AAI-119 Initialize user management database

.env.example

@@ -15,3 +15,10 @@ GALAXY_API_KEY=api-key
 #   don't process this with pydantic-settings as it needs
 #   to be used before the FastAPI app loads
 CORS_ALLOWED_ORIGINS=http://localhost:8000
+# Database config: we do this differently for local dev vs. on AWS
+# NOTE: DB_HOST is used first if present, so don't include it
+# if you want a local DB
+# Local dev: supply the full DB connection string as DB_URL
+DB_URL=sqlite:///mydatabase.db
+# AWS: supply DB_HOST, with the host name and port
+# DB_HOST=mydb.amazonaws.com:5432

.github/workflows/deploy.yml

@@ -55,6 +55,7 @@ jobs:
           AWS_CERTIFICATE_ARN=${{ secrets.AWS_CERTIFICATE_ARN }}
           AWS_ZONE_ID=${{ secrets.AWS_ZONE_ID }}
           AWS_ZONE_DOMAIN=${{ secrets.AWS_ZONE_DOMAIN }}
+          AWS_DB_HOST=${{ secrets.AWS_DB_HOST }}
           EOF
 
       - name: CDK Deploy

alembic.ini

@@ -0,0 +1,118 @@
+# A generic, single database configuration.
+
+[alembic]
+# path to migration scripts
+script_location = migrations
+
+# template used to generate migration file names; The default value is %%(rev)s_%%(slug)s
+# Uncomment the line below if you want the files to be prepended with date and time
+# see https://alembic.sqlalchemy.org/en/latest/tutorial.html#editing-the-ini-file
+# for all available tokens
+# file_template = %%(year)d_%%(month).2d_%%(day).2d_%%(hour).2d%%(minute).2d-%%(rev)s_%%(slug)s
+
+# sys.path path, will be prepended to sys.path if present.
+# defaults to the current working directory.
+prepend_sys_path = .
+
+# timezone to use when rendering the date within the migration file
+# as well as the filename.
+# If specified, requires the python>=3.9 or backports.zoneinfo library.
+# Any required deps can installed by adding `alembic[tz]` to the pip requirements
+# string value is passed to ZoneInfo()
+# leave blank for localtime
+# timezone =
+
+# max length of characters to apply to the
+# "slug" field
+# truncate_slug_length = 40
+
+# set to 'true' to run the environment during
+# the 'revision' command, regardless of autogenerate
+# revision_environment = false
+
+# set to 'true' to allow .pyc and .pyo files without
+# a source .py file to be detected as revisions in the
+# versions/ directory
+# sourceless = false
+
+# version location specification; This defaults
+# to migrations/versions.  When using multiple version
+# directories, initial revisions must be specified with --version-path.
+# The path separator used here should be the separator specified by "version_path_separator" below.
+# version_locations = %(here)s/bar:%(here)s/bat:migrations/versions
+
+# version path separator; As mentioned above, this is the character used to split
+# version_locations. The default within new alembic.ini files is "os", which uses os.pathsep.
+# If this key is omitted entirely, it falls back to the legacy behavior of splitting on spaces and/or commas.
+# Valid values for version_path_separator are:
+#
+# version_path_separator = :
+# version_path_separator = ;
+# version_path_separator = space
+version_path_separator = os  # Use os.pathsep. Default configuration used for new projects.
+
+# set to 'true' to search source files recursively
+# in each "version_locations" directory
+# new in Alembic version 1.10
+# recursive_version_locations = false
+
+# the output encoding used when revision files
+# are written from script.py.mako
+# output_encoding = utf-8
+
+# NOTE: we set the sqlalchemy URL in migrations/env.py
+#  as we need to set it dynamically based on environment
+#sqlalchemy.url = driver://user:pass@localhost/dbname
+
+
+[post_write_hooks]
+# post_write_hooks defines scripts or Python functions that are run
+# on newly generated revision scripts.  See the documentation for further
+# detail and examples
+
+# format using "black" - use the console_scripts runner, against the "black" entrypoint
+# hooks = black
+# black.type = console_scripts
+# black.entrypoint = black
+# black.options = -l 79 REVISION_SCRIPT_FILENAME
+
+# lint with attempts to fix using "ruff" - use the exec runner, execute a binary
+# hooks = ruff
+# ruff.type = exec
+# ruff.executable = %(here)s/.venv/bin/ruff
+# ruff.options = --fix REVISION_SCRIPT_FILENAME
+
+# Logging configuration
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S

