refactor(filemanager): database property links using names, security …

…groups and pre-compiled sqlx queries

.secrets.baseline

@@ -75,6 +75,10 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -109,10 +113,10 @@
     {
       "path": "detect_secrets.filters.regex.should_exclude_file",
       "pattern": [
-        "^(yarn.lock|.yarn/|.local/|openapi/)"
+        "^(yarn.lock|.yarn/|.local/|openapi/)|.sqlx/"
       ]
     }
   ],
   "results": {},
-  "generated_at": "2023-05-24T11:39:46Z"
+  "generated_at": "2024-02-18T03:27:13Z"
 }

config/constants.ts

@@ -36,6 +36,7 @@ const orcaBusStatefulConfig = {
       cloudwatchLogsExports: ['orcabus-postgresql'],
     },
     databaseSecurityGroupName: 'database-security-group',
+    inboundSecurityGroupName: 'inbound-database-security-group',
   },
   securityGroupProps: {
     securityGroupName: lambdaSecurityGroupName,
@@ -82,7 +83,7 @@ const filemanagerDependencies: FilemanagerDependencies = {
   eventSourceBuckets: ['umccr-temp-dev'],
   eventSourceQueueName: eventSourceConfig.queueName,
   databaseSecretName: orcaBusStatefulConfig.databaseProps.masterSecretName,
-  databaseSecurityGroupName: orcaBusStatefulConfig.databaseProps.databaseSecurityGroupName,
+  databaseSecurityGroupName: orcaBusStatefulConfig.databaseProps.inboundSecurityGroupName,
 };
 
 interface EnvironmentConfig {

lib/workload/orcabus-stateful-stack.ts

@@ -2,15 +2,15 @@ import * as cdk from 'aws-cdk-lib';
 import { Construct } from 'constructs';
 import { getVpc } from './stateful/vpc/component';
 import { EventBusConstruct, EventBusProps } from './stateful/eventbridge/component';
-import { Database, DatabasePropsNoVPC } from './stateful/database/component';
+import { Database, ConfigurableDatabaseProps } from './stateful/database/component';
 import { SecurityGroupConstruct, SecurityGroupProps } from './stateful/securitygroup/component';
 import { SchemaRegistryConstruct, SchemaRegistryProps } from './stateful/schemaregistry/component';
 import { EventSource, EventSourceProps } from './stateful/event_source/component';
 
 export interface OrcaBusStatefulConfig {
   schemaRegistryProps: SchemaRegistryProps;
   eventBusProps: EventBusProps;
-  databaseProps: DatabasePropsNoVPC;
+  databaseProps: ConfigurableDatabaseProps;
   securityGroupProps: SecurityGroupProps;
   eventSourceProps?: EventSourceProps;
 }

lib/workload/orcabus-stateless-stack.ts

@@ -78,7 +78,7 @@ export class OrcaBusStatelessStack extends cdk.Stack {
     // Opting to reconstruct the dependencies here, and pass them into the service as constructs.
     const queue = Queue.fromQueueArn(
       this,
-      'Filemanager Queue',
+      'FilemanagerQueue',
       Arn.format(
         {
           resource: dependencies.eventSourceQueueName,
@@ -87,23 +87,23 @@ export class OrcaBusStatelessStack extends cdk.Stack {
         this
       )
     );
-    const securityGroup = SecurityGroup.fromLookupByName(
+    const databaseSecurityGroup = SecurityGroup.fromLookupByName(
       this,
-      'Filemanager Database Security Group',
+      'FilemanagerDatabaseSecurityGroup',
       dependencies.databaseSecurityGroupName,
       vpc
     );
     const databaseSecret = Secret.fromSecretNameV2(
       this,
-      'Filemanager Database Secret',
+      'FilemanagerDatabaseSecret',
       dependencies.databaseSecretName
     );
 
     new Filemanager(this, 'Filemanager', {
       buckets: dependencies.eventSourceBuckets,
       buildEnvironment: {},
-      databaseSecret: databaseSecret,
-      databaseSecurityGroup: securityGroup,
+      databaseSecret,
+      databaseSecurityGroup,
       eventSources: [queue],
       migrateDatabase: true,
       vpc: vpc,

lib/workload/stateful/database/component.ts

@@ -2,6 +2,8 @@ import { Construct } from 'constructs';
 import { RemovalPolicy, Duration } from 'aws-cdk-lib';
 import * as rds from 'aws-cdk-lib/aws-rds';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { SecurityGroup } from 'aws-cdk-lib/aws-ec2';
+import { DatabaseCluster } from 'aws-cdk-lib/aws-rds';
 
 /**
  * Props for enabling enhanced monitoring.
@@ -28,7 +30,7 @@ type MonitoringProps = {
 /**
  * Database props without a VPC.
  */
-export type DatabasePropsNoVPC = MonitoringProps & {
+export type ConfigurableDatabaseProps = MonitoringProps & {
   /**
    * The cluster identifier.
    */
@@ -78,24 +80,26 @@ export type DatabasePropsNoVPC = MonitoringProps & {
    */
   removalPolicy: RemovalPolicy;
   /**
-   * Inbound security groups that are allowed to connect to the database.
+   * Create an inbound security group that can connect to the database. Stateless resources can recreate
+   * this security group to access the database.
    */
-  allowedInboundSG?: ec2.SecurityGroup;
+  inboundSecurityGroupName: string;
 };
 
 /**
  * Database props with a vpc.
  */
-export type DatabaseProps = DatabasePropsNoVPC & {
+export type DatabaseProps = ConfigurableDatabaseProps & {
   /**
    * The database VPC.
    */
   vpc: ec2.IVpc;
 };
 
 export class Database extends Construct {
-  readonly securityGroup: ec2.SecurityGroup;
-  readonly cluster: rds.DatabaseCluster;
+  readonly securityGroup: SecurityGroup;
+  readonly inboundSecurityGroup: SecurityGroup;
+  readonly cluster: DatabaseCluster;
 
   constructor(scope: Construct, id: string, props: DatabaseProps) {
     super(scope, id);
@@ -113,14 +117,19 @@ export class Database extends Construct {
       description: 'security group for OrcaBus RDS',
     });
 
-    // give compute sg to access the rds
-    if (props.allowedInboundSG) {
-      this.securityGroup.addIngressRule(
-        props.allowedInboundSG,
-        ec2.Port.tcp(props.dbPort),
-        'allow the OrcaBus compute sg to access db'
-      );
-    }
+    this.inboundSecurityGroup = new ec2.SecurityGroup(this, 'DbInboundSecurityGroup', {
+      vpc: props.vpc,
+      allowAllOutbound: false,
+      allowAllIpv6Outbound: false,
+      securityGroupName: props.inboundSecurityGroupName,
+      description: 'an inbound security group to connect to the OrcaBus RDS',
+    });
+
+    this.securityGroup.addIngressRule(
+      this.inboundSecurityGroup,
+      ec2.Port.tcp(props.dbPort),
+      'allow the OrcaBus security group to access db'
+    );
 
     this.cluster = new rds.DatabaseCluster(this, id + 'Cluster', {
       engine: rds.DatabaseClusterEngine.auroraPostgres({ version: props.version }),