Skip to content

BAU: Create data api secrets with correct names#2117

Merged
whi-tw merged 3 commits into
mainfrom
whi-tw/do-data-api-better
May 15, 2026
Merged

BAU: Create data api secrets with correct names#2117
whi-tw merged 3 commits into
mainfrom
whi-tw/do-data-api-better

Conversation

@whi-tw
Copy link
Copy Markdown
Contributor

@whi-tw whi-tw commented May 12, 2026
edited
Loading

What problem does this pull request solve?

Trello card: https://trello.com/c/NKwHyKNP/3100-fix-rds-data-api

Previously, we created our own secrets for the Data API with a custom
name format. The Query Editor Console can find secrets with the name
format rds-db-credentials/cluster-*/<credential-reference>, so if we
create our secrets with that format, this will be a better experience
for engineers using the Query Editor Console.

The Query editor console will automatically create a secret with this
format if someone uses the Add new database credentials option in the
console. We should clean these up, so as not to pollute the credentials
list with potentially outdated secrets. A better long-term solution
would be to prevent engineers from creating secrets in the first place,
but this is a good interim step.

I've also drive-by fixed an annoyance with the specs - happy to move this to a new PR if it's too chunky for this one.

  • Create secrets with the correct name format
  • Allow engineer access to secrets with the new name format
  • Update forms-cli to use the new secrets
  • Add a post-apply script to delete any user-created secrets

Testing

You can test in dev where it's currently deployed:

gds aws forms-dev-admin -- forms data_api -c aurora-v2-cluster-forms-runner-dev -d forms-runner -u root -s 'select 1;'
{
  "updated": 0,
  "records": [
    {
      "?column?": 1
    }
  ]
}
gds aws forms-dev-admin -- forms data_api -c aurora-v2-cluster-forms-runner-dev -d forms-runner -s 'select 1;'
{
  "updated": 0,
  "records": [
    {
      "?column?": 1
    }
  ]
}

Reminders

If you've made changes to the deployer role (files in modules/deployer-access):

  • Remember to run make <environment> forms/account apply on the relevant environments (dev, staging and/or prod)
  • Check the #govuk-forms-deployment-notifications Slack channel to ensure the apply-forms-terraform-<environment> pipelines have run successfully

whi-tw added 2 commits May 12, 2026 13:02
@whi-tw
BAU: Create data api secrets with correct names
9fbfcab 
Previously, we created our own secrets for the Data API with a custom
name format. The Query Editor Console can find secrets with the name
format `rds-db-credentials/cluster-*/<credential-reference>`, so if we
create our secrets with that format, this will be a better experience
for engineers using the Query Editor Console.

The Query editor console will automatically create a secret with this
format if someone uses the `Add new database credentials` option in the
console. We should clean these up, so as not to pollute the credentials
list with potentially outdated secrets. A better long-term solution
would be to prevent engineers from creating secrets in the first place,
but this is a good interim step.

- Create secrets with the correct name format
- Allow engineer access to secrets with the new name format
- Update forms-cli to use the new secrets
- Add a post-apply script to delete any user-created secrets
@whi-tw
BAU: allow forms data_api to specify db user
a7702ec
@whi-tw whi-tw force-pushed the whi-tw/do-data-api-better branch from d387e34 to 9a528eb Compare May 12, 2026 13:48
@whi-tw
BAU: drive-by fix for unhandled stdout
1310a03 
We had two tests which checked that the `aws_authenticated?` method
returned false when not authenticated, and that it printed a warning to
stdout. Instead, do it as one test, and eat the output in the test, so
that it doesn't pollute the test output when running the full suite.

Also, generally configure rspec to block writes to stdout - if we're
trying to match output in a test, we use `expect { ... }.to output(...)`
if we're not trying to match it, it's just unnecessary noise in the test
output.
@whi-tw whi-tw force-pushed the whi-tw/do-data-api-better branch from 9a528eb to 1310a03 Compare May 12, 2026 13:51
@whi-tw whi-tw requested a review from cadmiumcat May 12, 2026 13:52
cadmiumcat
cadmiumcat approved these changes May 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cadmiumcat cadmiumcat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This works well and makes more sense 🙌

@whi-tw whi-tw added this pull request to the merge queue May 15, 2026
Merged via the queue into main with commit eac99bb May 15, 2026
22 checks passed
@whi-tw whi-tw deleted the whi-tw/do-data-api-better branch May 15, 2026 08:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cadmiumcat cadmiumcat cadmiumcat approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@whi-tw @cadmiumcat