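#! /bin/bash
# Stream a PostgreSQL dump to S3, compressed and encrypted.
#
# Flow: generate a random session key, wrap it with the caller-supplied RSA
# public key and upload the wrapped key; then pipe
# pg_dump | pv | bzip2 | openssl enc | aws s3 cp without touching local disk.
# Database authentication uses an IAM-generated RDS auth token.
#
# Required environment:
#   REGION, POSTGRES_DATABASE, POSTGRES_HOST, POSTGRES_PORT, POSTGRES_USER,
#   S3_BUCKET, S3_PREFIX, OPENSSL_PUBLIC_KEY (PEM text), RATE_LIMIT (pv -L value)
# Optional:
#   S3_REGION (defaults to REGION)
# Expects rds_root.pem (the RDS CA bundle) in the current directory.
set -euo pipefail

# Print a message on stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Abort with a clear message if the named variable is unset or empty.
# (Previously the checks only echoed and carried on, so the script failed
# later on an unbound variable, and several messages named the wrong variable.)
require_env() {
  local name=$1
  [[ -n "${!name:-}" ]] || die "${name} was not set"
}

# Check environment
for var in REGION POSTGRES_DATABASE POSTGRES_HOST POSTGRES_PORT POSTGRES_USER \
           S3_BUCKET S3_PREFIX OPENSSL_PUBLIC_KEY RATE_LIMIT; do
  require_env "$var"
done
if [[ -z "${S3_REGION:-}" ]]; then
  echo "S3_REGION not set, using \$REGION (${REGION})"
  S3_REGION=$REGION
fi

# Key material lives in a private temp dir (mktemp -d creates it 0700) and is
# removed on every exit path, so the plaintext session key does not linger in
# the working directory after the run.
workdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT

# Fetch access token for a database we have access to, configured via IAM.
# Assigned separately from 'export' so a failing aws call is not masked.
PGPASSWORD=$(aws rds generate-db-auth-token --hostname "${POSTGRES_HOST}" \
  --port "${POSTGRES_PORT}" --username "${POSTGRES_USER}" --region "${REGION}") \
  || die "could not generate RDS auth token"
export PGPASSWORD

echo "Printing Volume Information"
df -h .

# The suffix is 'Z', so take the timestamp in UTC rather than local time.
FILENAME=${POSTGRES_DATABASE}_$(date -u +"%Y-%m-%dT%H:%M:%SZ")
echo "Using Filename: ${FILENAME}"

# Generate encryption keys
echo "Generating encryption keys..."
openssl version
pub_pem="${workdir}/pub.pem"
key_file="${workdir}/key.txt"
printf '%s\n' "${OPENSSL_PUBLIC_KEY}" > "${pub_pem}"
# Random session key. NB: 'openssl rand -base64' wraps its output at 64
# columns and 'openssl enc -pass file:' reads only the first line, so the
# effective passphrase is the first 64 base64 characters (48 random bytes).
openssl rand -base64 128 > "${key_file}"
# Wrap the session key with the RSA public key. Padding stays at rsautl's
# default (PKCS#1 v1.5) so the existing decryption side keeps working; rsautl
# is deprecated in OpenSSL 3 and 'openssl pkeyutl -encrypt' is the drop-in.
openssl rsautl -encrypt -inkey "${pub_pem}" -pubin -in "${key_file}" -out "${key_file}.enc"

# Upload key.
key_uri="s3://${S3_BUCKET}/${S3_PREFIX}/${FILENAME}.key.txt.enc"
echo "Uploading encrypted key: aws s3 cp key.txt.enc \"${key_uri}\" --region=${S3_REGION}"
aws s3 cp "${key_file}.enc" "${key_uri}" --region="${S3_REGION}"

# Backup, compress, encrypt, upload on the fly.
echo "Fetching, compressing, encrypting, uploading DB dump..."
# Stream redirections are necessary so we can see pipe viewer output.
# We need to replace carriage returns by new lines.
# 'openssl enc' is kept on the legacy key derivation (no -pbkdf2) and on
# unauthenticated CBC for compatibility with existing decryption commands;
# the archive's integrity therefore rests on S3 access controls, not on the
# ciphertext.
dump_uri="s3://${S3_BUCKET}/${S3_PREFIX}/${FILENAME}.sql.bz.enc"
{ pg_dump -h "${POSTGRES_HOST}" -p "${POSTGRES_PORT}" -U "${POSTGRES_USER}" \
    "dbname=${POSTGRES_DATABASE} sslmode=verify-full sslrootcert=rds_root.pem" \
  | pv -L "${RATE_LIMIT}" -r -b -i 60 -f 2>&3 \
  | bzip2 \
  | openssl enc -aes-256-cbc -salt -md sha256 -pass "file:${key_file}" \
  | aws s3 cp - "${dump_uri}" --region="${S3_REGION}"; } 3>&1 | tr '\015' '\012'
# Note: For a backup larger than 50GB, we would need to use the --expected-size parameter.
echo "Done."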