Manage Cross Region RDS Read Replicas with AWS CLI

Some notes on creating a cross region RDS read replica & if necessary , to promote the Read Replica to a standalone RDS instance  using AWS CLI 

The purpose of these notes is to document the basic AWS CLI commands and does not replace a thorough Architectural review of  using RDS replica as an HA solution for your organization

---Create a cross region RDS replica 

--Get the source RDS arn from Region 1. This value is used to create the Read Replica , and will act as the Primary Source RDS

aws rds describe-db-instances --query "DBInstances[?DBInstanceIdentifier=='<replace_with_DBInstanceIdentifier>'].DBInstanceArn"

--Attempt 1 : Create cross-region read replica based on the source RDS instance 

aws rds create-db-instance-read-replica  --db-instance-identifier  <replace_with_RDS_read_replica_target_name>  --region <replace_with_target_region>  --source-db-instance-identifier <replace_with_source-RDS_ARN>

If you see this error , you'll need to  either speak to your Administrator or identify a list of security values 

An error occurred (InvalidSubnet) when calling the CreateDBInstanceReadReplica operation: No default subnet detected in VPC. Please contact AWS Support to recreate default Subnets.

A list of Amazon EC2 VPC security groups to associate with the read replica.Choose the appropriate one

aws ec2 describe-security-groups   --query "SecurityGroups[].[GroupName,GroupId]" --region <replace_with_Region 2> 

list subnet group names i alternative region , if there isn't a valid one - create a relevant one , either manually or IaC process

aws rds describe-db-subnet-groups --query "DBSubnetGroups[].DBSubnetGroupName" --region us-west-2

If you see this error , a valid KMS Key Id based in Region 2 is required 

An error occurred (InvalidParameterCombination) when calling the CreateDBInstanceReadReplica operation: Cannot create a cross region unencrypted read replica from encrypted source.

List out KMS keys & Pick  either the key ARN, key ID, alias ARN, or alias name for the KMS key.

aws kms list-aliases  --region <replace_with_Region_2>

The full create-db-instance-read-replica statement, with some fake values 

aws rds create-db-instance-read-replica --db-instance-identifier my_multi_region_Secondary --region us-east-1 --source-db-instance-identifier arn:aws:rds:us-west-2:xxxxxxxxxx:db: my_multi_region_Primary  --vpc-security-group-ids sg-xxxxxxx --db-subnet-group-name xxxxxxxxx --kms-key-id arn:aws:kms:us-east-1:xxxxxxxxx:alias/aws/xxxx

To check on the status of the target RDS read replica in the target region

aws rds describe-db-instances --db-instance-identifier  my_multi_region_Secondary --query "DBInstances[].[DBInstanceIdentifier,DBInstanceStatus,ReadReplicaSourceDBInstanceIdentifier]" --region us-east-1

"my_multi_region_Secondary",
"available",
arn:aws:rds:us-west-2:xxxxxxxxx:db:my_multi_region_Primary     ==>   This value is the source RDS and only appears for Read Replicas 

Promote the  read replica , if required , and will promote the Read Replica to a standalone RDS instance. Beware the Split Brain 

aws rds promote-read-replica my_multi_region_Secondary --region us-east-1

Check status of read-replica instance after it has been promoted to a complete standalone . Now accepting read & writes 

aws rds describe-db-instances --db-instance-identifier  my_multi_region_Secondary --query "DBInstances[].[DBInstanceIdentifier,DBInstanceStatus,ReadReplicaSourceDBInstanceIdentifier]" --region us-east-1 

"my_multi_region_Secondary",
"available",
null      ==>   The previous ReadReplicaSourceDBInstanceIdentifier value has disappeared 

Check status of the original source  instance

aws rds describe-db-instances --db-instance-identifier  my_multi_region_Secondary --query "DBInstances[].DBInstanceIdentifier,DBInstanceStatus,ReadReplicaSourceDBInstanceIdentifier]" --region us-west-2 

"my_multi_region_Primary",
"available",
null