From 275b0834314c9e9cdbd36bea8b4a5eacf691c732 Mon Sep 17 00:00:00 2001
From: Ed Olivares <34591886+eudoroolivares2016@users.noreply.github.com>
Date: Thu, 7 Mar 2024 06:32:38 -0800
Subject: [PATCH] EDSC-3967: Update variables to use new encrypted database
- Add secret for new encrypted database
- restore old database configuration to serverless
---
README.md | 2 +-
.../aws-infrastructure-resources.yml | 40 ++++++++++++++++++-
serverless.yml | 10 ++++-
.../__tests__/getDbConnectionConfig.test.js | 4 +-
.../util/database/getDbConnectionConfig.js | 8 ++--
static.config.json | 2 +-
6 files changed, 54 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 3c4574e537..8d77416aa7 100644
--- a/README.md
+++ b/README.md
@@ -95,7 +95,7 @@ For local development Earthdata Search uses a json configuration file to store s
 cp secret.config.json.example secret.config.json
-In order to operate against a local database this file will need `dbUsername` and `dbPassword` values set (you may need to update `dbHost`, `dbName` or `dbPort` in `static.config.json` if you have custom configuration locally).
+In order to operate against a local database this file will need `dbUsername` and `dbPassword` values set (you may need to update `dbHost`, `dbName` or `databasePort` in `static.config.json` if you have custom configuration locally).
 If you created the `postgres` user after a new PostgreSQL install as described above, both `dbUsername` and `dbPassword` will be the username you use to log into your computer.
diff --git a/serverless-configs/aws-infrastructure-resources.yml b/serverless-configs/aws-infrastructure-resources.yml
index 0a7821eeb9..3d591dd294 100644
--- a/serverless-configs/aws-infrastructure-resources.yml
+++ b/serverless-configs/aws-infrastructure-resources.yml
@@ -30,6 +30,26 @@ Resources:
 Ref: Database
 TargetType: AWS::RDS::DBInstance
+ # Encrypted Database password secret storage
+ EncryptedDbPasswordSecret:
+ Type: AWS::SecretsManager::Secret
+ Properties:
+ Description: "EDSC Encrypted RDS database master password"
+ GenerateSecretString:
+ SecretStringTemplate: "{\"username\":\"edsc\"}"
+ GenerateStringKey: "password"
+ PasswordLength: 30
+ ExcludeCharacters: "\"@/\\"
+
+ SecretEncryptedRDSInstanceAttachment:
+ Type: "AWS::SecretsManager::SecretTargetAttachment"
+ Properties:
+ SecretId:
+ Ref: EncryptedDbPasswordSecret
+ TargetId:
+ Ref: EncryptedDatabase
+ TargetType: AWS::RDS::DBInstance
+
 # RDS database
 Database:
 Type: AWS::RDS::DBInstance
@@ -229,10 +249,26 @@ Outputs:
 Export:
 Name: ${self:provider.stage}-EDSCServerlessAppRole
- DatabaseEndpoint:
+ EncryptedDatabaseEndpoint:
+ Value:
+ Fn::GetAtt:
+ - EncryptedDatabase
+ - Endpoint.Address
+ Export:
+ Name: ${self:provider.stage}-EncryptedDatabaseEndpoint
+
+ EncryptedDatabasePort:
 Value:
 Fn::GetAtt:
 - EncryptedDatabase
+ - Endpoint.Port
+ Export:
+ Name: ${self:provider.stage}-EncryptedDatabasePort
+
+ DatabaseEndpoint:
+ Value:
+ Fn::GetAtt:
+ - Database
 - Endpoint.Address
 Export:
 Name: ${self:provider.stage}-DatabaseEndpoint
@@ -240,7 +276,7 @@ Outputs:
 DatabasePort:
 Value:
 Fn::GetAtt:
- - EncryptedDatabase
+ - Database
 - Endpoint.Port
 Export:
 Name: ${self:provider.stage}-DatabasePort
diff --git a/serverless.yml b/serverless.yml
index e9ae4ef424..484397a1b6 100644
--- a/serverless.yml
+++ b/serverless.yml
@@ -13,6 +13,12 @@ provider:
 Fn::ImportValue: ${self:provider.stage}-DatabaseEndpoint
 dbPort:
 Fn::ImportValue: ${self:provider.stage}-DatabasePort
+ # Variables for new Encrypted database
+ databaseEndpoint:
+ Fn::ImportValue: ${self:provider.stage}-EncryptedDatabaseEndpoint
+ databasePort:
+ Fn::ImportValue: ${self:provider.stage}-EncryptedDatabasePort
+
 dbUsername: edsc
 dbName: edsc_${self:provider.stage}
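Review bot: EncryptedDbPasswordSecret sets no KmsKeyId, so the generated master password is protected by the account's default `aws/secretsmanager` key even though it feeds the encrypted instance; if EncryptedDatabase is encrypted under a customer-managed key, give the secret the same boundary with `KmsKeyId: <KMS_KEY_REF_PLACEHOLDER>`. Nothing in this hunk shows EncryptedDatabase's MasterUserPassword being resolved from this secret (a `{{resolve:secretsmanager:...}}` reference), so confirm that wiring exists elsewhere in the file, otherwise the generated value and the instance password diverge and the attachment only records an association. The username `edsc` is hard-coded both in SecretStringTemplate here and as `dbUsername: edsc` in serverless.yml; a comment such as `# must match provider.environment.dbUsername in serverless.yml` would keep the two from drifting. No AWS::SecretsManager::RotationSchedule is attached to the new secret; if the existing Database secret has one, the encrypted database should get the same treatment.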
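Review bot: dbEndpoint and dbPort stay in provider.environment with their Fn::ImportValue lookups while databaseEndpoint and databasePort are added beside them, yet the invokeLocal Exclude list in hunk `@@ -103,8 +109,8 @@ custom:` swaps the old names out for the new ones. Unless dbEndpoint and dbPort are removed elsewhere in this file, the `invokeLocal` stage will now try to evaluate their Fn::ImportValue entries, which is exactly what that exclusion was meant to prevent. Either drop the two legacy variables here, or keep them excluded alongside the new entries with `- provider.environment.dbEndpoint` and `- provider.environment.dbPort`. If the legacy variables are retained on purpose for a rollback path, a one-line comment next to them saying so would spare the next reader the same question.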
@@ -103,8 +109,8 @@ custom:
 # When invoking an offline lambda with `npm run invoke-local` this condition will disable serverless components that need to import or reference cloudformation values
 - If: '"${self:provider.stage}" == "invokeLocal"'
 Exclude:
- - provider.environment.dbEndpoint
- - provider.environment.dbPort
+ - provider.environment.databaseEndpoint
+ - provider.environment.databasePort
 - provider.environment.colorMapQueueUrl
 - provider.environment.tagQueueUrl
 - provider.environment.cmrOrderingOrderQueueUrl
diff --git a/serverless/src/util/database/__tests__/getDbConnectionConfig.test.js b/serverless/src/util/database/__tests__/getDbConnectionConfig.test.js
index c3090ebc73..b66c6ca9ac 100644
--- a/serverless/src/util/database/__tests__/getDbConnectionConfig.test.js
+++ b/serverless/src/util/database/__tests__/getDbConnectionConfig.test.js
@@ -18,9 +18,9 @@ describe('getDbConnectionConfig', () => {
 })
 test('fetches urs credentials from secrets manager', async () => {
- process.env.dbEndpoint = 'db://endpoint.com'
+ process.env.databaseEndpoint = 'db://endpoint.com'
 process.env.dbName = 'test-db'
- process.env.dbPort = 1234
+ process.env.databasePort = 1234
 jest.spyOn(getDbCredentials, 'getDbCredentials').mockImplementationOnce(() => ({
 username: 'username',
diff --git a/serverless/src/util/database/getDbConnectionConfig.js b/serverless/src/util/database/getDbConnectionConfig.js
index ac62f3cbe9..8845d431c7 100644
--- a/serverless/src/util/database/getDbConnectionConfig.js
+++ b/serverless/src/util/database/getDbConnectionConfig.js
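Review bot: The renamed `process.env.databaseEndpoint` and `process.env.databasePort` assignments only exercise the non-development branch of getDbConnectionConfig; the `development` branch now destructures `databasePort` from getEnvironmentConfig(), and nothing in this hunk covers that path, so a config still carrying the old `dbPort` key would pass the suite unnoticed. Unless another test in this file already does it, add a case that sets `process.env.NODE_ENV = 'development'`, mocks getEnvironmentConfig to return `{ dbHost, dbName, databasePort }`, and asserts on the returned port. Assigning `1234` to process.env stores the string `'1234'`, so the port expectation further down should compare against a string if it does not already. The test function continues outside the hunk.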
@@ -16,21 +16,21 @@ export const getDbConnectionConfig = async () => {
 }
 if (process.env.NODE_ENV === 'development') {
- const { dbHost, dbName, dbPort } = getEnvironmentConfig()
+ const { dbHost, dbName, databasePort } = getEnvironmentConfig()
 return {
 ...configObject,
 host: dbHost,
 database: dbName,
- port: dbPort
+ port: databasePort
 }
 }
 connectionConfig = {
 ...configObject,
- host: process.env.dbEndpoint,
+ host: process.env.databaseEndpoint,
 database: process.env.dbName,
- port: process.env.dbPort
+ port: process.env.databasePort
 }
 }
diff --git a/static.config.json b/static.config.json
index 9ae803a80a..3c6eff4c34 100644
--- a/static.config.json
+++ b/static.config.json
@@ -60,7 +60,7 @@
 "development": {
 "dbHost": "127.0.0.1",
 "dbName": "edsc_dev",
- "dbPort": 5432,
+ "databasePort": 5432,
 "apiHost": "http://localhost:3001/dev",
 "edscHost": "http://localhost:8080"
 },
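Review bot: `host: process.env.databaseEndpoint` and `port: process.env.databasePort` are read with no check that the renamed variables are set, so a stage that still exports only the old dbEndpoint/dbPort names yields a config with `host: undefined` and the failure surfaces later in the connection library instead of at the cutover. A guard before building connectionConfig makes the rename explicit: `const { databaseEndpoint, databasePort } = process.env` followed by `if (databaseEndpoint == null || databasePort == null) throw new Error('databaseEndpoint and databasePort must be set')`. The rename also leaves the prefixes split between `dbHost`/`dbName` and `databaseEndpoint`/`databasePort` (likewise `dbPort` → `databasePort` in static.config.json while `dbHost`/`dbName` stay); a comment such as `// database* vars point at the encrypted RDS instance; db* names are the legacy ones` would explain the distinction to the next reader. getDbConnectionConfig begins before and ends after this hunk.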