Merge pull request #70 from Virtual-Finland-Development/VFD-289-aurora-rds-postgresql-serverless-v-2-pystytys

Database setup for production-like live environments

Author: lsipii

VirtualFinland.UsersAPI.Deployment/Common/Environments.cs

@@ -5,5 +5,6 @@ public enum Environments
     Dev,
     Test,
     Staging,
-    Production
+    MvpStaging,
+    MvpProduction
 }

VirtualFinland.UsersAPI.Deployment/Common/Models/StackSetup.cs

@@ -2,13 +2,14 @@
 
 namespace VirtualFinland.UsersAPI.Deployment.Common.Models;
 
-public record StackSetup
+public class StackSetup
 {
     public InputMap<string> Tags = default!;
     public bool IsProductionEnvironment;
     public string Environment = default!;
     public string ProjectName = default!;
     public string Organization = default!;
     public string Region = default!;
+    public string CreateResourceName(string name) => $"{ProjectName}-{name}-{Environment}".ToLower();
     public string GetInfrastructureStackName() => $"{Organization}/infrastructure/{Environment}";
 }

VirtualFinland.UsersAPI.Deployment/Features/DatabaseMigratorLambda.cs

@@ -2,7 +2,6 @@
 using System.Collections.Generic;
 using System.Text.Json;
 using Pulumi;
-using Pulumi.Aws.Ec2;
 using Pulumi.Aws.Iam;
 using Pulumi.Aws.Lambda;
 using Pulumi.Aws.Lambda.Inputs;
@@ -15,7 +14,7 @@ class DatabaseMigratorLambda
     public DatabaseMigratorLambda(Config config, StackSetup stackSetup, VpcSetup vpcSetup, SecretsManager secretsManager)
     {
         // Lambda function
-        var execRole = new Role($"{stackSetup.ProjectName}-DatabaseMigratorLambdaRole-{stackSetup.Environment}", new RoleArgs
+        var execRole = new Role(stackSetup.CreateResourceName("DatabaseMigratorLambdaRole"), new RoleArgs
         {
             AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary<string, object?>
             {
@@ -41,53 +40,26 @@ public DatabaseMigratorLambda(Config config, StackSetup stackSetup, VpcSetup vpc
             Tags = stackSetup.Tags
         });
 
-        var rolePolicyAttachment = new RolePolicyAttachment($"{stackSetup.ProjectName}-DatabaseMigratorLambdaRoleAttachment-{stackSetup.Environment}", new RolePolicyAttachmentArgs
+        new RolePolicyAttachment(stackSetup.CreateResourceName("DatabaseMigratorLambdaRoleAttachment"), new RolePolicyAttachmentArgs
         {
             Role = Output.Format($"{execRole.Name}"),
             PolicyArn = ManagedPolicy.AWSLambdaVPCAccessExecutionRole.ToString()
         });
 
-        var secretsManagerReadPolicy = new Policy($"{stackSetup.ProjectName}-DatabaseMigratorLambdaSecretManagerPolicy-{stackSetup.Environment}", new()
-        {
-            Description = "Users-API Migration Runner Secrets Get Policy",
-            PolicyDocument = Output.Format($@"{{
-                ""Version"": ""2012-10-17"",
-                ""Statement"": [
-                    {{
-                        ""Effect"": ""Allow"",
-                        ""Action"": [
-                            ""secretsmanager:GetSecretValue"",
-                            ""secretsmanager:DescribeSecret""
-                        ],
-                        ""Resource"": [
-                            ""{secretsManager.Arn}""
-                        ]
-                    }}
-                ]
-            }}"),
-            Tags = stackSetup.Tags,
-        });
-
-        new RolePolicyAttachment($"{stackSetup.ProjectName}-DatabaseMigratorLambdaRoleAttachment-SecretManager-{stackSetup.Environment}", new RolePolicyAttachmentArgs
+        new RolePolicyAttachment(stackSetup.CreateResourceName("DatabaseMigratorLambdaRoleAttachment-SecretManager"), new RolePolicyAttachmentArgs
         {
             Role = execRole.Name,
-            PolicyArn = secretsManagerReadPolicy.Arn
-        });
-
-        var defaultSecurityGroup = Pulumi.Aws.Ec2.GetSecurityGroup.Invoke(new GetSecurityGroupInvokeArgs()
-        {
-            VpcId = vpcSetup.VpcId,
-            Name = "default"
+            PolicyArn = secretsManager.ReadPolicy.Arn
         });
 
