicationInstanceIdentifier": "rep-instance-1", 
        "EndpointArn": "arn:aws:dms:ap-southeast-2:<account id>:endpoint:A2TIPPV4OJRN3YWXVU6B6JQKDQ", 
        "EndpointIdentifier": "ORCL1", 
        "ReplicationInstanceArn": "arn:aws:dms:ap-southeast-2:<account id>:rep:GTW5ASF4XMTPQANZSRAYG5KOBE"
    }
}

aws dms describe-connections --filters Name=endpoint-arn,Values=arn:aws:dms:ap-southeast-2:<account id>:endpoint:FADB77OUCIWB3GQGHA7HUSU7B4 
{
    "Connections": [
        {
            "Status": "successful", 
            "ReplicationInstanceIdentifier": "rep-instance-1", 
            "EndpointArn": "arn:aws:dms:ap-southeast-2:<account id>:endpoint:A2TIPPV4OJRN3YWXVU6B6JQKDQ", 
            "EndpointIdentifier": "ORCL1", 
            "ReplicationInstanceArn": "arn:aws:dms:ap-southeast-2:<account id>:rep:GTW5ASF4XMTPQANZSRAYG5KOBE"
        }
    ]
}

aws dms test-connection --endpoint-arn arn:aws:dms:ap-southeast-2:<account id>:endpoint:A2TIPPV4OJRN3YWXVU6B6JQKDQ \

--replication-instance-arn arn:aws:dms:ap-southeast-2:<account id>:rep:GTW5ASF4XMTPQANZSRAYG5KOBE

{

"Connection": {

"Status": "testing",

"ReplicationInstanceIdentifier": "rep-instance-1",

"EndpointArn": "arn:aws:dms:ap-southeast-2:<account id>:endpoint:A2TIPPV4OJRN3YWXVU6B6JQKDQ",

"EndpointIdentifier": "ORCL1",

"ReplicationInstanceArn": "arn:aws:dms:ap-southeast-2:<account id>:rep:GTW5ASF4XMTPQANZSRAYG5KOBE"

}

aws dms describe-connections --filters Name=endpoint-arn,Values=arn:aws:dms:ap-southeast-2:<account id>:endpoint:FADB77OUCIWB3GQGHA7HUSU7B4

{

"Connections": [

{

"Status": "successful",

"ReplicationInstanceIdentifier": "rep-instance-1",

"EndpointArn": "arn:aws:dms:ap-southeast-2:<account id>:endpoint:A2TIPPV4OJRN3YWXVU6B6JQKDQ",

"EndpointIdentifier": "ORCL1",

"ReplicationInstanceArn": "arn:aws:dms:ap-southeast-2:<account id>:rep:GTW5ASF4XMTPQANZSRAYG5KOBE"

}

]

}

Now lets create the target endpoint. You can run the same tests as above but I’ll omit it for this exercise.

aws dms create-endpoint --endpoint-type target \
--endpoint-identifier ORCL2 --engine-name ORACLE --username awsdms --password awsdms1234 \
--server-name myendpoint.rds.amazonaws.com --port 1521 --database-name ORCL2

aws dms create-endpoint --endpoint-type target \

--endpoint-identifier ORCL2 --engine-name ORACLE --username awsdms --password awsdms1234 \

--server-name myendpoint.rds.amazonaws.com --port 1521 --database-name ORCL2

We are just about ready to create our replication task. The replication task requires two json files. One for our source table mappings and one for our task settings. Here is my source table mapping:

{  
   "TableMappings":[  
      {  
         "Type":"Explicit",
         "SourceSchema":"SCOTT",
         "SourceTable":"T1"
      },
      {  
         "Type":"Explicit",
         "SourceSchema":"SCOTT",
         "SourceTable":"T2"
      }
   ]
}

{

"TableMappings":[

{

"Type":"Explicit",

"SourceSchema":"SCOTT",

"SourceTable":"T1"

{

"Type":"Explicit",

"SourceSchema":"SCOTT",

"SourceTable":"T2"

}

]

}

And now the task settings. There are a number of configurable options here but I settled for the following:

{  
   "TargetMetadata":{  
      "TargetSchema":"SCOTT",
      "SupportLobs":true,
      "FullLobMode":true,
      "LobChunkSize":64,
      "LimitedSizeLobMode":false,
      "LobMaxSize":0
   },
   "FullLoadSettings":{  
      "FullLoadEnabled":true,
      "ApplyChangesEnabled":true,
      "TargetTablePrepMode":"TRUNCATE_BEFORE_LOAD",
      "CreatePkAfterFullLoad":true,
      "StopTaskCachedChangesApplied":false,
      "StopTaskCachedChangesNotApplied":false,
      "ResumeEnabled":true,
      "ResumeMinTableSize":100000,
      "ResumeOnlyClusteredPKTables":true,
      "MaxFullLoadSubTasks":8,
      "TransactionConsistencyTimeout":600,
      "CommitRate":10000
   },
   "Logging":{  
      "EnableLogging":true
   }
}

{

"TargetMetadata":{

"TargetSchema":"SCOTT",

"SupportLobs":true,

"FullLobMode":true,

"LobChunkSize":64,

"LimitedSizeLobMode":false,

"LobMaxSize":0

"FullLoadSettings":{

"FullLoadEnabled":true,

"ApplyChangesEnabled":true,

"TargetTablePrepMode":"TRUNCATE_BEFORE_LOAD",

"CreatePkAfterFullLoad":true,

"StopTaskCachedChangesApplied":false,

"StopTaskCachedChangesNotApplied":false,

"ResumeEnabled":true,

"ResumeMinTableSize":100000,

"ResumeOnlyClusteredPKTables":true,

"MaxFullLoadSubTasks":8,

"TransactionConsistencyTimeout":600,

"CommitRate":10000

"Logging":{

"EnableLogging":true

}

Putting this all together we can create the replication task with a migration type of full-load-and-cdc.

