Moped Documentation
  • Welcome 👋
  • User Guides
    • Getting started
    • Map a project
  • Product Management
    • User communication
    • User management
    • User analytics
    • Local testing
    • Release process
    • Patch release process
    • MUI X Pro License
    • Integrations
      • Dataset documentation
      • ArcGIS Online
      • eCapris
      • Power BI
    • Features
  • Dev Guides
    • DB Docs & Data dictionary
    • Database backup policy
    • Moped Read Replica
    • How-to's
      • How do I start the Hasura cluster locally?
      • How do I launch the Hasura Console?
      • How do I generate an SSH key? (Mac)
      • How do I get a JWT token?
      • How to ping the GraphQL API
      • How to ping the REST API
      • How do I connect a database with Postgres GUIs?
      • How do I connect to the RDS instance?
      • How to load production data into a local instance
      • How do I update seed data?
    • Hasura
      • Hasura Roles
      • Hasura Migrations
        • Getting Started
        • Installing the Hasura CLI
        • Configuration Files
        • Hasura Migration Principles
        • The Migration file format
        • Development
        • Hasura Seed Data
        • Running the Hasura Cluster Locally (video)
        • Create a migration: Exercise 1 (video)
        • Create a migration: Exercise 2 (video)
        • Latest hasura-cluster features
    • User Management
    • Authentication
      • Authentication Architecture
      • DynamoDB & Cognito
      • Secrets Manager & Cognito
      • Hasura & Cognito
      • React & Cognito
      • Flask API & Cognito
      • Single Sign-On with CTM
    • Code organization
    • API
      • Configuration Files
      • Testing
      • User Management API
    • Maps and geospatial data
      • Access tokens and API keys
      • Map libraries
      • Map data
      • Map styles
      • Map layers and basemaps
      • React patterns
      • V1 Archive
        • Map libraries
        • Map data
        • Map custom hooks
        • Map styles
        • Map layers and basemaps
    • UI access control
    • Design system
      • Branding
      • Component styles
      • Text content
    • Activity Log
      • Architecture
      • GitHub Actions and Deployment of Updates
      • Hasura Event Logs and Truncate Cron Job
      • Authentication
  • See also
  • Get Moped support, report a bug, or request an enhancement
  • Data & Technology Services
  • Github repository
Powered by GitBook
On this page
  • Access
  • Account Management
  • staff role management

Was this helpful?

  1. Dev Guides

Moped Read Replica

Information about the Moped Read Replica and how to make new accounts

PreviousDatabase backup policyNextHow-to's

Last updated 2 months ago

Was this helpful?

The Moped Database, which runs in RDS, has been converted into a pair of instances, with the new instance providing a read-only, read replica.

Access

The endpoint for TCP/IP connections on port 5432 is moped-read-replica.austinmobility.io.

Network access to the read replica is accomplished via an which limits inbound traffic to the CTM network block to cover traffic from COA office locations and COA VPN connections plus a number of single addresses associated to developer homes.

Account management access is additionally used with the following naming scheme:

  • Create a new role for each human user, <lastName + firstInitial>, with read only access to atd_moped and atd_moped_staging.

  • Add the new user to the staff role, so that they inherit staff's permissions.

The read replica is inherently read-only, but, just in case, if a developer were to open a tunnel via SSH through the bastion host and connect with these users / roles, accounts intended to be accessed via the read replica are configured to not allow write access.

Account Management

Due to the nature of the read replica, account management is done through primary database. The following is an example of the creation of a new read replica account intended for use by a person:

Creating an account for "John Doe"

create user doej with password '09876543210_strong_password_0987654321';
grant staff to doej;

staff role management

This is for historical documentation; this should not be needed when adding a new user. In the near future, this will be done automatically and on a schedule by an ETL.

-- in staging
GRANT CONNECT ON DATABASE atd_moped_staging TO staff;

grant usage on schema public to staff;
grant usage on schema hdb_catalog to staff;
grant usage on schema deprecated to staff;

GRANT SELECT ON ALL TABLES IN SCHEMA public TO staff;
GRANT SELECT ON ALL TABLES IN SCHEMA hdb_catalog TO staff;
GRANT SELECT ON ALL TABLES IN SCHEMA deprecated TO staff;

GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO staff;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA hdb_catalog TO staff;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA deprecated TO staff;

-- in production
GRANT CONNECT ON DATABASE atd_moped TO staff;

grant usage on schema public to staff;
grant usage on schema hdb_catalog to staff;
grant usage on schema deprecated to staff;

GRANT SELECT ON ALL TABLES IN SCHEMA public TO staff;
GRANT SELECT ON ALL TABLES IN SCHEMA hdb_catalog TO staff;
GRANT SELECT ON ALL TABLES IN SCHEMA deprecated TO staff;

GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO staff;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA hdb_catalog TO staff;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA deprecated TO staff;
AWS security group