Introduce a read-only user for data-replication

- User must be created within aws account due to database living in
  private subnet
- For simplicity just create user on startup of application if does not
  already exist
- Password is managed via terraform and injected into container

Author: TheOneFromNorway

bin/data-replication

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Data replication script - creates read-only database role and keeps container running
+
+set -e
+
+echo "Starting data replication setup..."
+
+if [ -z "$RO_DB_PASSWORD" ]; then
+  echo "Error: RO_DB_PASSWORD environment variable is not set"
+  exit 1
+fi
+
+echo "Creating read-only database role..."
+
+bundle exec rails runner "
+begin
+  ActiveRecord::Base.connection.execute(\"
+    DO \$\$
+    BEGIN
+      IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'readonly_user') THEN
+        CREATE ROLE readonly_user WITH LOGIN PASSWORD '#{ENV['RO_DB_PASSWORD']}';
+      ELSE
+        ALTER ROLE readonly_user WITH PASSWORD '#{ENV['RO_DB_PASSWORD']}';
+      END IF;
+    END
+    \$\$;
+  \")
+  
+  ActiveRecord::Base.connection.execute(\"
+    GRANT CONNECT ON DATABASE #{ActiveRecord::Base.connection.current_database} TO readonly_user;
+    GRANT USAGE ON SCHEMA public TO readonly_user;
+    GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly_user;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly_user;
+  \")
+  
+  puts 'Read-only role created/updated successfully'
+rescue => e
+  puts \"Error creating read-only role: \#{e.message}\"
+  exit 1
+end
+"
+
+echo "Data replication setup completed. Keeping container running..."
+
+exec tail -f /dev/null

bin/docker-start

@@ -11,10 +11,13 @@ elif [ "$SERVER_TYPE" == "good-job" ]; then
 elif [ "$SERVER_TYPE" == "sidekiq" ]; then
   echo "Starting sidekiq server..."
   exec "$BIN_DIR"/sidekiq
+elif [ "$SERVER_TYPE" == "data-replication" ]; then
+  echo "Starting data replication server..."
+  exec "$BIN_DIR"/data-replication
 elif [ "$SERVER_TYPE" == "none" ]; then
   echo "No server started"
   exec tail -f /dev/null  # Keep container running
 else
-  echo "SERVER_TYPE variable: '$SERVER_TYPE' unknown. Allowed values ['web','good-job', 'none']"
+  echo "SERVER_TYPE variable: '$SERVER_TYPE' unknown. Allowed values ['web','good-job', 'sidekiq', 'data-replication', 'none']"
   exit 1
 fi

terraform/data_replication/ssm_parameters.tf

@@ -0,0 +1,22 @@
+# Create a password that is automatically populated in secrets manager using the random password generator for aws
+
+# Generate a random password for the read-only database user
+ephemeral "aws_secretsmanager_random_password" "ro_db_password" {
+}
+
+# Store the generated password in AWS Secrets Manager
+resource "aws_secretsmanager_secret" "ro_db_password" {
+  name                    = "${local.name_prefix}-ro-db-password-${substr(uuid(), 0, 4)}"
+  description             = "Read-only database user password for data replication"
+  recovery_window_in_days = 7
+
+  tags = {
+    Name = "${local.name_prefix}-ro-db-password"
+  }
+}
+
+resource "aws_secretsmanager_secret_version" "ro_db_password" {
+  secret_id                = aws_secretsmanager_secret.ro_db_password.id
+  secret_string_wo         = ephemeral.aws_secretsmanager_random_password.ro_db_password.random_password
+  secret_string_wo_version = 1
+}

terraform/data_replication/variables.tf

@@ -124,6 +124,10 @@ locals {
     {
       name      = "RAILS_MASTER_KEY"
       valueFrom = var.rails_master_key_path
+    },
+    {
+      name      = "RO_DB_PASSWORD"
+      valueFrom = aws_secretsmanager_secret.ro_db_password.arn
     }
   ]
 }