aws dms create-replication-task --replication-task-identifier "orcl1-to-orcl2" \
--source-endpoint-arn arn:aws:dms:ap-southeast-2:<account id>:endpoint:A2TIPPV4OJRN3YWXVU6B6JQKDQ \
--target-endpoint-arn arn:aws:dms:ap-southeast-2:<account id>:endpoint:FADB77OUCIWB3GQGHA7HUSU7B4 \
--replication-instance-arn arn:aws:dms:ap-southeast-2:<account id>:rep:GTW5ASF4XMTPQANZSRAYG5KOBE \
--migration-type full-load-and-cdc --table-mappings file://source_tables.json \
--replication-task-settings file://task_settings.json

aws dms create-replication-task --replication-task-identifier "orcl1-to-orcl2" \

--source-endpoint-arn arn:aws:dms:ap-southeast-2:<account id>:endpoint:A2TIPPV4OJRN3YWXVU6B6JQKDQ \

--target-endpoint-arn arn:aws:dms:ap-southeast-2:<account id>:endpoint:FADB77OUCIWB3GQGHA7HUSU7B4 \

--replication-instance-arn arn:aws:dms:ap-southeast-2:<account id>:rep:GTW5ASF4XMTPQANZSRAYG5KOBE \

--migration-type full-load-and-cdc --table-mappings file://source_tables.json \

--replication-task-settings file://task_settings.json

And finally lets start it.

aws dms start-replication-task --replication-task-arn arn:aws:dms:ap-southeast-2:<account id>:task:7IPMBFL6V6I4NIBE6KBHABIXVU \
--start-replication-task-type start-replication

1 2	aws dms start-replication-task --replication-task-arn arn:aws:dms:ap-southeast-2:<account id>:task:7IPMBFL6V6I4NIBE6KBHABIXVU \ --start-replication-task-type start-replication

After a few minutes you should see the tables created on the target database. I can update, insert, delete data on these two tables and they’ll be kept in sync.

Overall a pretty straightforward and simple tool to use to migrate and keep data in sync. I came across a few issues while testing this and currently have a support case open. Issues include:

Target user permissions missing delete any table in DMS Online documentation – bug raised

When delete fails due to permission problem, exception does not get logged properly

DMS Logminer reader doesn’t like standby databases configured on source database and tries to read non existent logs – working with AWS support on this

DMS cannnot resolve our on premise hostnames and we can’t influence which DNS server it uses. Route 53 workaround.

Diagnosing replication issues with RDS target can be tricky as its a managed service. I had to replicate on an EC2 instance.

February 12, 2016

Oracle RDS with SSL

Amazon just recently announced support for SSL connections with Oracle RDS. What better reason to try and test it out.

To use SSL with Oracle you’ll need:

Option Group with SSL enabled

VPC Security Group allowing port 2484

With that in mind I’ve created a cloudformation template to automate the build.

You can run the template via the cli assuming you have all your environment setup.

aws cloudformation create-stack --stack-name "ora-rds-ssl" --template-body file://ora_rds_ssl.json --parameters ParameterKey=VpcId,ParameterValue=<yourvpc> ParameterKey=Subnets,ParameterValue=\
"<priv sub 1>,<priv sub 2>,<priv sub n>\" ParameterKey=CidrIp,ParameterValue="<your CidrIp"

1 2	aws cloudformation create-stack --stack-name "ora-rds-ssl" --template-body file://ora_rds_ssl.json --parameters ParameterKey=VpcId,ParameterValue=<yourvpc> ParameterKey=Subnets,ParameterValue=\ "<priv sub 1>,<priv sub 2>,<priv sub n>\" ParameterKey=CidrIp,ParameterValue="<your CidrIp"

Once we have all the config complete and we create our stack we need to setup the Oracle client and wallet. First we create a directory to store everything and download the RDS CA certificate file from https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem.

cd $ORACLE_HOME
mkdir ssl_wallet
cd ssl_wallet
wget https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem

cd $ORACLE_HOME

mkdir ssl_wallet

cd ssl_wallet

wget https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem

Create our wallet and add the cert with the following commands.

orapki wallet create -wallet $ORACLE_HOME/ssl_wallet -auto_login_only

orapki wallet add -wallet $ORACLE_HOME/ssl_wallet -trusted_cert -cert
      $ORACLE_HOME/ssl_wallet/rds-ca-2015-root.pem -auto_login_only

orapki wallet create -wallet $ORACLE_HOME/ssl_wallet -auto_login_only

orapki wallet add -wallet $ORACLE_HOME/ssl_wallet -trusted_cert -cert

$ORACLE_HOME/ssl_wallet/rds-ca-2015-root.pem -auto_login_only

Finally, add the following parameters to $ORACLE_HOME/network/admin/sqlnet.ora

WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $ORACLE_HOME/ssl_wallet))) 
SSL_CLIENT_AUTHENTICATION = FALSE 
SSL_VERSION = 1.0 
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA) 
SSL_SERVER_DN_MATCH = ON

WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $ORACLE_HOME/ssl_wallet)))

SSL_CLIENT_AUTHENTICATION = FALSE

SSL_VERSION = 1.0

SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA)

SSL_SERVER_DN_MATCH = ON

We are now ready to connect with SSL on port 2484.

sqlplus 'oradba@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = <end point>)(PORT = 2484))(CONNECT_DATA = (SID = orcl)))' 

SQL*Plus: Release 12.1.0.2.0 Production on Fri Feb 12 11:59:56 2016

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Enter password: 
Last Successful login time: Fri Feb 12 2016 11:39:26 +11:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL>

sqlplus 'oradba@(DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = <end point>)(PORT = 2484))(CONNECT_DATA = (SID = orcl)))'

SQL*Plus: Release 12.1.0.2.0 Production on Fri Feb 12 11:59:56 2016

Enter password:

Last Successful login time: Fri Feb 12 2016 11:39:26 +11:00

Connected to:

Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production

With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL>

February 11, 2016

Restore & Clone PostgreSQL from Snapshot Backup

If you are using snapshots as your backup strategy then there may be times where you want to clone the snapshot and restore it on another server. I’ll go through that scenario. My environment is Redhat 6.1, PostgreSQL 9.2 and Netapp Snapshots.

