feat: add RDS/Aurora refresh component for DBLab

Add a new component that automates DBLab full refresh using temporary
RDS/Aurora database clones created from snapshots. This enables a
hassle-free data sync workflow that doesn't impact production.

Features:
- Create temporary RDS/Aurora clones from latest automated snapshots
- Wait for clone availability with proper timeout handling
- Trigger DBLab full refresh via API
- Poll refresh status until completion
- Clean up temporary clones automatically

Deployment options:
- AWS Lambda with SAM template and EventBridge scheduling
- Standalone CLI binary for cron/manual execution
- Docker container for containerized environments

Includes comprehensive documentation with IAM policy examples
and example configuration files.

Author: claude

engine/cmd/rds-refresh/main.go

@@ -0,0 +1,176 @@
+/*
+2024 © Postgres.ai
+*/
+
+// Package main provides the entry point for the rds-refresh CLI tool.
+// This tool automates DBLab full refresh using temporary RDS/Aurora clones.
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/aws/aws-lambda-go/lambda"
+
+	"gitlab.com/postgres-ai/database-lab/v3/internal/rdsrefresh"
+)
+
+var (
+	version   = "dev"
+	buildTime = "unknown"
+)
+
+func main() {
+	// Check if running in Lambda
+	if os.Getenv("AWS_LAMBDA_FUNCTION_NAME") != "" {
+		lambda.Start(rdsrefresh.HandleLambda)
+		return
+	}
+
+	// CLI mode
+	configPath := flag.String("config", "", "Path to configuration file")
+	dryRun := flag.Bool("dry-run", false, "Validate configuration without creating resources")
+	showVersion := flag.Bool("version", false, "Show version information")
+	help := flag.Bool("help", false, "Show help")
+
+	flag.Usage = printUsage
+	flag.Parse()
+
+	if *help {
+		printUsage()
+		os.Exit(0)
+	}
+
+	if *showVersion {
+		fmt.Printf("rds-refresh version %s (built: %s)\n", version, buildTime)
+		os.Exit(0)
+	}
+
+	if *configPath == "" {
+		fmt.Fprintln(os.Stderr, "error: -config flag is required")
+		printUsage()
+		os.Exit(1)
+	}
+
+	if err := run(*configPath, *dryRun); err != nil {
+		fmt.Fprintf(os.Stderr, "error: %v\n", err)
+		os.Exit(1)
+	}
+}
+
+func run(configPath string, dryRun bool) error {
+	cfg, err := rdsrefresh.LoadConfig(configPath)
+	if err != nil {
+		return fmt.Errorf("failed to load config: %w", err)
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Handle interrupt signals
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
+
+	go func() {
+		sig := <-sigCh
+		fmt.Printf("\nReceived signal %v, initiating graceful shutdown...\n", sig)
+		cancel()
+	}()
+
+	logger := &rdsrefresh.DefaultLogger{}
+
+	refresher, err := rdsrefresh.NewRefresher(ctx, cfg, logger)
+	if err != nil {
+		return fmt.Errorf("failed to initialize refresher: %w", err)
+	}
+
+	if dryRun {
+		return refresher.DryRun(ctx)
+	}
+
+	result := refresher.Run(ctx)
+
+	fmt.Println()
+	fmt.Println("=== Refresh Summary ===")
+	fmt.Printf("Success:     %v\n", result.Success)
+	fmt.Printf("Snapshot:    %s\n", result.SnapshotID)
+	fmt.Printf("Clone ID:    %s\n", result.CloneID)
+	fmt.Printf("Duration:    %v\n", result.Duration.Round(1e9))
+
+	if result.Error != nil {
+		return result.Error
+	}
+
+	return nil
+}
+
+func printUsage() {
+	fmt.Fprintf(os.Stderr, `rds-refresh - Automate DBLab full refresh using RDS/Aurora snapshots
+
+This tool creates a temporary RDS/Aurora clone from a snapshot, triggers
+a DBLab Engine full refresh, and then cleans up the temporary clone.
+
+USAGE:
+    rds-refresh -config <path> [options]
+
+OPTIONS:
+    -config <path>    Path to YAML configuration file (required)
+    -dry-run          Validate configuration without creating resources
+    -version          Show version information
+    -help             Show this help message
+
+LAMBDA MODE:
+    When running as an AWS Lambda function (detected via AWS_LAMBDA_FUNCTION_NAME
+    environment variable), configuration is loaded from environment variables:
+
+    Required:
+        RDS_SOURCE_IDENTIFIER       Source RDS instance or Aurora cluster ID
+        RDS_CLONE_INSTANCE_CLASS    Instance class for the clone (e.g., db.t3.medium)
+        DBLAB_API_ENDPOINT          DBLab Engine API endpoint
+        DBLAB_TOKEN                 DBLab verification token
+        AWS_REGION                  AWS region
+
+    Optional:
+        RDS_SOURCE_TYPE             "rds" or "aurora-cluster" (default: rds)
+        RDS_SNAPSHOT_IDENTIFIER     Specific snapshot ID (default: latest)
+        RDS_CLONE_SUBNET_GROUP      DB subnet group name
+        RDS_CLONE_SECURITY_GROUPS   JSON array of security group IDs
+        RDS_CLONE_PUBLIC            "true" to make clone publicly accessible
+        RDS_CLONE_PARAMETER_GROUP   DB parameter group name
+        RDS_CLONE_ENABLE_IAM_AUTH   "true" to enable IAM authentication
+        RDS_CLONE_STORAGE_TYPE      Storage type (gp2, gp3, io1, etc.)
+        RDS_CLONE_TAGS              JSON object of additional tags
+        DBLAB_INSECURE              "true" to skip TLS verification
+
+EXAMPLE CONFIGURATION:
+
+    source:
+      type: rds
+      identifier: production-db
+
+    clone:
+      instanceClass: db.t3.medium
+      subnetGroup: default-vpc-subnet
+      securityGroups:
+        - sg-12345678
+      publiclyAccessible: false
+      enableIAMAuth: true
+
+    dblab:
+      apiEndpoint: https://dblab.example.com:2345
+      token: ${DBLAB_TOKEN}
+      pollInterval: 30s
+      timeout: 4h
+
+    aws:
+      region: us-east-1
+
+For more information, see:
+    https://postgres.ai/docs/database-lab-engine
+
+`)
+}

