BAU: allow forms data_api to specify db user

Author: whi-tw

support/forms-cli/lib/commands/data_api.rb

@@ -13,7 +13,7 @@ def run
     parse_options
     return unless aws_authenticated? && valid_options?
 
-    @connection = DataApiConnection.new(fetch_environment, @options[:database], @options[:cluster])
+    @connection = DataApiConnection.new(fetch_environment, @options[:database], @options[:cluster], @options[:user])
 
     begin
       print execute_statement
@@ -74,6 +74,10 @@ def parse_options
       opts.on("-sSTATEMENT", "--statement=STATEMENT", "[Mandatory] The statement to execute") do |statement|
         @options[:statement] = statement
       end
+
+      opts.on("-uUSER", "--user=USER", "The database user to connect as") do |user|
+        @options[:user] = user
+      end
     }.parse!
   end
 

support/forms-cli/lib/utilities/data_api_connection.rb

@@ -9,10 +9,11 @@
 
 # Executes statements on AWS RDS using the Data API.
 class DataApiConnection
-  def initialize(env, database_name, cluster_name)
+  def initialize(env, database_name, cluster_name, database_user = nil)
     @env = env
     @database_name = database_name
     @cluster_name = cluster_name || default_cluster_name
+    @database_user = database_user || database_name
 
     @data_service = Aws::RDSDataService::Client.new
     @rds = Aws::RDS::Client.new
@@ -43,8 +44,7 @@ def default_cluster_name
   end
 
   def query_credential_arn
-    secret_name = "rds-db-credentials/#{query_database_resource_id}/#{@database_name}"
-    # secret_name = "data-api/#{@env}/#{@database_name}/rds-credentials"
+    secret_name = "rds-db-credentials/#{query_database_resource_id}/#{@database_user}"
 
     begin
       secret = @secrets_manager.describe_secret({ secret_id: secret_name })

support/forms-cli/spec/commands/data_api_spec.rb

@@ -38,7 +38,7 @@
 
       expect(DataApiConnection)
         .to have_received(:new)
-        .with("dev", "forms-admin", "cluster-name")
+        .with("dev", "forms-admin", "cluster-name", nil)
         .at_least(:once)
     end
 

support/forms-cli/spec/fixtures/rds.rb

@@ -8,6 +8,6 @@ module RDSFixtures
 
   def self.describe_db_clusters
     @rds_stub.stub_data(:describe_db_clusters,
-                        { db_clusters: [{ db_cluster_arn: "cluster-arn" }] })
+                        { db_clusters: [{ db_cluster_arn: "cluster-arn", db_cluster_resource_id: "cluster-resource-id" }] })
   end
 end

support/forms-cli/spec/fixtures/secretsmanager.rb

@@ -32,8 +32,8 @@ def self.empty_list_secrets
   def self.describe_secret
     @secrets_manager_stub.stub_data(:describe_secret,
                                     {
-                                      arn: "arn:aws:secretsmanager:eu-west-2:123456789012:secret:data-api/dev/forms-admin/rds-credentials-AbCdEf",
-                                      name: "data-api/dev/forms-admin/rds-credentials",
+                                      arn: "arn:aws:secretsmanager:eu-west-2:123456789012:secret:rds-db-credentials/cluster-resource-id/forms-admin-AbCdEf",
+                                      name: "rds-db-credentials/cluster-resource-id/forms-admin",
                                       description: "Data API credentials for forms-admin in dev environment",
                                     })
   end

support/forms-cli/spec/utilities/data_api_connection_spec.rb

@@ -11,7 +11,7 @@
     secrets_manager_mock = instance_double(Aws::SecretsManager::Client)
     allow(secrets_manager_mock)
       .to receive(:describe_secret)
-      .with(hash_including(secret_id: "data-api/dev/forms-admin/rds-credentials"))
+      .with(hash_including(secret_id: "rds-db-credentials/cluster-resource-id/forms-admin"))
       .and_return(SecretsManagerFixtures.describe_secret)
 
     secrets_manager_mock
@@ -56,7 +56,7 @@
       .to have_received(:execute_statement)
       .with(hash_including(
               resource_arn: "cluster-arn",
-              secret_arn: "arn:aws:secretsmanager:eu-west-2:123456789012:secret:data-api/dev/forms-admin/rds-credentials-AbCdEf",
+              secret_arn: "arn:aws:secretsmanager:eu-west-2:123456789012:secret:rds-db-credentials/cluster-resource-id/forms-admin-AbCdEf",
             ))
       .at_least(:once)
   end
@@ -77,7 +77,7 @@
 
     expect(secrets_manager_mock)
       .to have_received(:describe_secret)
-      .with(hash_including(secret_id: "data-api/dev/forms-admin/rds-credentials"))
+      .with(hash_including(secret_id: "rds-db-credentials/cluster-resource-id/forms-admin"))
       .at_least(:once)
   end
 
@@ -111,7 +111,7 @@
       secrets_manager_mock_no_secret = instance_double(Aws::SecretsManager::Client)
       allow(secrets_manager_mock_no_secret)
         .to receive(:describe_secret)
-        .with(hash_including(secret_id: "data-api/dev/forms-admin/rds-credentials"))
+        .with(hash_including(secret_id: "rds-db-credentials/cluster-resource-id/forms-admin"))
         .and_raise(Aws::SecretsManager::Errors::ResourceNotFoundException.new("context", "Secret not found"))
 
       secrets_manager_mock_no_secret
@@ -126,7 +126,7 @@
     it "raises an error about missing secret" do
       expect {
         described_class.new("dev", "forms-admin", "cluster-name").execute_statement("select * from testing;")
-      }.to raise_error(/Data API credential secret 'data-api\/dev\/forms-admin\/rds-credentials' was not found/)
+      }.to raise_error(/Data API credential secret 'rds-db-credentials\/cluster-resource-id\/forms-admin' was not found/)
     end
   end
 end