It’ll be a similar process with other snapshot technologies but the cloning and mounting of disks may differ. Firstly, we need to get the mounts cloned and presented to the appropriate server which can be done by a trusty storage admin.

10.240.52.1:/clone_pg01/data 	/pg01_r/data   nfs     rw,bg,hard,intr,tcp,vers=3,rsize=65536,wsize=65536,noacl,timeo=600      0       0
10.240.52.1:/clone_pg01/archive /pg01_r/archive   nfs     rw,bg,hard,intr,tcp,vers=3,rsize=65536,wsize=65536,noacl,timeo=600      0       0
10.240.52.1:/clone_pg01/xlog  /pg01_r/xlog   nfs     rw,bg,hard,intr,tcp,vers=3,rsize=65536,wsize=65536,noacl,timeo=600      0       0

10.240.52.1:/clone_pg01/data /pg01_r/data nfs rw,bg,hard,intr,tcp,vers=3,rsize=65536,wsize=65536,noacl,timeo=600 0 0

10.240.52.1:/clone_pg01/archive /pg01_r/archive nfs rw,bg,hard,intr,tcp,vers=3,rsize=65536,wsize=65536,noacl,timeo=600 0 0

10.240.52.1:/clone_pg01/xlog /pg01_r/xlog nfs rw,bg,hard,intr,tcp,vers=3,rsize=65536,wsize=65536,noacl,timeo=600 0 0

We add the above details to /ets/fstab and mount our volumes. We need to create directories first, mount and change permissions. The server that I’m working on already has a database running on it under /pg01/data so I’ve appended “_r” to my mounts.

for x in data archive xlog; do mkdir -p /pg01_r/${x}; done
for x in data archive xlog; do mount /pg01_r/${x}; done
chown -R postgres:postgres /pg01_r

for x in data archive xlog; do mkdir -p /pg01_r/${x}; done

for x in data archive xlog; do mount /pg01_r/${x}; done

chown -R postgres:postgres /pg01_r

Now that we have our cloned filesystems ready to go, we can modify the appropriate values in /pg01_r/data/postgresql.conf. The following were relevant in my environment:

$ egrep "listen_address|port|archive_command" postgresql.conf
listen_addresses = '10.85.122.9'	# what IP address(es) to listen on;
port = 5499				# (change requires restart)					
archive_command = 'cp %p /pg01_r/archive/%f'		# command to use to archive a logfile segment

$ egrep "listen_address|port|archive_command" postgresql.conf

listen_addresses = '10.85.122.9' # what IP address(es) to listen on;

port = 5499 # (change requires restart)

archive_command = 'cp %p /pg01_r/archive/%f' # command to use to archive a logfile segment

I needed to change the listen_address as I was on a new host. I already had a postgresql cluster running on the default port so that needed to change and my filesystem was slightly different from the original server so my archive command needed a tweak.

I also had to change my tablespace and xlog symlinks as they were still pointing to the “/pg01” directory and not the new cloned mounts.

cd $PGDATA
ln -sf ../xlog pg_xlog

cd pg_tblspc/
ln -sf /pg01_r/data/system 16386
ln -sf /pg01_r/data/data01 16387

cd $PGDATA

ln -sf ../xlog pg_xlog

cd pg_tblspc/

ln -sf /pg01_r/data/system 16386

ln -sf /pg01_r/data/data01 16387

And finally create the recovery.conf in the $PGDATA directory.

echo "restore_command = 'cp /pg01_r/archive/%f %p'" > recovery.conf

1	echo "restore_command = 'cp /pg01_r/archive/%f %p'" > recovery.conf

I wanted to recovery to our last transaction so I didn’t specify any point in time values but it could have easily be done with recovery_target_time. Now we can start our cluster.

pg_ctl start -D /pg01_r/data

1	pg_ctl start -D /pg01_r/data

After a few minutes our cluster should be recovered, cloned and ready to go. We can check our postgresql.log file and see output like this.

2016-02-09 11:33:19 AEDT  LOG:  restored log file "0000000300000071000000C0" from archive
2016-02-09 11:33:20 AEDT  LOG:  restored log file "0000000300000071000000C1" from archive
2016-02-09 11:33:21 AEDT  LOG:  restored log file "0000000300000071000000C2" from archive
cp: cannot stat `/pg01_r/archive/0000000300000071000000C3': No such file or directory
2016-02-09 11:33:21 AEDT  LOG:  could not open file "pg_xlog/0000000300000071000000C3" (log file 113, segment 195): No such file or directory
2016-02-09 11:33:21 AEDT  LOG:  redo done at 71/C2FFF9E8
2016-02-09 11:33:21 AEDT  LOG:  last completed transaction was at log time 2016-02-08 23:49:31.461895+11
2016-02-09 11:33:22 AEDT  LOG:  restored log file "0000000300000071000000C2" from archive
cp: cannot stat `/pg01_r/archive/00000004.history': No such file or directory
2016-02-09 11:33:22 AEDT  LOG:  selected new timeline ID: 4
cp: cannot stat `/pg01_r/archive/00000003.history': No such file or directory
2016-02-09 11:33:22 AEDT  LOG:  archive recovery complete
2016-02-09 11:33:30 AEDT  LOG:  autovacuum launcher started
2016-02-09 11:33:30 AEDT  LOG:  database system is ready to accept connections

