DPR2-893: Glue connection and placeholder operational datastore secret

[tom-ogle-moj]

• Limit created resources to Dev/Sandbox only
• Create a Glue JDBC Data Connection for attachment to DataHub Glue jobs to give them Operational Datastore access
• Temporarily populate it with the manually created Dev/Sandbox RDS details which will be replaced by the actual Operational Datastore details
• Create a secret for the credentials used by the DataHub Glue jobs to write to the Operational Datastore
• Create a Security Group associated with the Glue JDBC Data Connection
  • it will be associated with a glue job automatically when the connection is attached to it
  • this is a requirement of Glue and it allows Glue to communicate with itself by allowing TCP ingress on all ports from the security group. See https://docs.aws.amazon.com/glue/latest/dg/setup-vpc-for-glue-access.html
  • the same security group is attached to the RDS as well as the glue job so the same ingress rule also allows access to the RDS instance. Instead, a separate security group could be attached to the RDS allowing Ingress from this security group.
  • it allows egress on all ports which allows it to communicate with services such as S3 without having an S3 service endpoint in the VPC.
• I've tested this by attaching the connection to the activities glue batch job, manually giving the job access to read the secret and verifying it can write to the RDS database using the connection and secret provided here

[gavriil-g-moj]

LGTM, not sure if the static analysis failure is an issue.

[tom-ogle-moj]

LGTM, not sure if the static analysis failure is an issue.

It seems that it fails for our project continuously for every PR

[harichintala1]

lgtm