modified terraform to add changes identified in rds-ssl-fix.md file

CDCgov · Oct 18, 2024 · f695017 · f695017
1 parent dcad4f3
commit f695017
Show file tree

Hide file tree

Showing 7 changed files with 33 additions and 1 deletion.
diff --git a/terraform/aws/docs/log_error.png b/terraform/aws/docs/log_error.png
diff --git a/terraform/aws/docs/log_fix.png b/terraform/aws/docs/log_fix.png
diff --git a/terraform/aws/docs/modified_iam_policy.png b/terraform/aws/docs/modified_iam_policy.png
diff --git a/terraform/aws/docs/original_iam_policy.png b/terraform/aws/docs/original_iam_policy.png
diff --git a/terraform/aws/docs/rds-ssl-fix.md b/terraform/aws/docs/rds-ssl-fix.md
@@ -0,0 +1,26 @@
+There were multiple configurations that prohibited the EKS tefca viewer pod from connecting to the Postgres database. 
+
+1. The EKS clusterwas missing the required IAM permissions (add to phdi-playground repo)
+    1. 
+    - Original policy had  `rds:Connect` as an action it was creating the error `Invalid Action: The action rds:Connect does not exist`
+    ![Original Policy](./original_iam_policy.png) 
+
+    - Modified Policy : This policy replaced rds:Connect with rds-db:Connect and the resource block to reference the database with the Resource ID
+    ![Modified Policy](./modified_iam_policy.png) 
+
+
+2. In the parameter group for the database, rds.force_ssl was enabled and only allows SSL connections.
+    - I disable the parameter by changing the value to 0
+
+    The fix is sufficient to allow the connection between the pod and RDS.
+
+    - Log with error message:
+    ![Log error](./log_error.png)
+
+    - Log after making changes above:
+        - In the snapshot, I can verify that the database is connecting based off of the 3 entries that show connection received, connection authenticated, and connection authorized
+    ![Log fix](./log_fix.png)
+
+3. To better assist with troubleshooting in the future, I made the change below:
+    -  I turned on Postgres logging for the RDS database to help with debugging the issue
+
diff --git a/terraform/aws/implementation/modules/rds/data.tf b/terraform/aws/implementation/modules/rds/data.tf
@@ -3,7 +3,7 @@ data "aws_iam_policy_document" "tefca_viewer_db_policy" {
     sid    = ""
     effect = "Allow"
     actions = [
-      "rds:Connect",
+      "rds-db:connect",
       "rds:DescribeDBInstances",
       "rds:DescribeDBClusters",
       "rds:DescribeDBSnapshots",

diff --git a/terraform/aws/implementation/modules/rds/main.tf b/terraform/aws/implementation/modules/rds/main.tf
@@ -6,6 +6,7 @@ resource "aws_db_instance" "tefca-viewer-db" {
   allocated_storage         = 5
   engine                    = var.engine_type
   engine_version            = var.engine_version
+  enabled_cloudwatch_logs_exports = "postgresql"
   username                  = var.db_username
   password                  = random_password.setup_rds_password.result
   db_subnet_group_name      = aws_db_subnet_group.this.name
@@ -25,6 +26,11 @@ resource "aws_db_parameter_group" "this" {
     name  = "log_connections"
     value = "1"
   }
+   parameter {
+    name  = "rds.force_ssl"
+    value = "0"
+  }
+
 
   lifecycle {
     create_before_destroy = true