2016-02-09 11:33:19 AEDT LOG: restored log file "0000000300000071000000C0" from archive

2016-02-09 11:33:20 AEDT LOG: restored log file "0000000300000071000000C1" from archive

2016-02-09 11:33:21 AEDT LOG: restored log file "0000000300000071000000C2" from archive

cp: cannot stat `/pg01_r/archive/0000000300000071000000C3': No such file or directory

2016-02-09 11:33:21 AEDT LOG: could not open file "pg_xlog/0000000300000071000000C3" (log file 113, segment 195): No such file or directory

2016-02-09 11:33:21 AEDT LOG: redo done at 71/C2FFF9E8

2016-02-09 11:33:21 AEDT LOG: last completed transaction was at log time 2016-02-08 23:49:31.461895+11

2016-02-09 11:33:22 AEDT LOG: restored log file "0000000300000071000000C2" from archive

cp: cannot stat `/pg01_r/archive/00000004.history': No such file or directory

2016-02-09 11:33:22 AEDT LOG: selected new timeline ID: 4

cp: cannot stat `/pg01_r/archive/00000003.history': No such file or directory

2016-02-09 11:33:22 AEDT LOG: archive recovery complete

2016-02-09 11:33:30 AEDT LOG: autovacuum launcher started

2016-02-09 11:33:30 AEDT LOG: database system is ready to accept connections

January 28, 2016

CentOS 7 Teamed Interface on Virtual Box

I wanted to have a look at the NetworkManager utilities in CentOS 7 so I thought I’d test out a teamed (aka bonded) interface. So here’s my setup.

Virtual Box Version 5.0.14 r105127

CentOS Linux release 7.2.1511 (Core)

Network 1 – NAT

Network 2 & 3 – Host Only

Setup looks like the following.

So now on to the config. I’ll be using the nmcli command line utility to configure it in an active-backup setup. First create the teamed interface.

nmcli connection add type bond ifname bond0 con-name bond0 mode active-backup primary enp0s8 miimon 200 ip4 192.168.56.101 gw4 192.168.56.1
Connection 'bond0' (2056c502-0225-4171-8916-665883192864) successfully added.

1 2	nmcli connection add type bond ifname bond0 con-name bond0 mode active-backup primary enp0s8 miimon 200 ip4 192.168.56.101 gw4 192.168.56.1 Connection 'bond0' (2056c502-0225-4171-8916-665883192864) successfully added.

One thing I found out early was that I needed to set the fail_over_mac parameter to 1 as Virtual Box does not like the bond to get the same MAC address for all nics. Setting this parameter means the bond will get the MAC of the active nic.

nmcli con mod bond0 +bond.options fail_over_mac=1

1	nmcli con mod bond0 +bond.options fail_over_mac=1

Now I can add the slaves.

nmcli connection add type bond-slave ifname enp0s8 master bond0
nmcli connection add type bond-slave ifname enp0s9 master bond0

1 2	nmcli connection add type bond-slave ifname enp0s8 master bond0 nmcli connection add type bond-slave ifname enp0s9 master bond0

Startup up all the components.

nmcli c u bond0
nmcli c u bond-slave-enp0s8
nmcli c u bond-slave-enp0s9

nmcli c u bond0

nmcli c u bond-slave-enp0s8

nmcli c u bond-slave-enp0s9

We can check our setup and it looks good for now.

=================================================================================
                         NetworkManager active profiles
=================================================================================
NAME               UUID                                  TYPE            DEVICE 
---------------------------------------------------------------------------------
bond0              2056c502-0225-4171-8916-665883192864  bond            bond0  
bond-slave-enp0s8  e61588b1-538d-4f3b-83cc-6bcd5bc50afb  802-3-ethernet  enp0s8 
enp0s3             74502bfb-de0c-4c0b-9236-2bab0d1ff2e2  802-3-ethernet  enp0s3 
bond-slave-enp0s9  8bd3f6c0-d6e1-4401-b5f5-cd8661076c74  802-3-ethernet  enp0s9

=================================================================================

NetworkManager active profiles

=================================================================================

NAME UUID TYPE DEVICE

---------------------------------------------------------------------------------

bond0 2056c502-0225-4171-8916-665883192864 bond bond0

bond-slave-enp0s8 e61588b1-538d-4f3b-83cc-6bcd5bc50afb 802-3-ethernet enp0s8

enp0s3 74502bfb-de0c-4c0b-9236-2bab0d1ff2e2 802-3-ethernet enp0s3

bond-slave-enp0s9 8bd3f6c0-d6e1-4401-b5f5-cd8661076c74 802-3-ethernet enp0s9

And now we can down some interfaces and see the bonding in action.

[root@centos7 ~]# ifdown enp0s8
Device 'enp0s8' successfully disconnected.
[root@centos7 ~]# ip addr show bond0
5: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN 
    link/ether 08:00:27:d4:02:84 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.101/32 brd 192.168.56.101 scope global bond0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fed4:284/64 scope link 
       valid_lft forever preferred_lft forever
[root@centos7 ~]# nmcli con up bond-slave-enp0s8
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
[root@centos7 ~]# ip addr show bond0
5: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN 
    link/ether 08:00:27:c6:c0:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.101/32 brd 192.168.56.101 scope global bond0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fed4:284/64 scope link 
       valid_lft forever preferred_lft forever

[root@centos7 ~]# ifdown enp0s8

Device 'enp0s8' successfully disconnected.

