Database Procedures
AWS DocumentDB with MongoDB Engine
Support AWS Services with PostgreSQL Engines
MetaDefender Software Supply Chain natively supports AWS DocumentDB with the MongoDB 5.0 engine and does not require any specific pre-installation steps to work with Amazon MongoDB.
Database Configuration
High Availability with AWS DocumentDB
AWS DocumentDB supports several Multi-AZ deployment options, which can be configured by following this documentation. You can compare the available configuration options in this AWS documentation. When MetaDefender Software Supply Chain is installed on an EC2 instance, we recommend following the instructions provided by AWS for whichever of these approaches you choose. For EKS cluster deployments, OPSWAT provides Terraform code that deploys the database together with the K8S cluster; see EKS Cluster Provisioning.
Database Connection
For general information on how to connect to the RDS in different scenarios, we recommend reading these docs from AWS.
Connect to DocumentDB
The configuration needed to connect MetaDefender Software Supply Chain to MongoDB hosted in a private subnet depends on the type of deployment.
For a Single EC2 deployment, DocumentDB must be made available only from the EC2 instance where MetaDefender Software Supply Chain is running. Configure this in the Connectivity section when creating the RDS instance.

AWS generates the database connection endpoint once the DocumentDB cluster is created; you can find it on the Connectivity & security tab. Once you have the endpoint, set it in customer.env as documented here: Managed Services configuration in AWS.
For an EKS deployment using the Terraform project provided by OPSWAT, DocumentDB is deployed in a private subnet that only allows access from the CIDR of the VPC where the EKS cluster is deployed. If you create the DocumentDB instance from the console instead, follow these steps:
- Indicate whether you want to deploy a single instance or an Elastic cluster.

- Choose not to connect to an EC2 instance. For a multiple-VPC setup, deploy it in a different VPC than EKS. This example uses the same VPC.

- Set up authentication.

Multiple VPC for MetaDefender Core and AWS RDS
When MetaDefender Core is deployed in one VPC (either on a Single EC2 instance or with EKS) and the DocumentDB instance is in a different VPC, you need to configure VPC peering between the two VPCs so that MetaDefender Core can use the database.
Steps to configure it
- Create a Peering Connection between both VPCs
- Modify the route table to route the traffic to the peering for the requests from both VPCs
- Modify the security group to allow connections from both VPCs
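One way to verify the security group step above, and the VPC-CIDR-only access described for the EKS deployment, is to audit the group's ingress rules after the change. This is an added example, not OPSWAT or AWS code; it assumes the default DocumentDB port 27017, and the CIDRs and group ID are constructed placeholders.

```python
import ipaddress
import json

DOCDB_PORT = 27017  # assumption: DocumentDB default port; adjust if changed

def audit_docdb_ingress(sg_json, allowed_cidrs, port=DOCDB_PORT):
    """Return (group_id, cidr, protocol) for each rule that exposes `port`
    to a source outside `allowed_cidrs`.

    sg_json: JSON text from `aws ec2 describe-security-groups`.
    allowed_cidrs: VPC CIDRs expected to reach the database.
    Rules that reference other security groups are not evaluated here.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for group in json.loads(sg_json)["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":  # all protocols, all ports
                covers = True
            elif proto == "tcp":
                covers = perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
            else:
                covers = False
            if not covers:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                src = ipaddress.ip_network(cidr)
                # subnet_of() needs matching IP versions, so check that first
                if not any(src.version == a.version and src.subnet_of(a) for a in allowed):
                    findings.append((group["GroupId"], cidr, proto))
    return findings

# Constructed sample, not taken from a real account
SAMPLE = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "10.1.4.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 27000, "ToPort": 27100,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]}]})

if __name__ == "__main__":
    for gid, cidr, proto in audit_docdb_ingress(SAMPLE, ["10.0.0.0/16", "10.1.0.0/16"]):
        print(f"{gid}: {proto}/{DOCDB_PORT} reachable from {cidr}")
```

Pass the CIDRs of both peered VPCs as `allowed_cidrs`; an empty result means every CIDR-based rule covering the database port stays inside them.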
Database Endpoint Management
AWS generates the database connection endpoint once the DocumentDB cluster is created; you can find it on the Connectivity & security tab. Once you have the endpoint, set the database connection URL as MONGO_URL in the ConfigMap "mdssc-env".
More detailed information from AWS here
Upgrade DocumentDB major version
Currently, Amazon DocumentDB supports three major versions: Amazon DocumentDB 3.6, 4.0, and 5.0. You can perform an in-place major version upgrade (MVU) of your database while keeping the same endpoints, storage, and tags of the clusters and can continue using your applications without any modifications.
Your Amazon DocumentDB clusters will be unavailable during the in-place major version upgrade, and they will go through multiple reboots. Upgrade downtime can vary from cluster to cluster depending on the number of collections, indexes, databases, and instances.
Major version upgrades should only be performed by following this documentation.