@govuk-pay/cli 0.0.27 → 0.0.28

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@govuk-pay/cli",
-  "version": "0.0.27",
+  "version": "0.0.28",
   "description": "GOV.UK Pay Command Line Interface",
   "bin": {
     "pay": "bin/cli.js",

package/src/commands/tunnel.js

@@ -10,6 +10,7 @@ const client_ecs_1 = require("@aws-sdk/client-ecs");
 const client_rds_1 = require("@aws-sdk/client-rds");
 const client_ssm_1 = require("@aws-sdk/client-ssm");
 const readline_1 = __importDefault(require("readline"));
+const promises_1 = __importDefault(require("node:readline/promises"));
 const child_process_1 = require("child_process");
 const constants_js_1 = require("../core/constants.js");
 let ec2;
@@ -29,6 +30,30 @@ function logTunnelCommands() {
     pay tunnel help                     # Describe tunnel command`);
 }
 exports.logTunnelCommands = logTunnelCommands;
+async function readInputForReadOrWriteDBAccess() {
+    const rl = promises_1.default.createInterface({
+        input: process.stdin,
+        output: process.stdout
+    });
+    let answer = await rl.question('Do you require read-only access, or write-access to the database? [R/w]: ');
+    rl.close();
+    if (answer === undefined || answer === '') {
+        answer = 'R';
+        console.log('No option entered. Defaulting to read-only');
+    }
+    if (answer === 'R' || answer === 'r') {
+        printGreen('Database read-only access requested');
+        return 'read-only';
+    }
+    else if (answer === 'w') {
+        printGreen('Database write access requested');
+        return 'write';
+    }
+    else {
+        printError('Invalid option entered. Exiting..');
+        process.exit(1);
+    }
+}
 async function tunnelHandler(options) {
     await (0, standardContent_js_1.showHeader)();
     const { environment, application } = parseArguments(options);
@@ -39,10 +64,11 @@ async function tunnelHandler(options) {
     let bastionTask = null;
     try {
         printWarningToUser();
+        const dbAccessType = await readInputForReadOrWriteDBAccess();
         const database = await getDatabaseDetails(environment, application);
         bastionTask = await startBastion(environment);
         openTunnel(bastionTask, database, environment);
-        printHowToTunnelText(application, environment, database.EngineVersion);
+        await printHowToTunnelText(application, environment, database.EngineVersion, dbAccessType);
         await waitForExit();
         await shutdown(environment, bastionTask);
     }
@@ -345,10 +371,10 @@ async function terminateSession(task, environment) {
         }
     }
 }
-function printHowToTunnelText(application, environment, dbEngineVersion) {
-    const dbUser = getDbUser(application);
-    const payLowPassDbSecretName = getPayLowPassDbSecretname(environment, dbUser);
-    const paySecretsPasswordName = getPaySecretsPasswordName();
+async function printHowToTunnelText(application, environment, dbEngineVersion, dbAccessType) {
+    const dbUser = await getDbUser(environment, application, dbAccessType);
+    const payLowPassDbSecretName = getPayLowPassDbSecretName(environment, dbUser, dbAccessType);
+    const paySecretsPasswordName = getPaySecretsPasswordName(dbAccessType);
     printGreen(`\nConnected tunnel to ${application} RDS database in ${environment} on port 65432\n`);
     printGreen('Copy DB credentials to clipboard (in another window) using pay-low-pass:');
     printGreen(`  pay-low-pass ${payLowPassDbSecretName} | pbcopy`);
@@ -361,15 +387,42 @@ function printHowToTunnelText(application, environment, dbEngineVersion) {
     printGreen('Or even more conveniently connect using a docker container and set the password automatically using pay-low-pass:');
     printGreen(`   docker run -e "PGPASSWORD=$(pay-low-pass ${payLowPassDbSecretName})" --rm -ti postgres:${dbEngineVersion}-alpine psql --host docker.for.mac.localhost --port 65432 --user ${dbUser} --dbname ${application}\n`);
 }
-// TODO: add a write flag. Default to readonly.
-function getDbUser(application) {
-    return `${application}_support_readonly`;
+async function getDbUser(environment, application, dbAccessType) {
+    let paramName;
+    if (dbAccessType === 'write') {
+        paramName = `${environment}_${application}.db_user`;
+    }
+    else {
+        paramName = `${environment}_${application}.db_support_user_readonly`;
+    }
+    const ssmClient = new client_ssm_1.SSMClient();
+    const input = { Names: [paramName], WithDecryption: true };
+    const command = new client_ssm_1.GetParametersCommand(input);
+    const response = await ssmClient.send(command);
+    if (response?.Parameters?.length !== undefined && response?.Parameters?.length > 0 &&
+        response?.Parameters[0]?.Value !== undefined) {
+        return response.Parameters[0].Value;
+    }
+    else {
+        printError('Unable to get database username from Parameter Store');
+        return '';
+    }
 }
-function getPayLowPassDbSecretname(environment, user) {
-    return `aws/rds/support_readonly_users/${environment.split('-')[0]}/${user}`;
+function getPayLowPassDbSecretName(environment, user, dbAccessType) {
+    if (dbAccessType === 'write') {
+        return `aws/rds/application_users/${environment.split('-')[0]}/${user}`;
+    }
+    else {
+        return `aws/rds/support_readonly_users/${environment.split('-')[0]}/${user}`;
+    }
 }
-function getPaySecretsPasswordName() {
-    return 'DB_SUPPORT_PASSWORD_READONLY';
+function getPaySecretsPasswordName(dbAccessType) {
+    if (dbAccessType === 'write') {
+        return 'DB_PASSWORD';
+    }
+    else {
+        return 'DB_SUPPORT_PASSWORD_READONLY';
+    }
 }
 function printWarningToUser() {
     console.log(FORMAT.yellow, '⚠️  WARNING: When using SSM, any and all activity you perform may be getting logged for security auditing purposes (think PCI).', FORMAT.reset);