Creating required Amazon resources for Amazon DMS Fleet Advisor
DMS Fleet Advisor needs a set of Amazon resources in your account to forward and import inventory information, and to update the status of the DMS data collector.
Before you collect data and create inventories of databases and schemas for the first time, complete the following prerequisites.
To configure your Amazon S3 bucket and IAM resources, do one of the following:
Configure Amazon S3 and IAM resources using Amazon CloudFormation
A CloudFormation stack is a collection of Amazon resources that you can manage as a single unit. To simplify creating required resources for DMS Fleet Advisor, you can use the Amazon CloudFormation template files to create CloudFormation stacks. For more information, see Creating a stack on the Amazon CloudFormation console.
Note
This section only applies to using the standalone DMS Fleet Advisor collector. For information about using a single on-premises collector for gathering information about both databases and servers, see Application Discovery Service Agentless Collector in the Amazon Application Discovery Service User Guide.
Amazon S3 and IAM resources created by CloudFormation
When you use the CloudFormation templates, they create stacks that include the following resources in your Amazon Web Services account:
- An Amazon S3 bucket named dms-fleetadvisor-data-accountId-region
- An IAM user named FleetAdvisorCollectorUser-region
- An IAM service role named FleetAdvisorS3Role-region
- An access policy named FleetAdvisorS3Role-region-Policy
- An access policy named FleetAdvisorCollectorUser-region-Policy
- An IAM Service Linked Role (SLR) named AWSServiceRoleForDMSFleetAdvisor
Follow the steps listed below to configure your resources with CloudFormation.
Step 1: Download the CloudFormation template files
A CloudFormation template is a declaration of the Amazon resources that make up a stack. The template is stored as a JSON file.
To download the CloudFormation template files
- Open the context (right-click) menu for one of the following links and choose Save Link As:
  - If you plan to use DMS Fleet Advisor, choose dms-fleetadvisor-iam-slr-s3.zip. If you have already created the SLR for DMS Fleet Advisor, choose dms-fleetadvisor-iam-s3.zip.
  - If you plan to use the Amazon Application Discovery Service (ADS) Agentless Collector and have not created the SLR for it, then choose dms-fleetadvisor-ads-iam-slr-s3.zip. If you have created the SLR for DMS Fleet Advisor with ADS before, choose dms-fleetadvisor-ads-iam-s3.zip.
- Save the file to your computer.
Step 2: Configure Amazon S3 and IAM using CloudFormation
When you use the CloudFormation template for IAM, it creates the Amazon S3 and IAM resources listed previously.
To configure Amazon S3 and IAM using CloudFormation
- Open the CloudFormation console at https://console.amazonaws.cn/cloudformation.
- Start the Create Stack wizard by choosing Create Stack and With new resources in the dropdown list.
- On the Create stack page, do the following:
  - For Prepare template, choose Template is ready.
  - For Template source, choose Upload a template file.
  - For Choose file, navigate to, then choose dms-fleetadvisor-iam-slr-S3.json, dms-fleetadvisor-iam-S3.json, dms-fleetadvisor-ads-iam-slr-s3.zip, or dms-fleetadvisor-ads-iam-s3.zip.
  - Choose Next.
- On the Specify stack details page, do the following:
  - For Stack name, enter dms-fleetadvisor-iam-slr-s3, dms-fleetadvisor-iam-s3, dms-fleetadvisor-ads-iam-slr-s3, or dms-fleetadvisor-ads-iam-s3.
  - Choose Next.
- On the Configure stack options page, choose Next.
- On the Review dms-fleetadvisor-iam-slr-s3, Review dms-fleetadvisor-iam-s3, Review dms-fleetadvisor-ads-iam-slr-s3, or Review dms-fleetadvisor-ads-iam-s3 page, do the following:
  - Select the I acknowledge that Amazon CloudFormation might create IAM resources with custom names check box.
  - Choose Submit.
  CloudFormation creates the S3 bucket and IAM roles and user that DMS Fleet Advisor requires. In the left panel, when dms-fleetadvisor-iam-slr-s3, dms-fleetadvisor-iam-s3, dms-fleetadvisor-ads-iam-slr-s3, or dms-fleetadvisor-ads-iam-s3 shows CREATE_COMPLETE, proceed to the next step.
- In the left panel, choose dms-fleetadvisor-iam-slr-s3, dms-fleetadvisor-iam-s3, dms-fleetadvisor-ads-iam-slr-s3, or dms-fleetadvisor-ads-iam-s3. In the right panel, do the following:
  - Choose Stack info. Your stack has an ID in the format arn:aws:cloudformation:region:account-no:stack/dms-fleetadvisor-iam-slr-s3/identifier, arn:aws:cloudformation:region:account-no:stack/dms-fleetadvisor-iam-s3/identifier, arn:aws:cloudformation:region:account-no:stack/dms-fleetadvisor-ads-iam-slr-s3/identifier, or arn:aws:cloudformation:region:account-no:stack/dms-fleetadvisor-ads-iam-s3/identifier.
  - Choose Resources. You should see the following:
    - An Amazon S3 bucket named dms-fleetadvisor-data-accountId-region
    - A service role named FleetAdvisorS3Role-region
    - An IAM user named FleetAdvisorCollectorUser-region
    - An IAM SLR named AWSServiceRoleForDMSFleetAdvisor (if you downloaded dms-fleet-advisor-iam-slr-s3.zip or dms-fleet-advisor-ads-iam-slr-s3.zip).
    - An access policy named FleetAdvisorS3Role-region-Policy
    - An access policy named FleetAdvisorCollectorUser-region-Policy
Configure Amazon S3 and IAM resources in the Amazon Web Services Management Console
Create an Amazon S3 bucket
Create an Amazon S3 bucket where inventory metadata can be stored. We recommend that you preconfigure this S3 bucket before using DMS Fleet Advisor. Amazon DMS stores your DMS Fleet Advisor inventory metadata in this S3 bucket.
For more information about creating an S3 bucket, see Create your first S3 bucket.
Note
DMS Fleet Advisor only supports SSE-S3 encrypted buckets.
To create an Amazon S3 bucket to store local data environment information
- Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at https://console.amazonaws.cn/s3/.
- Choose Create bucket.
- On the Create bucket page, enter a globally unique name that includes your sign-in name for the bucket, such as fa-bucket-yoursignin.
- Choose the Amazon Web Services Region where you use the DMS Fleet Advisor.
- Keep the remaining settings and choose Create bucket.
Create IAM resources
In this section, you create IAM resources for your data collector, IAM user, and DMS Fleet Advisor.
Create IAM resources for your data collector
To make sure that your data collector works correctly and uploads the collected metadata to your Amazon S3 bucket, create the following policies. Then, create an IAM user with the following minimum permissions. For more information about DMS data collector, see Discovering databases for migration using data collectors in Amazon DMS.
To create an IAM policy for DMS Fleet Advisor and your data collector to access Amazon S3
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane, choose Policies.
- Choose Create policy.
- In the Create policy page, choose the JSON tab.
- Paste the following JSON into the editor, replacing the example code. Replace fa_bucket with the name of the Amazon S3 bucket that you created in the previous section.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject*",
              "s3:GetBucket*",
              "s3:List*",
              "s3:DeleteObject*",
              "s3:PutObject*"
            ],
            "Resource": [
              "arn:aws:s3:::fa_bucket",
              "arn:aws:s3:::fa_bucket/*"
            ]
          }
        ]
      }

- Choose Next: Tags and Next: Review.
- Enter FleetAdvisorS3Policy for Name*, and then choose Create policy.
To create an IAM policy for DMS data collector to access DMS Fleet Advisor
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane, choose Policies.
- Choose Create policy.
- In the Create policy page, choose the JSON tab.
- Paste the following JSON code into the editor, replacing the example code.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "dms:DescribeFleetAdvisorCollectors",
              "dms:ModifyFleetAdvisorCollectorStatuses",
              "dms:UploadFileMetadataList"
            ],
            "Resource": "*"
          }
        ]
      }

- Choose Next: Tags and Next: Review.
- Enter DMSCollectorPolicy for Name*, then choose Create policy.
To create an IAM user with minimum permissions to use DMS data collector
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane, choose Users.
- Choose Add users.
- On the Add user page, enter FleetAdvisorCollectorUser for User name*. Choose Access key - Programmatic Access for Select Amazon Access Type. Choose Next: Permissions.
- In the Set permissions section, choose Attach existing policies directly.
- Use the search control to find and choose the DMSCollectorPolicy and FleetAdvisorS3Policy policies that you created before. Choose Next: Tags.
- On the Tags page, choose Next: Review.
- On the Review page, choose Create user. On the next page, choose Download .csv to save the new user credentials. Use these credentials with DMS Fleet Advisor for minimum required access permissions.
To create an IAM role for DMS Fleet Advisor and your data collector to access Amazon S3
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane, choose Roles.
- Choose Create role.
- On the Select trusted entity page, for Trusted entity type, choose Amazon Service. For Use cases for other Amazon services, choose DMS.
- Select the DMS check box and choose Next.
- On the Add permissions page, choose FleetAdvisorS3Policy. Choose Next.
- On the Name, review, and create page, enter FleetAdvisorS3Role for Role name, then choose Create role.
- On the Roles page, enter FleetAdvisorS3Role for Role name. Choose FleetAdvisorS3Role.
- On the FleetAdvisorS3Role page, choose the Trust relationships tab. Choose Edit trust policy.
- On the Edit trust policy page, paste the following JSON into the editor, replacing the existing text.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "dms.amazonaws.com",
                "dms-fleet-advisor.amazonaws.com"
              ]
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }

  The preceding policy grants the sts:AssumeRole permission to the services that Amazon DMS uses to import collected data from the Amazon S3 bucket.
- Choose Update policy.
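The JSON documents in this procedure can be checked before they are pasted into the console or after they are exported from IAM. The following Python is an added example, not part of the AWS documentation: it reports any action, resource or trusted principal beyond what the policies above grant, including a bucket placeholder that was never replaced. The function names and the constructed SAMPLE policy are assumptions of this example.

```python
import json
# Actions and service principals copied from the policies on this page.
S3_ACTIONS = {"s3:GetObject*", "s3:GetBucket*", "s3:List*",
              "s3:DeleteObject*", "s3:PutObject*"}
DMS_ACTIONS = {"dms:DescribeFleetAdvisorCollectors", "dms:UploadFileMetadataList",
               "dms:ModifyFleetAdvisorCollectorStatuses"}
TRUSTED_SERVICES = {"dms.amazonaws.com", "dms-fleet-advisor.amazonaws.com"}

def as_set(value):  # IAM accepts a single string or a list for these fields
    return {value} if isinstance(value, str) else set(value)

def allow_statements(policy_json):
    """Return the Allow statements (Statement is a list, as on this page)."""
    return [s for s in json.loads(policy_json)["Statement"] if s.get("Effect") == "Allow"]

def audit_permissions(policy_json, allowed_actions, allowed_resources):
    """Report each Allow action or resource beyond the documented set."""
    findings = []
    for stmt in allow_statements(policy_json):
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource is not used by the documented policy")
        for action in sorted(as_set(stmt.get("Action", [])) - allowed_actions):
            findings.append(f"unexpected action: {action}")
        for res in sorted(as_set(stmt.get("Resource", [])) - allowed_resources):
            findings.append(f"unexpected resource: {res}")
    return findings

def audit_s3_policy(policy_json, bucket):
    """FleetAdvisorS3Policy should name only the bucket and its objects."""
    arn = f"arn:aws:s3:::{bucket}"  # ARN prefix as written on this page
    return audit_permissions(policy_json, S3_ACTIONS, {arn, f"{arn}/*"})

def audit_trust_policy(policy_json):
    """FleetAdvisorS3Role should be assumable only by the two DMS services."""
    findings = []
    for stmt in allow_statements(policy_json):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            findings.append(f"non-service principal: {principal!r}")
        else:
            extra = as_set(principal["Service"]) - TRUSTED_SERVICES
            findings += [f"unexpected service principal: {s}" for s in sorted(extra)]
        if as_set(stmt.get("Action", [])) != {"sts:AssumeRole"}:
            findings.append(f"unexpected trust action: {stmt.get('Action')}")
    return findings

# Constructed sample: the S3 policy pasted with fa_bucket left in and s3:* added.
SAMPLE = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
          '"Action": ["s3:GetObject*", "s3:*"], "Resource": "arn:aws:s3:::fa_bucket/*"}]}')
```

For DMSCollectorPolicy, call audit_permissions(policy_json, DMS_ACTIONS, {"*"}). An empty list from any of these functions means the document grants nothing beyond what this page specifies.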
Create the DMS Fleet Advisor service-linked role
DMS Fleet Advisor uses a service-linked role to manage Amazon CloudWatch metrics in your Amazon Web Services account. DMS Fleet Advisor uses this service-linked role to publish the collected database performance metrics to CloudWatch on your behalf.
To create the service-linked role for DMS Fleet Advisor
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane, choose Roles. Then, choose Create role.
- For Trusted entity type, choose Amazon service.
- For Use cases for other Amazon services, choose DMS – Fleet Advisor.
- Select the DMS – Fleet Advisor check box and choose Next.
- On the Add permissions page, choose Next.
- On the Name, review, and create page, choose Create role.
Alternatively, you can create this service-linked role from the Amazon API or Amazon CLI. For more information, see Creating a service-linked role for Amazon DMS Fleet Advisor.
After you create the service-linked role for DMS Fleet Advisor, you can see performance metrics for your source databases in target recommendations. Also, you can see these metrics in your CloudWatch account. For more information, see Target recommendations.
To create an IAM policy that is required for the DMS Fleet Advisor service-linked role
The minimum required permissions to create the service-linked role are specified in the DMSFleetAdvisorCreateServiceLinkedRolePolicy policy. Create this IAM policy for your account if you are unable to create the service-linked role.
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane, choose Policies.
- Choose Create policy.
- In the Create policy page, choose the JSON tab.
- Paste the following JSON code into the editor, replacing the example code.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/dms-fleet-advisor.amazonaws.com/AWSServiceRoleForDMSFleetAdvisor*",
            "Condition": {
              "StringLike": {
                "iam:AWSServiceName": "dms-fleet-advisor.amazonaws.com"
              }
            }
          },
          {
            "Effect": "Allow",
            "Action": [
              "iam:AttachRolePolicy",
              "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/dms-fleet-advisor.amazonaws.com/AWSServiceRoleForDMSFleetAdvisor*"
          }
        ]
      }

- Choose Next: Tags and Next: Review.
- Enter DMSFleetAdvisorCreateServiceLinkedRolePolicy for Name*, then choose Create policy.
Now, you can use this policy to create the service-linked role for DMS Fleet Advisor.