API Reference



A process to create sanitized snapshots of an RDS instance or cluster, optionally on a schedule.

The process is handled by a step function.

  1. Snapshot the source database
  2. Optionally re-encrypt the snapshot with a different key in case you want to share it with an account that doesn't have access to the original key
  3. Create a temporary database
  4. Run a Fargate task to connect to the temporary database and execute an arbitrary SQL script to sanitize it
  5. Snapshot the sanitized database
  6. Clean up temporary snapshots and databases


import { RdsSanitizedSnapshotter } from '@cloudsnorkel/cdk-rds-sanitized-snapshots'

new RdsSanitizedSnapshotter(scope: Construct, id: string, props: IRdsSanitizedSnapshotter)

| Name | Type | Description |
| --- | --- | --- |
| scope | constructs.Construct | No description. |
| id | string | No description. |
| props | IRdsSanitizedSnapshotter | No description. |

scope
  • Type: constructs.Construct

id
  • Type: string

props
  • Type: IRdsSanitizedSnapshotter


| Name | Description |
| --- | --- |
| toString | Returns a string representation of this construct. |

public toString(): string

Returns a string representation of this construct.

Static Functions

| Name | Description |
| --- | --- |
| isConstruct | Checks if x is a construct. |

import { RdsSanitizedSnapshotter } from '@cloudsnorkel/cdk-rds-sanitized-snapshots'

RdsSanitizedSnapshotter.isConstruct(x: any)

Checks if x is a construct.

x
  • Type: any

Any object.


| Name | Type | Description |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| props | IRdsSanitizedSnapshotter | No description. |
| snapshotter | aws-cdk-lib.aws_stepfunctions.StateMachine | Step function in charge of the entire process including snapshotting, sanitizing, and cleanup. |

public readonly node: Node;
  • Type: constructs.Node

The tree node.

public readonly props: IRdsSanitizedSnapshotter;
  • Type: IRdsSanitizedSnapshotter

public readonly snapshotter: StateMachine;
  • Type: aws-cdk-lib.aws_stepfunctions.StateMachine

Step function in charge of the entire process including snapshotting, sanitizing, and cleanup.

Trigger this step function to get a new snapshot.




| Name | Type | Description |
| --- | --- | --- |
| script | string | SQL script used to sanitize the database. It will be executed against the temporary database. |
| vpc | aws-cdk-lib.aws_ec2.IVpc | VPC where temporary database and sanitizing task will be created. |
| databaseCluster | aws-cdk-lib.aws_rds.IDatabaseCluster | Database cluster to snapshot and sanitize. |
| databaseInstance | aws-cdk-lib.aws_rds.IDatabaseInstance | Database instance to snapshot and sanitize. |
| databaseKey | aws-cdk-lib.aws_kms.IKey | KMS key used to encrypt original database, if any. |
| databaseName | string | Name of database to connect to inside the RDS cluster or instance. |
| dbSubnets | aws-cdk-lib.aws_ec2.SubnetSelection | VPC subnets to use for temporary databases. |
| fargateCluster | aws-cdk-lib.aws_ecs.ICluster | Cluster where sanitization task will be executed. |
| sanitizeSubnets | aws-cdk-lib.aws_ec2.SubnetSelection | VPC subnets to use for sanitization task. |
| schedule | aws-cdk-lib.aws_events.Schedule | The schedule or rate (frequency) that determines when the sanitized snapshot runs automatically. |
| shareAccounts | string[] | List of accounts the sanitized snapshot should be shared with. |
| snapshotHistoryLimit | number | Limit the number of sanitized snapshots kept in history. |
| snapshotKey | aws-cdk-lib.aws_kms.IKey | Optional KMS key to encrypt target snapshot. |
| snapshotPrefix | string | Prefix for sanitized snapshot name. |
| tempPrefix | string | Prefix for all temporary snapshots and databases. |

public readonly script: string;
  • Type: string

SQL script used to sanitize the database. It will be executed against the temporary database.

You would usually want to start this with `USE mydatabase;`.
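As an added example (not code from the library or its author), the following builds the string passed as the `script` property from a declarative list of PII columns, rejecting any identifier that could smuggle in a second statement. The dialect handling is an assumption of this example: `USE` is MySQL syntax, and on PostgreSQL the task already connects to `databaseName`, so no USE line is emitted there.

```typescript
// Added example, not the library's code: builds the SQL for the `script`
// property from a declarative list of PII columns. Assumption: `USE` is MySQL
// syntax; on PostgreSQL the task already connects to databaseName, so no USE.
type Dialect = 'mysql' | 'postgres';

// How a PII column is overwritten in the temporary database.
type Scrub =
  | { kind: 'null' }                                   // SET col = NULL
  | { kind: 'constant'; value: string }                // SET col = 'value'
  | { kind: 'keyed'; keyColumn: string; prefix: string; suffix: string }; // prefix+key+suffix

interface ColumnRule { table: string; column: string; scrub: Scrub }

// Identifiers are validated rather than escaped: anything outside the safe
// charset is rejected, so a table name can never smuggle a second statement.
function ident(name: string, dialect: Dialect): string {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) throw new Error(`unsafe identifier: ${JSON.stringify(name)}`);
  return dialect === 'mysql' ? `\`${name}\`` : `"${name}"`;
}

// String literals only need single quotes doubled in both dialects.
function literal(value: string): string {
  return `'${value.replace(/'/g, "''")}'`;
}

function scrubExpr(s: Scrub, dialect: Dialect): string {
  switch (s.kind) {
    case 'null': return 'NULL';
    case 'constant': return literal(s.value);
    case 'keyed': {  // deterministic per row, so joins and UNIQUE constraints survive
      const key = ident(s.keyColumn, dialect);
      return dialect === 'mysql'
        ? `CONCAT(${literal(s.prefix)}, ${key}, ${literal(s.suffix)})`
        : `${literal(s.prefix)} || ${key} || ${literal(s.suffix)}`;
    }
  }
}

// Optional USE, one UPDATE per rule, then TRUNCATE for tables (sessions,
// tokens, audit logs) whose rows should not leave the account at all.
function buildSanitizeScript(databaseName: string, dialect: Dialect,
                             rules: ColumnRule[], truncate: string[] = []): string {
  const out: string[] = [];
  if (dialect === 'mysql') out.push(`USE ${ident(databaseName, dialect)};`);
  for (const r of rules) {
    out.push(`UPDATE ${ident(r.table, dialect)} SET ${ident(r.column, dialect)} = ${scrubExpr(r.scrub, dialect)};`);
  }
  for (const t of truncate) out.push(`TRUNCATE TABLE ${ident(t, dialect)};`);
  return out.join('\n') + '\n';
}
```

The returned string is what you pass as `script`; the `keyed` scrub keeps one synthetic value per row so unique indexes and foreign-key joins still hold in the sanitized snapshot.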

public readonly vpc: IVpc;
  • Type: aws-cdk-lib.aws_ec2.IVpc

VPC where temporary database and sanitizing task will be created.

public readonly databaseCluster: IDatabaseCluster;
  • Type: aws-cdk-lib.aws_rds.IDatabaseCluster

Database cluster to snapshot and sanitize.

Only one of databaseCluster and databaseInstance can be specified.

public readonly databaseInstance: IDatabaseInstance;
  • Type: aws-cdk-lib.aws_rds.IDatabaseInstance

Database instance to snapshot and sanitize.

Only one of databaseCluster and databaseInstance can be specified.

public readonly databaseKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey

KMS key used to encrypt original database, if any.

public readonly databaseName: string;
  • Type: string
  • Default: 'postgres' for PostgreSQL and not set for MySQL

Name of database to connect to inside the RDS cluster or instance.

This database will be used to execute the SQL script.

public readonly dbSubnets: SubnetSelection;
  • Type: aws-cdk-lib.aws_ec2.SubnetSelection
  • Default: ec2.SubnetType.PRIVATE_ISOLATED

VPC subnets to use for temporary databases.

public readonly fargateCluster: ICluster;
  • Type: aws-cdk-lib.aws_ecs.ICluster
  • Default: a new cluster running on given VPC

Cluster where sanitization task will be executed.

public readonly sanitizeSubnets: SubnetSelection;
  • Type: aws-cdk-lib.aws_ec2.SubnetSelection
  • Default: ec2.SubnetType.PRIVATE_WITH_EGRESS

VPC subnets to use for sanitization task.

public readonly schedule: Schedule;
  • Type: aws-cdk-lib.aws_events.Schedule

The schedule or rate (frequency) that determines when the sanitized snapshot runs automatically.

public readonly shareAccounts: string[];
  • Type: string[]

List of accounts the sanitized snapshot should be shared with.

public readonly snapshotHistoryLimit: number;
  • Type: number

Limit the number of sanitized snapshots kept in history.

Set this to delete old snapshots and keep only this many.

public readonly snapshotKey: IKey;
  • Type: aws-cdk-lib.aws_kms.IKey

Optional KMS key to encrypt target snapshot.

public readonly snapshotPrefix: string;
  • Type: string
  • Default: cluster identifier (which might be too long)

Prefix for sanitized snapshot name.

The current date and time will be added to it.

public readonly tempPrefix: string;
  • Type: string
  • Default: 'sanitize'

Prefix for all temporary snapshots and databases.

The step function execution id will be added to it.