npm - @govuk-pay/cli - Versions diffs - 0.0.27 → 0.0.29 - Mend

@govuk-pay/cli 0.0.27 → 0.0.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +1 -1
package/resources/legacy-ruby-cli/config/secrets.yml +4 -0
package/resources/legacy-ruby-cli/config/service_secrets.yml +2 -0
package/src/commands/tunnel.js +65 -12

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@govuk-pay/cli",
-  "version": "0.0.27",
+  "version": "0.0.29",
   "description": "GOV.UK Pay Command Line Interface",
   "bin": {
     "pay": "bin/cli.js",

package/resources/legacy-ruby-cli/config/secrets.yml CHANGED Viewed

@@ -65,6 +65,7 @@ pay-low-pass:
       master_db_password:                           aws/rds/superuser/deploy-tooling/pact-broker/password # pragma: allowlist secret
       db_user:                                      aws/rds/application_users/deploy/pact_broker_db_username
       db_password:                                  aws/rds/application_users/deploy/pact_broker_db_password # pragma: allowlist secret
+      DB_SUPPORT_PASSWORD_READONLY:                 aws/rds/support_readonly_users/deploy/pact_broker_support_readonly # pragma: allowlist secret
     stubs:
       smartpay-expected-password:          pay-stubs/smartpay/expected-password
       smartpay-expected-user:              pay-stubs/smartpay/expected-user
@@ -498,6 +499,9 @@ value:
       LEDGER_RDS_PASSWORD: "/"        # pragma: allowlist secret
       PRODUCTS_RDS_PASSWORD: "/"      # pragma: allowlist secret
       PUBLICAUTH_RDS_PASSWORD: "/"    # pragma: allowlist secret
+  deploy-tooling:
+    pact-broker:
+      DB_SUPPORT_USER_READONLY: "pact_broker_support_readonly"
   test-12:
     adminusers:
       DB_USER: "adminusers1"

package/resources/legacy-ruby-cli/config/service_secrets.yml CHANGED Viewed

@@ -41,6 +41,8 @@ pact-broker:
   - master_db_password
   - db_user
   - db_password
+  - DB_SUPPORT_USER_READONLY
+  - DB_SUPPORT_PASSWORD_READONLY
 pact-broker-auth:
   - pact-broker-basic-auth-password
   - pact-broker-basic-auth-username

