AWS RDS and Aurora setup

Use staging first, least-privilege read-only credentials, SSL, low row limits, and source health checks before connecting RDS or Aurora databases.

Overview

For RDS or Aurora, start with a staging database. Create a least-privilege read-only user, expose only the needed tables or safe views, require SSL, and keep row/time/result limits low until the capability behavior is proven.

If your database is publicly accessible, allow only the minimum network path needed for the Synapsor controlled beta. Private networking, VPC peering, and PrivateLink are roadmap items, so do not connect sensitive production databases until your network and security posture are reviewed.

Proposal writeback should run from a trusted worker in your environment with your normal database transaction rules. Synapsor records the proposal, approval, audit, and replay state; the worker applies the approved change with a separate write credential. Do not give the normal Synapsor source connector production write credentials.

CDC/mirrored subsets are private preview/hardening work and are not the current public RDS connector path. Do not enable CDC for customer production data until production-readiness signoff is approved; use live-read external mappings today.

Developer notes

  • Use staging first and seed a realistic but non-sensitive workflow.
  • Review security group and database user scope before connecting a remote source.
  • Monitor database load after enabling a source; keep row/time limits conservative.
  • Use safe views when raw tables contain sensitive or irrelevant columns.
  • Do not enable proposal writeback until the worker has idempotency, tenant, primary-key, and conflict guards.
  • Do not show or use admin database credentials in the normal Synapsor connection path.
  • Use live-read external mappings today; CDC/mirrored subsets remain private preview/hardening work.
  • Keep CDC smoke commands in the dev-only runbook, not in the normal public RDS setup path.
  • RDS smoke is dev/test only, disabled by default, and can cost money if left running.
  • Destroy dev/test RDS smoke resources back to zero after tests, then verify cleanup. Do not run a broad terraform destroy from production or staging environments.
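
The writeback guards named in the developer notes (idempotency, tenant, primary-key, conflict), sketched as an added example that is not Synapsor's code. The proposal fields, the `orders` and `applied_proposals` tables, and the version-column conflict check are assumptions, and an in-memory SQLite database stands in for the target database.

```python
import sqlite3

def make_demo_db():
    """Constructed in-memory stand-in for the target database (not RDS)."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,
                             status TEXT NOT NULL, version INTEGER NOT NULL);
        CREATE TABLE applied_proposals (proposal_id TEXT PRIMARY KEY);
        INSERT INTO orders VALUES (1, 'tenant-a', 'pending', 3);
    """)
    return db

def apply_proposal(db, p):
    """Apply one approved proposal (hypothetical dict shape).

    Returns 'applied', 'duplicate', 'conflict' or 'rejected'.
    """
    # Primary-key and tenant guard: refuse proposals that do not pin both.
    if not isinstance(p.get("pk"), int) or not p.get("tenant_id"):
        return "rejected"
    db.execute("BEGIN IMMEDIATE")
    outcome = "conflict"
    try:
        try:
            # Idempotency guard: proposal_id is a primary key, so a replay fails here.
            db.execute("INSERT INTO applied_proposals VALUES (?)", (p["proposal_id"],))
        except sqlite3.IntegrityError:
            outcome = "duplicate"
        else:
            # Conflict guard: change exactly one row, and only if it still belongs to
            # this tenant and has the version the proposal was based on.
            cur = db.execute(
                "UPDATE orders SET status = ?, version = version + 1 "
                "WHERE id = ? AND tenant_id = ? AND version = ?",
                (p["new_status"], p["pk"], p["tenant_id"], p["expected_version"]))
            if cur.rowcount == 1:
                outcome = "applied"
    finally:
        # Anything other than a clean apply rolls back, including the idempotency
        # marker, so a conflicting proposal can be re-proposed later.
        db.execute("COMMIT" if outcome == "applied" else "ROLLBACK")
    return outcome
```

A proposal aimed at another tenant's row matches zero rows and is reported as a conflict rather than applied.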