Creating the ATAT database requires a separate connection to one of the
default Postgres databases, like `postgres`. This updates the scripts
and secrets-tool command to handle creating the database. It also
removes database creation from Terraform and updates the documentation.
This additional secrets-tool command can be used to run the database
bootsrapping script (`script/database_setup.py`) inside an ATAT docker
container against the Azure database. It sources the necessary keys from
Key Vault.
This script is for bootstrapping the initial database. It can be run via
a container, but requires that a Postgres superuser's credentials be
provided via our normal config. That way the superuser can provision a
less-privileged user for the application's database connection.
Having `get_stage_csp_class` in the csp module meant that any file that interacted with that import path would throw an error in a REPL. This will allow importing of the Azure and Mock providers for interactive dev.
Move cloud.py to a module init. Move policy with it. Update related unit tests. Also adds a patch to state machine test to prevent randomness in mock from failing test.
This finally fixes the output coming from the vpc module so that it
returns a full list of subnets. Now they can be referenced just like the
redis module is using in this commit.
This sets up the rest of the service endpoints on the subnets. It also
adds a variable map specifically to grant IP access to the storage
buckets. This new variable map is necessary since the azure storage ip
rules do not accept /32 CIDR ranges. The rest of the services do support
cidr ranges.
To comply with security guidelines, we need to destroy the session when
a user logs out. This means that the session's key in the Redis cache
needs to be deleted. Flask expects to _always_ have a session object. If
the current session object does not exist in the Redis cache, Flask will
reserialize and store it at the end of the request. In order for
session deletion to work, we need to delete the key for the existing
session and then replace the session object with a new, empty one.
This also updates the SessionLimiter class so that the session prefix is
configurable.
Since we're using non-native enums for our model, alembic has some issues knowing what the previous "type" actually was, and not specifying it correctly causes a bad constraint.
