Skip to content

Introduce a read-only user for data-replication #4551

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: next
Choose a base branch
from
Open

Introduce a read-only user for data-replication #4551

wants to merge 1 commit into from

Conversation

TheOneFromNorway
Copy link
Contributor

@TheOneFromNorway TheOneFromNorway commented Sep 8, 2025
edited
Loading

  • User must be created within aws account due to database living in private subnet
  • For simplicity just create user on startup of application if does not already exist
  • Password is managed via terraform and injected into container

Ticket: MAV-1941

@TheOneFromNorway TheOneFromNorway requested review from a team as code owners September 8, 2025 15:54
@TheOneFromNorway TheOneFromNorway force-pushed the ro_user_for_data_replication branch from 287fe11 to b07f54f Compare September 9, 2025 09:09
thomasleese
thomasleese reviewed Sep 9, 2025
View reviewed changes
terraform/data_replication/variables.tf Outdated
@@ -124,6 +124,10 @@ locals {
{
name = "RAILS_MASTER_KEY"
valueFrom = var.rails_master_key_path
},
{
name = "RO_DB_PASSWORD"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
name = "RO_DB_PASSWORD"
name = "READ_ONLY_DB_PASSWORD"

Is there any reason not to use the full name? It took me a while to work out what "ro" stood for reading this!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ro is standard abbreviation for denoting read-only in the dba world but I have expanded it here for clarity (readonly_user was changed to grafana_ro to reflect reader scope more accurately)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are a few other places where we've still got ro (grafana_ro, ro_db_password, ro-db-password for example). I think it be worth updating these too for consistency.

@TheOneFromNorway TheOneFromNorway force-pushed the ro_user_for_data_replication branch from b07f54f to 5610a96 Compare September 9, 2025 11:00
@TheOneFromNorway
Introduce a read-only user for data-replication
e50a8b4 
- User must be created within aws account due to database living in
  private subnet
- For simplicity just create user on startup of application if does not
  already exist
- Password is managed via terraform and injected into container
@TheOneFromNorway TheOneFromNorway force-pushed the ro_user_for_data_replication branch from 5610a96 to e50a8b4 Compare September 9, 2025 11:14
@sonarqubecloud SonarQubeCloud
Copy link

sonarqubecloud bot commented Sep 9, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

bogsi17
bogsi17 reviewed Sep 9, 2025
View reviewed changes
terraform/data_replication/rds.tf
@@ -36,7 +36,7 @@ resource "aws_rds_cluster" "cluster" {
}

lifecycle {
ignore_changes = [cluster_identifier]
ignore_changes = [cluster_identifier, snapshot_identifier]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is that really what we want? I would imagine the cluster should be recreated if the snapshot_identifier changes

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As we have an option in the workflow to decide whether or not we actually want to recreate the database I would only want to trigger the recreation when that option is specified, otherwise we will recreate every deploy that is 12 hours apart regardless of this option.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bogsi17 bogsi17 bogsi17 left review comments

@thomasleese thomasleese Awaiting requested review from thomasleese

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@TheOneFromNorway @thomasleese @bogsi17