Update an Amazon MWAA environment - Amazon Managed Workflows for Apache Airflow
Before you beginWorker replacement strategyUpdate environment resourcesUpdate an environment
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Update an Amazon MWAA environment

Note

Amazon MWAA graceful updates are not yet supported in the Canada West (Calgary) and Asia Pacific (Malaysia) regions.

Amazon MWAA environment updates apply the latest changes and security patches. You can also edit existing configurations and upgrade the Apache Airflow version. This guide describes the steps to update an Amazon MWAA environment.

Before you begin

  • The VPC network you specified for your environment cannot be modified after the environment is created.

  • You need an Amazon S3 bucket configured to Block all public access, with Bucket Versioning enabled.

  • You need an Amazon account with permissions to use Amazon MWAA, and permission in Amazon Identity and Access Management (IAM) to create IAM roles. If you choose the Private network access mode for the Apache Airflow web server, which limits Apache Airflow access within your Amazon VPC, you'll need permission in IAM to create Amazon VPC endpoints.

  • To enable Graceful environment updates, you need to upgrade to Apache Airflow version 2.4.3 or higher. To upgrade the Airflow version, refer to Changing the Apache Airflow version.

Worker replacement strategy

You can choose a worker replacement strategy to control how Amazon MWAA handles active workers during an environment update. You can select one of the following strategies:

Forced updates

Forced update is the default worker replacement strategy. Forced updates immediately stop all active workers, causing running tasks to fail during the update.

Graceful updates

Graceful updates allow workers to continue running tasks for up to 12 hours before shutting down. It prevents tasks failing due to update interruptions, as long as they finish under 12 hours. New tasks are routed to updated workers.

To enable Graceful updates on an existing environment, you must complete one Forced update and ensure the environment is on Apache Airflow version 2.4.3 or higher.

Note

If you perform an update while your environment is in MAINTENANCE status, the worker replacement strategy for any ongoing environment update switches from GRACEFUL to FORCED. Your update is performed after maintenance is complete.

Update environment resources

Amazon MWAA environment updates use the existing environment configuration by default. To update the environment without changing your current configuration:

  1. Open the Environments page on the Amazon MWAA console.

  2. From the Environments list, choose the environment that you want to update.

  3. On the environment page, choose Edit to edit the environment.

  4. Choose Next until you are on the Review and save page.

  5. On the Review and save page, review your changes, then choose Save.

Update an environment

The following section describes the steps to update an Amazon MWAA environment.

Step one: Specify details

To specify details for the environment

  1. Open the Environments page on the Amazon MWAA console.

  2. From the Environments list, choose the environment that you want to update.

  3. On the environment page, choose Edit to edit the environment.

  4. In the Environment details section, for Airflow version, choose the new Apache Airflow version number that you want to upgrade the environment to from the dropdown list.

    Note

    Before you upgrade, make sure that your DAGs and other workflow resources are compatible with the new Apache Airflow version. For more information, refer to Changing the Apache Airflow version.

  5. Under DAG code in Amazon S3 specify the following:

    1. S3 Bucket. Choose Browse S3 and select your Amazon S3 bucket, or enter the Amazon S3 URI.

    2. DAGs folder. Choose Browse S3 and select the dags folder in your Amazon S3 bucket, or enter the Amazon S3 URI.

    3. Plugins file - optional. Choose Browse S3 and select the plugins.zip file on your Amazon S3 bucket, or enter the Amazon S3 URI.

    4. Requirements file - optional. Choose Browse S3 and select the requirements.txt file on your Amazon S3 bucket, or enter the Amazon S3 URI.

    5. Startup script file - optional, Choose Browse S3 and select the script file on your Amazon S3 bucket, or enter the Amazon S3 URI.

  6. Choose Next.

Step two: Configure advanced settings

To configure advanced settings

  1. Under Web server access, select your preferred Apache Airflow access mode:

    1. Private network. This limits access of the Apache Airflow UI to users within your Amazon VPC that have been granted access to the IAM policy for your environment. You need permission to create Amazon VPC endpoints for this step.

