Introduce a read-only user for data-replication

TheOneFromNorway · TheOneFromNorway · commit 7709a8d2c126 · 2025-09-22T08:59:31.000+01:00
- User must be created within aws account due to database living in
  private subnet
- For simplicity just create user on startup of application if does not
  already exist
- Password is managed via terraform and injected into container
diff --git a/bin/data-replication b/bin/data-replication
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Data replication script - creates read-only database role and keeps container running
+
+set -e
+
+echo "Starting data replication setup..."
+
+if [ -z "$READ_ONLY_DB_PASSWORD" ]; then
+  echo "Error: READ_ONLY_DB_PASSWORD environment variable is not set"
+  exit 1
+fi
+
+echo "Creating read-only database role..."
+
+bundle exec rails runner "
+begin
+  ActiveRecord::Base.connection.execute(\"
+    DO \$\$
+    BEGIN
+      IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'grafana_ro') THEN
+        CREATE ROLE grafana_ro WITH LOGIN PASSWORD '#{ENV['READ_ONLY_DB_PASSWORD']}';
+      ELSE
+        ALTER ROLE grafana_ro WITH PASSWORD '#{ENV['READ_ONLY_DB_PASSWORD']}';
+      END IF;
+    END
+    \$\$;
+  \")
+  
+  ActiveRecord::Base.connection.execute(\"
+    GRANT CONNECT ON DATABASE #{ActiveRecord::Base.connection.current_database} TO grafana_ro;
+    GRANT USAGE ON SCHEMA public TO grafana_ro;
+    GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana_ro;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO grafana_ro;
+  \")
+  
+  puts 'Read-only role created/updated successfully'
+rescue => e
+  puts \"Error creating read-only role: \#{e.message}\"
+  exit 1
+end
+"
+
+echo "Data replication setup completed. Keeping container running..."
+
+exec tail -f /dev/null
diff --git a/bin/docker-start b/bin/docker-start
@@ -8,6 +8,9 @@ if [ "$SERVER_TYPE" == "web" ]; then
 elif [ "$SERVER_TYPE" == "sidekiq" ]; then
   echo "Starting sidekiq server..."
   exec "$BIN_DIR"/sidekiq
+elif [ "$SERVER_TYPE" == "data-replication" ]; then
+  echo "Starting data replication server..."
+  exec "$BIN_DIR"/data-replication
 elif [ "$SERVER_TYPE" == "none" ]; then
   echo "No server started"
   exec tail -f /dev/null  # Keep container running
diff --git a/terraform/data_replication/ecs.tf b/terraform/data_replication/ecs.tf
@@ -26,8 +26,7 @@ module "db_access_service" {
     subnets = local.subnet_list
     vpc_id  = aws_vpc.vpc.id
   }
-  server_type      = "none"
-  server_type_name = "data-replication"
+  server_type = "data-replication"
   task_config = {
     environment          = local.task_envs
     secrets              = local.task_secrets
diff --git a/terraform/data_replication/iam.tf b/terraform/data_replication/iam.tf
@@ -11,7 +11,8 @@ data "aws_iam_policy_document" "ecs_permissions" {
     sid     = "dbSecretSid"
     actions = ["secretsmanager:GetSecretValue"]
     resources = [
-      var.db_secret_arn
+      var.db_secret_arn,
+      aws_secretsmanager_secret.ro_db_password.arn
     ]
     effect = "Allow"
   }
diff --git a/terraform/data_replication/rds.tf b/terraform/data_replication/rds.tf
@@ -36,7 +36,7 @@ resource "aws_rds_cluster" "cluster" {
   }
 
   lifecycle {
-    ignore_changes = [cluster_identifier]
+    ignore_changes = [cluster_identifier, snapshot_identifier]
   }
 }
 
diff --git a/terraform/data_replication/ssm_parameters.tf b/terraform/data_replication/ssm_parameters.tf
@@ -0,0 +1,26 @@
+# Create a password that is automatically populated in secrets manager using the random password generator for aws
+
+# Generate a random password for the read-only database user
+ephemeral "aws_secretsmanager_random_password" "ro_db_password" {
+}
+
+# Store the generated password in AWS Secrets Manager
+resource "aws_secretsmanager_secret" "ro_db_password" {
+  name                    = "${local.name_prefix}-ro-db-password-${substr(uuid(), 0, 4)}"
+  description             = "Read-only database user password for data replication"
+  recovery_window_in_days = 7
+
+  tags = {
+    Name = "${local.name_prefix}-ro-db-password"
+  }
+  lifecycle {
+    ignore_changes       = [name]
+    replace_triggered_by = [aws_rds_cluster.cluster]
+  }
+}
+
+resource "aws_secretsmanager_secret_version" "ro_db_password" {
+  secret_id                = aws_secretsmanager_secret.ro_db_password.id
+  secret_string_wo         = ephemeral.aws_secretsmanager_random_password.ro_db_password.random_password
+  secret_string_wo_version = 1
+}
diff --git a/terraform/data_replication/variables.tf b/terraform/data_replication/variables.tf
@@ -124,6 +124,10 @@ locals {
     {
       name      = "RAILS_MASTER_KEY"
       valueFrom = var.rails_master_key_path
+    },
+    {
+      name      = "READ_ONLY_DB_PASSWORD"
+      valueFrom = aws_secretsmanager_secret.ro_db_password.arn
     }
   ]
 }

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,8 @@ data "aws_iam_policy_document" "ecs_permissions" {`
`11`	`11`	`sid = "dbSecretSid"`
`12`	`12`	`actions = ["secretsmanager:GetSecretValue"]`
`13`	`13`	`resources = [`
`14`		`- var.db_secret_arn`
	`14`	`+ var.db_secret_arn,`
	`15`	`+ aws_secretsmanager_secret.ro_db_password.arn`
`15`	`16`	`]`
`16`	`17`	`effect = "Allow"`
`17`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ resource "aws_rds_cluster" "cluster" {`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`lifecycle {`
`39`		`- ignore_changes = [cluster_identifier]`
	`39`	`+ ignore_changes = [cluster_identifier, snapshot_identifier]`
`40`	`40`	`}`
`41`	`41`	`}`
`42`	`42`
Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,10 @@ locals {`
`124`	`124`	`{`
`125`	`125`	`name = "RAILS_MASTER_KEY"`
`126`	`126`	`valueFrom = var.rails_master_key_path`
	`127`	`+ },`
	`128`	`+ {`
	`129`	`+ name = "READ_ONLY_DB_PASSWORD"`
	`130`	`+ valueFrom = aws_secretsmanager_secret.ro_db_password.arn`
`127`	`131`	`}`
`128`	`132`	`]`
`129`	`133`	`}`