diff --git a/aws/projects/adsd-chris/README.md b/aws/projects/adsd-chris/README.md index 17190132..9fbd8fda 100644 --- a/aws/projects/adsd-chris/README.md +++ b/aws/projects/adsd-chris/README.md @@ -1,6 +1,18 @@ # ADSD CHRIS This document lists some basic architecture and requirements of the ADSD CHRIS System +* CHRIS application is a .Net application that runs on windows servers with a MSSQL Server backend database. +* Application interfaces with other systems. Most of the interfaces are through windows shared file systems. +* It is tightly integrated with boc.ad.census.gov domain. It need access to boc.ad.census.gov on-prem file shares. +* Web and Application EC2 servers need to be joined to boc.ad.census.gov domain. +* Web and Application servers need common shared filesystem that can be mounted on both servers. FSx for windows AWS storage service is an ideal choice. + +# RDS MSSQL Server engine: +* CHRIS database need native SQL Server Auditing enabled. We use this feature to comply with security baseline, track user activity and data access. +* CHRIS database need native SQL Server backup and restore functionality. We use native backups to move/migrate CHRIS databases to Cloud-RDS. +* CHRIS application also uses SSIS - SQL Server Integration Services feature to process interface data files. +* The options group (SQLSERVER_AUDIT , SQL_Server_Backup_Restore , SSIS) require tight integration with S3 storage. +* SSIS options group require tight integration with boc.ad.census.gov customer managed domain controller. ## Challenges 
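Review bot: the option name in the "RDS MSSQL Server engine" bullets is inconsistent; the list reads `(SQLSERVER_AUDIT , SQL_Server_Backup_Restore , SSIS)` while the RDS option (and the Option Group settings added in the next hunk) is `SQLSERVER_BACKUP_RESTORE`, so use the RDS spelling here so the two sections can be matched up. Two smaller points in the same lines: "It need access to boc.ad.census.gov on-prem file shares", "CHRIS database need native SQL Server Auditing" and "SSIS options group require" should be "needs"/"requires", and the heading is written as a top-level `# RDS MSSQL Server engine:` with a trailing colon while the rest of the file uses `##` sub-headings (`## Challenges`, `## RDS`); `## RDS MSSQL Server engine` would keep the document's own convention. It would also help the reader to say in the S3 bullet that the "tight integration with S3 storage" is by way of the IAM role each option is given, since that role, not the DB engine, is what ends up with bucket permissions.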
@@ -19,12 +31,91 @@ to any future MSSQL setups. ## RDS * Security Group -* Paraameter Group + * Security groups and Parameter groups are common for all database engines. + * sg-adsd-chris-qa-mssql + * Port 1433 + * Port 445 +* Parameter Group + * census-sqlserver-se-15-0 + * census-sqlserver-se-16-0 * Option Group * list each desired setting name and value + * base-ms-sqlserver-ee-15-00 + * base-ms-sqlserver-se-15-00 + * base-ms-sqlserver-ee-16-00 + * base-ms-sqlserver-se-16-00 + * Settings + * SQLSERVER_AUDIT + * RETENTION_TIME + * 365 + * S3_BUCKET_ARN + * S3 bucket/mssql + * IAM_ROLE_ARN + * IAM Role + * SQLSERVER_BACKUP_RESTORE + * IAM_ROLE_ARN + * IAM Role + * SSIS + * IAM_ROLE_ARN + * IAM Role + * AD Integration + * TDE + * Audit + * SQLSERVER_AUDIT * Backup + * SQLSERVER_BACKUP_RESTORE * Integration with boc.ad.census.gov + * SSIS +## The OG module for the mssql db does the following + 1. creates the OG + 2. if enable_s3_backups set, checks for options_group_bucket_id and options_group_role_arn + 3. if enable_s3_audit set, checks for same as #2 + 4. if none of the things are set in #2, and create_resources is set + 1. create s3 bucket (need to have a lifecycle on it) + 2. with kms key + 3. create iam role + 5. uses same bucket, key, and role for both backups and audit + 6. need to decide on defaults +## Formats + 1. s3: v-s3-{blf}-mssql-{sqlinstance}-{account_id}-{regionshort} + 2. iam: r-{blf}-mssql-{sqlinstance} +## SSO Permission + if the sc-dba needs to read/write the bucket, we would grant assume role access to the iam role +## Process + * is this write access a one time thing? + Not a one time thing. It will be needed until the CHRIS migration is completed. The CHRIS databases are currently on-prem and the backup files will need to be copied to the S3 Bucket so they can be restored to the AWS RDS DB instance. + * is it only from windows servers? 
+ Yes, it will only be from windows servers + * do the windows servers have the aws cli and the ability to use sso and/or the aws sdk and assume roles? + Yes, the windows server I will be using has the aws cli and the ability to use sso. + * is there one bucket per mssql db and an associated role for it? + If you mean one bucket per environment (dev,test,stage,prod) then yes a S3 bucket is needed for each environment which I believe already exists. + would like to use the current S3 bucket "s3://v-s3-adsd-chris-dev-rds-dump-582222802695-uge1/mssql/" and create a new folder called "restore" or "restore fromonprem" for testing. The role which writes backups and audit, that has write access + * what folders are in use for the backups and for the audit? + This has nothing to do with the audit folders only backups and i would like to get a new folder created under the "mssql" folder (s3://v-s3-adsd-chris-de v-rds-dump-582222802695-uge1/mssql/) called "migration", "restore" or "restorefromonprem" and upload the on-prem backup files to that folder. The files will be deleted once the restore is completed. + * Backups + s3://v-s3-adsd-chris-dev-rds-dump-582222802695-uge1/mssql/backup/chris-dev-db1/ + * diff/ + * full/ + * Audits + s3://v-s3-adsd-chris-dev-rds-dump-582222802695-uge1/mssql/chris-dev-db1/ + * ADSD_Audit/ + * Database_Audit/ + * Database_Schema_Object_Change_Audit/ + * DatabaseTables_Audit/ + * Login_Audit/ + * Login_Failed_Audit/ + * RoleMemberChange_Audit/ + * Schema_Object_Access_Audit/ + * would it be a different folder for the migration? + Yes, I would like to get a new folder created called "migration", "restore" or "restorefromonprem" + * once migrated is that write access still needed? + No + * Read will be needed to validate. 
+ * for the backups it is run from within the SQL Server Instance via a schedule job using an AWS RDS provided stored procedure "EXEC msdb.dbo.rds_backup_dat abase" + * the folder(s) get created from the "msdb.dbo.rds_backup_database" stored procedure if they do not exist already. + ## FSx Windows * Integration with boc.ad.census.gov
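Review bot: item 5 of "The OG module for the mssql db does the following" (one bucket, one KMS key and one IAM role shared by backups and audit) combined with the "SSO Permission" line (grant sc-dba assume-role on that same IAM role so they can write the bucket) means a human DBA who is only supposed to upload on-prem backup files would also be able to read, overwrite or delete the SQLSERVER_AUDIT output under `mssql/chris-dev-db1/*_Audit/`, which defeats the point of keeping audit data. The "Process" answers say the write access is needed only for a migration folder under `mssql/` and only until the on-prem restore is completed, so grant sc-dba a separate role scoped to that one prefix (`s3:PutObject`, `s3:GetObject`, `s3:ListBucket` on `.../mssql/<migration folder>/*`, plus the KMS key for that bucket) and remove it when the migration is done, leaving the option-group role as the only principal that writes the audit prefix. Two items in the same hunk are still undecided and should be settled before merge: the migration folder is named three ways ("migration", "restore", "restorefromonprem"), and step 6 "need to decide on defaults" is an open TODO. Minor: the Backups path is `mssql/backup/chris-dev-db1/` but the Audits path is `mssql/chris-dev-db1/` with no `audit/` segment, so either document that asymmetry or align them; and "rds_backup_dat abase" has a stray space in the procedure name (the following line has it correctly as `msdb.dbo.rds_backup_database`).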