Disaster recovery

It is important to prepare your system and regularly capture full snapshots. This backs up your data and makes it easier to restore your system if disaster recovery is needed.

Prepare your system to support future disaster recovery

Disaster recovery starts by ensuring your data and environment are regularly backed up.

To make sure your system is equipped to help you recover from a potential system failure, you must:

  1. Track the Security Compliance Management Bolt project in version control and push the project to this repo whenever changes are made and applied to the Security Compliance Management target host.
    Important: Store any private keys in the ./keys directory separately. Do not include them in version control.
  2. Create a backup of the Security Compliance Management application using bolt plan run complyadm::backup on a regular basis and copy the resulting backup artifact to a secure location, such as an NFS share, S3 bucket, distributed file system, cloud storage, etc.

Disaster recovery process

Depending on the nature of the disaster you may need to follow different processes. This section covers a few disaster recovery scenarios.

Loss of Bolt project

Use this process to recover a backed-up Bolt project.

  1. Restore the Bolt project from version control.
  2. Restore the private key from its separate secure storage.

Loss of Security Compliance Management installation

Use this process to restore the Security Compliance Management host from a backup file.

Note: If you are restoring Security Compliance Management onto a new host, update the following items in your Bolt project before running the install plan:
  • Update all targets and the resolvable_hostname in data/common.yaml to the new hostname.
  • Update inventory.yaml to the new target host information.
  1. Create a new Security Compliance Management installation. From the Bolt project directory, run: 
    bolt plan run complyadm::install

    Select "yes" when prompted to use the existing Hiera data.

  2. Copy the tarball of the most recent backup into /var/lib/puppetlabs/comply/backups on the new target host.
  3. Restore the backup using: 
    bolt plan run complyadm::restore <backup_filename>
  4. Configure the TLS and MTLS certs for the new system by running the configure plan and selecting the relevant configuration items. From the root of your Security Compliance Management Puppet Bolt project run: 
    bolt plan run complyadm::configure