         var functionVpcArgs = new FunctionVpcConfigArgs()
         {
-            SecurityGroupIds = defaultSecurityGroup.Apply(o => $"{o.Id}"),
+            SecurityGroupIds = new[] { vpcSetup.SecurityGroupId },
             SubnetIds = vpcSetup.PrivateSubnetIds
         };
 
         var appArtifactPath = Environment.GetEnvironmentVariable("DB_MIGRATOR_ARTIFACT_PATH") ?? config.Require("dbMigratorArtifactPath");
-        var lambdaFunction = new Function($"{stackSetup.ProjectName}-DatabaseMigrationRunner-{stackSetup.Environment}", new FunctionArgs
+        var lambdaFunction = new Function(stackSetup.CreateResourceName("DatabaseMigrationRunner"), new FunctionArgs
         {
             Role = execRole.Arn,
             Runtime = "dotnet6",

VirtualFinland.UsersAPI.Deployment/Features/LambdaFunctionUrl.cs

@@ -10,7 +10,7 @@ class LambdaFunctionUrl
     public LambdaFunctionUrl(StackSetup stackSetup, UsersApiLambdaFunction lambdaFunction)
     {
 
-        var functionUrl = new FunctionUrl($"{stackSetup.ProjectName}-FunctionUrl-{stackSetup.Environment}", new FunctionUrlArgs
+        var functionUrl = new FunctionUrl(stackSetup.CreateResourceName("FunctionUrl"), new FunctionUrlArgs
         {
             FunctionName = lambdaFunction.LambdaFunctionArn,
             AuthorizationType = "NONE"

