dbt-platform-helper 12.1.0__tar.gz → 12.2.1__tar.gz

{dbt_platform_helper-12.1.0 → dbt_platform_helper-12.2.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dbt-platform-helper
-Version: 12.1.0
+Version: 12.2.1
 Summary: Set of tools to help transfer applications/services from GOV.UK PaaS to DBT PaaS augmenting AWS Copilot.
 License: MIT
 Author: Department for Business and Trade Platform Team
@@ -12,6 +12,7 @@ Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Requires-Dist: Jinja2 (==3.1.4)
 Requires-Dist: PyYAML (==6.0.1)
 Requires-Dist: aiohttp (>=3.8.4,<4.0.0)

{dbt_platform_helper-12.1.0 → dbt_platform_helper-12.2.1}/dbt_platform_helper/COMMANDS.md

@@ -256,7 +256,8 @@ platform-helper codebase deploy --app <application> --env <environment> --codeba
 
 [↩ Parent](#platform-helper)
 
-    Create a conduit connection to an addon.
+    Opens a shell for a given addon_name create a conduit connection to
+    interact with postgres, opensearch or redis.
 
 ## Usage
 
@@ -272,11 +273,11 @@ platform-helper conduit <addon_name>
 ## Options
 
 - `--app <text>`
-  - AWS application name
+  - Application name
 - `--env <text>`
-  - AWS environment name
+  - Environment name
 - `--access <choice>` _Defaults to read._
-  - Allow write or admin access to database addons
+  - Allow read, write or admin access to the database addons.
 - `--help <boolean>` _Defaults to False._
   - Show this message and exit.
 

{dbt_platform_helper-12.1.0 → dbt_platform_helper-12.2.1}/dbt_platform_helper/commands/application.py

@@ -1,6 +1,7 @@
 #!/usr/bin/env python
 
 # application commands are deprecated, do not spend time refactoring them
+# Service teams are trained to use them as a replacement for cf app(s)
 
 import time
 from datetime import datetime

{dbt_platform_helper-12.1.0 → dbt_platform_helper-12.2.1}/dbt_platform_helper/commands/codebase.py

@@ -30,7 +30,7 @@ def prepare():
     try:
         Codebase().prepare()
     except NotInCodeBaseRepositoryError:
-        # TODO print error attached to exception
+        # TODO: Set exception message in the exceptions and just output the message in the command code
         click.secho(
             "You are in the deploy repository; make sure you are in the application codebase repository.",
             fg="red",
@@ -109,6 +109,7 @@ def deploy(app, env, codebase, commit):
     try:
         Codebase().deploy(app, env, codebase, commit)
     except ApplicationNotFoundError:
+        # TODO: Set exception message in the exceptions and just output the message in the command code
         click.secho(
             f"""The account "{os.environ.get("AWS_PROFILE")}" does not contain the application "{app}"; ensure you have set the environment variable "AWS_PROFILE" correctly.""",
             fg="red",
@@ -120,9 +121,9 @@ def deploy(app, env, codebase, commit):
             fg="red",
         )
         raise click.Abort
-    # TODO: don't hide json decode error
     except (
         CopilotCodebaseNotFoundError,
+        # TODO: Catch this error earlier and throw a more meaningful error, maybe it's CopilotCodebaseNotFoundError?
         json.JSONDecodeError,
     ):
         click.secho(

