
Introduction

I created an RDS SQL Server instance on AWS. I use it for testing, and to minimize costs I needed to ensure that the instance is stopped automatically at the end of the working day. This is also needed because RDS instances are started automatically when their scheduled maintenance is triggered.

In this article I will share the solution I implemented to achieve my goal.
I assume you have already created an RDS instance.

Note that although some parameters in the walkthrough are optional, such as name and description, I recommend setting them to keep your environment clear.

So first log in to your AWS console and let's walk through it.

1- Preparation of your RDS Instance

Open the RDS service console and select your RDS instance
Adding tags to the RDS instance is the first step of the process; they will be used later
Click Add and key in a Tag Key and a Tag Value

2- Create a policy

Now open the IAM service, select the Policies section and create a new policy

Select the RDS service by typing RDS in the search textbox and selecting RDS in the result list

Then choose the action by typing StopDBInstance in the search textbox and selecting it in the result list.

Now type DescribeDBInstance in the search textbox and select it in the result list

Check that both actions, DescribeDBInstances and StopDBInstance, are listed and select All resources in the Resources part. You can also select specific DB instances if you wish.
Then click the Review Policy button

Key in a name for your policy and a description (optional) and click Create Policy

We are done with the security policy creation and can proceed with the next step

3- Create a role

Now we have to create a role that will be granted the policy we just created. The role will be used by Systems Manager to execute the needed task.

Again in the IAM service console, choose the Roles option and create a new role.

Select AWS service in the type of trusted entity and select EC2 in the Use Case list

In Select your use case, choose EC2 again and click on the Next:Permissions button

In the search text box type AmazonSSMMaintenanceWindowRole and select it in the list

Repeat the permission selection, this time selecting the security policy you created (in my case secpol_RDS_StopDBInstance), then click Next:Tags and Next:Review on the following screens

Enter a role name and a description (optional), check the policies and click Create Role

On the Roles screen, notice the message that your role has been created and make sure it appears in the list.
You can also see that the trusted entity for your role is EC2

As we want to use the role in SSM, we have to change the trusted entity accordingly.
To achieve that, click on the role you just created, select the Trust relationships tab and click on Edit trust relationship.

You can see that the service is ec2.amazonaws.com.

Change the service, replacing ec2 with ssm, and click on Update Trust Policy

We are done with the IAM service
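The two documents that steps 2 and 3 produce in the console, written out as an added example that is not part of the original walkthrough: the permissions policy with StopDBInstance limited to one instance instead of All resources, the trust policy for ssm.amazonaws.com, and a small check that flags the broader console defaults. The region, account ID and instance identifier are constructed placeholders, and leaving the read-only DescribeDBInstances action on `*` is a choice of this example.

```python
import json

def build_stop_policy(region, account_id, db_instance_id):
    """Permissions policy from step 2, with StopDBInstance limited to one instance."""
    arn = f"arn:aws:rds:{region}:{account_id}:db:{db_instance_id}"
    return {"Version": "2012-10-17", "Statement": [
        # Read-only lookup, left on all resources (a choice of this example).
        {"Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*"},
        # The state-changing action is limited to the single test instance.
        {"Effect": "Allow", "Action": "rds:StopDBInstance", "Resource": arn},
    ]}

def build_trust_policy(service="ssm.amazonaws.com"):
    """Trust policy from step 3, after replacing ec2 with ssm."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": service},
         "Action": "sts:AssumeRole"},
    ]}

def _as_list(value):
    # IAM allows a single string or a list in Action, Resource and Principal.
    return value if isinstance(value, list) else [value]

def audit_role(permissions, trust):
    """Return findings for a role meant to be assumed only by Systems Manager."""
    findings = []
    for stmt in _as_list(permissions["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "rds:StopDBInstance" in actions and "*" in resources:
            findings.append("rds:StopDBInstance allowed on all resources")
    for stmt in _as_list(trust["Statement"]):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            findings.append(f"role can be assumed by principal {principal}")
            continue
        for svc in _as_list(principal.get("Service", [])):
            if svc != "ssm.amazonaws.com":
                findings.append(f"role can be assumed by {svc}")
    return findings

if __name__ == "__main__":
    # Constructed placeholder values, not taken from the article.
    policy = build_stop_policy("eu-west-1", "111122223333", "my-test-instance")
    print(json.dumps(policy, indent=2))
    print(json.dumps(build_trust_policy(), indent=2))
    print(audit_role(policy, build_trust_policy()))
```
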

4- Create a resource group

Now switch to the Systems Manager service
Click on the Services menu, type Systems Manager in the search textbox and select Systems Manager

Select Resource Groups in the left pane and click on the Create resource group button.

Choose the Tag based option, search for DBInstance and select it as the resource type, then search for the tag set on your RDS instance (in my case tag_RDSInstance) and its value (in my case RDS_awsvdata). Then enter a name and a description and click on Create group.

5- Create maintenance windows

Switch back to the Systems Manager service home screen, select Maintenance Windows in the left pane and click on the Create maintenance window button.

Enter a name and a description

Define the schedule on which your maintenance window must run. Do not forget to specify your time zone, so that your maintenance window does not execute at an unexpected time. Click on the Create maintenance window button.

Check that your maintenance window has been created and appears in the list. Check as well that the next execution time matches the expected schedule.

Select the maintenance window you just created, select the Targets tab and click on the Register target button

In the Register target screen, define a name and a description, and define the target by selecting the Choose a resource group option and selecting the resource group created in point 4. Also select your resource types if you have resources other than DBInstance in your resource group. Click the Register target button.

The next step is to register an Automation task. Select your maintenance window again, choose the Tasks tab and click on Register task, selecting Register Automation task.

Set a name and a description.

Select the Automation document, scrolling in the pages to find and select AWS-StopRDSInstance

Define the target by selecting the registered target group option and the target you created previously. Set the rate control according to your needs and constraints.

Then, importantly, define the IAM service role by selecting the role you created in point 3.

In the input parameters, enter the ID of your RDS database instance.
Finally click the Register Automation task.

6- Test your Maintenance Window

If you can stop your instance whenever you want, adjust your cron settings to a time in the near future.
After the scheduled time, check the history of your maintenance window

Conclusion

There are indeed a few tricks to know in order to set this up, but it is worth doing to avoid cost surprises.
I hope you enjoyed reading


Christophe Cosme

Consultant