VirtualFinland.UsersAPI.Deployment/Features/PostgresDatabase.cs

@@ -1,7 +1,7 @@
-using System.Collections.Immutable;
-using System.Linq;
 using Pulumi;
+using Pulumi.Aws.Kms;
 using Pulumi.Aws.Rds;
+using Pulumi.Aws.Rds.Inputs;
 using Pulumi.Random;
 using VirtualFinland.UsersAPI.Deployment.Common.Models;
 using Instance = Pulumi.Aws.Rds.Instance;
@@ -15,7 +15,96 @@ public class PostgresDatabase
 {
     public PostgresDatabase(Config config, StackSetup stackSetup, VpcSetup vpcSetup)
     {
-        var dbSubNetGroup = new Pulumi.Aws.Rds.SubnetGroup($"{stackSetup.ProjectName}-dbsubnets-{stackSetup.Environment}", new()
+        if (stackSetup.IsProductionEnvironment)
+        {
+            SetupProductionPostgresDatabase(config, stackSetup, vpcSetup);
+        }
+        else
+        {
+            SetupDevelopmentPostgresDatabase(config, stackSetup, vpcSetup);
+        }
+
+        if (config.GetBoolean("useRdsProxy") == true)
+        {
+            var rdsProxy = new RDSProxy(config, stackSetup, this, vpcSetup);
+            DatabaseConnectionString = rdsProxy.DatabaseConnectionString; // Override the connection string with one from the proxy
+        }
+    }
+
+    /// <summary>
+    ///  Setup AWS Aurora RDS Serverless V2 for postgresql
+    /// </summary>
+    public void SetupProductionPostgresDatabase(Config config, StackSetup stackSetup, VpcSetup vpcSetup)
+    {
+        var dbSubNetGroup = new SubnetGroup(stackSetup.CreateResourceName("database-subnets"), new()
+        {
+            SubnetIds = vpcSetup.PrivateSubnetIds,
+        });
+
+        var password = new RandomPassword(stackSetup.CreateResourceName("database-password"), new()
+        {
+            Length = 16,
+            Special = false,
+            OverrideSpecial = "_%@",
+        });
+
+        // Encryption key (KMS)
+        var encryptionKey = new Key(stackSetup.CreateResourceName("database-encryption-key"), new()
+        {
+            Description = "Encryption key for the database",
+            Tags = stackSetup.Tags,
+            DeletionWindowInDays = 90, // On deletion, the key will be retained for 30 days before being deleted permanently
+        });
+
+        // AWS Aurora RDS Serverless V2 for postgresql
+        var auroraCluster = new Cluster(stackSetup.CreateResourceName("database-cluster"), new ClusterArgs()
+        {
+            Engine = "aurora-postgresql",
+            EngineVersion = "13.6",
+            EngineMode = "provisioned", // serverless v2
+            Serverlessv2ScalingConfiguration = new ClusterServerlessv2ScalingConfigurationArgs
+            {
+                MaxCapacity = 4,
+                MinCapacity = 0.5,
+            },
+
+            DatabaseName = config.Require("dbName"),
+            MasterUsername = config.Require("dbAdmin"),
+            MasterPassword = password.Result,
+
+            SkipFinalSnapshot = false,
+            DeletionProtection = true,
+            StorageEncrypted = true,
+            KmsKeyId = encryptionKey.Arn,
+
+            DbSubnetGroupName = dbSubNetGroup.Name,
+            Tags = stackSetup.Tags,
+        });
+
+        new ClusterInstance(stackSetup.CreateResourceName("database-instance"), new()
+        {
+            ClusterIdentifier = auroraCluster.ClusterIdentifier,
+            InstanceClass = "db.serverless",
+            Engine = "aurora-postgresql",
+            EngineVersion = auroraCluster.EngineVersion,
+            Tags = stackSetup.Tags,
+        });
+
+        var DbName = config.Require("dbName");
+        var DbUsername = config.Require("dbAdmin");
+        var DbHostName = auroraCluster.Endpoint;
+        var DbPassword = password.Result;
+
+        DatabaseConnectionString = Output.Format($"Host={DbHostName};Database={DbName};Username={DbUsername};Password={DbPassword}");
+        DBIdentifier = auroraCluster.ClusterIdentifier;
+    }
+
+    /// <summary>
+    /// Setup AWS RDS for postgresql
+    /// </summary>
+    public void SetupDevelopmentPostgresDatabase(Config config, StackSetup stackSetup, VpcSetup vpcSetup)
+    {
+        var dbSubNetGroup = new SubnetGroup($"{stackSetup.ProjectName}-dbsubnets-{stackSetup.Environment}", new()
         {
             SubnetIds = vpcSetup.PrivateSubnetIds,
         });
@@ -27,7 +116,7 @@ public PostgresDatabase(Config config, StackSetup stackSetup, VpcSetup vpcSetup)
             OverrideSpecial = "_%@",
         });
 
-        var rdsPostGreInstance = new Instance($"{stackSetup.ProjectName}-postgres-db-{stackSetup.Environment}", new InstanceArgs()
+        var rdsPostGreInstance = new Instance(stackSetup.CreateResourceName("postgres-db"), new InstanceArgs()
         {
             Engine = "postgres",
             InstanceClass = "db.t3.micro",
@@ -46,11 +135,11 @@ public PostgresDatabase(Config config, StackSetup stackSetup, VpcSetup vpcSetup)
         var DbName = config.Require("dbName");
         var DbUsername = config.Require("dbAdmin");
         var DbHostName = rdsPostGreInstance.Endpoint;
-        DBIdentifier = rdsPostGreInstance.Identifier;
         var DbPassword = password.Result;
-        DbConnectionString = Output.Format($"Host={DbHostName};Database={DbName};Username={DbUsername};Password={DbPassword}");
+        DatabaseConnectionString = Output.Format($"Host={DbHostName};Database={DbName};Username={DbUsername};Password={DbPassword}");
+        DBIdentifier = rdsPostGreInstance.Identifier;
     }
 
-    public Output<string> DbConnectionString = default!;
     public Output<string> DBIdentifier = default!;
+    public Output<string> DatabaseConnectionString = default!;
 }

