feat: configureable use of RDS Proxy

Author: lsipii

VirtualFinland.UsersAPI.Deployment/Common/Models/VpcSetup.cs

@@ -5,6 +5,7 @@ namespace VirtualFinland.UsersAPI.Deployment.Common.Models;
 
 public record VpcSetup
 {
-    public Input<string>? VpcId = default!;
+    public Input<string> VpcId = default!;
     public Output<IEnumerable<string>> PrivateSubnetIds = default!;
+    public Input<string> SecurityGroupId = default!;
 }

VirtualFinland.UsersAPI.Deployment/Features/LambdaFunctionUrl.cs

@@ -49,48 +49,21 @@ public LambdaFunctionUrl(Config config, StackSetup stackSetup, SecretsManager se
             Tags = stackSetup.Tags
         });
 
-        var rolePolicyAttachment = new RolePolicyAttachment($"{stackSetup.ProjectName}-LambdaRoleAttachment-{stackSetup.Environment}", new RolePolicyAttachmentArgs
+        new RolePolicyAttachment($"{stackSetup.ProjectName}-LambdaRoleAttachment-{stackSetup.Environment}", new RolePolicyAttachmentArgs
         {
             Role = Output.Format($"{execRole.Name}"),
             PolicyArn = ManagedPolicy.AWSLambdaVPCAccessExecutionRole.ToString()
         });
 
-        var secretsManagerReadPolicy = new Policy($"{stackSetup.ProjectName}-LambdaSecretManagerPolicy-{stackSetup.Environment}", new()
-        {
-            Description = "Users-API Secret Get Policy",
-            PolicyDocument = Output.Format($@"{{
-                ""Version"": ""2012-10-17"",
-                ""Statement"": [
-                    {{
-                        ""Effect"": ""Allow"",
-                        ""Action"": [
-                            ""secretsmanager:GetSecretValue"",
-                            ""secretsmanager:DescribeSecret""
-                        ],
-                        ""Resource"": [
-                            ""{secretsManager.Arn}""
-                        ]
-                    }}
-                ]
-            }}"),
-            Tags = stackSetup.Tags,
-        });
-
         new RolePolicyAttachment($"{stackSetup.ProjectName}-LambdaRoleAttachment-SecretManager-{stackSetup.Environment}", new RolePolicyAttachmentArgs
         {
             Role = execRole.Name,
-            PolicyArn = secretsManagerReadPolicy.Arn
-        });
-
-        var defaultSecurityGroup = Pulumi.Aws.Ec2.GetSecurityGroup.Invoke(new GetSecurityGroupInvokeArgs()
-        {
-            VpcId = stackSetup.VpcSetup.VpcId,
-            Name = "default"
+            PolicyArn = secretsManager.ReadPolicy.Arn
         });
 
         var functionVpcArgs = new FunctionVpcConfigArgs()
         {
-            SecurityGroupIds = defaultSecurityGroup.Apply(o => $"{o.Id}"),
+            SecurityGroupIds = new[] { stackSetup.VpcSetup.SecurityGroupId },
             SubnetIds = stackSetup.VpcSetup.PrivateSubnetIds
         };
 

VirtualFinland.UsersAPI.Deployment/Features/PostgresDatabase.cs

@@ -23,6 +23,12 @@ public PostgresDatabase(Config config, StackSetup stackSetup)
         {
             SetupDevelopmentPostgresDatabase(config, stackSetup);
         }
+
+        if (config.GetBoolean("useRdsProxy") == true)
+        {
+            var rdsProxy = new RDSProxy(config, stackSetup, this);
+            DatabaseConnectionString = rdsProxy.DatabaseConnectionString; // Override the connection string with one from the proxy
+        }
     }
 
     /// <summary>
@@ -75,7 +81,7 @@ public void SetupProductionPostgresDatabase(Config config, StackSetup stackSetup
             Tags = stackSetup.Tags,
         });
 
