
⭐️ improve rds resource #4527

Merged 6 commits on Aug 12, 2024

Conversation

chris-rock
Member

@chris-rock chris-rock commented Aug 11, 2024

after #4526

The AWS RDS aws.rds.instances resource is handy to quickly see the RDS instances, their engines and engine version:

aws.rds.instances: [
  0: aws.rds.dbinstance id="database-1" region="us-east-1" engine="postgres" engineVersion="16.4"
  1: aws.rds.dbinstance id="database-2" region="us-east-1" engine="sqlserver-ex" engineVersion="15.00.4382.1.v1"
  2: aws.rds.dbinstance id="database-2-instance-1" region="us-east-1" engine="aurora-postgresql" engineVersion="15.4"
  3: aws.rds.dbinstance id="database-3" region="us-east-1" engine="postgres" engineVersion="11.22-rds.20240418"
  4: aws.rds.dbinstance id="docdb-2024-08-11-08-16-54" region="us-east-1" engine="docdb" engineVersion="5.0.0"
]

With this PR we extend the existing resource to become even more useful to verify that your RDS databases are configured correctly.

Certificate configuration

To ensure you have enabled certificate authentication, you can now check if a certificateAuthority was attached:

aws.rds.instances.all(certificateAuthority != empty)

Check if RDS databases are using IAM authentication

MQL now exposes a new field iamDatabaseAuthentication. This is handy when you want to verify that all database instances need to use IAM authentication:

aws.rds.instances.all(iamDatabaseAuthentication)

Expose activity stream mode

The newly exposed activityStreamStatus field allows us to quickly verify that all Aurora instances have an active activity stream:

aws.rds.instances.all(activityStreamStatus == "started")

expose status for cluster and instance

The new status field allows you to quickly verify if all instances are available:

cnspec> aws.rds.instances { id status }
aws.rds.instances: [
  0: {
    status: "available"
    id: "database-1"
  }
  1: {
    status: "available"
    id: "database-2"
  }
  2: {
    status: "available"
    id: "database-2-instance-1"
  }
  3: {
    status: "available"
    id: "database-3"
  }
  4: {
    status: "available"
    id: "docdb-2024-08-11-08-16-54"
  }
]

To check that all are available, just use:

cnspec> aws.rds.instances.all(status == "available")
[ok] value: true

Pending maintenance actions

It is often important to know that all databases are properly maintained. While AWS abstracts a lot of maintenance into the RDS service, the engine may need an upgrade that leads to downtime of the database. You can easily verify that no maintenance actions are open:

// global for all rds instances
aws.rds.allPendingMaintenanceActions == empty

You can also see individual maintenance actions for individual instances:

cnspec> aws.rds.instances { id pendingMaintenanceActions }
aws.rds.instances: [
  0: {
    pendingMaintenanceActions: []
    id: "database-1"
  }
  1: {
    pendingMaintenanceActions: []
    id: "database-2"
  }
  2: {
    pendingMaintenanceActions: []
    id: "database-2-instance-1"
  }
  3: {
    pendingMaintenanceActions: []
    id: "database-3"
  }
  4: {
    pendingMaintenanceActions: []
    id: "docdb-2024-08-11-08-16-54"
  }
]

expose AWS RDS instance monitoring interval

With the enhancedMonitoringResourceArn and monitoringInterval fields, you can verify that all databases have enhanced monitoring enabled and a monitoring interval set:

cnspec> aws.rds.instances.all(enhancedMonitoringResourceArn != empty && monitoringInterval > 0)
[failed] [].all()
  actual:   [
    0: aws.rds.dbinstance engineVersion="15.00.4382.1.v1" region="us-east-1" engine="sqlserver-ex" id="database-2" {
      monitoringInterval: 0
      enhancedMonitoringResourceArn: null
    }
    1: aws.rds.dbinstance engineVersion="11.22-rds.20240418" region="us-east-1" engine="postgres" id="database-3" {
      monitoringInterval: 0
      enhancedMonitoringResourceArn: null
    }
    2: aws.rds.dbinstance engineVersion="5.0.0" region="us-east-1" engine="docdb" id="docdb-2024-08-11-08-16-54" {
      monitoringInterval: 0
      enhancedMonitoringResourceArn: null
    }
  ]

expose AWS RDS network type

To see which network types the databases use, we added a new networkType field to the instances and clusters:

cnspec> aws.rds.instances { id engine networkType }
aws.rds.instances: [
  0: {
    networkType: "IPV4"
    engine: "postgres"
    id: "database-1"
  }
  1: {
    networkType: "IPV4"
    engine: "sqlserver-ex"
    id: "database-2"
  }
  2: {
    networkType: "IPV4"
    engine: "aurora-postgresql"
    id: "database-2-instance-1"
  }
  3: {
    networkType: "IPV4"
    engine: "postgres"
    id: "database-3"
  }
  4: {
    networkType: "IPV4"
    engine: "docdb"
    id: "docdb-2024-08-11-08-16-54"
  }
]
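The checks in the PR description, restated as one runnable Go program. This is an added example, not code from the cnquery project or from this PR: `DBInstance` is a constructed struct that mirrors the field names the PR exposes on `aws.rds.dbinstance`, `Evaluate` plays the role of `aws.rds.instances.all(...)` by returning the instances that fail each predicate (the list cnspec prints as "actual" on a failed `all()`), and `AllPendingMaintenanceActions` stands in for `aws.rds.allPendingMaintenanceActions`. The sample fleet reuses the instance IDs, engines and monitoring values from the PR output; the certificate, IAM, activity stream and maintenance values are invented. One deliberate difference from the MQL in the PR: the activity stream check here is only applied to Aurora engines, since database activity streams are an Aurora feature and a fleet-wide `all(activityStreamStatus == "started")` would also flag engines that cannot have one.

```go
package main

import (
	"fmt"
	"strings"
)

// DBInstance is a constructed stand-in for the fields this PR exposes on
// aws.rds.dbinstance; it is not the cnquery resource type.
type DBInstance struct {
	ID, Engine, EngineVersion, Status string
	CertificateAuthority              string
	IAMDatabaseAuthentication         bool
	ActivityStreamStatus              string
	EnhancedMonitoringResourceArn     string
	MonitoringInterval                int
	NetworkType                       string
	PendingMaintenanceActions         []string
}

// Check is one predicate every instance must satisfy, the counterpart of an
// MQL `aws.rds.instances.all(...)` expression.
type Check struct {
	Name string
	Pass func(DBInstance) bool
}

// Checks restates the MQL queries from the PR description as Go predicates.
var Checks = []Check{
	{"certificate-authority-attached", func(i DBInstance) bool { return i.CertificateAuthority != "" }},
	{"iam-database-authentication", func(i DBInstance) bool { return i.IAMDatabaseAuthentication }},
	// Database activity streams are an Aurora feature, so only Aurora engines are held to it.
	{"activity-stream-started", func(i DBInstance) bool {
		return !strings.HasPrefix(i.Engine, "aurora") || i.ActivityStreamStatus == "started"
	}},
	{"status-available", func(i DBInstance) bool { return i.Status == "available" }},
	{"no-pending-maintenance", func(i DBInstance) bool { return len(i.PendingMaintenanceActions) == 0 }},
	{"enhanced-monitoring-enabled", func(i DBInstance) bool {
		return i.EnhancedMonitoringResourceArn != "" && i.MonitoringInterval > 0
	}},
}

// Evaluate runs every check over the fleet and returns, per check name, the IDs of
// the instances that fail it. An empty slice means the check holds for every
// instance, which is exactly when MQL's all() reports true.
func Evaluate(instances []DBInstance, checks []Check) map[string][]string {
	failures := make(map[string][]string, len(checks))
	for _, c := range checks {
		failures[c.Name] = []string{}
		for _, inst := range instances {
			if !c.Pass(inst) {
				failures[c.Name] = append(failures[c.Name], inst.ID)
			}
		}
	}
	return failures
}

// AllPendingMaintenanceActions flattens the per-instance lists into one fleet-wide
// view, the counterpart of aws.rds.allPendingMaintenanceActions ("<id>: <action>").
func AllPendingMaintenanceActions(instances []DBInstance) []string {
	out := []string{}
	for _, inst := range instances {
		for _, a := range inst.PendingMaintenanceActions {
			out = append(out, inst.ID+": "+a)
		}
	}
	return out
}

// SampleFleet is constructed from the instance list in the PR description. The
// monitoring values follow the PR's failed all() output; certificate, IAM,
// activity stream and maintenance values are invented to exercise the checks.
func SampleFleet() []DBInstance {
	arn := "arn:aws:logs:us-east-1:123456789012:log-group:RDSOSMetrics:log-stream:db-EXAMPLE" // placeholder ARN
	ca := "rds-ca-rsa2048-g1"
	return []DBInstance{
		{ID: "database-1", Engine: "postgres", EngineVersion: "16.4", Status: "available", CertificateAuthority: ca,
			IAMDatabaseAuthentication: true, EnhancedMonitoringResourceArn: arn, MonitoringInterval: 60, NetworkType: "IPV4"},
		{ID: "database-2", Engine: "sqlserver-ex", EngineVersion: "15.00.4382.1.v1", Status: "available",
			CertificateAuthority: ca, NetworkType: "IPV4"}, // no IAM auth, no enhanced monitoring
		{ID: "database-2-instance-1", Engine: "aurora-postgresql", EngineVersion: "15.4", Status: "available",
			CertificateAuthority: ca, IAMDatabaseAuthentication: true, ActivityStreamStatus: "started",
			EnhancedMonitoringResourceArn: arn, MonitoringInterval: 30, NetworkType: "IPV4"},
		{ID: "database-3", Engine: "postgres", EngineVersion: "11.22-rds.20240418", Status: "available",
			CertificateAuthority: ca, NetworkType: "IPV4", PendingMaintenanceActions: []string{"system-update"}},
		{ID: "docdb-2024-08-11-08-16-54", Engine: "docdb", EngineVersion: "5.0.0", Status: "available",
			CertificateAuthority: ca, IAMDatabaseAuthentication: true, NetworkType: "IPV4"},
	}
}

func main() {
	fleet := SampleFleet()
	results := Evaluate(fleet, Checks)
	for _, c := range Checks { // report in declaration order, cnspec-style
		if ids := results[c.Name]; len(ids) == 0 {
			fmt.Printf("[ok]     %s\n", c.Name)
		} else {
			fmt.Printf("[failed] %s: %s\n", c.Name, strings.Join(ids, ", "))
		}
	}
	fmt.Println("pending maintenance:", AllPendingMaintenanceActions(fleet))
}
```

Running it reports the same three instances the PR's `all(enhancedMonitoringResourceArn != empty && monitoringInterval > 0)` query flags, plus the invented IAM and maintenance findings, while the certificate, status and activity stream checks pass for the whole fleet.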

@chris-rock chris-rock force-pushed the chris-rock/improve-rds-resource branch from 7b34d5e to 0a3e73d Compare August 11, 2024 10:54
Contributor

github-actions bot commented Aug 11, 2024

Test Results

3 097 tests  ±0   3 096 ✅ ±0   1m 22s ⏱️ -6s
  370 suites ±0       1 💤 ±0 
   28 files   ±0       0 ❌ ±0 

Results for commit 4145873. ± Comparison against base commit 0b3b6c9.

♻️ This comment has been updated with latest results.

@chris-rock chris-rock force-pushed the chris-rock/improve-rds-resource branch from 4ac4b47 to 526fc9e Compare August 11, 2024 11:01
Contributor

@preslavgerchev preslavgerchev left a comment


some small renaming suggestions

3 review comments on providers/aws/resources/aws_rds.go (outdated, resolved)
chris-rock and others added 5 commits August 12, 2024 10:37
- expose certificate configuration
- expose activity stream mode and status for cluster and instance
Co-authored-by: Preslav Gerchev <preslav@mondoo.com>
@chris-rock chris-rock force-pushed the chris-rock/improve-rds-resource branch from f779859 to 667ade4 Compare August 12, 2024 09:01


@chris-rock chris-rock force-pushed the chris-rock/improve-rds-resource branch from 667ade4 to 4145873 Compare August 12, 2024 09:06
@chris-rock chris-rock merged commit bc8a5ac into main Aug 12, 2024
15 checks passed
@chris-rock chris-rock deleted the chris-rock/improve-rds-resource branch August 12, 2024 09:18
@github-actions github-actions bot locked and limited conversation to collaborators Aug 12, 2024