VirtualFinland.UsersAPI.Deployment/Features/RDSProxy.cs

@@ -0,0 +1,105 @@
+using Pulumi;
+using VirtualFinland.UsersAPI.Deployment.Common.Models;
+using Pulumi.Aws.Iam;
+using System.Text.Json;
+using System.Collections.Generic;
+using Pulumi.Aws.Rds;
+using Pulumi.Aws.Rds.Inputs;
+using Pulumi.Random;
+
+namespace VirtualFinland.UsersAPI.Deployment.Features;
+
+public class RDSProxy
+{
+    public RDSProxy(Config config, StackSetup stackSetup, PostgresDatabase database, VpcSetup vpcSetup)
+    {
+        // RDS proxy access secret
+        var username = new RandomPassword(stackSetup.CreateResourceName("rdsproxy-username"), new()
+        {
+            Length = 16,
+            Special = false,
+            OverrideSpecial = "_%@",
+        });
+        var password = new RandomPassword(stackSetup.CreateResourceName("rdsproxy-password"), new()
+        {
+            Length = 16,
+            Special = false,
+            OverrideSpecial = "_%@",
+        });
+        var rdsProxySecretString = Output.Format($"{{\"username\":\"{username.Result}\",\"password\":\"{password.Result}\"}}");
+        var rdsProxySecret = new SecretsManager(stackSetup, "rdsProxySecret", rdsProxySecretString);
+
+        // Create role for rds proxy
+        var rdsProxyRole = new Role(stackSetup.CreateResourceName("database-proxy-role"), new RoleArgs()
+        {
+            AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary<string, object?>
+            {
+                { "Version", "2012-10-17" },
+                {
+                    "Statement", new[]
+                    {
+                        new Dictionary<string, object?>
+                        {
+                            { "Action", "sts:AssumeRole" },
+                            { "Effect", "Allow" },
+                            { "Sid", "" },
+                            {
+                                "Principal", new Dictionary<string, object?>
+                                {
+                                    { "Service", "rds.amazonaws.com" }
+                                }
+                            }
+                        }
+                    }
+                }
+            }),
+            Tags = stackSetup.Tags
+        });
+
+        new RolePolicyAttachment(stackSetup.CreateResourceName("RdsProxy-SecretManager"), new RolePolicyAttachmentArgs
+        {
+            Role = rdsProxyRole.Name,
+            PolicyArn = rdsProxySecret.Arn
+        });
+
+        // AWS RDS Proxy
+        var rdsProxy = new Proxy(stackSetup.CreateResourceName("database-proxy"), new()
+        {
+            DebugLogging = false,
+            EngineFamily = "POSTGRESQL",
+            RequireTls = true,
+            RoleArn = rdsProxyRole.Arn,
+            VpcSubnetIds = vpcSetup.PrivateSubnetIds,
+            VpcSecurityGroupIds = new[] { vpcSetup.SecurityGroupId },
+            Auths = new[] {
+                new ProxyAuthArgs
+                {
+                    AuthScheme = "SECRETS",
+                    Description = "Secrets authentication",
+                    SecretArn = rdsProxySecret.Arn,
+                    IamAuth = "DISABLED"
+                }
+            },
+            Tags = stackSetup.Tags,
+        });
+
+        // RDS Proxy Target
+        new ProxyTarget(stackSetup.CreateResourceName("database-proxy-target"), new ProxyTargetArgs()
+        {
+            DbProxyName = rdsProxy.Name,
+            DbInstanceIdentifier = database.DBIdentifier,
+        });
+
+        // Set outputs
+        ProxyEndpoint = rdsProxy.Endpoint;
+        ProxyIdentifier = rdsProxy.Id;
+
+        var DbName = config.Require("dbName");
+        DatabaseConnectionString = Output.Format($"Host={rdsProxy.Endpoint};Database={DbName};Username={username.Result};Password={password.Result}");
+    }
+
+    [Output]
+    public Output<string> ProxyEndpoint { get; set; }
+    public Output<string> ProxyIdentifier { get; set; }
+    public Output<string> DatabaseConnectionString { get; set; }
+}