-        var auroraInstance = new ClusterInstance(stackSetup.CreateResourceName("database-instance"), new()
+        new ClusterInstance(stackSetup.CreateResourceName("database-instance"), new()
         {
             ClusterIdentifier = auroraCluster.ClusterIdentifier,
             InstanceClass = "db.serverless",
@@ -87,9 +93,10 @@ public void SetupProductionPostgresDatabase(Config config, StackSetup stackSetup
         var DbName = config.Require("dbName");
         var DbUsername = config.Require("dbAdmin");
         var DbHostName = auroraCluster.Endpoint;
-        DBIdentifier = auroraInstance.Identifier;
         var DbPassword = password.Result;
-        DbConnectionString = Output.Format($"Host={DbHostName};Database={DbName};Username={DbUsername};Password={DbPassword}");
+
+        DatabaseConnectionString = Output.Format($"Host={DbHostName};Database={DbName};Username={DbUsername};Password={DbPassword}");
+        DBIdentifier = auroraCluster.ClusterIdentifier;
     }
 
     /// <summary>
@@ -127,11 +134,12 @@ public void SetupDevelopmentPostgresDatabase(Config config, StackSetup stackSetu
         var DbName = config.Require("dbName");
         var DbUsername = config.Require("dbAdmin");
         var DbHostName = rdsPostGreInstance.Endpoint;
-        DBIdentifier = rdsPostGreInstance.Identifier;
         var DbPassword = password.Result;
-        DbConnectionString = Output.Format($"Host={DbHostName};Database={DbName};Username={DbUsername};Password={DbPassword}");
+        DatabaseConnectionString = Output.Format($"Host={DbHostName};Database={DbName};Username={DbUsername};Password={DbPassword}");
+        DBIdentifier = rdsPostGreInstance.Identifier;
     }
 
-    public Output<string> DbConnectionString = default!;
+    public SecretsManager SecretsManager = default!;
     public Output<string> DBIdentifier = default!;
+    public Output<string> DatabaseConnectionString = default!;
 }

