AWS RDS

-- For MySQL/MariaDB
CREATE USER 'aampe_reader'@'%' IDENTIFIED BY 'STRONG_PASSWORD_HERE';

-- For PostgreSQL
CREATE USER aampe_reader WITH PASSWORD 'STRONG_PASSWORD_HERE';

-- For SQL Server
CREATE LOGIN aampe_reader WITH PASSWORD = 'STRONG_PASSWORD_HERE';
CREATE USER aampe_reader FOR LOGIN aampe_reader;

-- For MySQL/MariaDB
GRANT SELECT ON your_database.* TO 'aampe_reader'@'%';
FLUSH PRIVILEGES;

-- For PostgreSQL
GRANT CONNECT ON DATABASE your_database TO aampe_reader;
GRANT USAGE ON SCHEMA public TO aampe_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO aampe_reader;
-- For future tables
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO aampe_reader;

-- For SQL Server
USE your_database;
ALTER ROLE db_datareader ADD MEMBER aampe_reader;

# Add ingress rule to your RDS security group
aws ec2 authorize-security-group-ingress \
  --group-id sg-YOUR_SECURITY_GROUP_ID \
  --protocol tcp \
  --port YOUR_DB_PORT \
  --cidr AAMPE_IP_RANGE/32 \
  --group-rule-description "Aampe data sync access"

# Download RDS CA certificate
wget https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem

# For MySQL, enforce SSL for the Aampe user
mysql> ALTER USER 'aampe_reader'@'%' REQUIRE SSL;