Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Breaking change in how provider verifies SSL-mode conenctions #361

Open
magul opened this issue Oct 12, 2023 · 0 comments
Open

Breaking change in how provider verifies SSL-mode conenctions #361

magul opened this issue Oct 12, 2023 · 0 comments

Comments

@magul
Copy link

magul commented Oct 12, 2023

Terraform Version

Terraform v1.6.1
on darwin_amd64
+ provider registry.terraform.io/cyrilgdn/postgresql v1.21.0

Affected Resource(s)

It's transport issue inside provider itself.
sources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

We're managing PostgreSQL instances that are inside private subnet of our VPC - to establish connection to them we use SSH tunelling. On provider version 1.19 it was working fine with:

provider "postgresql" {
  host     = "localhost"
  port     = 5432
  username = aws_db_instance.database.username
  password = aws_db_instance.database.password
  sslmode  = "verify-ca"
  # https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html
  # https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
  sslrootcert = "${path.module}/../../../modules/aws/environment/assets/global-bundle.pem"
  superuser   = false
}

after upgrade to 1.21 we started getting (with above configuration):

│ Error: Error connecting to PostgreSQL server localhost (scheme: postgres): x509: certificate is valid for XXX.XXX.us-east-1.rds.amazonaws.com, XXX.XXX.us-east-1.rds.amazonaws.com, XXX.XXX.us-east-1.rds.amazonaws.com, XXX.XXX.us-east-1.rds.amazonaws.com, not localhost

current workaround we employed (TBH we will stick with IP address instead of domain name, so from our perspective that's not a workaround) - we changed domain alias to direct IP address, so our current configuration looks like:

provider "postgresql" {
  host     = "127.0.0.1"
  port     = 5432
  username = aws_db_instance.database.username
  password = aws_db_instance.database.password
  sslmode  = "verify-ca"
  # https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html
  # https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
  sslrootcert = "${path.module}/../../../modules/aws/environment/assets/global-bundle.pem"
  superuser   = false
}

This workaround was inspired by: https://github.com/lib/pq/pull/1088/files#diff-22787c14a71947ab97f63d989464974b815e5b70a4cd27699215ea448a493f29R58-R60

Expected Behavior

When sslmode is set to verify-ca provider should not complain about domain mismatch (or at least provide way to set sslsni in pq library, if from RfC perspective complaining about mismatch is desired outcome).

Actual Behavior

When tuneling access to database through SSH providers is complaining about domain mismatch, even if sslmode is set to verfiy-ca.

Steps to Reproduce

  1. Use provider 1.21 (it should be also reproduceable on 1.20)
  2. Tunel access to DB via SSH.
  3. Use domain (instead of IP address) in provider configuration.
  4. AFAIK you need to have at least one resource declared using this provider.
  5. Observe provider complaining about domain mismatch.

References
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@magul