VirtualFinland.UsersAPI.Deployment/Features/RDSProxy.cs

@@ -0,0 +1,105 @@
+using Pulumi;
+using VirtualFinland.UsersAPI.Deployment.Common.Models;
+using Pulumi.Aws.Iam;
+using System.Text.Json;
+using System.Collections.Generic;
+using Pulumi.Aws.Rds;
+using Pulumi.Aws.Rds.Inputs;
+using Pulumi.Random;
+
+namespace VirtualFinland.UsersAPI.Deployment.Features;
+
+public class RDSProxy
+{
+    public RDSProxy(Config config, StackSetup stackSetup, PostgresDatabase database)
+    {
+        // RDS proxy access secret
+        var username = new RandomPassword(stackSetup.CreateResourceName("rdsproxy-username"), new()
+        {
+            Length = 16,
+            Special = false,
+            OverrideSpecial = "_%@",
+        });
+        var password = new RandomPassword(stackSetup.CreateResourceName("rdsproxy-password"), new()
+        {
+            Length = 16,
+            Special = false,
+            OverrideSpecial = "_%@",
+        });
+        var rdsProxySecretString = Output.Format($"{{\"username\":\"{username.Result}\",\"password\":\"{password.Result}\"}}");
+        var rdsProxySecret = new SecretsManager(config, stackSetup, "rdsProxySecret", rdsProxySecretString);
+
+        // Create role for rds proxy
+        var rdsProxyRole = new Role(stackSetup.CreateResourceName("database-proxy-role"), new RoleArgs()
+        {
+            AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary<string, object?>
+            {
+                { "Version", "2012-10-17" },
+                {
+                    "Statement", new[]
+                    {
+                        new Dictionary<string, object?>
+                        {
+                            { "Action", "sts:AssumeRole" },
+                            { "Effect", "Allow" },
+                            { "Sid", "" },
+                            {
+                                "Principal", new Dictionary<string, object?>
+                                {
+                                    { "Service", "rds.amazonaws.com" }
+                                }
+                            }
+                        }
+                    }
+                }
+            }),
+            Tags = stackSetup.Tags
+        });
+
+        new RolePolicyAttachment($"{stackSetup.ProjectName}-RdsProxy-SecretManager-{stackSetup.Environment}", new RolePolicyAttachmentArgs
+        {
+            Role = rdsProxyRole.Name,
+            PolicyArn = rdsProxySecret.Arn
+        });
+
+        // AWS RDS Proxy
+        var rdsProxy = new Proxy(stackSetup.CreateResourceName("database-proxy"), new()
+        {
+            DebugLogging = false,
+            EngineFamily = "POSTGRESQL",
+            RequireTls = true,
+            RoleArn = rdsProxyRole.Arn,
+            VpcSubnetIds = stackSetup.VpcSetup.PrivateSubnetIds,
+            VpcSecurityGroupIds = new[] { stackSetup.VpcSetup.SecurityGroupId },
+            Auths = new[] {
+                new ProxyAuthArgs
+                {
+                    AuthScheme = "SECRETS",
+                    Description = "Secrets authentication",
+                    SecretArn = rdsProxySecret.Arn,
+                    IamAuth = "DISABLED"
+                }
+            },
+            Tags = stackSetup.Tags,
+        });
+
+        // RDS Proxy Target
+        new ProxyTarget(stackSetup.CreateResourceName("database-proxy-target"), new ProxyTargetArgs()
+        {
+            DbProxyName = rdsProxy.Name,
+            DbInstanceIdentifier = database.DBIdentifier,
+        });
+
+        // Set outputs
+        ProxyEndpoint = rdsProxy.Endpoint;
+        ProxyIdentifier = rdsProxy.Id;
+
+        var DbName = config.Require("dbName");
+        DatabaseConnectionString = Output.Format($"Host={rdsProxy.Endpoint};Database={DbName};Username={username.Result};Password={password.Result}");
+    }
+
+    [Output]
+    public Output<string> ProxyEndpoint { get; set; }
+    public Output<string> ProxyIdentifier { get; set; }
+    public Output<string> DatabaseConnectionString { get; set; }
+}

VirtualFinland.UsersAPI.Deployment/Features/SecretsManager.cs

@@ -1,25 +1,47 @@
 using Pulumi;
 using Pulumi.Aws.SecretsManager;
 using VirtualFinland.UsersAPI.Deployment.Common.Models;
+using Pulumi.Aws.Iam;
 
 namespace VirtualFinland.UsersAPI.Deployment.Features;
 
-/// <summary>
-/// Creates the users-api database credentials in AWS Secrets Manager
-/// </summary>
 public class SecretsManager
 {
-    public SecretsManager(Config config, StackSetup stackSetup, PostgresDatabase dbConfigs)
+    public SecretsManager(Config config, StackSetup stackSetup, string secretName, Output<string> secretValue)
     {
-        var secret = new Secret($"{stackSetup.ProjectName}-dbConnectionStringSecret-{stackSetup.Environment}");
-        new SecretVersion($"{stackSetup.ProjectName}-dbConnectionStringSecretVersion-{stackSetup.Environment}", new()
+        var secret = new Secret($"{stackSetup.ProjectName}-{secretName}-{stackSetup.Environment}");
+        new SecretVersion($"{stackSetup.ProjectName}-{secretName}Version-{stackSetup.Environment}", new()
         {
             SecretId = secret.Id,
-            SecretString = dbConfigs.DbConnectionString,
+            SecretString = secretValue,
         });
+
+        ReadPolicy = new Policy($"{stackSetup.ProjectName}-${secretName}-SecretManagerPolicy-{stackSetup.Environment}", new()
+        {
+            Description = "Users-API Secret Get Policy",
+            PolicyDocument = Output.Format($@"{{
+                ""Version"": ""2012-10-17"",
+                ""Statement"": [
+                    {{
+                        ""Effect"": ""Allow"",
+                        ""Action"": [
+                            ""secretsmanager:GetSecretValue"",
+                            ""secretsmanager:DescribeSecret""
+                        ],
+                        ""Resource"": [
+                            ""{secret.Arn}""
+                        ]
+                    }}
+                ]
+            }}"),
+            Tags = stackSetup.Tags,
+        });
+
         Name = secret.Name;
         Arn = secret.Arn;
     }
+
     public Output<string> Name = default!;
     public Output<string> Arn = default!;
+    public Policy ReadPolicy = default!;
 }

