diff --git a/hieradata_aws/class/integration/account_api_db_admin.yaml b/hieradata_aws/class/integration/account_api_db_admin.yaml
new file mode 100644
index 00000000000..44b6b8d5f6a
--- /dev/null
+++ b/hieradata_aws/class/integration/account_api_db_admin.yaml
@@ -0,0 +1,23 @@
+govuk_env_sync::tasks:
+ "pull_account_api_production_daily":
+ ensure: "present"
+ hour: "0"
+ minute: "0"
+ action: "pull"
+ dbms: "postgresql"
+ storagebackend: "s3"
+ database: "account-api_production"
+ temppath: "/tmp/account_api_production"
+ url: "govuk-production-database-backups"
+ path: "account-api-postgresql"
+ "push_account_api_production_daily":
+ ensure: "present"
+ hour: "5"
+ minute: "0"
+ action: "push"
+ dbms: "postgresql"
+ storagebackend: "s3"
+ database: "account-api_production"
+ temppath: "/tmp/account_api_production"
+ url: "govuk-integration-database-backups"
+ path: "account-api-postgresql"
diff --git a/hieradata_aws/class/production/account_api_db_admin.yaml b/hieradata_aws/class/production/account_api_db_admin.yaml
new file mode 100644
index 00000000000..d43586de1f6
--- /dev/null
+++ b/hieradata_aws/class/production/account_api_db_admin.yaml
@@ -0,0 +1,12 @@
+govuk_env_sync::tasks:
+ "push_account_api_production_daily":
+ ensure: "present"
+ hour: "23"
+ minute: "0"
+ action: "push"
+ dbms: "postgresql"
+ storagebackend: "s3"
+ database: "account-api_production"
+ temppath: "/tmp/account_api_production"
+ url: "govuk-production-database-backups"
+ path: "account-api-postgresql"
diff --git a/hieradata_aws/class/staging/account_api_db_admin.yaml b/hieradata_aws/class/staging/account_api_db_admin.yaml
new file mode 100644
index 00000000000..6c771a6ad54
--- /dev/null
+++ b/hieradata_aws/class/staging/account_api_db_admin.yaml
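Review bot: The `pull_account_api_production_daily` task restores the production `account-api_production` dump into integration with no scrubbing step visible in this task set, and the staging file later in this diff does the same. Account API data is presumably personal data about signed-in users, so a full copy would land in two environments that usually have wider access than production; confirm that is intended, or add an anonymisation step between the 00:00 pull and the 05:00 push. Both tasks also share `temppath: "/tmp/account_api_production"`, a predictable path under a world-writable directory, so it is worth checking that govuk_env_sync creates it with restrictive permissions and removes it after each run.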
@@ -0,0 +1,23 @@
+govuk_env_sync::tasks:
+ "pull_account_api_production_daily":
+ ensure: "present"
+ hour: "0"
+ minute: "0"
+ action: "pull"
+ dbms: "postgresql"
+ storagebackend: "s3"
+ database: "account-api_production"
+ temppath: "/tmp/account_api_production"
+ url: "govuk-production-database-backups"
+ path: "account-api-postgresql"
+ "push_account_api_production_daily":
+ ensure: "present"
+ hour: "5"
+ minute: "0"
+ action: "push"
+ dbms: "postgresql"
+ storagebackend: "s3"
+ database: "account-api_production"
+ temppath: "/tmp/account_api_production"
+ url: "govuk-staging-database-backups"
+ path: "account-api-postgresql"
diff --git a/hieradata_aws/common.yaml b/hieradata_aws/common.yaml
index 37028a43b08..995cc448565 100644
--- a/hieradata_aws/common.yaml
+++ b/hieradata_aws/common.yaml
@@ -782,7 +782,7 @@ govuk::apps::transition::redis_port: "%{hiera('sidekiq_port')}" govuk::apps::travel_advice_publisher::redis_host: "%{hiera('sidekiq_host')}" govuk::apps::travel_advice_publisher::redis_port: "%{hiera('sidekiq_port')}" -govuk::apps::account_api::db_hostname: "postgresql-primary" +govuk::apps::account_api::db_hostname: "account-api-postgresql-primary" govuk::apps::account_api::db::backend_ip_range: "%{hiera('environment_ip_prefix')}.3.0/24" govuk::apps::account_api::db::allow_auth_from_lb: true govuk::apps::account_api::db::lb_ip_range: "%{hiera('environment_ip_prefix')}.0.0/16"
@@ -857,6 +857,7 @@ govuk::node::s_base::log_remote: false govuk::node::s_db_admin::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}" govuk::node::s_db_admin::apt_mirror_gpg_key_fingerprint: "%{hiera('apt_mirror_fingerprint')}" +govuk::node::s_account_api_db_admin::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}" govuk::node::s_content_data_api_db_admin::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}" govuk::node::s_gatling::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}"
diff --git a/modules/govuk/manifests/node/s_account_api_db_admin.pp b/modules/govuk/manifests/node/s_account_api_db_admin.pp
new file mode 100644
index 00000000000..e253a300e60
--- /dev/null
+++ b/modules/govuk/manifests/node/s_account_api_db_admin.pp
@@ -0,0 +1,81 @@
+# == Class: govuk_node::s_account_api_db_admin
+#
+# This machine class is used to administer the Account API
+# PostgreSQL RDS instances.
+#
+# === Parameters
+#
+# [*postgres_host*]
+# Hostname of the RDS database to use.
+# Default: undef
+#
+# [*postgres_user*]
+# The PostgreSQL user to use for admisistering the database.
+# Default: undef
+#
+# [*postgres_password*]
+# The password corresponding to the above `postgres_user`.
+# Default: undef
+#
+# [*postgres_port*]
+# The port with which to connect to the `postgres_host`.
+# Default: '5432'
+#
+class govuk::node::s_account_api_db_admin(
+ $postgres_host = undef,
+ $postgres_user = undef,
+ $postgres_password = undef,
+ $postgres_port = '5432',
+ $apt_mirror_hostname,
+) {
+ include govuk_env_sync
+ include ::govuk::node::s_base
+
+ # This allows easy administration of the PostgreSQL backend:
+ # https://www.postgresql.org/docs/9.3/static/libpq-pgpass.html
+ file { '/root/.pgpass':
+ ensure => present,
+ mode => '0600',
+ content => "${postgres_host}:5432:*:${postgres_user}:${postgres_password}",
+ }
+
+ # Unfortunately, the prior art for configuring db-admin style
+ # machines seems to involve a redundant PostgreSQL service, just to
+ # satisfy the Puppet module used to configure PostgreSQL running on
+ # the RDS instance. Some of the below configuration relates to this.
+
+ # Connect to the RDS instance when performing Puppet operations
+ $default_connect_settings = {
+ 'PGUSER' => $postgres_user,
+ 'PGPASSWORD' => $postgres_password,
+ 'PGHOST' => $postgres_host,
+ 'PGPORT' => $postgres_port,
+ }
+
+ apt::source { 'postgresql':
+ ensure => present,
+ location => "http://${apt_mirror_hostname}/postgresql",
+ release => "${::lsbdistcodename}-pgdg",
+ architecture => $::architecture,
+ key => 'B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8',
+ } ->
+
+ # We don't actually want to run a local PostgreSQL server, just
+ # configure the RDS one
+ class { '::postgresql::server':
+ default_connect_settings => $default_connect_settings,
+ service_manage => false,
+ } ->
+
+ service { 'postgresql':
+ ensure => stopped,
+ }
+
+ include ::govuk_postgresql::server::not_slave
+
+ # Ensure the client class is installed
+ class { '::govuk_postgresql::client': } ->
+
+ # include all PostgreSQL classes that create databases and users
+ class { '::govuk::apps::account_api::db': }
+}
diff --git a/modules/govuk_env_sync/files/govuk_env_sync.sh b/modules/govuk_env_sync/files/govuk_env_sync.sh
index f338d44225c..367ef35a14b 100644
--- a/modules/govuk_env_sync/files/govuk_env_sync.sh
+++ b/modules/govuk_env_sync/files/govuk_env_sync.sh
@@ -338,7 +338,9 @@ function restore_elasticsearch { function dump_postgresql { # Check which postgres instance the database needs to restore into - if [ "${database}" == 'content_data_api_production' ]; then + if [ "${database}" == 'account-api_production' ]; then + db_hostname='account-api-postgresql-primary' + elif [ "${database}" == 'content_data_api_production' ]; then db_hostname='content-data-api-postgresql-primary' elif [ "${database}" == 'content_performance_manager_production' ]; then db_hostname='content-data-api-postgresql-primary'
diff --git a/spec/fixtures/hieradata/common.yaml b/spec/fixtures/hieradata/common.yaml
index d7c46973f9b..c9a0994e4ba 100644
--- a/spec/fixtures/hieradata/common.yaml
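Review bot: The `/root/.pgpass` resource hard-codes port 5432 while `$default_connect_settings` passes `$postgres_port`, so overriding the port leaves a pgpass entry that no longer matches the connection and the password lookup silently fails. Use `content => "${postgres_host}:${postgres_port}:*:${postgres_user}:${postgres_password}\n",` (the trailing newline keeps the entry a complete line) and add `show_diff => false,` so the password cannot reach agent logs or reports when diff output is enabled. With the `undef` defaults the file is still written with empty fields, so failing early when `$postgres_password` is unset would be safer than deploying a useless credential file. Separately, the header comment names the class `govuk_node::…` rather than `govuk::node::…` and omits `apt_mirror_hostname`, and the required `$apt_mirror_hostname` is listed after the optional parameters.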
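Review bot: Only `dump_postgresql` gains the `account-api_production` branch, but the integration and staging tasks added in this commit also run `action: "pull"`, which presumably goes through a restore function that this diff does not show. If that function selects `db_hostname` with the same if/elif chain, it needs the same `account-api-postgresql-primary` branch, otherwise the restore would target whatever host the chain falls through to. The comment above the chain says "restore into" although this is the dump path; `# Check which postgres instance the database is dumped from` would match the function. The body of dump_postgresql continues outside the hunk.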
+++ b/spec/fixtures/hieradata/common.yaml
@@ -34,6 +34,7 @@ govuk::deploy::sync::auth_token: "example-auth-token" govuk::node::s_db_admin::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}" govuk::node::s_db_admin::apt_mirror_gpg_key_fingerprint: "%{hiera('apt_mirror_fingerprint')}" +govuk::node::s_account_api_db_admin::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}" govuk::node::s_content_data_api_db_admin::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}" govuk::node::s_graphite::apt_mirror_hostname: "%{hiera('apt_mirror_hostname')}" govuk::node::s_graphite::apt_mirror_gpg_key_fingerprint: "%{hiera('apt_mirror_fingerprint')}"