diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..ee529f0
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,5 @@
+start:
+ echo This Makefile has no default action. Be specific.
+
+do-full-recovery:
+ docker-compose run --rm do-full-recovery
diff --git a/docker-compose.yml b/docker-compose.yml
index 37c51df..1caa692 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,4 +3,11 @@ services:
 app:
 build: .
 volumes:
- - ./:/usr/src/app
\ No newline at end of file
+ - ./:/usr/src/app
+
+ do-full-recovery:
+ build: recovery/.
+ volumes:
+ - ./:/data
+ working_dir: /data
+ command: ./recovery/do-full-recovery.sh
diff --git a/recovery/Dockerfile b/recovery/Dockerfile
new file mode 100644
index 0000000..cfb3a3d
--- /dev/null
+++ b/recovery/Dockerfile
@@ -0,0 +1,9 @@
+FROM node:10
+
+# Install the AWS CLI
+RUN curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
+RUN unzip awscli-bundle.zip
+RUN ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
+
+# Install the Serverless Framework
+RUN npm install -g serverless
diff --git a/recovery/do-full-recovery.sh b/recovery/do-full-recovery.sh
index 907e44b..41fb1cf 100755
--- a/recovery/do-full-recovery.sh
+++ b/recovery/do-full-recovery.sh
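Review bot: In `docker-compose.yml`, `build: recovery/.` makes the whole `recovery/` directory the build context, and that is the same directory the script fills with downloaded backups (`recovery/TempCopyOfBackups/`) and the cloned `DynamoDbBackUp` tree. Once a recovery has been run, any later rebuild of this image sends that backup data to the Docker daemon as context, even though the Dockerfile copies nothing from it. A `recovery/.dockerignore` listing `TempCopyOfBackups/` and `DynamoDbBackUp/` would keep it out. Separately, the `./:/data` mount is read-write and the image sets no `USER`, so files the script creates will presumably end up root-owned on the host.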
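Review bot: The AWS CLI bundle in `recovery/Dockerfile` is fetched from an unversioned URL, then unpacked and executed during the build with no integrity check, and `curl` is called without `-f`, so an HTTP error body would be saved as the zip. `npm install -g serverless` and `FROM node:10` float as well, so two builds of this image can contain different tooling, and this is the image that later handles access keys for both AWS accounts. Fetching a versioned bundle (AWS publishes versioned bundle names, as far as I know), checking its SHA-256, installing and cleaning up in one `RUN`, and pinning the Serverless version would make the image reproducible and smaller. The values in angle brackets below are placeholders to fill in.

```dockerfile
# … unchanged: FROM node:10 (consider a pinned tag or digest) …

# Install the AWS CLI (versioned bundle, checksum verified, cleaned up in the same layer)
RUN curl -fsSL "https://s3.amazonaws.com/aws-cli/awscli-bundle-<version>.zip" -o awscli-bundle.zip \
 && echo "<sha256-of-that-bundle>  awscli-bundle.zip" | sha256sum -c - \
 && unzip awscli-bundle.zip \
 && ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws \
 && rm -rf awscli-bundle awscli-bundle.zip

# Install the Serverless Framework
RUN npm install -g serverless@<pinned-version>
```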
@@ -24,25 +24,31 @@ echo "[Press Enter to continue] " read unusedVariable2 echo "" -echo "*** WARNING ***" -echo "You should ONLY run this from the root folder of your local copy of the " -echo "Serverless MFA API's files. You are currently in the following folder: " echo "" -pwd +echo "--------------------- Configuring AWS CLI profiles ----------------------" echo "" -echo "Please cancel this if that is not the appropriate folder. " -echo "[Press Enter to continue] " -read unusedVariable3 + +echo "Please enter the AWS Access Key ID/Secret for the source AWS account, " +echo "which we will use to download the backup data from S3." +echo "" +echo "For the default region, use the region where the current Serverless MFA " +echo "API is running (probably us-east-1). The Default output format can be " +echo "left blank." +aws configure --profile restore-s3-backups echo "" +echo "Now please enter the AWS Access Key ID/Secret for the target AWS " +echo "account, which we will use to create the new copy of the Serverless MFA " +echo "API. " echo "" -echo "--------------------- Preparing to download backups ---------------------" +echo "For the default region, use the region where you want to deploy the new " +echo "copy of the Serverless MFA API (such as us-east-1, us-east-2, us-west-1, " +echo "or us-west-2). The Default output format can be left blank." +aws configure echo "" -echo "Which AWS CLI profile should we use to download the backup data from the " -echo "existing Serverless MFA API that you are trying to recover? " -echo "EXAMPLE: sourceAWSaccount-dynamodb-backup-manager-yourname" -read awsProfileForDownloadingBackups +echo "" +echo "--------------------- Preparing to download backups ---------------------" echo "" echo "What is the S3 bucket where those backups are stored? " 
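Review bot: The second `aws configure` writes the target account's keys into the default profile, and this hunk also removes the prompt that made the operator confirm the working folder before continuing. Inside the `--rm` container that is contained, but `recovery/do-full-recovery.sh` is still executable on its own, and run directly on a workstation it would overwrite the operator's existing default credentials and leave both key pairs in `~/.aws/credentials`. A named profile makes both cases behave the same: `aws configure --profile restore-target` followed by `export AWS_PROFILE=restore-target` (the AWS CLI honours that variable; the Serverless Framework should too, which is worth confirming). The prompts could also state that the source key only needs read access to the backup bucket and that both keys should be deactivated once the recovery is finished.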
@@ -54,7 +60,7 @@ aws s3 sync \ --delete \ --acl private \ --sse AES256 \ - --profile "${awsProfileForDownloadingBackups}" \ + --profile "restore-s3-backups" \ "s3://${s3bucketToRestoreFrom}" \ "recovery/TempCopyOfBackups/" @@ -62,7 +68,7 @@ echo "" echo "------------- Installing serverless-mfa-api's dependencies --------------" echo "" -sudo npm i -g npm +npm i -g npm npm ci @@ -97,7 +103,7 @@ echo "" echo "---------------------- Installing backups library -----------------------" echo "" -sudo npm install gulp-cli -g +npm install gulp-cli -g if [ ! -d "./recovery/DynamoDbBackUp" ]; then cd ./recovery @@ -121,6 +127,7 @@ echo "" echo "What name do you want to use for the new S3 Bucket where backups will be " echo "stored? " echo "EXAMPLE: targetAWSaccount.backups.dynamodb.${newServiceName}" +echo "(but replace targetAWSaccount with the name of the target AWS account)" read newS3bucketName echo "" 
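Review bot: `npm i -g npm` and `npm install gulp-cli -g` (the second and third hunks on this line) still fetch whatever is latest on every run, and they now execute, presumably as root in the container, after both sets of AWS keys have been entered earlier in the script. Any install script in those packages or their dependencies therefore runs with the credentials file readable. Since the new Dockerfile already installs `serverless` globally, these installs could move there at fixed versions, e.g. `RUN npm install -g gulp-cli@<pinned-version>`, and be dropped from the script. The npm bundled with node:10 already supports `npm ci` as far as I know, so the self-upgrade may not be needed at all. The `if [ ! -d "./recovery/DynamoDbBackUp" ]` block in the third hunk continues past the visible lines.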
@@ -251,16 +258,23 @@ echo ""
 echo "---------------------- Finished setting up the new ----------------------"
 echo "--------------- Serverless MFA API with data from backups ---------------"
 echo ""
+echo " IMPORTANT! "
+echo ""
 echo "You can now update your systems that need to use this, giving them the "
-echo "new API Gateway URL (visible in the Serverless output a ways above this "
-echo "line, as well as in the AWS CloudFormation 'Service Endpoint' Output for "
-echo "the ${newServiceName}-${stage} stack) as the new value for their "
-echo "apiBaseUrl. (The apiKey and apiSecret will not have changed, since those "
-echo "were in the restored data.) "
-echo ""
-echo "If using this with our IdP-in-a-Box, you will need to update the "
-echo "mfa_totp_apibaseurl and mfa_u2f_apibaseurl Terraform variables for the "
-echo "ID Broker workspace of the applicable IdP."
+echo "new API Gateway URL. To find that... "
+echo ""
+echo "1. Sign in to the target AWS account. "
+echo "2. Go to CloudFormation. "
+echo "3. Find the ${newServiceName}-${stage} stack. "
+echo "4. In its Outputs section, find the 'Service Endpoint' URL. "
+echo "5. ADD A TRAILING SLASH and use that as the new value for the apiBaseUrl "
+echo " of any IdP that should use this new copy of the Serverless MFA API. "
+echo " (The apiKey and apiSecret will not have changed, since those were in "
+echo " the restored data.) "
+echo ""
+echo " If using this with our IdP-in-a-Box, you will do so by updating the "
+echo " mfa_totp_apibaseurl and mfa_u2f_apibaseurl Terraform variables for "
+echo " the ID Broker workspace of the applicable IdP."
 echo ""
 echo "========================================================================="
 echo ""