dbt_platform_helper-12.2.1/dbt_platform_helper/commands/conduit.py

@@ -0,0 +1,78 @@
+import click
+
+from dbt_platform_helper.constants import CONDUIT_ADDON_TYPES
+from dbt_platform_helper.domain.conduit import Conduit
+from dbt_platform_helper.exceptions import AddonNotFoundError
+from dbt_platform_helper.exceptions import AddonTypeMissingFromConfigError
+from dbt_platform_helper.exceptions import CreateTaskTimeoutError
+from dbt_platform_helper.exceptions import InvalidAddonTypeError
+from dbt_platform_helper.exceptions import NoClusterError
+from dbt_platform_helper.exceptions import ParameterNotFoundError
+from dbt_platform_helper.providers.secrets import SecretNotFoundError
+from dbt_platform_helper.utils.application import load_application
+from dbt_platform_helper.utils.click import ClickDocOptCommand
+from dbt_platform_helper.utils.versioning import (
+    check_platform_helper_version_needs_update,
+)
+
+CONDUIT_ACCESS_OPTIONS = ["read", "write", "admin"]
+
+
+@click.command(cls=ClickDocOptCommand)
+@click.argument("addon_name", type=str, required=True)
+@click.option("--app", help="Application name", required=True)
+@click.option("--env", help="Environment name", required=True)
+@click.option(
+    "--access",
+    default="read",
+    type=click.Choice(CONDUIT_ACCESS_OPTIONS),
+    help="Allow read, write or admin access to the database addons.",
+)
+def conduit(addon_name: str, app: str, env: str, access: str):
+    """Opens a shell for a given addon_name create a conduit connection to
+    interact with postgres, opensearch or redis."""
+    check_platform_helper_version_needs_update()
+    application = load_application(app)
+
+    try:
+        Conduit(application).start(env, addon_name, access)
+    except NoClusterError:
+        # TODO: Set exception message in the exceptions and just output the message in the command code, should be able to catch all errors in one block
+        click.secho(f"""No ECS cluster found for "{app}" in "{env}" environment.""", fg="red")
+        exit(1)
+    except SecretNotFoundError as err:
+        click.secho(
+            f"""No secret called "{err}" for "{app}" in "{env}" environment.""",
+            fg="red",
+        )
+        exit(1)
+    except CreateTaskTimeoutError:
+        click.secho(
+            f"""Client ({addon_name}) ECS task has failed to start for "{app}" in "{env}" environment.""",
+            fg="red",
+        )
+        exit(1)
+    except ParameterNotFoundError:
+        click.secho(
+            f"""No parameter called "/copilot/applications/{app}/environments/{env}/addons". Try deploying the "{app}" "{env}" environment.""",
+            fg="red",
+        )
+        exit(1)
+    except AddonNotFoundError:
+        click.secho(
+            f"""Addon "{addon_name}" does not exist.""",
+            fg="red",
+        )
+        exit(1)
+    except InvalidAddonTypeError as err:
+        click.secho(
+            f"""Addon type "{err.addon_type}" is not supported, we support: {", ".join(CONDUIT_ADDON_TYPES)}.""",
+            fg="red",
+        )
+        exit(1)
+    except AddonTypeMissingFromConfigError:
+        click.secho(
+            f"""The configuration for the addon {addon_name}, is missconfigured and missing the addon type.""",
+            fg="red",
+        )
+        exit(1)

{dbt_platform_helper-12.1.0 → dbt_platform_helper-12.2.1}/dbt_platform_helper/commands/secrets.py

@@ -102,7 +102,7 @@ def list(app, env):
     params = dict(Path=path, Recursive=False, WithDecryption=True, MaxResults=10)
     secrets = []
 
-    # TODO: refactor shared code with get_ssm_secret_names
+    # TODO: refactor shared code with get_ssm_secret_names - Check if this is still valid
     while True:
         response = client.get_parameters_by_path(**params)
 

{dbt_platform_helper-12.1.0 → dbt_platform_helper-12.2.1}/dbt_platform_helper/constants.py

@@ -1,6 +1,16 @@
 PLATFORM_CONFIG_FILE = "platform-config.yml"
 PLATFORM_HELPER_VERSION_FILE = ".platform-helper-version"
-CODEBASE_PIPELINES_KEY = "codebase_pipelines"
-ENVIRONMENTS_KEY = "environments"
 DEFAULT_TERRAFORM_PLATFORM_MODULES_VERSION = "5"
 PLATFORM_HELPER_CACHE_FILE = ".platform-helper-config-cache.yml"
+
+# Keys
+CODEBASE_PIPELINES_KEY = "codebase_pipelines"
+ENVIRONMENTS_KEY = "environments"
+
+# Conduit
+CONDUIT_ADDON_TYPES = [
+    "opensearch",
+    "postgres",
+    "redis",
+]
+CONDUIT_DOCKER_IMAGE_LOCATION = "public.ecr.aws/uktrade/tunnel"

{dbt_platform_helper-12.1.0 → dbt_platform_helper-12.2.1}/dbt_platform_helper/domain/codebase.py

@@ -195,7 +195,6 @@ class Codebase:
 
         self.echo_fn("")
 