engine/configs/rds-refresh.example.yaml

@@ -0,0 +1,95 @@
+# Example configuration for rds-refresh component
+#
+# This component automates DBLab full refresh using temporary RDS/Aurora clones.
+# Copy this file and customize for your environment.
+#
+# For Lambda deployment, see deploy/rds-refresh/template.yaml
+# For CLI usage: rds-refresh -config rds-refresh.yaml
+
+# Source database configuration
+source:
+  # Type of source database:
+  # - "rds" for RDS DB instance
+  # - "aurora-cluster" for Aurora cluster
+  type: rds
+
+  # RDS DB instance identifier or Aurora cluster identifier
+  identifier: production-db
+
+  # Optional: Specific snapshot identifier to use
+  # If empty, the latest automated snapshot will be used
+  # snapshotIdentifier: rds:production-db-2024-01-15-02-00
+
+# Temporary clone configuration
+clone:
+  # Instance class for the clone (can be smaller than production)
+  instanceClass: db.t3.medium
+
+  # DB subnet group (must be in a VPC accessible from DBLab Engine)
+  subnetGroup: default-vpc-subnet
+
+  # VPC security groups for the clone
+  # Must allow inbound connections from DBLab Engine on PostgreSQL port
+  securityGroups:
+    - sg-12345678
+    - sg-87654321
+
+  # Whether the clone should be publicly accessible
+  # Set to false if DBLab is in the same VPC
+  publiclyAccessible: false
+
+  # Enable IAM database authentication (recommended)
+  enableIAMAuth: true
+
+  # Optional: DB parameter group name
+  # parameterGroup: custom-postgres-params
+
+  # Optional: DB option group name (RDS only)
+  # optionGroup: custom-options
+
+  # Optional: Cluster parameter group (Aurora only)
+  # clusterParameterGroup: aurora-postgres-params
+
+  # Optional: Engine version override
+  # engineVersion: "15.4"
+
+  # Optional: Custom port (default: 5432)
+  # port: 5432
+
+  # Optional: Storage type (gp2, gp3, io1, io2)
+  # storageType: gp3
+
+  # Deletion protection (should be false for temporary clones)
+  deletionProtection: false
+
+  # Additional tags for the clone
+  tags:
+    Environment: dblab-refresh
+    Team: platform
+    CostCenter: engineering
+
+# DBLab Engine configuration
+dblab:
+  # DBLab Engine API endpoint
+  apiEndpoint: https://dblab.example.com:2345
+
+  # Verification token for DBLab API
+  # Use environment variable expansion for security
+  token: ${DBLAB_TOKEN}
+
+  # Skip TLS certificate verification (not recommended for production)
+  insecure: false
+
+  # How often to poll DBLab status during refresh
+  pollInterval: 30s
+
+  # Maximum time to wait for refresh to complete
+  timeout: 4h
+
+# AWS configuration
+aws:
+  # AWS region where RDS/Aurora resources are located
+  region: us-east-1
+
+  # Optional: Custom AWS endpoint (for testing with LocalStack)
+  # endpoint: http://localhost:4566

engine/deploy/rds-refresh/Dockerfile

@@ -0,0 +1,39 @@
+# Build stage
+FROM golang:1.23-alpine AS builder
+
+RUN apk add --no-cache git ca-certificates
+
+WORKDIR /build
+
+# Copy go mod files first for better caching
+COPY engine/go.mod engine/go.sum ./
+RUN go mod download
+
+# Copy source code
+COPY engine/ ./
+
+# Build the binary
+ARG VERSION=dev
+ARG BUILD_TIME=unknown
+
+RUN CGO_ENABLED=0 GOOS=linux go build \
+    -ldflags="-s -w -X main.version=${VERSION} -X main.buildTime=${BUILD_TIME}" \
+    -o /rds-refresh \
+    ./cmd/rds-refresh
+
+# Runtime stage
+FROM alpine:3.19
+
+RUN apk add --no-cache ca-certificates tzdata
+
+# Create non-root user
+RUN adduser -D -u 1000 appuser
+
+WORKDIR /app
+
+COPY --from=builder /rds-refresh /usr/local/bin/rds-refresh
+
+USER appuser
+
+ENTRYPOINT ["/usr/local/bin/rds-refresh"]
+CMD ["--help"]