Configure account_api_db_admin machine class

This creates a dedicated database admin machine for the Account API, following the content_data_api_db_admin convention. This is in order to facilitate the implementation of [RFC-143][], which concludes that every GOV.UK relational database should have its own RDS instance. [RFC-143]: https://github.com/alphagov/govuk-rfcs/blob/main/rfc-143-split-database-instances.md
alphagov · Dec 10, 2021 · 4e0cb1d · 4e0cb1d
1 parent 9b78501
commit 4e0cb1d
Show file tree

Hide file tree

Showing 7 changed files with 145 additions and 2 deletions.
diff --git a/hieradata_aws/class/integration/account_api_db_admin.yaml b/hieradata_aws/class/integration/account_api_db_admin.yaml
@@ -0,0 +1,23 @@
+govuk_env_sync::tasks:
+  "pull_account_api_production_daily":
+    ensure: "present"
+    hour: "0"
+    minute: "0"
+    action: "pull"
+    dbms: "postgresql"
+    storagebackend: "s3"
+    database: "account-api_production"
+    temppath: "/tmp/account_api_production"
+    url: "govuk-production-database-backups"
+    path: "account-api-postgresql"
+  "push_account_api_production_daily":
+    ensure: "present"
+    hour: "5"
+    minute: "0"
+    action: "push"
+    dbms: "postgresql"
+    storagebackend: "s3"
+    database: "account-api_production"
+    temppath: "/tmp/account_api_production"
+    url: "govuk-integration-database-backups"
+    path: "account-api-postgresql"
diff --git a/hieradata_aws/class/production/account_api_db_admin.yaml b/hieradata_aws/class/production/account_api_db_admin.yaml
@@ -0,0 +1,12 @@
+govuk_env_sync::tasks:
+  "push_account_api_production_daily":
+    ensure: "present"
+    hour: "23"
+    minute: "0"
+    action: "push"
+    dbms: "postgresql"
+    storagebackend: "s3"
+    database: "account-api_production"
+    temppath: "/tmp/account_api_production"
+    url: "govuk-production-database-backups"
+    path: "account-api-postgresql"
diff --git a/hieradata_aws/class/staging/account_api_db_admin.yaml b/hieradata_aws/class/staging/account_api_db_admin.yaml
@@ -0,0 +1,23 @@
+govuk_env_sync::tasks:
+  "pull_account_api_production_daily":
+    ensure: "present"
+    hour: "0"
+    minute: "0"
+    action: "pull"
+    dbms: "postgresql"
+    storagebackend: "s3"
+    database: "account-api_production"
+    temppath: "/tmp/account_api_production"
+    url: "govuk-production-database-backups"
+    path: "account-api-postgresql"
+  "push_account_api_production_daily":
+    ensure: "present"
+    hour: "5"
+    minute: "0"
+    action: "push"
+    dbms: "postgresql"
+    storagebackend: "s3"
+    database: "account-api_production"
+    temppath: "/tmp/account_api_production"
+    url: "govuk-staging-database-backups"
+    path: "account-api-postgresql"
diff --git a/hieradata_aws/common.yaml b/hieradata_aws/common.yaml
@@ -782,7 +782,7 @@ govuk::apps::transition::redis_port: "%{hiera('sidekiq_port')}"
 govuk::apps::travel_advice_publisher::redis_host: "%{hiera('sidekiq_host')}"
 govuk::apps::travel_advice_publisher::redis_port: "%{hiera('sidekiq_port')}"
 
-govuk::apps::account_api::db_hostname: "postgresql-primary"
+govuk::apps::account_api::db_hostname: "account-api-postgresql-primary"
 govuk::apps::account_api::db::backend_ip_range: "%{hiera('environment_ip_prefix')}.3.0/24"
 govuk::apps::account_api::db::allow_auth_from_lb: true
 govuk::apps::account_api::db::lb_ip_range: "%{hiera('environment_ip_prefix')}.0.0/16"
@@ -857,6 +857,7 @@ govuk::node::s_base::log_remote: false
 govuk::node::s_db_admin::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}"
 govuk::node::s_db_admin::apt_mirror_gpg_key_fingerprint: "%{hiera('apt_mirror_fingerprint')}"
 
