Add a tool to initialize new RDS databases #16
Conversation
hundt-corbalt
left a comment
cool!
cmd/rds-init/README.md
Outdated
| ## When to Run | ||
|
|
||
| - **Initial provisioning** — Run after creating a new RDS instance | ||
| - **Password rotation** — Run after manually updating the password in the `{db-identifier}_nessus` Secrets Manager secret to sync it to the database |
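Review bot: the "Password rotation" bullet in this hunk conflicts with the flow in the PR description, where the admin role is switched to RDS IAM auth on the first run and password auth is disabled for it, so a second run with the same password-based admin connection string will fail to authenticate. Either state that the rotation run needs an IAM-authenticated admin connection (or a different admin credential) or drop the bullet.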
I don't really understand how this is a use case, since presumably this will happen after the first run, so it won't work because there is no more password auth.
cmd/rds-init/main.go
Outdated
| max := big.NewInt(int64(len(passwordCharset))) | ||
| out := make([]byte, n) | ||
|
|
||
| for i := 0; i < n; i++ { |
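Review bot: `max` on the first line of this hunk shadows the `max` builtin that Go 1.21 added, which makes the rest of the function harder to read and will trip `go vet`-style shadow checks; rename it to something like `charsetLen`. The loop itself is fine: drawing each index with `crypto/rand.Int` against the charset length is rejection-sampled, so there is no modulo bias.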
Optional: as we discussed, just reading random bytes and using Sprintf("%x") is even simpler. Feel free to do whichever one you prefer.
hundt-corbalt
left a comment
Approved, but please respond to the comment on line 47.
https://github.com/corbaltcode/go-libraries/pull/16/changes#r2632615561
Removed that line completely, as we never supported an RDS IAM approach to running this script, since it wasn't needed as part of the reprovisioning of test DBs.
PR Description
This PR adds a tool that accepts a Postgres connection string with admin permissions. It sets up a `nessus_scan_user` and a secret in Secrets Manager for SecOps to use for scanning. (If the secret already exists, it will use the password already there to update the `nessus_scan_user`, so that the two match.)
Then it sets the admin user to RDS IAM auth mode, which in turn disables password auth.
Tests:
Ran against a dev DB and verified that the secret and user were updated as expected in each case.
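The flow described above (reuse the password in the `{db-identifier}_nessus` secret if it exists, otherwise generate one, sync it to `nessus_scan_user`, then switch the admin role to IAM auth) and the two password generators discussed in review (charset indexing with `crypto/rand.Int` versus hex-encoded random bytes), as one added example. This is not the PR's code: the charset, the 32-character length, the in-memory `secretStore` standing in for Secrets Manager, and the `provisionPlan`/`quoteLiteral` helpers are assumptions made here for illustration. It emits the SQL the tool would run rather than connecting, so it runs offline.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// passwordCharset is an assumed alphabet; the PR's real charset is not shown on the page.
const passwordCharset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// randomCharsetPassword draws n characters uniformly from passwordCharset.
// rand.Int rejection-samples in [0, charsetLen), so there is no modulo bias.
func randomCharsetPassword(n int) (string, error) {
	charsetLen := big.NewInt(int64(len(passwordCharset))) // not named max: that shadows a Go 1.21 builtin
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		idx, err := rand.Int(rand.Reader, charsetLen)
		if err != nil {
			return "", err
		}
		out[i] = passwordCharset[idx.Int64()]
	}
	return string(out), nil
}

// randomHexPassword is the simpler alternative suggested in review: nBytes of
// CSPRNG output as hex, i.e. 2*nBytes characters carrying 4 bits each.
func randomHexPassword(nBytes int) (string, error) {
	buf := make([]byte, nBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

// entropyBits is chars * log2(alphabetSize) for a uniformly drawn password.
func entropyBits(chars, alphabetSize int) float64 {
	return float64(chars) * math.Log2(float64(alphabetSize))
}

// quoteLiteral builds a PostgreSQL string literal. Doubling single quotes is
// sufficient with standard_conforming_strings=on (the default since 9.1, and on RDS);
// NUL bytes cannot appear in a literal at all, so they are rejected.
func quoteLiteral(s string) (string, error) {
	if strings.ContainsRune(s, 0) {
		return "", errors.New("NUL byte not allowed in SQL literal")
	}
	return "'" + strings.ReplaceAll(s, "'", "''") + "'", nil
}

// quoteIdent builds a PostgreSQL identifier by doubling embedded double quotes.
func quoteIdent(s string) string {
	return `"` + strings.ReplaceAll(s, `"`, `""`) + `"`
}

// secretStore is a constructed in-memory stand-in for Secrets Manager.
type secretStore map[string]string

// provisionPlan returns the SQL the tool would run and whether the secret already
// existed. On a re-run the existing secret's password wins, so DB and secret stay in sync.
func provisionPlan(store secretStore, dbIdentifier, adminRole string) ([]string, bool, error) {
	secretName := dbIdentifier + "_nessus"
	pw, existed := store[secretName]
	if !existed {
		var err error
		if pw, err = randomCharsetPassword(32); err != nil {
			return nil, false, err
		}
		store[secretName] = pw
	}
	lit, err := quoteLiteral(pw)
	if err != nil {
		return nil, existed, err
	}
	stmts := []string{
		// CREATE ROLE is not idempotent, so guard it for the re-run case.
		"DO $$ BEGIN IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'nessus_scan_user') THEN CREATE ROLE nessus_scan_user LOGIN; END IF; END $$;",
		"ALTER ROLE nessus_scan_user WITH PASSWORD " + lit + ";",
		// Granting rds_iam turns on IAM auth for the role and disables password auth for it.
		"GRANT rds_iam TO " + quoteIdent(adminRole) + ";",
	}
	return stmts, existed, nil
}

func main() {
	store := secretStore{} // first run: no secret yet
	stmts, existed, err := provisionPlan(store, "dev-db", "postgres")
	if err != nil {
		panic(err)
	}
	fmt.Printf("secret existed: %v\n", existed)
	for _, s := range stmts {
		fmt.Println(s)
	}
	fmt.Printf("charset pw: %.1f bits, hex pw: %.1f bits\n", entropyBits(32, 62), entropyBits(32, 16))
}
```

Two points the numbers make: a 32-character alphanumeric password carries about 190 bits, while 32 hex characters carry 128, so the hex route should use at least 16 random bytes to stay at 128 bits. Separately, `ALTER ROLE ... PASSWORD` sends the password in the statement text, so it will appear in the server log if `log_statement` is `all` or `ddl` on the instance; run the tool with that in mind.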