[root@centos7 ~]# ip addr show bond0

5: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN

link/ether 08:00:27:d4:02:84 brd ff:ff:ff:ff:ff:ff

inet 192.168.56.101/32 brd 192.168.56.101 scope global bond0

valid_lft forever preferred_lft forever

inet6 fe80::a00:27ff:fed4:284/64 scope link

valid_lft forever preferred_lft forever

[root@centos7 ~]# nmcli con up bond-slave-enp0s8

Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)

[root@centos7 ~]# ip addr show bond0

5: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN

link/ether 08:00:27:c6:c0:55 brd ff:ff:ff:ff:ff:ff

inet 192.168.56.101/32 brd 192.168.56.101 scope global bond0

valid_lft forever preferred_lft forever

inet6 fe80::a00:27ff:fed4:284/64 scope link

valid_lft forever preferred_lft forever

Our network connectivity survived and we can see from the above the MAC address for the bond changed to the active nic.

January 19, 2016March 15, 2016

Extracting IP’s From Oracle Listener Log

There may be times when you want to extract all the client and host IP’s from the listener log to see who’s connecting to a particular database or service.

I was interested in a particular service so the following will extract all IP’s connecting in to that service. Please not that our listener logs are rotated and zipped.

$
zgrep <SERVICE_NAME> *.zip   | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq -c | sort -n 
     1 10.30.37.199
      1 10.20.67.111
      3 10.30.66.154
      3 10.30.76.38
      3 10.20.117.171
      4 10.20.112.58
     10 10.20.203.9
     16 10.20.112.112
     18 10.20.117.186
     30 10.20.193.17
     32 10.30.35.91
     39 10.20.193.18
     44 10.20.112.23
     48 10.20.193.15
     53 10.20.193.16
     70 10.20.112.6
     74 10.20.107.143
    100 10.40.32.23
    101 10.20.203.8
    703 10.20.193.13
    989 10.20.193.78
    995 10.20.193.79
  14101 10.20.203.155

zgrep <SERVICE_NAME> *.zip | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq -c | sort -n

1 10.30.37.199

1 10.20.67.111

3 10.30.66.154

3 10.30.76.38

3 10.20.117.171

4 10.20.112.58

10 10.20.203.9

16 10.20.112.112

18 10.20.117.186

30 10.20.193.17

32 10.30.35.91

39 10.20.193.18

44 10.20.112.23

48 10.20.193.15

53 10.20.193.16

70 10.20.112.6

74 10.20.107.143

100 10.40.32.23

101 10.20.203.8

703 10.20.193.13

989 10.20.193.78

995 10.20.193.79

14101 10.20.203.155

You could tweak it and pipe it to nslookup to get actual hostname but for my requirements the above was enough.

January 18, 2016January 18, 2016

Authorizing AWS Inbound Traffic For Your IP Using CLI

One of the security measures you may want to implement in your AWS setup is to have a bastion host or limit ssh access from the whole world and only use your private network.

If you have your own account and your instances are exposed to the public you should at least limit ssh access by IP. Here’s how to do it.

First, get your current IP.

curl  http://checkip.amazonaws.com/
123.456.789.0/32

1 2	curl http://checkip.amazonaws.com/ 123.456.789.0/32

Find out the security group to which your instance is assigned.

aws ec2 describe-instances --instance-ids i-1234 | grep GroupId 
                            "GroupId": "sg-1234"

1 2	aws ec2 describe-instances --instance-ids i-1234 \| grep GroupId "GroupId": "sg-1234"

Once we have our security group we can see what inbound rules we have.

aws ec2 describe-security-groups --group-ids sg-1234 | egrep "FromPort|Cidr" 
                    "FromPort": 22, 
                            "CidrIp": "123.456.789.0/32"

aws ec2 describe-security-groups --group-ids sg-1234 | egrep "FromPort|Cidr"

"FromPort": 22,

"CidrIp": "123.456.789.0/32"

Now we need to revoke our old IP and authorize our new IP.

aws ec2 revoke-security-group-ingress --group-id sg-1234 --protocol tcp --port 22 --cidr 123.456.789.0/32

aws ec2 authorize-security-group-ingress --group-id sg-1234 --protocol tcp --port 22 --cidr 123.456.789.1/32

aws ec2 revoke-security-group-ingress --group-id sg-1234 --protocol tcp --port 22 --cidr 123.456.789.0/32

aws ec2 authorize-security-group-ingress --group-id sg-1234 --protocol tcp --port 22 --cidr 123.456.789.1/32

You should now be able to ssh into your ec2 instance and only your IP will be allowed through. You can read more about securing your ec2 instance at Tips for Securing Your EC2 Instance

January 15, 2016January 15, 2016

Change of Direction

I created this blog a few years ago to get a head start on Oracle 12c as I didn’t think the uptake in business would match my curiosity.

Technology changes very quickly and there have been lots of other things to keep me busy and interested since that time. I’ve found myself slowly drifting away and using various other tools. I’ve also been frustrated with the state of play in Oracle’s licensing model and cost and the battle that you have to fight all to regularly.

With that in mind the blog will take a change in direction and I’ll start writing about anything tech that piques my interest or anything else I’m currently working on. So you’ll start seeing things like AWS, PostgreSQL, Python, Flask, maybe MySQL, Linux and whatever else.

Hopefully I can add something of value and learn along the way.

January 12, 2016

Simple PostgreSQL RDS CloudFormation Template

I’ve been working with the Amazon RDS offerings lately and used a few of the services and tools. Here’s a simple cloudformation sample to create a PostgreSQL RDS.