VirtualFinland.UsersAPI.Deployment/Pulumi.yaml

@@ -9,3 +9,4 @@ config:
   users-api:infraStackReferenceName: infrastructure
   users-api:appArtifactPath: ../VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/bin/Release/net6.0/VirtualFinland.UsersAPI.zip
   users-api:dbMigratorArtifactPath: ../VirtualFinland.UsersAPI.DatabaseMigrationRunner/bin/Release/net6.0/VirtualFinland.UsersAPI.DatabaseMigrationRunner.zip
+  users-api:useRdsProxy: false

VirtualFinland.UsersAPI.Deployment/UsersAPIStack.cs

@@ -2,6 +2,7 @@
 using System.Collections.Immutable;
 using System.Linq;
 using Pulumi;
+using Pulumi.Aws.Ec2;
 using VirtualFinland.UsersAPI.Deployment.Common;
 using VirtualFinland.UsersAPI.Deployment.Common.Models;
 using VirtualFinland.UsersAPI.Deployment.Features;
@@ -32,6 +33,12 @@ public UsersApiStack()
             }
         };
 
+        var defaultSecurityGroup = GetSecurityGroup.Invoke(new GetSecurityGroupInvokeArgs()
+        {
+            VpcId = Output.Format($"{infraStackReferenceVpcId}"),
+            Name = "default"
+        });
+
         var stackSetup = new StackSetup()
         {
             ProjectName = projectName,
@@ -41,19 +48,20 @@ public UsersApiStack()
             VpcSetup = new VpcSetup()
             {
                 VpcId = Output.Format($"{infraStackReferenceVpcId}"),
-                PrivateSubnetIds = infraStackReferencePrivateSubnetIdsAsList as Output<IEnumerable<string>>
+                PrivateSubnetIds = infraStackReferencePrivateSubnetIdsAsList as Output<IEnumerable<string>>,
+                SecurityGroupId = defaultSecurityGroup.Apply(o => o.Id)
             }
         };
 
-        var dbConfigs = new PostgresDatabase(config, stackSetup);
-        var secretManagerSecret = new SecretsManager(config, stackSetup, dbConfigs);
+        var database = new PostgresDatabase(config, stackSetup);
+        var secretsManager = new SecretsManager(config, stackSetup, "dbConnectionStringSecret", database.DatabaseConnectionString);
 
-        var lambdaFunctionConfigs = new LambdaFunctionUrl(config, stackSetup, secretManagerSecret);
+        var lambdaFunctionConfigs = new LambdaFunctionUrl(config, stackSetup, secretsManager);
         ApplicationUrl = lambdaFunctionConfigs.ApplicationUrl;
         LambdaId = lambdaFunctionConfigs.LambdaFunctionId;
-        DBIdentifier = dbConfigs.DBIdentifier;
+        DBIdentifier = database.DBIdentifier;
 
-        var databaseMigratorLambda = new DatabaseMigratorLambda(config, stackSetup, secretManagerSecret);
+        var databaseMigratorLambda = new DatabaseMigratorLambda(config, stackSetup, secretsManager);
         DatabaseMigratorLambdaArn = databaseMigratorLambda.LambdaFunctionArn;
     }