feat: Setup metabase_read_only role

[DafyddLlyr]

What does this PR do?

• Sets up the metabase_read_only database role
• Ensures that Metabase can only read a small subset of tables and views, and has no write permissions
• Please see included doc file for more context and detail

Testing

I've gone ahead and set up the user and permissions outlined here on staging Metabase so that we can test a little (I'll revoke the changes before merging this PR).

It works as expected - for example, I can read sessions_summary, but running SQL to select from lowcal_sessions gives a permissions error.

[github-actions]

Removed vultr server and associated DNS entries

[DafyddLlyr]

This is the solution I'm proposing for setting up the metabase_user user. Not perfect but hopefully workable?

Once this PR is merged I'll manually run the above SQL on staging and prod and save passwords to 1Password. We could put them in Pulumi secrets, but my concern would be that as there's no code-reference to them they would be sensible candidates to "tidy up" accidentally.

Chances are it will exist on staging and production and we'll never really need to deal with it locally.

[jessicamcinchak]

This seems like a good thoughtful approach and will make for less-hassle rotation if necesary in future, but not entirely following based on this doc how this user relates to existing metabase user role provisioned/managed by Pulumi - eg https://github.com/theopensystemslab/planx-new/blob/main/infrastructure/application/index.ts#L100

At minimum, do we need to think about more distinctive naming? At most, is there a way to consolidate responsibilities of each into a single user role?

[DafyddLlyr]

Yeah this caught me out initially also.

This section of code is generating a role and user to be used for the MB_DB_CONNECTION_URI env var (docs), which is responsible for the schema and role of the internal metabase db, where dashboards etc are stored - not the PlanX schema where data is accessed via Hasura / ShareDB.

I'll add a code comment to Pulumi to make this explicit, as well as document this in the "how to" in this PR.

Do you think this would be enough?

[jessicamcinchak]

Yep happy with extra docs here !

[DafyddLlyr]

Please see 4dd9b14

[DafyddLlyr]

Hide new tables from Metabase as a default

[DafyddLlyr]

This might actually be redundant - I think there might be enough information in the views? If it's simpler to remove this I'm all for it 👍

[DafyddLlyr]

I'll contact Ollie today, or manually check Metabase, to see if this is required 👍

[DafyddLlyr]

Removed - these aren't currently used. See https://opensystemslab.slack.com/archives/C5Q59R3HB/p1709720214019159 (OSL Slack)

[DafyddLlyr]

Update - in order to move this forward I've granted access to the tables analytics and analytics_logs. They are safe to read, and currently used by SQL questions. The aim would be that once we migrate to GUI questions, we can rely on summary tables and tidy this up.

@zz-hh-aa Indicated that lowcal_sessions is used, which we do not want, so I've intentionally left this out to force a transition to submission_services_summary.

If this breaking change it too harsh, we can toggle the PG username/password used in Metabase until this is resolved.

[zz-hh-aa]

I think I've removed lowcal_sessions as a source from all the questions now anyway, and am only using summary tables + analytics or analytics_logs, so don't think anything should break! All good on my end.

[DafyddLlyr]

Ah that's perfect @zz-hh-aa thanks very much!

[jessicamcinchak]

All looks good to me - thanks for extra docs!

[jessicamcinchak]

Newest changes look good - all for not exposing lowcal_sessions and just toggling at Metabase level until all migrated to new view 👍

[DafyddLlyr]

Perfect - thanks very much @jessicamcinchak for the speedy re-review here ✅