From 7308a18dfc9fc651374ff188869e7aebd7b41f1a Mon Sep 17 00:00:00 2001
From: Cody Seibert
Date: Mon, 9 Sep 2024 13:14:05 -0400
Subject: [PATCH] 10391 - improving the create user script
---
 docs/postgres/deployment.md | 18 +++++++++++
 scripts/postgres/.gitignore | 1 +
 scripts/postgres/create-rds-users.sh | 8 +++++
 scripts/postgres/create-user.sql | 22 -------------
 scripts/postgres/create-user.ts | 46 ----------------------------
 scripts/postgres/create-users.sql | 36 ++++++++++++++++++++++
 6 files changed, 63 insertions(+), 68 deletions(-)
 create mode 100644 docs/postgres/deployment.md
 create mode 100644 scripts/postgres/.gitignore
 create mode 100755 scripts/postgres/create-rds-users.sh
 delete mode 100644 scripts/postgres/create-user.sql
 delete mode 100644 scripts/postgres/create-user.ts
 create mode 100644 scripts/postgres/create-users.sql
diff --git a/docs/postgres/deployment.md b/docs/postgres/deployment.md
new file mode 100644
index 00000000000..e78b9cbe0aa
--- /dev/null
+++ b/docs/postgres/deployment.md
@@ -0,0 +1,18 @@
+
+
+# Steps to Deploy
+
+1. update the environment secrets (aws secrets manager), to include the following
+ - POSTGRES_USER ${ENV}_dawson
+ - DATABASE_NAME ${ENV}_dawson
+ - POSTGRES_MASTER_USERNAME master
+ - POSTGRES_MASTER_PASSWORD ${GENERATE_A_SECURE_PASS}
+ - (optional) RDS_MAX_CAPACITY 1
+ - (optional) RDS_MIN_CAPACITY 0.5
+2. source scripts/env/set-env.zsh ${ENV}
+3. npm run deploy:allColors ${ENV}
+ - this will create the rds cluster with the master username and password
+4. create the database users
+ - look up rds endpoint for the writer instance
+ - cd scripts/postgres && DB_HOST=${REPLACE_WITH_RDS_HOST} ./create-rds-users.sh
+5. merge PR into your environment and run a deployment.
\ No newline at end of file
diff --git a/scripts/postgres/.gitignore b/scripts/postgres/.gitignore
new file mode 100644
index 00000000000..6afd5cf3e75
--- /dev/null
+++ b/scripts/postgres/.gitignore
@@ -0,0 +1 @@
+create-users-generated.sql
\ No newline at end of file
diff --git a/scripts/postgres/create-rds-users.sh b/scripts/postgres/create-rds-users.sh
new file mode 100755
index 00000000000..f0027381dc0
--- /dev/null
+++ b/scripts/postgres/create-rds-users.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# set DB_HOST before running on your environment
+# source your ENV before running this script with the correct environment.
+
+GENERATED_SQL_FILE="create-users-generated.sql"
+sed "s/ENVREPLACEME/${ENV}/g;" create-users.sql > $GENERATED_SQL_FILE
+PGPASSWORD=$POSTGRES_MASTER_PASSWORD psql -h $DB_HOST -U $POSTGRES_MASTER_USERNAME -d $DATABASE_NAME -f $GENERATED_SQL_FILE
\ No newline at end of file
diff --git a/scripts/postgres/create-user.sql b/scripts/postgres/create-user.sql
deleted file mode 100644
index fde13eec235..00000000000
--- a/scripts/postgres/create-user.sql
+++ /dev/null
@@ -1,22 +0,0 @@
-CREATE USER kswann WITH LOGIN;
-GRANT rds_iam TO kswann;
-GRANT CONNECT ON DATABASE exp4_dawson TO kswann;
-GRANT USAGE ON SCHEMA public TO kswann;
-GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO kswann;
-GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO kswann;
-GRANT CREATE ON SCHEMA public TO kswann;
-ALTER DEFAULT PRIVILEGES IN SCHEMA public
-GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO kswann;
-ALTER DEFAULT PRIVILEGES IN SCHEMA public
-GRANT USAGE, SELECT ON SEQUENCES TO kswann;
-
-
--- super admin privileges
--- CREATE USER kswann WITH LOGIN;
--- GRANT rds_iam TO kswann;
--- GRANT ALL PRIVILEGES ON DATABASE exp4_dawson TO kswann;
--- GRANT ALL PRIVILEGES ON SCHEMA public TO kswann;
--- GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO kswann;
--- GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO kswann;
--- GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO kswann;
--- ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO kswann;
\ No newline at end of file
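Review bot: The script runs unconditionally when ENV is unset, in which case the sed on the seventh line silently turns the template into roles named `_dawson` and `_developers` and the psql on the last line creates them with the master credentials; nothing checks the variables the two comments ask the caller to set, the expansions are unquoted, and psql's default behaviour keeps executing after a failed statement and exits 0. Add `set -euo pipefail`, fail fast on the required variables with `: "${ENV:?...}"`, quote the expansions, and pass `-v ON_ERROR_STOP=1` so a failed CREATE USER stops the run instead of every later GRANT erroring on a missing role. A value of ENV containing `/` or `&` would also be interpreted by sed's replacement syntax, so the guard may want to restrict ENV to the characters a role name allows (the project's permitted ENV values are not visible here).

```shell
#!/bin/bash
set -euo pipefail

# … unchanged: header comments …
: "${ENV:?ENV must be set (source scripts/env/set-env.zsh first)}"
: "${DB_HOST:?DB_HOST must be set to the RDS writer endpoint}"
: "${POSTGRES_MASTER_USERNAME:?POSTGRES_MASTER_USERNAME must be set}"
: "${POSTGRES_MASTER_PASSWORD:?POSTGRES_MASTER_PASSWORD must be set}"
: "${DATABASE_NAME:?DATABASE_NAME must be set}"

GENERATED_SQL_FILE="create-users-generated.sql"
sed "s/ENVREPLACEME/${ENV}/g;" create-users.sql > "$GENERATED_SQL_FILE"
PGPASSWORD="$POSTGRES_MASTER_PASSWORD" psql -v ON_ERROR_STOP=1 -h "$DB_HOST" -U "$POSTGRES_MASTER_USERNAME" -d "$DATABASE_NAME" -f "$GENERATED_SQL_FILE"
```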
diff --git a/scripts/postgres/create-user.ts b/scripts/postgres/create-user.ts
deleted file mode 100644
index d256718076a..00000000000
--- a/scripts/postgres/create-user.ts
+++ /dev/null
@@ -1,46 +0,0 @@
-import { POOL, connect } from '@web-api/database';
-import { sql } from 'kysely';
-
-const userToCreate = process.env.USER_TO_CREATE as string;
-const databaseName = process.env.DATABASE_NAME as string;
-
-if (!userToCreate) {
- throw new Error('expected USER_TO_CREATE to be defined');
-}
-
-if (!databaseName) {
- throw new Error('expected DATABASE_NAME to be defined');
-}
-
-async function grantPrivileges() {
- const db = await connect({
- ...POOL,
- password: process.env.POSTGRES_MASTER_PASSWORD,
- user: process.env.POSTGRES_MASTER_USERNAME,
- });
-
- try {
- await sql`CREATE USER ${sql.raw(userToCreate)} WITH LOGIN;`.execute(db);
- await sql`GRANT rds_iam TO ${sql.raw(userToCreate)};`.execute(db);
- await sql`GRANT CONNECT ON DATABASE ${sql.raw(databaseName)} TO ${sql.raw(userToCreate)};`.execute(
- db,
- );
- await sql`GRANT USAGE ON SCHEMA public TO ${sql.raw(userToCreate)};`.execute(
- db,
- );
- await sql`GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO ${sql.raw(userToCreate)};`.execute(
- db,
- );
- await sql`ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO ${sql.raw(userToCreate)};`.execute(
- db,
- );
-
- console.log(`Privileges granted successfully to user ${userToCreate}.`);
- } catch (error) {
- console.error('Error granting privileges:', error);
- } finally {
- await db.destroy();
- }
-}
-
-grantPrivileges().catch(console.error);
diff --git a/scripts/postgres/create-users.sql b/scripts/postgres/create-users.sql
new file mode 100644
index 00000000000..9e5d175877a
--- /dev/null
+++ b/scripts/postgres/create-users.sql
@@ -0,0 +1,36 @@
+-- RUN BOTH OF THESE STATEMENTS IN SQL AFTER RDS CLUSTER IS CREATED
+
+CREATE USER ENVREPLACEME_dawson WITH LOGIN;
+GRANT rds_iam TO ENVREPLACEME_dawson;
+GRANT CONNECT ON DATABASE ENVREPLACEME_dawson TO ENVREPLACEME_dawson;
+GRANT USAGE ON SCHEMA public TO ENVREPLACEME_dawson;
+GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO ENVREPLACEME_dawson;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO ENVREPLACEME_dawson;
+GRANT CREATE ON SCHEMA public TO ENVREPLACEME_dawson;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO ENVREPLACEME_dawson;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+GRANT USAGE, SELECT ON SEQUENCES TO ENVREPLACEME_dawson;
+
+CREATE USER ENVREPLACEME_developers WITH LOGIN;
+GRANT rds_iam TO ENVREPLACEME_developers;
+GRANT CONNECT ON DATABASE ENVREPLACEME_dawson TO ENVREPLACEME_developers;
+GRANT USAGE ON SCHEMA public TO ENVREPLACEME_developers;
+GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO ENVREPLACEME_developers;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO ENVREPLACEME_developers;
+GRANT CREATE ON SCHEMA public TO ENVREPLACEME_developers;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO ENVREPLACEME_developers;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+GRANT USAGE, SELECT ON SEQUENCES TO ENVREPLACEME_developers;
+
+
+-- super admin privileges
+-- CREATE USER kswann WITH LOGIN;
+-- GRANT rds_iam TO kswann;
+-- GRANT ALL PRIVILEGES ON DATABASE exp4_dawson TO kswann;
+-- GRANT ALL PRIVILEGES ON SCHEMA public TO kswann;
+-- GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO kswann;
+-- GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO kswann;
+-- GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO kswann;
+-- ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO kswann;
\ No newline at end of file
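Review bot: The four `ALTER DEFAULT PRIVILEGES` statements carry no `FOR ROLE` clause, so they only cover objects created by the role that runs this script (the master user); tables or sequences that `ENVREPLACEME_dawson` later creates under its `GRANT CREATE ON SCHEMA public` would not be readable by `ENVREPLACEME_developers`, and vice versa. If that cross-role access is intended, scope the defaults explicitly, e.g. `ALTER DEFAULT PRIVILEGES FOR ROLE ENVREPLACEME_dawson IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO ENVREPLACEME_developers;` and the matching sequences statement. The header `-- RUN BOTH OF THESE STATEMENTS IN SQL AFTER RDS CLUSTER IS CREATED` is stale now that the file is a multi-statement template executed by create-rds-users.sh; `-- Template: ENVREPLACEME is substituted by create-rds-users.sh; run once per environment after the RDS cluster exists` would describe it. The commented-out super-admin block at the bottom still hard-codes `kswann` and `exp4_dawson` and grants ALL PRIVILEGES; nothing in the template references it, and dropping it removes the temptation to uncomment it verbatim into another environment. The script is also not rerunnable, since `CREATE USER` errors if the role already exists, which matters because psql continues past errors unless the caller sets ON_ERROR_STOP.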