
@cptanalatriste (Contributor) commented Dec 15, 2025

✅ Checklist

  • You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
  • You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
  • Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).

🚦 Depends on

N/A

⤴️ Summary

An H2 database for a Nexus server is prone to data corruption. We have experienced this in production multiple times (e.g. #2481). In this PR, we replace the in-memory H2 database with a PostgreSQL one, using the following guidance.

This change requires the following:

  • We defined a new subnet for hosting the PostgreSQL database. For this subnet, we also define a new network security group (NSG). We also modify the original NSG of the software repositories component, to allow connections from the new subnet (see networking.py).
  • We extended the software repositories to also include a PostgreSQL database instance. When defining this component, we need to allowlist the PG_TRGM extension, as is required by Nexus. We also add additional environment variables to the Nexus container, to instruct it to connect to PostgreSQL instead of H2 (see software_repositories.py).
  • We also stored the admin password for the PostgreSQL database in the TRE's Key Vault (see data.py).
  • To initialise the PostgreSQL database (i.e. create users, databases, schemas, and extensions, see init_db.mustache.sql) we rely on the existing SRE provisioning manager component. This class already does the same for the Guacamole containers (see sre_provisioning_manager.py).

🌂 Related issues

Closes #2481

🔬 Tests

We have verified that after deploying this change Nexus is working as expected:

[screenshot: Nexus web UI after deployment]

And that the PostgreSQL database is created and populated by the Nexus container:

[screenshot: PostgreSQL database populated by the Nexus container]
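The initialisation step the summary describes (users, database, extension), written out as an added example rather than the PR's own init_db.mustache.sql. The role and database names ("nexus") and the {{nexus_password}} placeholder are assumptions; the placeholder stands for the secret the provisioner would read from the TRE Key Vault.

```sql
-- Added example, not the PR's init_db.mustache.sql. Assumed names: role
-- "nexus", database "nexus". {{nexus_password}} is a placeholder that the
-- provisioning step is assumed to fill from the Key Vault secret.

-- 1. Dedicated login role for the Nexus container, with no server-wide
--    privileges. Guarded so the script can be re-run by the provisioner.
DO $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'nexus') THEN
        CREATE ROLE nexus WITH LOGIN PASSWORD '{{nexus_password}}'
            NOSUPERUSER NOCREATEDB NOCREATEROLE;
    END IF;
END
$$;

-- 2. Database owned by that role, so Nexus can create and migrate its own
--    schema without admin rights. CREATE DATABASE cannot run inside a
--    transaction block and has no IF NOT EXISTS form, so the provisioner
--    must check pg_database first or tolerate "already exists" on re-runs.
CREATE DATABASE nexus OWNER nexus ENCODING 'UTF8';

-- 3. By default PUBLIC may connect to any new database; close that and
--    grant connect to the Nexus role only (the admin retains access).
REVOKE CONNECT ON DATABASE nexus FROM PUBLIC;
GRANT CONNECT ON DATABASE nexus TO nexus;

-- 4. Run this while connected to the nexus database: extensions are
--    per-database. pg_trgm must already be allowlisted at server level
--    (the step the summary describes) or this statement is rejected.
CREATE EXTENSION IF NOT EXISTS pg_trgm;
```

After provisioning, `SELECT extname FROM pg_extension;` run inside the nexus database should list pg_trgm, and the Nexus container should connect as the nexus role rather than the server admin.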

github-actions bot commented Dec 15, 2025

Coverage report


Files changed and lines still missing coverage (statement counts and percentages did not survive extraction):

  • data_safe_haven/infrastructure/common/ip_ranges.py
  • data_safe_haven/infrastructure/components/composite/postgresql_database.py: lines 25-28, 103-121
  • data_safe_haven/infrastructure/programs/declarative_sre.py: lines 504-519
  • data_safe_haven/infrastructure/programs/sre/apt_proxy_server.py
  • data_safe_haven/infrastructure/programs/sre/data.py: lines 363-385, 855-867
  • data_safe_haven/infrastructure/programs/sre/networking.py: lines 1320-1325, 1334-1345, 1671-1679, 1811, 1831-1832, 1940-1947, 1958-1965, 2229, 2480-2485, 2504-2518
  • data_safe_haven/infrastructure/programs/sre/software_repositories.py: lines 53-59, 69-76, 194-222, 429-441
  • data_safe_haven/infrastructure/programs/sre/user_services.py: lines 64-66, 80-88, 105-112, 211-215
  • data_safe_haven/provisioning/sre_provisioning_manager.py: lines 34-66, 95, 99-105, 109-134, 143, 195-200
  • data_safe_haven/types/enums.py
  • Project Total

This report was generated by python-coverage-comment-action

@cptanalatriste cptanalatriste marked this pull request as ready for review December 16, 2025 12:21
@cptanalatriste cptanalatriste requested review from a team as code owners December 16, 2025 12:21

Linked issue (closed by this pull request): Nexus repository database gets corrupted