The template creates a security group allowing access on port 5432 to subnet 10.0.0.0/16. It also creates a database parameter group with the pg_stat_statements module as coming from an Oracle background I like to have executions stats of my sql.

{
  "AWSTemplateFormatVersion" : "2010-09-09",

  "Description" : "PostgreSQL RDS Template ",

  "Parameters" : {

    "DBName": {
      "Default": "pgdb",
      "Description" : "The database name",
      "Type": "String",
      "MinLength": "1",
      "MaxLength": "8",
      "AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*",
      "ConstraintDescription" : "must begin with a letter and contain only alphanumeric characters."
    },

    "DBUsername": {
      "Default": "root",
      "NoEcho": "true",
      "Description" : "The database admin account username",
      "Type": "String",
      "MinLength": "1",
      "MaxLength": "16",
      "AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*",
      "ConstraintDescription" : "must begin with a letter and contain only alphanumeric characters."
    },

    "DBPassword": {
      "Default": "root1234",
      "NoEcho": "true",
      "Description" : "The database admin account password",
      "Type": "String",
      "MinLength": "8"
    },

    "DBClass" : {
      "Default" : "db.t2.micro",
      "Description" : "Database instance class",
      "Type" : "String",
      "AllowedValues" : [ "db.t2.micro", "db.m1.small", "db.m1.large", "db.m1.xlarge", "db.m2.xlarge" ],
      "ConstraintDescription" : "must select a valid database instance type."
    },

    "DBAllocatedStorage" : {
      "Default": "5",
      "Description" : "The size of the database (Gb)",
      "Type": "Number",
      "MinValue": "5",
      "MaxValue": "6144",
      "ConstraintDescription" : "must be between 5+"
    }

  },

  "Mappings" : {
    "VPC" : {
      "single-vpc-pub-priv" : { "Id" : "vpc-1234" }
    },
    "Subnets" : {
      "private-subnet" : {
        "PrivateSubnet2b" : "subnet-b1234",
        "PrivateSubnet2c" : "subnet-c1234"
      },
      "public-subnet" : {
        "PublicSubnet2b" : "subnet-b123456",
        "PublicSubnet2c" : "subnet-c123456"
      }
    }
  },

  "Resources" : {

    "myDBEC2SecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties" : {
        "GroupDescription" : "Frontend Access",
        "VpcId"            : { "Fn::FindInMap" : [ "VPC", "single-vpc-pub-priv", "Id" ] },
        "SecurityGroupIngress" : [{
          "IpProtocol" : "tcp",
          "FromPort"   : 5432,
          "ToPort"     : 5432,
          "CidrIp"     : "10.0.0.0/16"
        }]
      }
    },

    "myDBParamGroup": {
        "Type": "AWS::RDS::DBParameterGroup",
        "Properties": {
            "Description": "Database Parameter Group + pg_stat_statements",
            "Family": "postgres9.4",
             "Parameters": {
                "shared_preload_libraries": "pg_stat_statements"
            }
        }
    },

    "myDBSubnetGroup" : {
      "Type" : "AWS::RDS::DBSubnetGroup",
      "Properties" : {
         "DBSubnetGroupDescription" : "DB Private Subnet",
         "SubnetIds" : [
          { "Fn::FindInMap" : [ "Subnets", "private-subnet", "PrivateSubnet2b" ] },
          { "Fn::FindInMap" : [ "Subnets", "private-subnet", "PrivateSubnet2c" ] }
         ]
      }
    },

    "pgDB" : {
      "Type" : "AWS::RDS::DBInstance",
      "Properties" : {
        "DBName" : { "Ref" : "DBName" },
        "AllocatedStorage" : { "Ref" : "DBAllocatedStorage" },
        "DBInstanceClass" : { "Ref" : "DBClass" },
        "Engine" : "postgres",
        "MasterUsername" : { "Ref" : "DBUsername" } ,
        "MasterUserPassword" : { "Ref" : "DBPassword" },
        "DBSubnetGroupName" : { "Ref" : "myDBSubnetGroup" },
        "DBParameterGroupName" : {"Ref" : "myDBParamGroup" },
        "VPCSecurityGroups" : [ { "Fn::GetAtt" : [ "myDBEC2SecurityGroup", "GroupId" ] } ]
      }
    }
  },

  "Outputs" : {
    "JDBCConnectionString": {
      "Description" : "JDBC connection string for database",
      "Value" : { "Fn::Join": [ "", [ "jdbc:postgresql://",
                                      { "Fn::GetAtt": [ "pgDB", "Endpoint.Address" ] },
                                      ":",
                                      { "Fn::GetAtt": [ "pgDB", "Endpoint.Port" ] },
                                      "/",
                                      { "Ref": "DBName" }]]}
    }
  }
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

{

"AWSTemplateFormatVersion" : "2010-09-09",

"Description" : "PostgreSQL RDS Template ",

"Parameters" : {

"DBName": {

"Default": "pgdb",

"Description" : "The database name",

"Type": "String",

"MinLength": "1",

"MaxLength": "8",

"AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*",

"ConstraintDescription" : "must begin with a letter and contain only alphanumeric characters."

"DBUsername": {

"Default": "root",

"NoEcho": "true",

"Description" : "The database admin account username",

"Type": "String",

"MinLength": "1",

"MaxLength": "16",

"AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*",

"ConstraintDescription" : "must begin with a letter and contain only alphanumeric characters."

