Dual write example

Author: michaelraney

.gitignore

@@ -1,3 +1,2 @@
 scala/datastax-v4/aws-glue/dist/
-scala/datastax-v4/aws-glue/.DS_Store
-scala/datastax-v4/.DS_Store
+**/*.DS_Store

migration/online/zdm-proxy/Dockerfile

@@ -0,0 +1,20 @@
+FROM datastax/zdm-proxy:latest
+
+# Install tools
+RUN apk add --no-cache socat bind-tools curl
+
+RUN mkdir -p /app
+
+ADD https://certs.secureserver.net/repository/sf-class2-root.crt /app/sf-class2-root.crt
+
+# Declare build-time ARG
+#ARG ARG_KEYSPACES_ENPOINT=cassandra.us-east-1.amazonaws.com
+
+# Make it available at runtime via ENV
+# ENV KEYSPACES_ENPOINT=${ARG_KEYSPACES_ENPOINT
+
+COPY entrypoint.sh /entrypoint.sh
+
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

migration/online/zdm-proxy/README.md

@@ -0,0 +1,91 @@
+# 🚀 ZDM Dual Write Proxy for Amazon Keyspaces Migration
+
+This project extends the official [ ZDM Proxy](https://github.com/datastax/zdm-proxy) to support seamless **zero-downtime migration** from **Apache Cassandra** to **Amazon Keyspaces (for Apache Cassandra)** with AWS best practices. 
+
+It introduces key enhancements:
+
+- A custom Docker image hosted in **Amazon ECR** for VPC-accessible deployments.
+- A **CloudFormation template** to deploy the proxy on **AWS Fargate**, ensuring a scalable, serverless, and secure setup within your existing AWS infrastructure.
+
+
+The proxy is deployed with Amazon ECS on Fargate which can scale up and down based on application demand. The Network load balancer allows application traffic to be distributed across a number of ECS tasks. 
+
+![this screenshot](/aws-ecs-zdm.drawio.png)
+
+
+
+## 📁 Project Structure
+
+| File                            | Description                                                                                                                  |
+| ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
+| `Dockerfile`                    | Builds the custom ZDM Proxy image with Keyspaces-compatible networking and TLS support.                                      |
+| `entrypoint.sh`                 | Entry script for the container. Resolves DNS, manages proxy routing via `socat`, and sets environment variables dynamically. |
+| `move-docker-to-ecr.sh`         | Automates Docker image build, tagging, and pushing to Amazon ECR. Also downloads the required TLS root cert.                 |
+| `zdm-proxy-cloudformation.yaml` | CloudFormation template for deploying the proxy as a Fargate task behind an NLB in a private VPC.                            |
+
+---
+
+## 🛠️ Parameters (CloudFormation Template)
+
+### 🔌 Network Configuration
+
+- **VPCId**: ID of your target VPC.
+- **PrivateSubnetIds**: List of private subnet IDs.
+- **SecurityGroupId**: Security Group for the Network Load Balancer.
+- **RouteTableId**: Optional; for route management if using PrivateLink.
+
+### 🔄 Origin & Target Cassandra Config
+
+- **ZDMOriginContactPoints**, **ZDMTargetContactPoints**: IP/DNS for the clusters.
+- **ZDMOriginPort**, **ZDMTargetPort**: Usually 9042 for Cassandra, 9142 for Amazon Keyspaces.
+- **ZDMOriginUsername/Password**, **ZDMTargetUsername/Password**: Auth credentials.
+
+### ⚙️ Proxy Config
+
+- **ServiceReplicaCount**: Number of ECS tasks to launch.
+- **ZDMProxyPort**: Port for the proxy service. Default is `14002`.
+
+---
+
+## 📦 Deployment Instructions
+
+### 1. 🧱 Build and Push Image
+
+```bash
+./move-docker-to-ecr.sh
+```
+
+### 2. ☁️ Launch CloudFormation Stack
+
+Upload the `zdm-proxy-cloudformation.yaml` to S3 or the AWS Console and deploy it. Provide required parameters (e.g., subnets, contact points).
+
+---
+
+## 🔐 Security and TLS
+
+- TLS is handled via Amazon Keyspaces' default requirement. The proxy ensures secure, in-transit communication.
+
+---
+
+## ✅ Best Practices for Amazon Keyspaces
+
+- Uses **port 9142** for CQL over TLS as required by Amazon Keyspaces.
+- Supports **DNS-based discovery** of Amazon Keyspaces via `entrypoint.sh`.
+- Deployable **entirely within a VPC** for added security and compliance.
+
+---
+
+## 🧪 Testing & Validation
+
+Once deployed:
+
+- Point your application to the NLB DNS created by the CloudFormation stack.
+- Test dual writes by verifying data in both origin and target clusters.
+
+---
+
+## 📚 References
+
+- [Amazon Keyspaces Developer Guide](https://docs.aws.amazon.com/keyspaces/latest/devguide/)
+- [Official ZDM Proxy Repo](https://github.com/datastax/zdm-proxy)
+

