fix: refactor RDS dump, use custom certs (#156)

agneum · agneum · commit 04573d1664af · 2020-09-02T11:09:25.000Z
diff --git a/configs/config.example.logical_rds_iam.yml b/configs/config.example.logical_rds_iam.yml
@@ -146,20 +146,14 @@ retrieval:
 
           # Optional definition of RDS data source.
           rdsIam:
-            # RDS IAM policy name.
-            iamPolicyName: rds-dblab-retrieval
-
             # AWS Region.
             awsRegion: us-east-2
 
-            # AWS username.
-            username: aws_user
-
             # RDS instance Identifier.
             dbInstanceIdentifier: database-1
 
             # Path to the SSL root certificate: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
-            sslRootCert: "/tmp/rds-combined-ca-bundle.pem"
+            sslRootCert: "/cert/rds-combined-ca-bundle.pem"
 
         # Options for a partial dump.
         # partial:
diff --git a/pkg/retrieval/engine/postgres/logical/dump.go b/pkg/retrieval/engine/postgres/logical/dump.go
@@ -15,7 +15,6 @@ import (
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/client"
 	"github.com/pkg/errors"
@@ -90,9 +89,6 @@ type dumper interface {
 	// GetEnvVariables returns dumper environment variables.
 	GetCmdEnvVariables() []string
 
-	// GetMounts returns dumper volume configurations for mounting.
-	GetMounts() []mount.Mount
-
 	// SetConnectionOptions sets connection options for dumping.
 	SetConnectionOptions(context.Context, *Connection) error
 }
@@ -362,7 +358,6 @@ func (d *DumpJob) buildContainerConfig(password string) *container.Config {
 
 func (d *DumpJob) buildHostConfig(ctx context.Context) (*container.HostConfig, error) {
 	hostConfig := &container.HostConfig{
-		Mounts:      d.dumper.GetMounts(),
 		NetworkMode: d.getContainerNetworkMode(),
 	}
 
diff --git a/pkg/retrieval/engine/postgres/logical/dump_default.go b/pkg/retrieval/engine/postgres/logical/dump_default.go
@@ -6,8 +6,6 @@ package logical
 
 import (
 	"context"
-
-	"github.com/docker/docker/api/types/mount"
 )
 
 type defaultDumper struct{}
@@ -20,10 +18,6 @@ func (d *defaultDumper) GetCmdEnvVariables() []string {
 	return []string{}
 }
 
-func (d *defaultDumper) GetMounts() []mount.Mount {
-	return []mount.Mount{}
-}
-
 func (d *defaultDumper) SetConnectionOptions(_ context.Context, _ *Connection) error {
 	return nil
 }
diff --git a/pkg/retrieval/engine/postgres/logical/dump_rds.go b/pkg/retrieval/engine/postgres/logical/dump_rds.go
@@ -6,32 +6,20 @@ package logical
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 
 	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/arn"
-	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/rds"
 	"github.com/aws/aws-sdk-go/service/rds/rdsutils"
-	"github.com/docker/docker/api/types/mount"
 	"github.com/pkg/errors"
 
 	"gitlab.com/postgres-ai/database-lab/pkg/log"
 )
 
 const (
 	sslRootCert = "/cert/ssl-combined-ca-bundle.pem"
-
-	// AWS service names.
-	serviceIAM   = "iam"
-	serviceRDSDB = "rds-db"
-
-	// RDS policy option values.
-	rdsDocPolicyVersion = "2012-10-17"
-	rdsDBConnectAction  = "rds-db:connect"
 )
 
 type rdsDumper struct {
@@ -42,22 +30,9 @@ type rdsDumper struct {
 
 // RDSConfig describes configuration of an RDS instance.
 type RDSConfig struct {
-	IamPolicyName string `yaml:"iamPolicyName"`
-	AWSRegion     string `yaml:"awsRegion"`
-	DBInstance    string `yaml:"dbInstanceIdentifier"`
-	Username      string `yaml:"username"`
-	SSLRootCert   string `yaml:"sslRootCert"`
-}
-
-type policyDocument struct {
-	Version   string            `json:"Version"`
-	Statement []policyStatement `json:"Statement"`
-}
-
-type policyStatement struct {
-	Effect   string   `json:"Effect"`
-	Action   []string `json:"Action"`
-	Resource []string `json:"Resource"`
+	AWSRegion   string `yaml:"awsRegion"`
+	DBInstance  string `yaml:"dbInstanceIdentifier"`
+	SSLRootCert string `yaml:"sslRootCert"`
 }
 
 func newRDSDumper(rdsCfg *RDSConfig) (*rdsDumper, error) {
@@ -85,30 +60,20 @@ Set up valid environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY`)
 
 // GetEnvVariables returns dumper environment variables.
 func (r *rdsDumper) GetCmdEnvVariables() []string {
+	cert := sslRootCert
+
+	if r.rdsCfg.SSLRootCert != "" {
+		cert = r.rdsCfg.SSLRootCert
+	}
+
 	execEnvs := []string{
-		"PGSSLROOTCERT=" + sslRootCert,
+		"PGSSLROOTCERT=" + cert,
 		"PGSSLMODE=verify-ca",
 	}
 
 	return execEnvs
 }
 
-// GetMounts returns dumper volume configurations for mounting.
-func (r *rdsDumper) GetMounts() []mount.Mount {
-	mounts := []mount.Mount{}
-
-	if r.rdsCfg != nil && r.rdsCfg.SSLRootCert != "" {
-		// TODO (akartasov): Remove mounting after the image contains a built-in certificate.
-		mounts = append(mounts, mount.Mount{
-			Type:   mount.TypeBind,
-			Source: r.rdsCfg.SSLRootCert,
-			Target: sslRootCert,
-		})
-	}
-
-	return mounts
-}
-
 // SetConnectionOptions sets connection options for dumping.
 func (r *rdsDumper) SetConnectionOptions(ctx context.Context, c *Connection) error {
 	dbInstancesOutput, err := r.rdsSvc.DescribeDBInstancesWithContext(ctx, &rds.DescribeDBInstancesInput{
@@ -126,28 +91,6 @@ func (r *rdsDumper) SetConnectionOptions(ctx context.Context, c *Connection) err
 
 	dbInstance := dbInstancesOutput.DBInstances[0]
 
