
Conversation

@raviharshicorp

  • Add postgres-passwordless module with IAM authentication
  • Update database module to support IAM authentication options
  • Add variables for enabling postgres passwordless mode
  • Update main module integration for postgres passwordless

Background

This enables PostgreSQL database authentication using AWS IAM instead of traditional username/password authentication.

Relates OR Closes https://github.com/hashicorp/terraform-enterprise/pull/3079

How Has This Been Tested

CI/CD: https://github.com/hashicorp/terraform-enterprise/actions/runs/18079265431/job/51440243884

@hashicorp-cla-app

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

Have you signed the CLA already but the status is still pending? Recheck it.


- Apply terraform fmt to align with CI/CD formatting requirements
- Fix alignment in locals.tf for database module references
- Fix alignment in main.tf for database module parameters
- Fix alignment in modules/database/main.tf
Documentation will be added separately in a future PR

@tauhid621 tauhid621 left a comment


The postgres-passwordless module does not seem to be used here. We are just deploying normal postgres in this.
The approach is also not similar to the general use case. Looks like we are creating a VM and running postgres using docker.

We should use an RDS instance for this.

…ernal modules

Updated module sources to reference the external terraform-random-tfe-utility
repository with the pravi-postgres-passwordless branch that contains the
critical TFE environment variable fixes.

Changes:
- runtime_container_engine_config: ./modules -> git::...//modules/runtime_container_engine_config?ref=pravi-postgres-passwordless
- tfe_init: ./modules -> git::...//modules/tfe_init?ref=pravi-postgres-passwordless
- settings: ./modules -> git::...//modules/settings?ref=pravi-postgres-passwordless
- tfe_init_replicated: ./modules -> git::...//modules/tfe_init_replicated?ref=pravi-postgres-passwordless

These modules were referencing non-existent local modules and needed to
use the external modules that contain the proper environment variable
configuration for AWS RDS IAM authentication.
…entication

Added comments to address reviewer feedback about postgres-passwordless module usage:

1. **Using RDS, not EC2+Docker**: The current configuration correctly uses the
   standard RDS database module (./modules/database) which creates aws_db_instance
   with native IAM authentication support via enable_iam_database_authentication.

2. **postgres-passwordless module not used**: The postgres-passwordless module
   creates an EC2 instance with PostgreSQL in Docker, which is not suitable for
   production use cases. RDS is the correct approach.

3. **IAM authentication properly configured**:
   - RDS: enable_iam_database_authentication = true when passwordless requested
   - TFE: database_passwordless_aws_use_iam passed to runtime configuration
   - Region: database_passwordless_aws_region set for AWS authentication

This follows the standard AWS best practice of using managed RDS services
with IAM database authentication rather than self-managed PostgreSQL on EC2.
Required by the terraform release test infrastructure to properly
declare variables passed from the test environment.
This variable allows specifying a separate database username for IAM
authentication when postgres_enable_iam_auth=true. If null, it uses
the db_username (master user).

Required for passwordless PostgreSQL authentication tests.
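As an added example (not code from this PR or from the terraform-random-tfe-utility modules), the following Terraform wires up the three pieces the commit messages above describe: an RDS PostgreSQL instance with IAM database authentication enabled, a least-privilege `rds-db:connect` policy scoped to a separate IAM-mapped database user (the `iam_db_username` variable is this example's name for the separate username the PR adds), and the database-side role with `rds_iam` granted. The variable names, the `tfe_instance_role_name`, `db_subnet_group_name` and `security_group_ids` inputs, and the resource identifiers are assumptions for illustration.

```hcl
# Added example, not the PR's module code. Assumes an existing DB subnet group,
# security group(s) and an IAM role attached to the TFE hosts (names below are
# hypothetical inputs).
terraform {
  required_providers {
    aws        = { source = "hashicorp/aws" }
    postgresql = { source = "cyrilgdn/postgresql" }
  }
}

variable "postgres_enable_iam_auth" { type = bool, default = true }
variable "iam_db_username" { type = string, default = "tfe_iam" }
variable "master_password" { type = string, sensitive = true } # master user still needs one
variable "db_subnet_group_name" { type = string }
variable "security_group_ids" { type = list(string) }
variable "tfe_instance_role_name" { type = string }

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_db_instance" "tfe" {
  identifier             = "tfe-postgres"
  engine                 = "postgres"
  engine_version         = "16"
  instance_class         = "db.m6g.large"
  allocated_storage      = 50
  db_name                = "tfe"
  username               = "tfe_admin"
  password               = var.master_password
  db_subnet_group_name   = var.db_subnet_group_name
  vpc_security_group_ids = var.security_group_ids
  storage_encrypted      = true
  skip_final_snapshot    = true

  # Provider attribute that turns on IAM token authentication for the instance.
  iam_database_authentication_enabled = var.postgres_enable_iam_auth
}

# Least privilege: the TFE role may only connect as the IAM-mapped DB user,
# and only to this instance (scoped by the instance's DbiResourceId).
data "aws_iam_policy_document" "rds_connect" {
  statement {
    actions = ["rds-db:connect"]
    resources = [
      "arn:aws:rds-db:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:dbuser:${aws_db_instance.tfe.resource_id}/${var.iam_db_username}"
    ]
  }
}

resource "aws_iam_role_policy" "tfe_rds_connect" {
  name   = "tfe-rds-iam-connect"
  role   = var.tfe_instance_role_name
  policy = data.aws_iam_policy_document.rds_connect.json
}

# Database side: bootstrap with the master user, create the IAM login role and
# grant rds_iam so the engine accepts IAM tokens for it.
provider "postgresql" {
  host      = aws_db_instance.tfe.address
  port      = aws_db_instance.tfe.port
  database  = aws_db_instance.tfe.db_name
  username  = aws_db_instance.tfe.username
  password  = var.master_password
  sslmode   = "require"
  superuser = false # RDS does not expose a superuser
}

resource "postgresql_role" "tfe_iam" {
  name  = var.iam_db_username
  login = true
}

resource "postgresql_grant_role" "tfe_iam_rds" {
  role       = postgresql_role.tfe_iam.name
  grant_role = "rds_iam"
}
```

Two caveats a practitioner should keep in mind: once `rds_iam` is granted, password authentication is disabled for that role, so keep the master user separate (as the PR's `db_username` / IAM-username split does) to avoid locking yourself out of administration; and IAM tokens are only accepted over TLS and expire after 15 minutes, so the client must mint a fresh token per connection rather than caching it like a password.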
- Add database_endpoint, database_username, database_password, database_name outputs
- Required for PostgreSQL provider configuration in passwordless auth tests
- Enables test to access database connection parameters from module outputs
2 participants