-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PROD-2654 - MySQL on RDS as a detection/discovery source #5275
base: main
Are you sure you want to change the base?
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎ 1 Skipped Deployment
|
fides Run #10097
Run Properties:
|
Project |
fides
|
Branch Review |
refs/pull/5275/merge
|
Run status |
Passed #10097
|
Run duration | 00m 38s |
Commit |
0e82f1b0bd ℹ️: Merge d588db29ab04c027266ff08c0be3a30ab377afc0 into 41094b7274adb21532c23abbd898...
|
Committer | Andres Torres |
View all properties for this run ↗︎ |
Test results | |
---|---|
Failures |
0
|
Flaky |
0
|
Pending |
0
|
Skipped |
0
|
Passing |
4
|
Upgrade your plan to view test results. | |
View all changes introduced in this branch ↗︎ |
src/fides/api/alembic/migrations/versions/25fe48d56eaa_add_rds_mysql_to_connector_type.py
Outdated
Show resolved
Hide resolved
src/fides/api/alembic/migrations/versions/25fe48d56eaa_add_rds_mysql_to_connector_type.py
Outdated
Show resolved
Hide resolved
src/fides/api/schemas/connection_configuration/connection_secrets_rds_mysql.py
Show resolved
Hide resolved
src/fides/api/schemas/connection_configuration/connection_secrets_rds_mysql.py
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also maybe we can add a test on tests/ops/api/v1/endpoints/test_connection_template_endpoints.py::TestGetConnectionSecretSchema
to test for the added schema
src/fides/api/schemas/connection_configuration/connection_secrets_rds_mysql.py
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@andres-torres-marroquin i think we at least need a bit of a stronger type on the cert URL property here, and may need to think a bit more about the security implications - see my comment below
title="Region", | ||
description="The AWS region where the RDS instances are located.", | ||
) | ||
ca_cert_url: str = Field( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
knowing what i know about how this field is used downstream in the monitor, and the fact that it's user-input data - i think we need some more validation on this field. at a minimum, we should be using the AnyHttpUrl
pydantic class (or even better, using @pattisdr 's AnyHttpUrlString
in `fideslang) to put some bounds on this field.
additionally, we should probably perform some more checks on the URL before we fetch it and save it to the filesystem downstream. i'm not exactly sure the best way to check that, but it feels like it'd be wise...
if you feel like it makes more sense to just hardcode the default value here rather than accept user config for it, that may be OK. i know i'd vouched for a configurable field earlier, since i thought the flexibility would be a good fallback in case a customer isn't using this global AWS cert that we expect, but i hadn't really considered the security implications. sorry to go back and forth on this! i still think the flexibility would be nice, but we need to be able to do it in a reasonably secure way, so let's weigh that accordingly.
if you do decide to remove the flexibility, i think it would be good for us to confirm with our prospective customers of this feature whether the global AWS cert we're defaulting to is one that would work for their use case 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I confirmed with Michael that they use the standard certificate bundle.
Closes #PROD-2654
Description Of Changes
Added model for MySQL on RDS.
Code Changes
Steps to Confirm
Pre-Merge Checklist
CHANGELOG.md
main
downgrade()
migration is correct and works