"DBPassword": {

"Default": "root1234",

"NoEcho": "true",

"Description" : "The database admin account password",

"Type": "String",

"MinLength": "8"

"DBClass" : {

"Default" : "db.t2.micro",

"Description" : "Database instance class",

"Type" : "String",

"AllowedValues" : [ "db.t2.micro", "db.m1.small", "db.m1.large", "db.m1.xlarge", "db.m2.xlarge" ],

"ConstraintDescription" : "must select a valid database instance type."

"DBAllocatedStorage" : {

"Default": "5",

"Description" : "The size of the database (Gb)",

"Type": "Number",

"MinValue": "5",

"MaxValue": "6144",

"ConstraintDescription" : "must be between 5+"

}

"Mappings" : {

"VPC" : {

"single-vpc-pub-priv" : { "Id" : "vpc-1234" }

"Subnets" : {

"private-subnet" : {

"PrivateSubnet2b" : "subnet-b1234",

"PrivateSubnet2c" : "subnet-c1234"

"public-subnet" : {

"PublicSubnet2b" : "subnet-b123456",

"PublicSubnet2c" : "subnet-c123456"

}

"Resources" : {

"myDBEC2SecurityGroup": {

"Type": "AWS::EC2::SecurityGroup",

"Properties" : {

"GroupDescription" : "Frontend Access",

"VpcId" : { "Fn::FindInMap" : [ "VPC", "single-vpc-pub-priv", "Id" ] },

"SecurityGroupIngress" : [{

"IpProtocol" : "tcp",

"FromPort" : 5432,

"ToPort" : 5432,

"CidrIp" : "10.0.0.0/16"

}]

}

"myDBParamGroup": {

"Type": "AWS::RDS::DBParameterGroup",

"Properties": {

"Description": "Database Parameter Group + pg_stat_statements",

"Family": "postgres9.4",

"Parameters": {

"shared_preload_libraries": "pg_stat_statements"

}

"myDBSubnetGroup" : {

"Type" : "AWS::RDS::DBSubnetGroup",

"Properties" : {

"DBSubnetGroupDescription" : "DB Private Subnet",

"SubnetIds" : [

{ "Fn::FindInMap" : [ "Subnets", "private-subnet", "PrivateSubnet2b" ] },

{ "Fn::FindInMap" : [ "Subnets", "private-subnet", "PrivateSubnet2c" ] }

]

}

"pgDB" : {

"Type" : "AWS::RDS::DBInstance",

"Properties" : {

"DBName" : { "Ref" : "DBName" },

"AllocatedStorage" : { "Ref" : "DBAllocatedStorage" },

"DBInstanceClass" : { "Ref" : "DBClass" },

"Engine" : "postgres",

"MasterUsername" : { "Ref" : "DBUsername" } ,

"MasterUserPassword" : { "Ref" : "DBPassword" },

"DBSubnetGroupName" : { "Ref" : "myDBSubnetGroup" },

"DBParameterGroupName" : {"Ref" : "myDBParamGroup" },

"VPCSecurityGroups" : [ { "Fn::GetAtt" : [ "myDBEC2SecurityGroup", "GroupId" ] } ]

}

"Outputs" : {

"JDBCConnectionString": {

"Description" : "JDBC connection string for database",

"Value" : { "Fn::Join": [ "", [ "jdbc:postgresql://",

{ "Fn::GetAtt": [ "pgDB", "Endpoint.Address" ] },

":",

{ "Fn::GetAtt": [ "pgDB", "Endpoint.Port" ] },

"/",

{ "Ref": "DBName" }]]}

}

Lets validate the template to make sure our json is well formed.

aws cloudformation validate-template --template-body file://pg_rds3.json 
{
    "Description": "PostgreSQL RDS Template ", 
    "Parameters": [
        {
            "DefaultValue": "root1234", 
            "NoEcho": true, 
            "Description": "The database admin account password", 
            "ParameterKey": "DBPassword"
        }, 
        {
            "DefaultValue": "root", 
            "NoEcho": true, 
            "Description": "The database admin account username", 
            "ParameterKey": "DBUsername"
        }, 
        {
            "DefaultValue": "db.t2.micro", 
            "NoEcho": false, 
            "Description": "Database instance class", 
            "ParameterKey": "DBClass"
        }, 
        {
            "DefaultValue": "pgdb", 
            "NoEcho": false, 
            "Description": "The database name", 
            "ParameterKey": "DBName"
        }, 
        {
            "DefaultValue": "5", 
            "NoEcho": false, 
            "Description": "The size of the database (Gb)", 
            "ParameterKey": "DBAllocatedStorage"
        }
    ]
}

aws cloudformation validate-template --template-body file://pg_rds3.json

{

"Description": "PostgreSQL RDS Template ",

"Parameters": [

{

"DefaultValue": "root1234",

"NoEcho": true,

"Description": "The database admin account password",

"ParameterKey": "DBPassword"

{

"DefaultValue": "root",

"NoEcho": true,

"Description": "The database admin account username",

"ParameterKey": "DBUsername"

{

"DefaultValue": "db.t2.micro",

"NoEcho": false,

"Description": "Database instance class",

"ParameterKey": "DBClass"

{

"DefaultValue": "pgdb",

"NoEcho": false,

"Description": "The database name",

"ParameterKey": "DBName"

{

"DefaultValue": "5",

"NoEcho": false,

"Description": "The size of the database (Gb)",

"ParameterKey": "DBAllocatedStorage"

}

]

}

In this test I’ll use the aws cli to run the cloudformation template but the CloudFormation Management console is another option.

aws cloudformation create-stack --stack-name pg-rds-simple --template-body file://pg_rds.json

1	aws cloudformation create-stack --stack-name pg-rds-simple --template-body file://pg_rds.json

We can see how its going by describing the stack events.