migration/online/zdm-proxy/aws-ecs-zdm.drawio.png

@@ -0,0 +1,57 @@
+#!/bin/sh
+set -ex
+
+# Resolve Cassandra IP
+REGION=${AWS_REGION:-"us-east-1"}
+ENPOINT="cassandra.${REGION}.amazonaws.com"
+CASSANDRA_PORT=9142
+
+CASSANDRA_IP=$(dig +short "$ENPOINT" | head -n 1)
+
+if [ -z "$CASSANDRA_IP" ]; then
+  echo "❌ Failed to resolve $ENPOINT"
+  exit 1
+fi
+
+echo "✅ Resolved $ENPOINT → $CASSANDRA_IP"
+
+# Start local proxy (e.g. socat)
+socat TCP-LISTEN:9142,bind=127.0.0.1,reuseaddr,fork TCP:$CASSANDRA_IP:$CASSANDRA_PORT &
+
+if [ -n "$AWS_NLB_DNS" ]; then
+  echo "✅ AWS_NLB_DNS is set: $AWS_NLB_DNS"
+
+  # Read IPs into a space-separated string
+  ALL_IPS=$(dig +short "$AWS_NLB_DNS" | tr '\n' ' ')
+  
+  if [ -n "$ALL_IPS" ]; then
+    echo "AWS_NLB_DNS IPs found: $ALL_IPS"
+
+    # Convert space-separated list to comma-separated
+    ZDM_PROXY_TOPOLOGY_ADDRESSES=$(echo "$ALL_IPS" | sed 's/ /, /g' | sed 's/, $//')
+
+    export ZDM_PROXY_TOPOLOGY_ADDRESSES
+
+    # Count IPs (words in string)
+    IP_COUNT=$(echo "$ALL_IPS" | wc -w)
+
+    # Generate a random number 0 <= n < IP_COUNT
+    RAND=$(awk -v max="$IP_COUNT" 'BEGIN { srand(); print int(rand() * max) }')
+
+    # Get selected IP
+    SELECTED_IP=$(echo "$ALL_IPS" | awk -v n=$((RAND + 1)) '{ print $n }')
+
+    export ZDM_PROXY_TOPOLOGY_INDEX=$RAND
+    export ZDM_PROXY_TOPOLOGY_ADDRESS=$SELECTED_IP
+
+    echo "ZDM_PROXY_TOPOLOGY_INDEX: $ZDM_PROXY_TOPOLOGY_INDEX"
+    echo "ZDM_PROXY_TOPOLOGY_ADDRESS: $ZDM_PROXY_TOPOLOGY_ADDRESS"
+  else
+    echo "AWS_NLB_DNS No IPs returned."
+  fi
+else
+  echo "❌ AWS_NLB_DNS is not set"
+fi
+
+# Hand off to ZDM proxy main binary
+exec /main "$@"

migration/online/zdm-proxy/entrypoint.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e  # Exit immediately if any command fails
+
+REGION="us-east-1"
+ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+DOCKER_REPO_NAME="datastax/zdm-proxy"
+AWS_REPO_NAME="zdm-proxy"
+IMAGE_TAG="latest"
+
+
+# Authenticate with ECR
+aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin ${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com
+
+# Create ECR repository (ignore error if it already exists)
+aws ecr create-repository --repository-name ${AWS_REPO_NAME} --region ${REGION} || echo "ECR repo already exists"
+
+# Pull image from Docker Hub
+docker pull --platform linux/amd64 ${DOCKER_REPO_NAME}:${IMAGE_TAG}
+
+mkdir -p certs
+
+curl -o certs/sf-class2-root.crt https://certs.secureserver.net/repository/sf-class2-root.crt
+
+# Build locally
+docker build -f Dockerfile --platform linux/amd64 -t zdm-proxy-custom:latest .
+
+docker tag zdm-proxy-custom:${IMAGE_TAG} ${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com/zdm-proxy:latest
+
+# Push to ECR
+docker push ${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com/${AWS_REPO_NAME}:${IMAGE_TAG}