-    # TODO return empty list without exception
     def __get_codebases(self, application, ssm_client):
         parameters = ssm_client.get_parameters_by_path(
             Path=f"/copilot/applications/{application.name}/codebases",
@@ -205,6 +204,7 @@ class Codebase:
         codebases = [json.loads(p["Value"]) for p in parameters]
 
         if not codebases:
+            # TODO Is this really an error? Or just no codebases so we could return an empty list?
             raise NoCopilotCodebasesFoundError
         return codebases
 

dbt_platform_helper-12.2.1/dbt_platform_helper/domain/conduit.py

@@ -0,0 +1,172 @@
+import subprocess
+from collections.abc import Callable
+
+import click
+
+from dbt_platform_helper.exceptions import ECSAgentNotRunning
+from dbt_platform_helper.providers.cloudformation import (
+    add_stack_delete_policy_to_task_role,
+)
+from dbt_platform_helper.providers.cloudformation import update_conduit_stack_resources
+from dbt_platform_helper.providers.cloudformation import (
+    wait_for_cloudformation_to_reach_status,
+)
+from dbt_platform_helper.providers.copilot import connect_to_addon_client_task
+from dbt_platform_helper.providers.copilot import create_addon_client_task
+from dbt_platform_helper.providers.copilot import create_postgres_admin_task
+from dbt_platform_helper.providers.ecs import ecs_exec_is_available
+from dbt_platform_helper.providers.ecs import get_cluster_arn
+from dbt_platform_helper.providers.ecs import get_ecs_task_arns
+from dbt_platform_helper.providers.ecs import get_or_create_task_name
+from dbt_platform_helper.providers.secrets import get_addon_type
+from dbt_platform_helper.providers.secrets import get_parameter_name
+from dbt_platform_helper.utils.application import Application
+from dbt_platform_helper.utils.messages import abort_with_error
+
+
+class Conduit:
+    def __init__(
+        self,
+        application: Application,
+        echo_fn: Callable[[str], str] = click.secho,
+        subprocess_fn: subprocess = subprocess,
+        get_ecs_task_arns_fn=get_ecs_task_arns,
+        connect_to_addon_client_task_fn=connect_to_addon_client_task,
+        create_addon_client_task_fn=create_addon_client_task,
+        create_postgres_admin_task_fn=create_postgres_admin_task,
+        get_addon_type_fn=get_addon_type,
+        ecs_exec_is_available_fn=ecs_exec_is_available,
+        get_cluster_arn_fn=get_cluster_arn,
+        get_parameter_name_fn=get_parameter_name,
+        get_or_create_task_name_fn=get_or_create_task_name,
+        add_stack_delete_policy_to_task_role_fn=add_stack_delete_policy_to_task_role,
+        update_conduit_stack_resources_fn=update_conduit_stack_resources,
+        wait_for_cloudformation_to_reach_status_fn=wait_for_cloudformation_to_reach_status,
+        abort_fn=abort_with_error,
+    ):
+
+        self.application = application
+        self.subprocess_fn = subprocess_fn
+        self.echo_fn = echo_fn
+        self.get_ecs_task_arns_fn = get_ecs_task_arns_fn
+        self.connect_to_addon_client_task_fn = connect_to_addon_client_task_fn
+        self.create_addon_client_task_fn = create_addon_client_task_fn
+        self.create_postgres_admin_task = create_postgres_admin_task_fn
+        self.get_addon_type_fn = get_addon_type_fn
+        self.ecs_exec_is_available_fn = ecs_exec_is_available_fn
+        self.get_cluster_arn_fn = get_cluster_arn_fn
+        self.get_parameter_name_fn = get_parameter_name_fn
+        self.get_or_create_task_name_fn = get_or_create_task_name_fn
+        self.add_stack_delete_policy_to_task_role_fn = add_stack_delete_policy_to_task_role_fn
+        self.update_conduit_stack_resources_fn = update_conduit_stack_resources_fn
+        self.wait_for_cloudformation_to_reach_status_fn = wait_for_cloudformation_to_reach_status_fn
+        self.abort_fn = abort_fn
+
+    def start(self, env: str, addon_name: str, access: str = "read"):
+        clients = self._initialise_clients(env)