      Note

      Choose the Private network option if your Apache Airflow UI is only accessed within a corporate network, and you do not require access to public repositories for web server requirements installation. If you choose this access mode option, you need to create a mechanism to access your Apache Airflow Web server in your Amazon VPC. For more information, refer to Accessing the VPC endpoint for your Apache Airflow Web server (private network access).

    2. Public network. This allows the Apache Airflow UI to be accessed over the Internet by users granted access to the IAM policy for your environment.

  2. Under Security group(s), choose the security group used to secure your Amazon VPC:

    1. By default, Amazon MWAA creates a security group in your Amazon VPC with specific inbound and outbound rules in Create new security group.

    2. Optional. Deselect the check box in Create new security group to select up to 5 security groups.

      Note

      An existing Amazon VPC security group must be configured with specific inbound and outbound rules to allow network traffic. To learn more, refer to Security in your VPC on Amazon MWAA.

  3. Under Environment class, choose an environment class.

    We recommend choosing the smallest size necessary to support your workload. You can change the environment class at any time.

  4. For Maximum worker count, specify the maximum number of Apache Airflow workers to run in the environment.

    For more information, refer to Example high performance use case.

  5. Specify the Maximum web server count and Minimum web server count to configure how Amazon MWAA scales the Apache Airflow web servers in your environment.

    For more information about web server automatic scaling, refer to Configuring Amazon MWAA web server automatic scaling.

  6. Under Encryption, choose a data encryption option:

    1. By default, Amazon MWAA uses an Amazon owned key to encrypt your data.

    2. Optional. Choose Customize encryption settings (advanced) to choose a different Amazon KMS key. If you choose to specify a Customer managed key in this step, you must specify an Amazon KMS key ID or ARN. Amazon KMS aliases and multi-region keys are not supported by Amazon MWAA. If you specified an Amazon S3 key for server-side encryption on your Amazon S3 bucket, you must specify the same key for your Amazon MWAA environment.

      Note

      You must have permissions to the key to select it on the Amazon MWAA console. You must also grant permissions for Amazon MWAA to use the key by attaching the policy described in Attach key policy.

  7. Recommended. Under Monitoring, choose one or more log categories for Airflow logging configuration to send Apache Airflow logs to CloudWatch Logs:

    1. Airflow task logs. Choose the type of Apache Airflow task logs to send to CloudWatch Logs in Log level.

    2. Airflow web server logs. Choose the type of Apache Airflow web server logs to send to CloudWatch Logs in Log level.

    3. Airflow scheduler logs. Choose the type of Apache Airflow scheduler logs to send to CloudWatch Logs in Log level.

    4. Airflow worker logs. Choose the type of Apache Airflow worker logs to send to CloudWatch Logs in Log level.

    5. Airflow DAG processing logs. Choose the type of Apache Airflow DAG processing logs to send to CloudWatch Logs in Log level.

  8. Optional. For Airflow configuration options, choose Add custom configuration option.

    You can choose from the suggested dropdown list of Apache Airflow configuration options for your Apache Airflow version, or specify custom configuration options. For example, core.default_task_retries : 3.

  9. Under Permissions, choose an execution role:

    1. By default, Amazon MWAA creates an execution role in Create a new role. You must have permission to create IAM roles to use this option.

    2. Optional. Choose Enter role ARN to enter the Amazon Resource Name (ARN) of an existing execution role.

  10. Under Update specifications, choose a Worker replacement strategy to control how active workers are handled during an update.

  11. Choose Next.

Step three: Review and update

To review an environment summary

  • Review the environment summary, choose Save.

    Note

    It takes about twenty to thirty minutes to update an environment using forced updates. Graceful environment updates may take up to twelve hours to complete, as it waits for your ongoing tasks to finish.