+govuk::node::s_account_api_db_admin::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}"
 govuk::node::s_content_data_api_db_admin::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}"
 
 govuk::node::s_gatling::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}"

diff --git a/modules/govuk/manifests/node/s_account_api_db_admin.pp b/modules/govuk/manifests/node/s_account_api_db_admin.pp
@@ -0,0 +1,81 @@
+# == Class: govuk_node::s_account_api_db_admin
+#
+# This machine class is used to administer the Account API
+# PostgreSQL RDS instances.
+#
+# === Parameters
+#
+# [*postgres_host*]
+#   Hostname of the RDS database to use.
+#   Default: undef
+#
+# [*postgres_user*]
+#   The PostgreSQL user to use for admisistering the database.
+#   Default: undef
+#
+# [*postgres_password*]
+#   The password corresponding to the above `postgres_user`.
+#   Default: undef
+#
+# [*postgres_port*]
+#   The port with which to connect to the `postgres_host`.
+#   Default: '5432'
+#
+class govuk::node::s_account_api_db_admin(
+  $postgres_host        = undef,
+  $postgres_user        = undef,
+  $postgres_password    = undef,
+  $postgres_port        = '5432',
+  $apt_mirror_hostname,
+) {
+  include govuk_env_sync
+  include ::govuk::node::s_base
+
+  # This allows easy administration of the PostgreSQL backend:
+  # https://www.postgresql.org/docs/9.3/static/libpq-pgpass.html
+  file { '/root/.pgpass':
+    ensure  => present,
+    mode    => '0600',
+    content => "${postgres_host}:5432:*:${postgres_user}:${postgres_password}",
+  }
+
+  # Unfortunately, the prior art for configuring db-admin style
+  # machines seems to involve a redundant PostgreSQL service, just to
+  # satisfy the Puppet module used to configure PostgreSQL running on
+  # the RDS instance. Some of the below configuration relates to this.
+
+  # Connect to the RDS instance when performing Puppet operations
+  $default_connect_settings = {
+    'PGUSER'     => $postgres_user,
+    'PGPASSWORD' => $postgres_password,
+    'PGHOST'     => $postgres_host,
+    'PGPORT'     => $postgres_port,
+  }
+
+  apt::source { 'postgresql':
+    ensure       => present,
+    location     => "http://${apt_mirror_hostname}/postgresql",
+    release      => "${::lsbdistcodename}-pgdg",
+    architecture => $::architecture,
+    key          => 'B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8',
+  } ->
+
+  # We don't actually want to run a local PostgreSQL server, just
+  # configure the RDS one
+  class { '::postgresql::server':
+    default_connect_settings => $default_connect_settings,
+    service_manage           => false,
+  } ->
+
+  service { 'postgresql':
+    ensure  => stopped,
+  }
+
+  include ::govuk_postgresql::server::not_slave
+
+  # Ensure the client class is installed
+  class { '::govuk_postgresql::client': } ->
+
+  # include all PostgreSQL classes that create databases and users
+  class { '::govuk::apps::account_api::db': }
+}
diff --git a/modules/govuk_env_sync/files/govuk_env_sync.sh b/modules/govuk_env_sync/files/govuk_env_sync.sh
@@ -338,7 +338,9 @@ function restore_elasticsearch {
 
 function dump_postgresql {
   # Check which postgres instance the database needs to restore into
-  if [ "${database}" == 'content_data_api_production' ]; then
+  if [ "${database}" == 'account-api_production' ]; then
+    db_hostname='account-api-postgresql-primary'
+  elif [ "${database}" == 'content_data_api_production' ]; then
     db_hostname='content-data-api-postgresql-primary'
   elif [ "${database}" == 'content_performance_manager_production' ]; then
     db_hostname='content-data-api-postgresql-primary'

diff --git a/spec/fixtures/hieradata/common.yaml b/spec/fixtures/hieradata/common.yaml
@@ -34,6 +34,7 @@ govuk::deploy::sync::auth_token: "example-auth-token"
 
 govuk::node::s_db_admin::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}"
 govuk::node::s_db_admin::apt_mirror_gpg_key_fingerprint: "%{hiera('apt_mirror_fingerprint')}"
+govuk::node::s_account_api_db_admin::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}"
 govuk::node::s_content_data_api_db_admin::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}"
 govuk::node::s_graphite::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}"
 govuk::node::s_graphite::apt_mirror_gpg_key_fingerprint: "%{hiera('apt_mirror_fingerprint')}"