Add disableSSL and rejectUnauthorized settings to rds secret

asfadmin · Nov 1, 2024 · b39ea6f · b39ea6f
1 parent 33c35e0
commit b39ea6f
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,9 @@
 ## v18.5.0.1
 * Add GitHub Actions pipeline for deploying to ASF's Sandbox account
 * Add SNAPSHOT_IDENTIFIER to GitHub Actions pipeline for the v18.5.0 upgrade
+* Add `disableSSL` and `rejectUnauthorized` variables with default values from
+  latest Cumulus version. See
+  [CUMULUS-3919](https://bugs.earthdata.nasa.gov/browse/CUMULUS-3919)
 
 ## v18.5.0.0
 * Upgrade to [Cumulus v18.5.0](https://github.com/nasa/cumulus/releases/tag/v18.5.0)

diff --git a/rds/main.tf b/rds/main.tf
@@ -35,3 +35,26 @@ module "rds_cluster" {
   # https://bugs.earthdata.nasa.gov/browse/CUMULUS-3896
   tags = local.default_tags
 }
+
+# In Cumulus 18.5.0 the disableSSL and rejectUnauthorized variables were not
+# included in the secret version causing the lambdas to fail to connect to the
+# database. The Cumulus team has said they will not back port the fix to 18.5.0
+# so we need to add these settings in ourselves.
+data "aws_secretsmanager_secret_version" "rds_login" {
+  depends_on = [module.rds_cluster]
+  secret_id  = module.rds_cluster.admin_db_login_secret_arn
+  version_id = module.rds_cluster.admin_db_login_secret_version
+}
+
+resource "aws_secretsmanager_secret_version" "rds_login_override" {
+  secret_id = module.rds_cluster.admin_db_login_secret_arn
+  secret_string = jsonencode(
+    merge(
+      jsondecode(data.aws_secretsmanager_secret_version.rds_login.secret_string),
+      {
+        disableSSL         = var.disableSSL
+        rejectUnauthorized = var.rejectUnauthorized
+      },
+    )
+  )
+}
diff --git a/rds/variables.tf b/rds/variables.tf
@@ -48,6 +48,12 @@ variable "deletion_protection" {
   default     = true
 }
 
+variable "disableSSL" {
+  description = "If set to true, disable use of SSL with Core database connections."
+  type        = bool
+  default     = false
+}
+
 variable "engine_version" {
   description = "Postgres engine version for serverless cluster"
   type        = string
@@ -72,6 +78,12 @@ variable "rds_user_password" {
   default = ""
 }
 
+variable "rejectUnauthorized" {
+  description = "If disableSSL is false or not set, set to false to allow self-signed certificates or non-supported CAs."
+  type        = bool
+  default     = false
+}
+
 variable "snapshot_identifier" {
   description = "Optional database snapshot for restoration"
   type        = string