package/src/commands/tunnel.js CHANGED Viewed

@@ -10,6 +10,7 @@ const client_ecs_1 = require("@aws-sdk/client-ecs");
 const client_rds_1 = require("@aws-sdk/client-rds");
 const client_ssm_1 = require("@aws-sdk/client-ssm");
 const readline_1 = __importDefault(require("readline"));
+const promises_1 = __importDefault(require("node:readline/promises"));
 const child_process_1 = require("child_process");
 const constants_js_1 = require("../core/constants.js");
 let ec2;
@@ -29,6 +30,30 @@ function logTunnelCommands() {
     pay tunnel help                     # Describe tunnel command`);
 }
 exports.logTunnelCommands = logTunnelCommands;
+async function readInputForReadOrWriteDBAccess() {
+    const rl = promises_1.default.createInterface({
+        input: process.stdin,
+        output: process.stdout
+    });
+    let answer = await rl.question('Do you require read-only access, or write-access to the database? [R/w]: ');
+    rl.close();
+    if (answer === undefined || answer === '') {
+        answer = 'R';
+        console.log('No option entered. Defaulting to read-only');
+    }
+    if (answer === 'R' || answer === 'r') {
+        printGreen('Database read-only access requested');
+        return 'read-only';
+    }
+    else if (answer === 'w') {
+        printGreen('Database write access requested');
+        return 'write';
+    }
+    else {
+        printError('Invalid option entered. Exiting..');
+        process.exit(1);
+    }
+}
 async function tunnelHandler(options) {
     await (0, standardContent_js_1.showHeader)();
     const { environment, application } = parseArguments(options);
@@ -39,10 +64,11 @@ async function tunnelHandler(options) {
     let bastionTask = null;
     try {
         printWarningToUser();
+        const dbAccessType = await readInputForReadOrWriteDBAccess();
         const database = await getDatabaseDetails(environment, application);
         bastionTask = await startBastion(environment);
         openTunnel(bastionTask, database, environment);
-        printHowToTunnelText(application, environment, database.EngineVersion);
+        await printHowToTunnelText(application, environment, database.EngineVersion, dbAccessType);
         await waitForExit();
         await shutdown(environment, bastionTask);
     }
@@ -345,10 +371,10 @@ async function terminateSession(task, environment) {
         }
     }
 }
-function printHowToTunnelText(application, environment, dbEngineVersion) {
-    const dbUser = getDbUser(application);
-    const payLowPassDbSecretName = getPayLowPassDbSecretname(environment, dbUser);
-    const paySecretsPasswordName = getPaySecretsPasswordName();
+async function printHowToTunnelText(application, environment, dbEngineVersion, dbAccessType) {
+    const dbUser = await getDbUser(environment, application, dbAccessType);
+    const payLowPassDbSecretName = getPayLowPassDbSecretName(environment, dbUser, dbAccessType);
+    const paySecretsPasswordName = getPaySecretsPasswordName(dbAccessType);
     printGreen(`\nConnected tunnel to ${application} RDS database in ${environment} on port 65432\n`);
     printGreen('Copy DB credentials to clipboard (in another window) using pay-low-pass:');
     printGreen(`  pay-low-pass ${payLowPassDbSecretName} | pbcopy`);
@@ -361,15 +387,42 @@ function printHowToTunnelText(application, environment, dbEngineVersion) {
     printGreen('Or even more conveniently connect using a docker container and set the password automatically using pay-low-pass:');
     printGreen(`   docker run -e "PGPASSWORD=$(pay-low-pass ${payLowPassDbSecretName})" --rm -ti postgres:${dbEngineVersion}-alpine psql --host docker.for.mac.localhost --port 65432 --user ${dbUser} --dbname ${application}\n`);
 }
-// TODO: add a write flag. Default to readonly.
-function getDbUser(application) {
-    return `${application}_support_readonly`;
+async function getDbUser(environment, application, dbAccessType) {
+    let paramName;
+    if (dbAccessType === 'write') {
+        paramName = `${environment}_${application}.db_user`;
+    }
+    else {
+        paramName = `${environment}_${application}.db_support_user_readonly`;
+    }
+    const ssmClient = new client_ssm_1.SSMClient();
+    const input = { Names: [paramName], WithDecryption: true };
+    const command = new client_ssm_1.GetParametersCommand(input);
+    const response = await ssmClient.send(command);
+    if (response?.Parameters?.length !== undefined && response?.Parameters?.length > 0 &&
+        response?.Parameters[0]?.Value !== undefined) {
+        return response.Parameters[0].Value;
+    }
+    else {
+        printError('Unable to get database username from Parameter Store');
+        return '';
+    }
 }
-function getPayLowPassDbSecretname(environment, user) {
-    return `aws/rds/support_readonly_users/${environment.split('-')[0]}/${user}`;
+function getPayLowPassDbSecretName(environment, user, dbAccessType) {
+    if (dbAccessType === 'write') {
+        return `aws/rds/application_users/${environment.split('-')[0]}/${user}`;
+    }
+    else {
+        return `aws/rds/support_readonly_users/${environment.split('-')[0]}/${user}`;
+    }
 }
-function getPaySecretsPasswordName() {
-    return 'DB_SUPPORT_PASSWORD_READONLY';
+function getPaySecretsPasswordName(dbAccessType) {
+    if (dbAccessType === 'write') {
+        return 'DB_PASSWORD';
+    }
+    else {
+        return 'DB_SUPPORT_PASSWORD_READONLY';
+    }
 }
 function printWarningToUser() {
     console.log(FORMAT.yellow, '⚠️  WARNING: When using SSM, any and all activity you perform may be getting logged for security auditing purposes (think PCI).', FORMAT.reset);