Reputation: 43
Trying to deploy the Terraform aws_db_instance_automated_backups_replication resource to enable replication of RDS backups from one region to another. Had this working in AWS commercial, but the same deployment in AWS GovCloud fails.
AWS resource definition in TF is:
resource "aws_db_instance_automated_backups_replication" "db_backup_replication" {
  provider               = aws.recovery_region
  source_db_instance_arn = aws_db_instance.db.arn
  kms_key_id             = data.aws_kms_key.rds_recovery_kms_key.arn
  retention_period       = local.retention_days
}
...but error in Terraform output is:
│ Error: starting RDS Instance Automated Backups Replication (arn:<partition>:rds:<primary-region>:<aws-accountID>:db:<rds-instance-name>):
operation error RDS: StartDBInstanceAutomatedBackupsReplication,
https response error StatusCode: 400,
RequestID: *******-****-****-****-************,
api error InvalidParameterValue: Encrypted instances require a valid presigned URL.
TF doc lists an optional argument to the resource:
pre_signed_url - (Optional, Forces new resource) A URL that contains a Signature Version 4 signed request for the StartDBInstanceAutomatedBackupsReplication action to be called in the AWS Region of the source DB instance.
...and the AWS API doc (https://docs.aws.amazon.com/cli/latest/reference/rds/start-db-instance-automated-backups-replication.html) has a bit more detail:
In an Amazon Web Services GovCloud (US) Region, an URL that contains a Signature Version 4 signed request for the StartDBInstanceAutomatedBackupsReplication operation to call in the Amazon Web Services Region of the source DB instance. The presigned URL must be a valid request for the StartDBInstanceAutomatedBackupsReplication API operation that can run in the Amazon Web Services Region that contains the source DB instance.
This setting applies only to Amazon Web Services GovCloud (US) Regions. It's ignored in other Amazon Web Services Regions.
To learn how to generate a Signature Version 4 signed request, see Authenticating Requests: Using Query Parameters (Amazon Web Services Signature Version 4) and Signature Version 4 Signing Process.
But their linked docs only detail generating such pre-signed URLs for S3. I can't even find that error ("Encrypted instances require a valid presigned URL") on Google.
Any ideas?
Upvotes: 1
Views: 59
Reputation: 43
Thanks for the input @vht981230. Seems the AWS CLI call (start-db-instance-automated-backups-replication) has similar inputs, but with this useful note:
Note: If you are using an Amazon Web Services SDK tool or the CLI, you can specify SourceRegion (or --source-region for the CLI) instead of specifying PreSignedUrl manually. Specifying SourceRegion autogenerates a presigned URL that is a valid request for the operation that can run in the source Amazon Web Services Region.
I ended up taking that approach in my pipeline with an AWSShellScript task after my TF apply. Not ideal taking it out of the TF code...but easier than figuring out the pre-signed-url mechanism.
Upvotes: 0
Reputation: 4946
I think boto3 has a generate_presigned_url method which can be used to generate a pre-signed URL for RDS. Although the documentation only has examples for generating S3 pre-signed URLs, it should also work with the RDS client provided the ClientMethod and Params match the start_db_instance_automated_backups_replication input requirements:
import boto3

# Placeholders from the original answer; replace each with your real value.
profile_name = "profile_name"
source_region = "<source region>"  # region that holds the source DB instance

# The presigned URL must be signed for the source region, so the client is
# created there (region_name is the second argument of session.client()).
session = boto3.Session(profile_name=profile_name)
url = session.client("rds", region_name=source_region).generate_presigned_url(
    ClientMethod="start_db_instance_automated_backups_replication",
    Params={
        "SourceDBInstanceArn": "<source db instance arn>",
        "BackupRetentionPeriod": "<retention period>",  # an integer number of days
        "KmsKeyId": "<kms key id>",
        "SourceRegion": source_region,
    },
    ExpiresIn=3600,
    HttpMethod="<http method>",
)
print(url)
Upvotes: 0
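The query-parameter SigV4 signing that the linked AWS docs show for S3 is the same mechanism this call needs; as an added example (not code from the question, the answer, or boto3), here is a stand-alone signer that builds a presigned GET for StartDBInstanceAutomatedBackupsReplication against the source region's RDS endpoint, plus a check that recomputes the signature from the URL's own parameters so a tampered parameter or wrong key is rejected. The parameter set (Action, Version, DestinationRegion, SourceDBInstanceArn, KmsKeyId, BackupRetentionPeriod), the rds.<region>.amazonaws.com host pattern and the sample credentials are assumptions, not taken from the page.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qsl, quote, urlsplit


def _canonical_qs(params: dict) -> str:
    # SigV4 canonical query string: RFC 3986 encoding ('/' and ':' encoded too), sorted by key
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))


def _signature(secret_key: str, canonical_qs: str, host: str, region: str, amz_date: str) -> str:
    # Query-parameter SigV4: method GET, empty payload, only the Host header is signed
    scope = f"{amz_date[:8]}/{region}/rds/aws4_request"
    canonical_request = "\n".join(["GET", "/", canonical_qs, f"host:{host}\n", "host", hashlib.sha256(b"").hexdigest()])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], region, "rds", "aws4_request"):  # derive the per-date/region/service key
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_backup_replication(source_db_arn, kms_key_id, retention_days, source_region, destination_region,
                               access_key, secret_key, amz_date=None, expires=3600):
    # Presigned GET for StartDBInstanceAutomatedBackupsReplication, signed for the *source* region's endpoint
    amz_date = amz_date or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    host = f"rds.{source_region}.amazonaws.com"  # assumed endpoint pattern (holds for GovCloud regions)
    params = {
        "Action": "StartDBInstanceAutomatedBackupsReplication",
        "Version": "2014-10-31",  # RDS query API version
        "SourceDBInstanceArn": source_db_arn,
        "KmsKeyId": kms_key_id,
        "BackupRetentionPeriod": str(retention_days),
        "DestinationRegion": destination_region,  # assumed: region where the replicated backups land
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{source_region}/rds/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    qs = _canonical_qs(params)
    return f"https://{host}/?{qs}&X-Amz-Signature={_signature(secret_key, qs, host, source_region, amz_date)}"


def presigned_url_is_valid(url: str, secret_key: str) -> bool:
    # Recompute the signature from the URL's own parameters, as the source-region endpoint does (expiry not checked)
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    given = params.pop("X-Amz-Signature", "")
    region = params["X-Amz-Credential"].split("/")[2]
    expected = _signature(secret_key, _canonical_qs(params), parts.netloc, region, params["X-Amz-Date"])
    return hmac.compare_digest(given, expected)
```

The returned URL is what the pre_signed_url argument expects; note it is tied to the signing time and the source region, so it must be regenerated on each apply.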