+        addon_type, cluster_arn, parameter_name, task_name = self._get_addon_details(
+            env, addon_name, access
+        )
+
+        self.echo_fn(f"Checking if a conduit task is already running for {addon_type}")
+        task_arn = self.get_ecs_task_arns_fn(clients["ecs"], cluster_arn, task_name)
+        if not task_arn:
+            self.echo_fn("Creating conduit task")
+            self.create_addon_client_task_fn(
+                clients["iam"],
+                clients["ssm"],
+                clients["secrets_manager"],
+                self.subprocess_fn,
+                self.application,
+                env,
+                addon_type,
+                addon_name,
+                task_name,
+                access,
+            )
+
+            self.echo_fn("Updating conduit task")
+            self._update_stack_resources(
+                clients["cloudformation"],
+                clients["iam"],
+                clients["ssm"],
+                self.application.name,
+                env,
+                addon_type,
+                addon_name,
+                task_name,
+                parameter_name,
+                access,
+            )
+
+            task_arn = self.get_ecs_task_arns_fn(clients["ecs"], cluster_arn, task_name)
+
+        else:
+            self.echo_fn("Conduit task already running")
+
+        self.echo_fn(f"Checking if exec is available for conduit task...")
+
+        try:
+            self.ecs_exec_is_available_fn(clients["ecs"], cluster_arn, task_arn)
+        except ECSAgentNotRunning:
+            self.abort_fn('ECS exec agent never reached "RUNNING" status')
+
+        self.echo_fn("Connecting to conduit task")
+        self.connect_to_addon_client_task_fn(
+            clients["ecs"], self.subprocess_fn, self.application.name, env, cluster_arn, task_name
+        )
+
+    def _initialise_clients(self, env):
+        return {
+            "ecs": self.application.environments[env].session.client("ecs"),
+            "iam": self.application.environments[env].session.client("iam"),
+            "ssm": self.application.environments[env].session.client("ssm"),
+            "cloudformation": self.application.environments[env].session.client("cloudformation"),
+            "secrets_manager": self.application.environments[env].session.client("secretsmanager"),
+        }
+
+    def _get_addon_details(self, env, addon_name, access):
+        ssm_client = self.application.environments[env].session.client("ssm")
+        ecs_client = self.application.environments[env].session.client("ecs")
+
+        addon_type = self.get_addon_type_fn(ssm_client, self.application.name, env, addon_name)
+        cluster_arn = self.get_cluster_arn_fn(ecs_client, self.application.name, env)
+        parameter_name = self.get_parameter_name_fn(
+            self.application.name, env, addon_type, addon_name, access
+        )
+        task_name = self.get_or_create_task_name_fn(
+            ssm_client, self.application.name, env, addon_name, parameter_name
+        )
+
+        return addon_type, cluster_arn, parameter_name, task_name
+
+    def _update_stack_resources(
+        self,
+        cloudformation_client,
+        iam_client,
+        ssm_client,
+        app_name,
+        env,
+        addon_type,
+        addon_name,
+        task_name,
+        parameter_name,
+        access,
+    ):
+        self.add_stack_delete_policy_to_task_role_fn(cloudformation_client, iam_client, task_name)
+        stack_name = self.update_conduit_stack_resources_fn(
+            cloudformation_client,
+            iam_client,
+            ssm_client,
+            app_name,
+            env,
+            addon_type,
+            addon_name,
+            task_name,
+            parameter_name,
+            access,
+        )
+        self.echo_fn("Waiting for conduit task update to complete...")
+        self.wait_for_cloudformation_to_reach_status_fn(
+            cloudformation_client, "stack_update_complete", stack_name
+        )