-	dbARN := dbInstancesOutput.DBInstances[0].DBInstanceArn
-	parsedDBArn, err := arn.Parse(aws.StringValue(dbARN))
-
-	if err != nil {
-		return errors.Wrap(err, "failed to parse a database ARN")
-	}
-
-	policy, err := r.getPolicy(r.getPolicyARN(parsedDBArn).String(), parsedDBArn, dbInstance)
-	if err != nil {
-		return errors.Wrap(err, "failed to get a policy")
-	}
-
-	_, err = r.iamSvc.AttachUserPolicy(&iam.AttachUserPolicyInput{
-		PolicyArn: policy.Arn,
-		UserName:  aws.String(r.rdsCfg.Username),
-	})
-	if err != nil {
-		return errors.Wrap(err, "failed to attach policy to a user")
-	}
-
-	log.Msg(fmt.Sprintf("Policy %q has been attached to %s", aws.StringValue(policy.Arn), r.rdsCfg.Username))
-
 	dbAuthToken, err := rdsutils.BuildAuthToken(
 		fmt.Sprintf("%s:%d", aws.StringValue(dbInstance.Endpoint.Address), int(aws.Int64Value(dbInstance.Endpoint.Port))),
 		r.rdsCfg.AWSRegion,
@@ -164,67 +107,3 @@ func (r *rdsDumper) SetConnectionOptions(ctx context.Context, c *Connection) err
 
 	return nil
 }
-
-func (r *rdsDumper) getPolicyARN(parsedDBArn arn.ARN) arn.ARN {
-	policyARN := arn.ARN{
-		Partition: parsedDBArn.Partition,
-		Service:   serviceIAM,
-		AccountID: parsedDBArn.AccountID,
-		Resource:  "policy/" + r.rdsCfg.IamPolicyName,
-	}
-
-	return policyARN
-}
-
-func (r *rdsDumper) getPolicy(policyARN string, parsedDBArn arn.ARN, dbInstance *rds.DBInstance) (*iam.Policy, error) {
-	policyOutput, err := r.iamSvc.GetPolicy(&iam.GetPolicyInput{
-		PolicyArn: aws.String(policyARN),
-	})
-	if err == nil {
-		return policyOutput.Policy, nil
-	}
-
-	if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() != iam.ErrCodeNoSuchEntityException {
-		return nil, errors.Wrap(err, "failed to get policy")
-	}
-
-	policyDocumentData, err := json.Marshal(r.buildPolicyDocument(parsedDBArn, dbInstance))
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to marshal a policy document")
-	}
-
-	createPolicyOutput, err := r.iamSvc.CreatePolicy(&iam.CreatePolicyInput{
-		PolicyDocument: aws.String(string(policyDocumentData)),
-		PolicyName:     aws.String(r.rdsCfg.IamPolicyName),
-	})
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to create a policy")
-	}
-
-	log.Msg(fmt.Sprintf("Policy has been created: %v", aws.StringValue(createPolicyOutput.Policy.Arn)))
-
-	return createPolicyOutput.Policy, nil
-}
-
-func (r *rdsDumper) buildPolicyDocument(parsedDBArn arn.ARN, dbInstance *rds.DBInstance) policyDocument {
-	dbPolicyARN := arn.ARN{
-		Partition: parsedDBArn.Partition,
-		Service:   serviceRDSDB,
-		Region:    parsedDBArn.Region,
-		AccountID: parsedDBArn.AccountID,
-		Resource:  fmt.Sprintf("dbuser:%s/*", aws.StringValue(dbInstance.DbiResourceId)),
-	}
-
-	policyDocument := policyDocument{
-		Version: rdsDocPolicyVersion,
-		Statement: []policyStatement{
-			{
-				Effect:   "Allow",
-				Action:   []string{rdsDBConnectAction},
-				Resource: []string{dbPolicyARN.String()},
-			},
-		},
-	}
-
-	return policyDocument
-}

Original file line number	Diff line number	Diff line change
`@@ -6,8 +6,6 @@ package logical`
`6`	`6`
`7`	`7`	`import (`
`8`	`8`	`"context"`
`9`		`-`
`10`		`- "github.com/docker/docker/api/types/mount"`
`11`	`9`	`)`
`12`	`10`
`13`	`11`	`type defaultDumper struct{}`
`@@ -20,10 +18,6 @@ func (d *defaultDumper) GetCmdEnvVariables() []string {`
`20`	`18`	`return []string{}`
`21`	`19`	`}`
`22`	`20`
`23`		`-func (d *defaultDumper) GetMounts() []mount.Mount {`
`24`		`- return []mount.Mount{}`
`25`		`-}`
`26`		`-`
`27`	`21`	`func (d defaultDumper) SetConnectionOptions(_ context.Context, _ Connection) error {`
`28`	`22`	`return nil`
`29`	`23`	`}`