guardian · akash1810 · Jun 18, 2024 · Jun 14, 2024 · Jun 14, 2024
@@ -0,0 +1,29 @@
+DO
+$do$
+    BEGIN
+        -- Create the `dataaudit` user if it doesn't exist
+        IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE  rolname = 'dataaudit') THEN
+            CREATE USER dataaudit WITH LOGIN;
+        END IF;
+
+        -- The rds_iam role is created by the RDS IAM extension, which is not available in DEV
+        IF EXISTS (select * from pg_roles where rolname='rds_iam') THEN
+            GRANT rds_iam TO dataaudit;
+        END IF;
+
+        GRANT USAGE ON SCHEMA public TO dataaudit;
+        GRANT SELECT ON public.aws_s3_buckets TO dataaudit;
+        GRANT SELECT ON public.aws_lambda_functions TO dataaudit;
+
+        -- These tables...
+        GRANT SELECT ON public.aws_organizations_accounts TO dataaudit;
+        GRANT SELECT ON public.aws_organizations_account_parents TO dataaudit;
+        GRANT SELECT ON public.aws_organizations_organizational_units TO dataaudit;
+
+        -- ...are used in this view
+        GRANT SELECT ON public.aws_accounts TO dataaudit;
+
+        -- The dataaudit user owns this table, so can do full CRUD operations
+        GRANT ALL ON public.audit_results TO dataaudit;
+    END
+$do$;
@@ -0,0 +1,21 @@
+DO
+$do$
+    BEGIN
+        -- Create the `github_actions_usage` user if it doesn't exist
+        IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE  rolname = 'github_actions_usage') THEN
+            CREATE USER github_actions_usage WITH LOGIN;
+        END IF;
+
+        -- The rds_iam role is created by the RDS IAM extension, which is not available in DEV
+        IF EXISTS (select * from pg_roles where rolname='rds_iam') THEN
+            GRANT rds_iam TO github_actions_usage;
+        END IF;
+
+        GRANT USAGE ON SCHEMA public TO github_actions_usage;
+        GRANT SELECT ON public.github_workflows TO github_actions_usage;
+        GRANT SELECT ON public.github_repositories TO github_actions_usage;
+
+        -- The github_actions_usage user owns this table, so can do full CRUD operations
+        GRANT ALL ON public.guardian_github_actions_usage TO github_actions_usage;
+    END
+$do$;
@@ -4,5 +4,50 @@
 SET ROLE repocop;
 SELECT * FROM view_repo_ownership LIMIT 1;
 
+-- Switch to the `dataaudit` user and test access to the tables/views used in the data-audit app
+SET ROLE dataaudit;
+-- It should be able to read from these tables
+SELECT * FROM aws_s3_buckets LIMIT 1;
+SELECT * FROM aws_lambda_functions LIMIT 1;
+SELECT * FROM aws_accounts LIMIT 1;
+
+-- It should be able to read/write from the table audit_results
+INSERT INTO audit_results (
+    evaluated_on
+    , name
+    , success
+    , cloudquery_total
+    , vendor_total
+) VALUES (
+    NOW()
+    , 'test'
+    , TRUE
+    , 1
+    , 1
+);
+SELECT * FROM audit_results LIMIT 1;
+
+-- The user github_actions_usage...
+SET ROLE github_actions_usage;
+
+-- ...should be able to read from these tables
+SELECT * FROM github_workflows LIMIT 1;
+SELECT * FROM github_repositories LIMIT 1;
+
+-- ...and read/write to the table guardian_github_actions_usage
+INSERT INTO guardian_github_actions_usage (
+    evaluated_on
+    , full_name
+    , workflow_path
+    , workflow_uses
+) VALUES (
+    NOW()
+    , 'guardian/service-catalogue'
+    , '.github/workflows/ci.yml'
+    , ARRAY['guardian/actions-riffraff@v4']
+);
+SELECT * FROM guardian_github_actions_usage LIMIT 1;
+
+
 -- Switch back to the original user
 RESET role;