db/models.py

@@ -0,0 +1,22 @@
+import uuid
+from datetime import datetime, timezone
+from typing import Literal
+
+from pydantic import AwareDatetime
+from sqlmodel import AutoString, DateTime, Field, SQLModel
+
+ApprovalStatus = Literal["approved", "pending", "revoked"]
+
+
+class GroupMembership(SQLModel, table=True):
+    id: uuid.UUID = Field(default_factory=uuid.uuid4, primary_key=True)
+    # TODO: May want to constrain the types of strings
+    #   given they have a specific format
+    # TODO: May want to make group and/or user_id indexes?
+    group: str
+    user_id: str
+    user_email: str
+    approval_status: ApprovalStatus = Field(sa_type=AutoString)
+    updated_at: AwareDatetime = Field(default_factory=lambda: datetime.now(timezone.utc), sa_type=DateTime)
+    updated_by_id: str
+    updated_by_email: str

db/setup.py

@@ -0,0 +1,48 @@
+import os
+from typing import Tuple
+
+from dotenv import dotenv_values
+from sqlmodel import Session, SQLModel, create_engine
+
+
+def get_db_config() -> Tuple[str, dict]:
+    """
+    Get database configuration from environment variables
+    or the .env file
+    """
+    # Get database URL
+    # Case 1: AWS: we need to assemble the DB url from different
+    #   environment variables (as these need to be populated from
+    #   secrets)
+    host = os.getenv("DB_HOST", None)
+    if host is not None:
+        user = os.getenv("DB_USER")
+        password = os.getenv("DB_PASSWORD")
+        db_url = f"postgresql+psycopg://{user}:{password}@{host}"
+        return db_url, {}
+    # Case 2: we have DB_URL set in the .env file, or we just want
+    #   an in-memory DB for dev/testing
+    # Doing this separately from pydantic-settings as we
+    # need this before loading the FastAPI app
+    env_values = dotenv_values(".env")
+    # Prefer the explicitly set value in .env, then environment variable,
+    #   fallback to in-memory DB
+    db_url = env_values.get("DB_URL") or os.getenv("DB_URL") or "sqlite://"
+    if db_url.startswith("sqlite://"):
+        connect_args = {"check_same_thread": False}
+    else:
+        connect_args = {}
+    return db_url, connect_args
+
+
+DB_URL, db_connect_args = get_db_config()
+engine = create_engine(DB_URL, connect_args=db_connect_args)
+
+
+def create_db_and_tables():
+    SQLModel.metadata.create_all(engine)
+
+
+def get_db_session():
+    with Session(engine) as session:
+        yield session

deploy/aai_backend_deploy/aai_backend_deploy_stack.py

@@ -25,6 +25,9 @@
 from aws_cdk import (
     aws_route53 as route53,
 )
+from aws_cdk import (
+    aws_secretsmanager as secretsmanager,
+)
 from constructs import Construct
 
 
@@ -36,9 +39,14 @@ def __init__(self, scope: Construct, construct_id: str, config: dict, **kwargs)
             self.certificate_arn = config["AWS_CERTIFICATE_ARN"]
             self.zone_id = config["AWS_ZONE_ID"]
             self.zone_domain = config["AWS_ZONE_DOMAIN"]
+            self.db_host = config["AWS_DB_HOST"]
         except KeyError as e:
             raise ValueError(f"Missing required configuration: {e}. These should be set in .env locally, or GitHub Secrets.")
 
