Check in role manager archive (#695)
- Remove role manager dependencies from source control
- Add role manager archive to source control
- Add make command for building role manager archive
- Add documentation on how to update role manager

## Context

The “check in role manager dependencies” change in [PR 493](#493) does not
function as desired. The role manager lambda still shows a diff on the
source_code_hash on a clean checkout of the repo. This change removes
the archive_file data source altogether, and checks in the zip archive
directly into the codebase. Benefits include:
- We no longer need to check in the python dependencies into source
control, which is a ton of files including binary files
- There’s nothing nondeterministic for project teams, the archive file
is exactly the zip package that gets deployed to lambda

The downside is that updating the role manager is more manual. So this
change also adds a `make infra-module-database-role-manager-archive` to
rebuild the role manager package and adds instructions for doing that.
lorenyu authored Jul 18, 2024
1 parent 2514d1c commit dd4f11f
Showing 112 changed files with 31 additions and 37,506 deletions.
5 changes: 5 additions & 0 deletions Makefile
Expand Up @@ -43,6 +43,7 @@ __check_defined = \
infra-lint-scripts \
infra-lint-terraform \
infra-lint-workflows \
infra-module-database-role-manager \
infra-set-up-account \
infra-test-service \
infra-update-app-build-repository \
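Review bot: the entry added to this target list, `infra-module-database-role-manager`, does not match the target the commit actually defines, `infra-module-database-role-manager-archive`; if this list is the `.PHONY` declaration, the new target is left uncovered and a stray file with that name would silently satisfy make. Suggest changing the line to `infra-module-database-role-manager-archive \`.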
Expand Down Expand Up @@ -108,6 +109,10 @@ infra-update-app-database: ## Create or update $APP_NAME's database module for $
terraform -chdir="infra/$(APP_NAME)/database" init -input=false -reconfigure -backend-config="$(ENVIRONMENT).s3.tfbackend"
terraform -chdir="infra/$(APP_NAME)/database" apply -var="environment_name=$(ENVIRONMENT)"

infra-module-database-role-manager-archive: ## Build/rebuild role manager code package for Lambda deploys
pip3 install -r infra/modules/database/role_manager/requirements.txt -t infra/modules/database/role_manager/vendor --upgrade
zip -r infra/modules/database/role_manager.zip infra/modules/database/role_manager

infra-update-app-database-roles: ## Create or update database roles and schemas for $APP_NAME's database in $ENVIRONMENT
@:$(call check_defined, APP_NAME, the name of subdirectory of /infra that holds the application's infrastructure code)
@:$(call check_defined, ENVIRONMENT, the name of the application environment e.g. "prod" or "staging")
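Review bot: `zip -r infra/modules/database/role_manager.zip infra/modules/database/role_manager` stores every entry under the prefix `infra/modules/database/role_manager/`, but the handler `role_manager.lambda_handler` needs `role_manager.py` at the archive root (the `archive_file` data source being replaced zipped the contents of `source_dir`, not the directory itself). Suggest `cd infra/modules/database/role_manager && zip -r ../role_manager.zip .`. Two further reproducibility points: `zip -r` into an existing archive updates entries in place and keeps entries for files that no longer exist, so delete the archive first (or pass `-FS`); and `pip3 install --upgrade` resolves against the developer's host, so pin `requirements.txt` with hashes and pass `--platform manylinux2014_x86_64 --only-binary=:all: --python-version 3.9` so the vendored wheels match the `python3.9` Lambda runtime rather than whatever machine ran the build.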
14 changes: 14 additions & 0 deletions docs/infra/database-access-control.md
Expand Up @@ -22,3 +22,17 @@ The database authenticates connections with [IAM database authentication](https:

* The system leverages IAM to centrally manage access to the database
* There are no long-lived user database credentials that need to be stored as database authentication tokens are generated by IAM and have a lifetime of 15 minutes

## Update the role manager

If you need to update the role manager code or dependencies, first build the role manager Lambda zip file by running:

```bash
make infra-module-database-role-manager-archive
```

Then deploy the changes to the role manager by running

```bash
make infra-update-app-database APP_NAME=<APP_NAME> ENVIRONMENT=<ENVIRONMENT>
```
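Review bot: the procedure stops at deploying, but the commit's whole rationale is that the committed archive is exactly what gets deployed, so a third step is missing: commit the rebuilt `infra/modules/database/role_manager.zip` together with the source change, and confirm with `terraform plan` that `source_code_hash` changes only when the archive does. Without that step one engineer's uncommitted rebuild deploys a package nobody else can reproduce, which is the drift PR 493 set out to remove.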
10 changes: 7 additions & 3 deletions docs/infra/set-up-database.md
Expand Up @@ -91,12 +91,16 @@ The Lambda function's response should describe the resulting PostgreSQL roles an
}
```

### Important note on Postgres table permissions
### Updating the role manager

Before creating migrations that create tables, first create a migration that includes the following SQL command (or equivalent if your migrations are written in a general-purpose programming language):
To make changes to the role manager such as updating dependencies or adding functionality, see [database access control](./database-access-control.md#update-the-role-manager)

### Note on Postgres table permissions

The role manager executes the following statement as part of database setup:

```sql
ALTER DEFAULT PRIVILEGES GRANT ALL ON TABLES TO app
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT ALL ON TABLES TO app
```

This will cause all future tables created by the `migrator` user to automatically be accessible by the `app` user. See the [Postgres docs on ALTER DEFAULT PRIVILEGES](https://www.postgresql.org/docs/current/sql-alterdefaultprivileges.html) for more info. As an example see the example app's migrations file [migrations.sql](https://github.com/navapbc/template-infra/blob/main/app/migrations.sql).
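Review bot: the replaced SQL changes semantics, not just the heading: `ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT ALL ON TABLES TO app` only affects objects created by the role that executes it unless `FOR ROLE migrator` is added, yet the surrounding text says it covers all future tables created by the `migrator` user. If the role manager does not run this statement as `migrator`, the grant will not apply to migrator-created tables; either add `FOR ROLE migrator` or document that the role manager executes it as `migrator`. Separately, moving this statement from a migration the team writes to something the role manager runs is unrelated to checking in the archive and would be easier to review in its own commit, and the sentence under `### Updating the role manager` lacks a terminating period.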
3 changes: 0 additions & 3 deletions infra/.gitignore
Expand Up @@ -23,6 +23,3 @@ override.tf.json
# example: *tfplan*
*.plan
*.tfstate

# Ignore archives used for deploying lambdas
*.zip
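Review bot: dropping the `*.zip` rule un-ignores every zip under `infra/`, not just the one archive this commit wants tracked, so build artifacts and downloaded packages elsewhere will start appearing in `git status` and can be committed by accident. Keep the rule and add a negation for the single file below it, e.g. `!modules/database/role_manager.zip`.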
1 change: 1 addition & 0 deletions infra/modules/database/.gitignore
@@ -1 +1,2 @@
__pycache__
vendor/
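Review bot: `vendor/` is unanchored, so it also ignores any nested `vendor` directory under `infra/modules/database`; anchoring it as `/role_manager/vendor/` names precisely the directory the `pip3 install -t` target writes. Because this directory is ignored and `pip3 install --upgrade` never removes packages, a dependency dropped from `requirements.txt` stays in a developer's vendor directory and ships in the next archive; the make target should `rm -rf` it before installing.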
1 change: 0 additions & 1 deletion infra/modules/database/main.tf
Expand Up @@ -5,7 +5,6 @@ locals {
master_username = "postgres"
primary_instance_name = "${var.name}-primary"
role_manager_name = "${var.name}-role-manager"
role_manager_package = "${path.root}/role_manager.zip"
# The ARN that represents the users accessing the database are of the format: "arn:aws:rds-db:<region>:<account-id>:dbuser:<resource-id>/<database-user-name>""
# See https://aws.amazon.com/blogs/database/using-iam-authentication-to-connect-with-pgadmin-amazon-aurora-postgresql-or-amazon-rds-for-postgresql/
db_user_arn_prefix = "arn:aws:rds-db:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:dbuser:${aws_rds_cluster.db.cluster_resource_id}"
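Review bot: the `${path.root}/role_manager.zip` local removed here placed the archive relative to whichever root module called the database module; the replacement local in role-manager.tf uses `path.module`, so the file now lives beside the module source, which is the right place for a checked-in artifact. While touching this block: the comment on the `db_user_arn_prefix` line ends with a stray `""`.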
13 changes: 4 additions & 9 deletions infra/modules/database/role-manager.tf
Expand Up @@ -6,14 +6,15 @@
# as well as viewing existing roles

locals {
db_password_param_name = "/aws/reference/secretsmanager/${data.aws_secretsmanager_secret.db_password.name}"
db_password_param_name = "/aws/reference/secretsmanager/${data.aws_secretsmanager_secret.db_password.name}"
role_manager_archive_path = "${path.module}/role_manager.zip"
}

resource "aws_lambda_function" "role_manager" {
function_name = local.role_manager_name

filename = local.role_manager_package
source_code_hash = data.archive_file.role_manager.output_base64sha256
filename = local.role_manager_archive_path
source_code_hash = filebase64sha256(local.role_manager_archive_path)
runtime = "python3.9"
handler = "role_manager.lambda_handler"
role = aws_iam_role.role_manager.arn
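Review bot: `role_manager_archive_path` needs a comment stating that `role_manager.zip` is a committed artifact rebuilt only via `make infra-module-database-role-manager-archive`; otherwise the next reader will assume it is generated at plan time and reintroduce an `archive_file` data source. The same comment should say that the vendored dependencies must be built for the Linux `python3.9` runtime declared a few lines below, not for the developer's host.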
Expand Down Expand Up @@ -53,12 +54,6 @@ resource "aws_lambda_function" "role_manager" {
# checkov:skip=CKV_AWS_116:Dead letter queue (DLQ) configuration is only relevant for asynchronous invocations
}

data "archive_file" "role_manager" {
type = "zip"
source_dir = "${path.module}/role_manager"
output_path = local.role_manager_package
}

data "aws_kms_key" "default_ssm_key" {
key_id = "alias/aws/ssm"
}
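Review bot: with the `archive_file` data source gone, nothing verifies that `role_manager.zip` still matches the `role_manager/` sources, so a source change committed without a rebuild deploys silently stale code. Suggest a CI step that runs the make target and compares the unzipped file listing and per-file checksums against the committed archive (byte-comparing the zip itself will fail on entry timestamps).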
Binary file added infra/modules/database/role_manager.zip