IAM and Security Groups for Existing Clusters
Lays out scenarios for using the Migration tools with existing clusters, and configuration changes that may be needed to allow proper communication between them.
For a Domain, there are typically two items that need to be configured to allow proper functioning of this solution:
- The Domain should have a security group that allows communication from the applicable Migration services (Traffic Replayer, Migration Console, Reindex-from-Snapshot). This CDK will automatically create an `osClusterAccessSG` security group, which has already been applied to the Migration services, that a user should then add to their existing Domain to allow this access.
- The access policy on the Domain should be an open access policy that allows all access, or an access policy that at least allows the IAM task roles for the applicable Migration services (Traffic Replayer, Migration Console, Reindex-from-Snapshot).
For a Collection, a network policy and a data access policy need to be configured to allow proper functioning of this solution:
- The Collection should have a network policy with the `VPC` access type, created by adding a VPC endpoint on the VPC used for this solution. This VPC endpoint should be configured for the private subnets of the VPC and attach the `osClusterAccessSG` security group.
- The data access policy should grant permission to perform all index operations (`aoss:*`) for all indexes in the given collection, and use the task roles of the applicable Migration services (Traffic Replayer, Migration Console, Reindex-from-Snapshot) as the principals for this data access policy.
Although this CDK does not set up the Capture Proxy on source cluster nodes (except in the case of the demo solution), the Capture Proxy instances do need to communicate with resources deployed by this CDK (e.g. Kafka), which this section covers.
Before setting up Capture Proxy instances on the source cluster, the IAM policies and Security Groups for the nodes should allow access to the Migration tooling:
- The coordinator nodes should add the `trafficStreamSourceSG` security group to allow sending captured traffic to Kafka.
- The IAM role used by the coordinator nodes should have permissions to publish captured traffic to Kafka. A template policy to use can be seen below.
  - This can be added through the AWS Console (IAM Role -> Add permissions -> Create inline policy -> JSON view).
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "kafka-cluster:Connect",
            "Resource": "arn:aws:kafka:<REGION>:<ACCOUNT-ID>:cluster/migration-msk-cluster-<STAGE>/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kafka-cluster:CreateTopic",
                "kafka-cluster:DescribeTopic",
                "kafka-cluster:WriteData"
            ],
            "Resource": "arn:aws:kafka:<REGION>:<ACCOUNT-ID>:topic/migration-msk-cluster-<STAGE>/*",
            "Effect": "Allow"
        }
    ]
}
```
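The three policies this page asks for (the Domain access policy scoped to the Migration task roles, the Collection data access policy granting `aoss:*` on the collection's indexes, and the Kafka publish policy for the coordinator nodes) are easy to get subtly wrong by hand, typically by leaving a `*` where a scoped ARN belongs. The example below is added here and is not code from the opensearch-migrations project; it renders each policy from its parameters and runs a small audit that flags wildcard resources, anonymous principals and service-wide actions before the document is pasted into the console. The task-role ARNs, domain ARN and collection name it uses are constructed placeholders, not the project's real role names.

```python
"""Render and sanity-check the access policies described on this page.

Added example (not part of opensearch-migrations). All ARNs, role names and the
collection/domain names below are constructed placeholders.
"""
import json
from typing import Any, Dict, Iterable, List


def kafka_producer_policy(region: str, account_id: str, stage: str) -> Dict[str, Any]:
    """Fill the page's template policy for coordinator nodes running the Capture Proxy.

    Connect is scoped to the stage's MSK cluster ARN; topic actions to that cluster's topics.
    """
    cluster_arn = f"arn:aws:kafka:{region}:{account_id}:cluster/migration-msk-cluster-{stage}/*"
    topic_arn = f"arn:aws:kafka:{region}:{account_id}:topic/migration-msk-cluster-{stage}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": "kafka-cluster:Connect", "Resource": cluster_arn, "Effect": "Allow"},
            {
                "Action": [
                    "kafka-cluster:CreateTopic",
                    "kafka-cluster:DescribeTopic",
                    "kafka-cluster:WriteData",
                ],
                "Resource": topic_arn,
                "Effect": "Allow",
            },
        ],
    }


def domain_access_policy(domain_arn: str, task_role_arns: Iterable[str]) -> Dict[str, Any]:
    """Domain access policy limited to the Migration service task roles.

    This is the tighter of the two options the page allows (the other being open access).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": sorted(task_role_arns)},
                "Action": "es:ESHttp*",
                "Resource": f"{domain_arn}/*",
            }
        ],
    }


def collection_data_access_policy(collection_name: str, task_role_arns: Iterable[str]) -> List[Dict[str, Any]]:
    """OpenSearch Serverless data access policy: aoss:* on every index in one collection."""
    return [
        {
            "Rules": [
                {
                    "ResourceType": "index",
                    "Resource": [f"index/{collection_name}/*"],
                    "Permission": ["aoss:*"],
                }
            ],
            "Principal": sorted(task_role_arns),
            "Description": "Migration Assistant task roles (placeholder description)",
        }
    ]


def _as_list(value: Any) -> List[Any]:
    """IAM lets Action/Resource/Principal be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy: Dict[str, Any]) -> List[str]:
    """Audit an IAM-style policy for over-broad Allow statements.

    Flags: Resource "*", anonymous Principal "*", and actions that are service-wide
    ("*" or "<service>:*"). Returns an empty list when nothing is flagged.
    """
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {i}: Resource is '*'")
        principal = stmt.get("Principal")
        if principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        ):
            findings.append(f"statement {i}: Principal is '*' (open access)")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: Action '{action}' is service-wide")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own region, account, stage and roles.
    roles = [
        "arn:aws:iam::123456789012:role/PLACEHOLDER-traffic-replayer-task-role",
        "arn:aws:iam::123456789012:role/PLACEHOLDER-migration-console-task-role",
        "arn:aws:iam::123456789012:role/PLACEHOLDER-rfs-task-role",
    ]
    kafka = kafka_producer_policy("us-east-1", "123456789012", "dev")
    print(json.dumps(kafka, indent=2))
    print("kafka policy findings:", policy_findings(kafka))
    print(json.dumps(domain_access_policy("arn:aws:es:us-east-1:123456789012:domain/placeholder-domain", roles), indent=2))
    print(json.dumps(collection_data_access_policy("placeholder-collection", roles), indent=2))
```

Run it with no arguments to print the three rendered documents; `policy_findings` is meant to be applied to the Domain access policy and the Kafka policy before they are attached, and it reports an empty list for the scoped versions above while flagging an open-access policy.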