fix: DBTP-1010 Readonly postgres user doesn't have read perms (#140)

application-load-balancer/main.tf

@@ -45,6 +45,7 @@ resource "aws_lb_listener" "alb-listener" {
 }
 
 resource "aws_security_group" "alb-security-group" {
+  # checkov:skip=CKV2_AWS_5:Security group is used by VPC. Ticket to investigate: https://uktrade.atlassian.net/browse/DBTP-1039
   for_each = local.protocols
   name     = "${var.application}-${var.environment}-alb-${each.key}"
   vpc_id   = data.aws_vpc.vpc.id

postgres/lambda.tf

@@ -119,11 +119,11 @@ resource "aws_lambda_invocation" "create-readonly-user" {
     CopilotApplication  = var.application
     CopilotEnvironment  = var.environment
     MasterUserSecretArn = aws_db_instance.default.master_user_secret[0].secret_arn
-    SecretDescription   = "RDS application user secret for ${local.name}"
+    SecretDescription   = "RDS readonly user secret for ${local.name}"
     SecretName          = "/copilot/${var.application}/${var.environment}/secrets/${local.read_only_secret_name}"
     Username            = "readonly_user"
     Permissions = [
-      "SELECT",
+      "SELECT"
     ],
     DbHost               = aws_db_instance.default.address,
     DbPort               = aws_db_instance.default.port,

postgres/manage_users.py

@@ -18,7 +18,7 @@ def create_db_user(conn, cursor, username, password, permissions):
     cursor.execute(f"CREATE USER {username} WITH ENCRYPTED PASSWORD '%s'" % password)
     cursor.execute(f"GRANT {username} to postgres;")
     cursor.execute(f"GRANT {', '.join(permissions)} ON ALL TABLES IN SCHEMA public TO {username};")
-    cursor.execute(f"ALTER DEFAULT PRIVILEGES FOR USER {username} IN SCHEMA public GRANT {', '.join(permissions)} ON TABLES TO {username};")
+    cursor.execute(f"ALTER DEFAULT PRIVILEGES FOR USER application_user IN SCHEMA public GRANT {', '.join(permissions)} ON TABLES TO {username};")
 
     if 'INSERT' in permissions:
         cursor.execute(f"GRANT CREATE ON SCHEMA public TO {username};")