Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: DBTP-1010 Readonly postgres user doesn't have read perms #140

Merged
merged 32 commits into from
May 30, 2024
Merged

fix: DBTP-1010 Readonly postgres user doesn't have read perms #140

merged 32 commits into from
May 30, 2024

Conversation

gabelton
Copy link
Contributor

@gabelton gabelton commented May 29, 2024
edited
Loading

Currently the lambda runs ALTER DEFAULT PRIVILEGES FOR USER readonly_user IN SCHEMA public GRANT SELECT ON TABLES TO readonly_user;. This grants read permissions to the readonly user on future tables, but ONLY those created by the readonly_user. We're moving to use application_user to perform migrations, so the necessary command is now ALTER DEFAULT PRIVILEGES FOR USER application_user IN SCHEMA public GRANT SELECT ON TABLES TO readonly_user;

gabelton added 30 commits May 23, 2024 08:40
@gabelton
remove comma
d3e48cb
@gabelton
remove invocation
1e8e3f1
@gabelton
remove lambda code
bd32de8
@gabelton
restore lambda
6a5e395
@gabelton
add another read only lambda invocation
3525e03
@gabelton
remove invocations
db30be1
@gabelton
add invocation again
2075137
@gabelton
add comma to list
033406b
@gabelton
remove invocation
adeb195
@gabelton
restore invocation
8ff93dc
@gabelton
remove read only invocation
aab4aaa
@gabelton
add read only invocation
d759a8c
@gabelton
Merge branch 'main' into testing-postgres-lambda
be8c7b3
@gabelton
remove read only invocation
a88f78e
@gabelton
add read only invocation
63e40fa
@gabelton
update secret description
5449a62
@gabelton
remove invocation
7a49243
@gabelton
add back
6daa4d1
@gabelton
remove comma
e00dbf3
@gabelton
remove invocation
b649f28
@gabelton
add back
e68a2ff
@gabelton
remove comma
a1e2b73
@gabelton
add back with comma
a6bb8c1
@gabelton
restore
aebd99c
@gabelton
restore
e71b708
@gabelton
remove
4933c75
@gabelton
restore with comma
ed1ae35
@gabelton
add dependency
e524fbf
@gabelton
add print statements
9fbf1b8
@gabelton
update lambda code to specify privileges on tables created by app user
2bd6e3c
@gabelton gabelton requested a review from a team May 30, 2024 10:30
WillGibson
WillGibson approved these changes May 30, 2024
View reviewed changes
postgres/lambda.tf
@@ -119,11 +119,11 @@ resource "aws_lambda_invocation" "create-readonly-user" {
CopilotApplication = var.application
CopilotEnvironment = var.environment
MasterUserSecretArn = aws_db_instance.default.master_user_secret[0].secret_arn
SecretDescription = "RDS application user secret for ${local.name}"
SecretDescription = "RDS readonly user secret for ${local.name}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good spot!

@gabelton gabelton merged commit 1628440 into main May 30, 2024
6 checks passed
@gabelton gabelton deleted the testing-postgres-lambda branch May 30, 2024 13:00
This was referenced May 30, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@WillGibson WillGibson WillGibson approved these changes

@samuele-mattiuzzo samuele-mattiuzzo samuele-mattiuzzo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@gabelton @samuele-mattiuzzo @WillGibson