aws cloudformation describe-stack-events --stack-name pg-rds-simple | egrep "ResourceStatus|ResourceType" 
            "ResourceStatus": "CREATE_COMPLETE", 
            "ResourceType": "AWS::CloudFormation::Stack", 
            "ResourceStatus": "CREATE_COMPLETE", 
            "ResourceType": "AWS::RDS::DBInstance", 
            "ResourceStatus": "CREATE_IN_PROGRESS", 
            "ResourceType": "AWS::RDS::DBInstance", 
            "ResourceStatusReason": "Resource creation Initiated", 
            "ResourceStatus": "CREATE_IN_PROGRESS", 
            "ResourceType": "AWS::RDS::DBInstance", 
            "ResourceStatus": "CREATE_COMPLETE", 
            "ResourceType": "AWS::EC2::SecurityGroup", 
            "ResourceStatus": "CREATE_IN_PROGRESS", 
            "ResourceType": "AWS::EC2::SecurityGroup", 
            "ResourceStatusReason": "Resource creation Initiated", 
            "ResourceStatus": "CREATE_COMPLETE", 
            "ResourceType": "AWS::RDS::DBParameterGroup", 
            "ResourceStatus": "CREATE_COMPLETE", 
            "ResourceType": "AWS::RDS::DBSubnetGroup", 
            "ResourceStatus": "CREATE_IN_PROGRESS", 
            "ResourceType": "AWS::RDS::DBSubnetGroup", 
            "ResourceStatusReason": "Resource creation Initiated", 
            "ResourceStatus": "CREATE_IN_PROGRESS", 
            "ResourceType": "AWS::RDS::DBParameterGroup", 
            "ResourceStatusReason": "Resource creation Initiated", 
            "ResourceStatus": "CREATE_IN_PROGRESS", 
            "ResourceType": "AWS::RDS::DBSubnetGroup", 
            "ResourceStatus": "CREATE_IN_PROGRESS", 
            "ResourceType": "AWS::RDS::DBParameterGroup", 
            "ResourceStatus": "CREATE_IN_PROGRESS", 
            "ResourceType": "AWS::EC2::SecurityGroup", 
            "ResourceStatus": "CREATE_IN_PROGRESS", 
            "ResourceType": "AWS::CloudFormation::Stack", 
            "ResourceStatusReason": "User Initiated",

aws cloudformation describe-stack-events --stack-name pg-rds-simple | egrep "ResourceStatus|ResourceType"

"ResourceStatus": "CREATE_COMPLETE",

"ResourceType": "AWS::CloudFormation::Stack",

"ResourceStatus": "CREATE_COMPLETE",

"ResourceType": "AWS::RDS::DBInstance",

"ResourceStatus": "CREATE_IN_PROGRESS",

"ResourceType": "AWS::RDS::DBInstance",

"ResourceStatusReason": "Resource creation Initiated",

"ResourceStatus": "CREATE_IN_PROGRESS",

"ResourceType": "AWS::RDS::DBInstance",

"ResourceStatus": "CREATE_COMPLETE",

"ResourceType": "AWS::EC2::SecurityGroup",

"ResourceStatus": "CREATE_IN_PROGRESS",

"ResourceType": "AWS::EC2::SecurityGroup",

"ResourceStatusReason": "Resource creation Initiated",

"ResourceStatus": "CREATE_COMPLETE",

"ResourceType": "AWS::RDS::DBParameterGroup",

"ResourceStatus": "CREATE_COMPLETE",

"ResourceType": "AWS::RDS::DBSubnetGroup",

"ResourceStatus": "CREATE_IN_PROGRESS",

"ResourceType": "AWS::RDS::DBSubnetGroup",

"ResourceStatusReason": "Resource creation Initiated",

"ResourceStatus": "CREATE_IN_PROGRESS",

"ResourceType": "AWS::RDS::DBParameterGroup",

"ResourceStatusReason": "Resource creation Initiated",

"ResourceStatus": "CREATE_IN_PROGRESS",

"ResourceType": "AWS::RDS::DBSubnetGroup",

"ResourceStatus": "CREATE_IN_PROGRESS",

"ResourceType": "AWS::RDS::DBParameterGroup",

"ResourceStatus": "CREATE_IN_PROGRESS",

"ResourceType": "AWS::EC2::SecurityGroup",

"ResourceStatus": "CREATE_IN_PROGRESS",

"ResourceType": "AWS::CloudFormation::Stack",

"ResourceStatusReason": "User Initiated",

After about 10 minutes we should have our database created. As this database lives in our private subnet and is not open to the world we need to test connectivity by going to a server in our public subnet and running our psql command from there.

psql -h blah.blah.us-west-2.rds.amazonaws.com -d pgdb -U root
Password for user root: 
SSL connection (cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256)
Type "help" for help.

pgdb=> \l
                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges   
-----------+----------+----------+-------------+-------------+-----------------------
 pgdb      | root     | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 postgres  | root     | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 rdsadmin  | rdsadmin | UTF8     | en_US.UTF-8 | en_US.UTF-8 | rdsadmin=CTc/rdsadmin
 template0 | rdsadmin | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/rdsadmin          +
           |          |          |             |             | rdsadmin=CTc/rdsadmin
 template1 | root     | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/root              +
           |          |          |             |             | root=CTc/root
(5 rows)

psql -h blah.blah.us-west-2.rds.amazonaws.com -d pgdb -U root

Password for user root:

SSL connection (cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256)

Type "help" for help.

pgdb=> \l

List of databases

-----------+----------+----------+-------------+-------------+-----------------------

(5 rows)

So thats pretty much it for our simple cloudformation RDS test. There are a lot more options and parameters out there and this all can be done on the AWS free tier.