{dbt_platform_helper-12.1.0 → dbt_platform_helper-12.2.1}/dbt_platform_helper/exceptions.py

@@ -20,6 +20,31 @@ class IncompatibleMinorVersion(ValidationException):
         self.check_version = check_version
 
 
+class NoClusterError(AWSException):
+    pass
+
+
+class CreateTaskTimeoutError(AWSException):
+    pass
+
+
+class ParameterNotFoundError(AWSException):
+    pass
+
+
+class AddonNotFoundError(AWSException):
+    pass
+
+
+class InvalidAddonTypeError(AWSException):
+    def __init__(self, addon_type):
+        self.addon_type = addon_type
+
+
+class AddonTypeMissingFromConfigError(AWSException):
+    pass
+
+
 class CopilotCodebaseNotFoundError(Exception):
     pass
 
@@ -46,3 +71,11 @@ class ApplicationNotFoundError(Exception):
 
 class ApplicationEnvironmentNotFoundError(Exception):
     pass
+
+
+class SecretNotFoundError(AWSException):
+    pass
+
+
+class ECSAgentNotRunning(AWSException):
+    pass

dbt_platform_helper-12.2.1/dbt_platform_helper/providers/cloudformation.py

@@ -0,0 +1,105 @@
+import json
+
+from cfn_tools import dump_yaml
+from cfn_tools import load_yaml
+
+
+def add_stack_delete_policy_to_task_role(cloudformation_client, iam_client, task_name: str):
+
+    stack_name = f"task-{task_name}"
+    stack_resources = cloudformation_client.list_stack_resources(StackName=stack_name)[
+        "StackResourceSummaries"
+    ]
+
+    for resource in stack_resources:
+        if resource["LogicalResourceId"] == "DefaultTaskRole":
+            task_role_name = resource["PhysicalResourceId"]
+            iam_client.put_role_policy(
+                RoleName=task_role_name,
+                PolicyName="DeleteCloudFormationStack",
+                PolicyDocument=json.dumps(
+                    {
+                        "Version": "2012-10-17",
+                        "Statement": [
+                            {
+                                "Action": ["cloudformation:DeleteStack"],
+                                "Effect": "Allow",
+                                "Resource": f"arn:aws:cloudformation:*:*:stack/{stack_name}/*",
+                            },
+                        ],
+                    },
+                ),
+            )
+
+
+def update_conduit_stack_resources(
+    cloudformation_client,
+    iam_client,
+    ssm_client,
+    application_name: str,
+    env: str,
+    addon_type: str,
+    addon_name: str,
+    task_name: str,
+    parameter_name: str,
+    access: str,
+):
+
+    conduit_stack_name = f"task-{task_name}"
+    template = cloudformation_client.get_template(StackName=conduit_stack_name)
+    template_yml = load_yaml(template["TemplateBody"])
+    template_yml["Resources"]["LogGroup"]["DeletionPolicy"] = "Retain"
+    template_yml["Resources"]["TaskNameParameter"] = load_yaml(
+        f"""
+        Type: AWS::SSM::Parameter
+        Properties:
+          Name: {parameter_name}
+          Type: String
+          Value: {task_name}
+        """
+    )
+
+    log_filter_role_arn = iam_client.get_role(RoleName="CWLtoSubscriptionFilterRole")["Role"]["Arn"]
+
+    destination_log_group_arns = json.loads(
+        ssm_client.get_parameter(Name="/copilot/tools/central_log_groups")["Parameter"]["Value"]
+    )
+
+    destination_arn = destination_log_group_arns["dev"]
+    if env.lower() in ("prod", "production"):
+        destination_arn = destination_log_group_arns["prod"]
+
+    template_yml["Resources"]["SubscriptionFilter"] = load_yaml(
+        f"""
+        Type: AWS::Logs::SubscriptionFilter
+        DeletionPolicy: Retain
+        Properties:
+          RoleArn: {log_filter_role_arn}
+          LogGroupName: /copilot/{task_name}
+          FilterName: /copilot/conduit/{application_name}/{env}/{addon_type}/{addon_name}/{task_name.rsplit("-", 1)[1]}/{access}
+          FilterPattern: ''
+          DestinationArn: {destination_arn}
+        """
+    )
+
+    params = []
+    if "Parameters" in template_yml:
+        for param in template_yml["Parameters"]:
+            # TODO testing missed in codecov, update test to assert on method call below with params including ExistingParameter from cloudformation template.
+            params.append({"ParameterKey": param, "UsePreviousValue": True})
+
+    cloudformation_client.update_stack(
+        StackName=conduit_stack_name,
+        TemplateBody=dump_yaml(template_yml),
+        Parameters=params,
+        Capabilities=["CAPABILITY_IAM"],
+    )
+
+    return conduit_stack_name
+
+
+# TODO Catch errors and raise a more human friendly Exception is the CloudFormation stack goes into a "unhappy" state, e.g. ROLLBACK_IN_PROGRESS. Currently we get things like botocore.exceptions.WaiterError: Waiter StackUpdateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "UPDATE_ROLLBACK_COMPLETE" at least once
+def wait_for_cloudformation_to_reach_status(cloudformation_client, stack_status, stack_name):
+
+    waiter = cloudformation_client.get_waiter(stack_status)
+    waiter.wait(StackName=stack_name, WaiterConfig={"Delay": 5, "MaxAttempts": 20})

