Fix connections to PostgreSQL 15 and later (#95)

irasnyd · Ira W. Snyder · web-flow · commit 238740fcd783 · 2025-04-24T08:28:32.000-07:00
Require SSL when configured for PostgreSQL 15 and later.

Co-authored-by: Ira W. Snyder &lt;ira@descarteslabs.com&gt;
diff --git a/locals.tf b/locals.tf
@@ -21,4 +21,8 @@ locals {
     module.metaflow-common.default_ui_static_container_image :
     var.ui_static_container_image
   )
+
+  # RDS PostgreSQL >= 15 requires SSL by default
+  # https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html#PostgreSQL.Concepts.General.SSL.Requiring
+  database_ssl_mode = tonumber(split(".", var.db_engine_version)[0]) >= 15 ? "require" : "disable"
 }
diff --git a/main.tf b/main.tf
@@ -28,6 +28,7 @@ module "metaflow-metadata-service" {
   database_name                    = module.metaflow-datastore.database_name
   database_password                = module.metaflow-datastore.database_password
   database_username                = module.metaflow-datastore.database_username
+  database_ssl_mode                = local.database_ssl_mode
   db_migrate_lambda_zip_file       = var.db_migrate_lambda_zip_file
   datastore_s3_bucket_kms_key_arn  = module.metaflow-datastore.datastore_s3_bucket_kms_key_arn
   enable_api_basic_auth            = var.metadata_service_enable_api_basic_auth
diff --git a/modules/metadata-service/ecs.tf b/modules/metadata-service/ecs.tf
@@ -36,7 +36,8 @@ resource "aws_ecs_task_definition" "this" {
       {"name": "MF_METADATA_DB_NAME", "value": "${var.database_name}"},
       {"name": "MF_METADATA_DB_PORT", "value": "5432"},
       {"name": "MF_METADATA_DB_PSWD", "value": "${var.database_password}"},
-      {"name": "MF_METADATA_DB_USER", "value": "${var.database_username}"}
+      {"name": "MF_METADATA_DB_USER", "value": "${var.database_username}"},
+      {"name": "MF_METADATA_DB_SSL_MODE", "value": "${var.database_ssl_mode}"}
     ],
     "logConfiguration": {
         "logDriver": "awslogs",
diff --git a/modules/metadata-service/variables.tf b/modules/metadata-service/variables.tf
@@ -20,6 +20,18 @@ variable "database_username" {
   description = "The database username"
 }
 
+variable "database_ssl_mode" {
+  type        = string
+  description = "The metadata service database connection ssl mode"
+  default     = "disable"
+
+  # https://github.com/Netflix/metaflow-service/blob/master/run_goose.py#L63
+  validation {
+    condition     = contains(["disable", "allow", "prefer", "require", "verify-ca", "verify-full"], var.database_ssl_mode)
+    error_message = "The database_ssl_mode variable is invalid."
+  }
+}
+
 variable "datastore_s3_bucket_kms_key_arn" {
   type        = string
   description = "The ARN of the KMS key used to encrypt the Metaflow datastore S3 bucket"

Original file line number	Diff line number	Diff line change
`@@ -21,4 +21,8 @@ locals {`
`21`	`21`	`module.metaflow-common.default_ui_static_container_image :`
`22`	`22`	`var.ui_static_container_image`
`23`	`23`	`)`
	`24`	`+`
	`25`	`+ # RDS PostgreSQL >= 15 requires SSL by default`
	`26`	`+ # https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html#PostgreSQL.Concepts.General.SSL.Requiring`
	`27`	`+ database_ssl_mode = tonumber(split(".", var.db_engine_version)[0]) >= 15 ? "require" : "disable"`
`24`	`28`	`}`