+        db_secret = secretsmanager.Secret.from_secret_name_v2(
+            self, "DbCredentials", "aai-backend-db-credentials"
+        )
+
         # VPC
         vpc = ec2.Vpc(self, "AaiBackendVPC", max_azs=2)
 
@@ -64,6 +72,11 @@ def __init__(self, scope: Construct, construct_id: str, config: dict, **kwargs)
             environment={
                 "FORCE_REDEPLOY": str(datetime.datetime.now())
             },
+            secrets={
+                "DB_USER": ecs.Secret.from_secrets_manager(db_secret, field="username"),
+                "DB_PASSWORD": ecs.Secret.from_secrets_manager(db_secret, field="password"),
+                "DB_HOST": self.db_host,
+            },
             logging=ecs.LogDrivers.aws_logs(stream_prefix="FastAPI"),
         )
 

deploy/app.py

@@ -12,6 +12,7 @@ def get_dotenv_config():
         "AWS_CERTIFICATE_ARN": os.getenv("AWS_CERTIFICATE_ARN"),
         "AWS_ZONE_ID": os.getenv("AWS_ZONE_ID"),
         "AWS_ZONE_DOMAIN": os.getenv("AWS_ZONE_DOMAIN"),
+        "AWS_DB_HOST": os.getenv("AWS_DB_HOST"),
     }
 
 config = get_dotenv_config()

main.py

@@ -1,8 +1,12 @@
+from contextlib import asynccontextmanager
 
 from dotenv import dotenv_values
 from fastapi import FastAPI
 from starlette.middleware.cors import CORSMiddleware
 
+# This has to be imported even if unused
+from db import models  # noqa: F401
+from db.setup import create_db_and_tables
 from routers import admin, bpa_register, galaxy_register, user, utils
 
 # Load .env to get CORS_ALLOWED_ORIGINS.
@@ -14,7 +18,13 @@
     origin.strip() for origin in env_values.get("CORS_ALLOWED_ORIGINS", "").split(",")
 ]
 
-app = FastAPI()
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    create_db_and_tables()
+    yield
+
+app = FastAPI(lifespan=lifespan)
 app.add_middleware(
     CORSMiddleware,
     allow_origins=ALLOWED_ORIGINS,

migrations/README

@@ -0,0 +1 @@
+Generic single-database configuration.

migrations/env.py

@@ -0,0 +1,82 @@
+from logging.config import fileConfig
+
+from sqlalchemy import engine_from_config
+from sqlalchemy import pool
+from sqlmodel import SQLModel
+
+from alembic import context
+
+from db import models
+from db.setup import get_db_config
+
+# this is the Alembic Config object, which provides
+# access to the values within the .ini file in use.
+config = context.config
+db_url, _ = get_db_config()
+config.set_main_option("sqlalchemy.url", db_url)
+
+# Interpret the config file for Python logging.
+# This line sets up loggers basically.
+if config.config_file_name is not None:
+    fileConfig(config.config_file_name)
+
+# add your model's MetaData object here
+# for 'autogenerate' support
+target_metadata = SQLModel.metadata
+
+# other values from the config, defined by the needs of env.py,
+# can be acquired:
+# my_important_option = config.get_main_option("my_important_option")
+# ... etc.
+
+
+def run_migrations_offline() -> None:
+    """Run migrations in 'offline' mode.
+
+    This configures the context with just a URL
+    and not an Engine, though an Engine is acceptable
+    here as well.  By skipping the Engine creation
+    we don't even need a DBAPI to be available.
+
+    Calls to context.execute() here emit the given string to the
+    script output.
+
+    """
+    url = config.get_main_option("sqlalchemy.url")
+    context.configure(
+        url=url,
+        target_metadata=target_metadata,
+        literal_binds=True,
+        dialect_opts={"paramstyle": "named"},
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def run_migrations_online() -> None:
+    """Run migrations in 'online' mode.
+
+    In this scenario we need to create an Engine
+    and associate a connection with the context.
+
+    """
+    connectable = engine_from_config(
+        config.get_section(config.config_ini_section, {}),
+        prefix="sqlalchemy.",
+        poolclass=pool.NullPool,
+    )
+
+    with connectable.connect() as connection:
+        context.configure(
+            connection=connection, target_metadata=target_metadata
+        )
+
+        with context.begin_transaction():
+            context.run_migrations()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()

migrations/script.py.mako

@@ -0,0 +1,27 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+import sqlmodel
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision: str = ${repr(up_revision)}
+down_revision: Union[str, None] = ${repr(down_revision)}
+branch_labels: Union[str, Sequence[str], None] = ${repr(branch_labels)}
+depends_on: Union[str, Sequence[str], None] = ${repr(depends_on)}
+
+
+def upgrade() -> None:
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade() -> None:
+    ${downgrades if downgrades else "pass"}