dbt_platform_helper-12.2.1/dbt_platform_helper/providers/copilot.py

@@ -0,0 +1,144 @@
+import json
+import time
+
+from botocore.exceptions import ClientError
+
+from dbt_platform_helper.constants import CONDUIT_DOCKER_IMAGE_LOCATION
+from dbt_platform_helper.exceptions import CreateTaskTimeoutError
+from dbt_platform_helper.providers.ecs import get_ecs_task_arns
+from dbt_platform_helper.providers.secrets import get_connection_secret_arn
+from dbt_platform_helper.providers.secrets import (
+    get_postgres_connection_data_updated_with_master_secret,
+)
+from dbt_platform_helper.utils.application import Application
+from dbt_platform_helper.utils.messages import abort_with_error
+
+
+def create_addon_client_task(
+    iam_client,
+    ssm_client,
+    secrets_manager_client,
+    subprocess,
+    application: Application,
+    env: str,
+    addon_type: str,
+    addon_name: str,
+    task_name: str,
+    access: str,
+):
+    secret_name = f"/copilot/{application.name}/{env}/secrets/{_normalise_secret_name(addon_name)}"
+
+    if addon_type == "postgres":
+        if access == "read":
+            secret_name += "_READ_ONLY_USER"
+        elif access == "write":
+            secret_name += "_APPLICATION_USER"
+        elif access == "admin":
+            create_postgres_admin_task(
+                ssm_client,
+                secrets_manager_client,
+                subprocess,
+                application,
+                addon_name,
+                addon_type,
+                env,
+                secret_name,
+                task_name,
+            )
+            return
+    elif addon_type == "redis" or addon_type == "opensearch":
+        secret_name += "_ENDPOINT"
+
+    role_name = f"{addon_name}-{application.name}-{env}-conduitEcsTask"
+
+    try:
+        iam_client.get_role(RoleName=role_name)
+        execution_role = f"--execution-role {role_name} "
+    except ClientError as ex:
+        execution_role = ""
+        # We cannot check for botocore.errorfactory.NoSuchEntityException as botocore generates that class on the fly as part of errorfactory.
+        # factory. Checking the error code is the recommended way of handling these exceptions.
+        if ex.response.get("Error", {}).get("Code", None) != "NoSuchEntity":
+            # TODO Raise an exception to be caught at the command layer
+            abort_with_error(
+                f"cannot obtain Role {role_name}: {ex.response.get('Error', {}).get('Message', '')}"
+            )
+
+    subprocess.call(
+        f"copilot task run --app {application.name} --env {env} "
+        f"--task-group-name {task_name} "
+        f"{execution_role}"
+        f"--image {CONDUIT_DOCKER_IMAGE_LOCATION}:{addon_type} "
+        f"--secrets CONNECTION_SECRET={get_connection_secret_arn(ssm_client,secrets_manager_client, secret_name)} "
+        "--platform-os linux "
+        "--platform-arch arm64",
+        shell=True,
+    )
+
+
+def create_postgres_admin_task(
+    ssm_client,
+    secrets_manager_client,
+    subprocess,
+    app: Application,
+    addon_name: str,
+    addon_type: str,
+    env: str,
+    secret_name: str,
+    task_name: str,
+):
+    read_only_secret_name = secret_name + "_READ_ONLY_USER"
+    master_secret_name = (
+        f"/copilot/{app.name}/{env}/secrets/{_normalise_secret_name(addon_name)}_RDS_MASTER_ARN"
+    )
+    master_secret_arn = ssm_client.get_parameter(Name=master_secret_name, WithDecryption=True)[
+        "Parameter"
+    ]["Value"]
+    connection_string = json.dumps(
+        get_postgres_connection_data_updated_with_master_secret(
+            ssm_client, secrets_manager_client, read_only_secret_name, master_secret_arn
+        )
+    )
+
+    subprocess.call(
+        f"copilot task run --app {app.name} --env {env} "
+        f"--task-group-name {task_name} "
+        f"--image {CONDUIT_DOCKER_IMAGE_LOCATION}:{addon_type} "
+        f"--env-vars CONNECTION_SECRET='{connection_string}' "
+        "--platform-os linux "
+        "--platform-arch arm64",
+        shell=True,
+    )
+
+
+def connect_to_addon_client_task(
+    ecs_client,
+    subprocess,
+    application_name,
+    env,
+    cluster_arn,
+    task_name,
+    addon_client_is_running_fn=get_ecs_task_arns,
+):
+    running = False
+    tries = 0
+    while tries < 15 and not running:
+        tries += 1
+        if addon_client_is_running_fn(ecs_client, cluster_arn, task_name):
+            subprocess.call(
+                "copilot task exec "
+                f"--app {application_name} --env {env} "
+                f"--name {task_name} "
+                f"--command bash",
+                shell=True,
+            )
+            running = True
+
+        time.sleep(1)
+
+    if not running:
+        raise CreateTaskTimeoutError
+
+
+def _normalise_secret_name(addon_name: str) -> str:
+    return addon_name.replace("-", "_").upper()