Skip to content

Add extra connection host for AWS RDS IAM token #489

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Add extra connection host for AWS RDS IAM token #489

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
6da51a3
add connection host
sichenzhao Nov 8, 2024
43d5e8d
Merge branch 'main' into connection_host
cyrilgdn Dec 30, 2024
bc9e0c3
update for comments
May 17, 2025
ba3d079
Update config.go
sichenzhao Jun 26, 2025
40eb932
Update provider.go
sichenzhao Jun 26, 2025
72dd06e
Merge branch 'main' into connection_host
sichenzhao Sep 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion postgresql/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -169,6 +169,7 @@ type ClientCertificateConfig struct {
type Config struct {
Scheme string
Host string
ConnectionHost string
Port int
Username string
Password string
Expand Down Expand Up @@ -248,7 +249,10 @@ func (c *Config) connParams() []string {
}

func (c *Config) connStr(database string) string {
host := c.Host
host := c.ConnectionHost
if host == "" {
host = c.Host
}
// For GCP, support both project/region/instance and project:region:instance
// (The second one allows to use the output of google_sql_database_instance as host
if c.Scheme == "gcppostgres" {
Expand Down
15 changes: 14 additions & 1 deletion postgresql/provider.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,10 @@ package postgresql
import (
"context"
"fmt"
"os"

"github.com/aws/aws-sdk-go-v2/credentials"
"github.com/aws/aws-sdk-go-v2/service/sts"
"os"

"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
Expand Down Expand Up @@ -40,6 +41,12 @@ func Provider() *schema.Provider {
}, false),
},
"host": {
Type: schema.TypeString,
Optional: true,
DefaultFunc: schema.EnvDefaultFunc("PGHOST", nil),
Description: "Name of PostgreSQL server address",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would revert this change, I feel "to connect to" is useful in distinguishing the difference between the options

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

},
"connection_host": {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am also in need of this feature 😄

As a potential user, I think I would find the stated difference between host and connection_host a bit confusing. As far as I know, the problem we're trying to solve is specific to the RDS IAM auth. I think it'd be more clear if the new provider option was prefixed with aws_rds_iam_ like the other options below (i.e. aws_rds_iam_hostname). Then we could clearly document that it should be the internal hostname of the RDS instance, used to generate an IAM token, which might not be the same address used to connect to the instance if connecting over a VPN / tunnel

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the reasonable comments! I am thinking about how I should update this PR.

IAM specific host is going to be the default host name though, and the connection host is the host through VPN/Tunnel. Not everyone uses VPN/Tunnel, but mostly every uses the host to get IAM token.

If I add a new IAM one, when not specified, we will use the default host to get the token, and when specified, we will use the default host to connect (VPN/Tunnel one), and use iam one to get the token. Sounds like a plan?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated!

Type: schema.TypeString,
Optional: true,
DefaultFunc: schema.EnvDefaultFunc("PGHOST", nil),
Expand Down Expand Up @@ -343,6 +350,11 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
port := d.Get("port").(int)
username := d.Get("username").(string)

connectionHost := d.Get("connection_host").(string)
if connectionHost == "" {
connectionHost = host
}

var password string
if d.Get("aws_rds_iam_auth").(bool) {
profile := d.Get("aws_rds_iam_profile").(string)
Expand Down Expand Up @@ -370,6 +382,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
config := Config{
Scheme: d.Get("scheme").(string),
Host: host,
ConnectionHost: connectionHost,
Port: port,
Username: username,
Password: password,
Expand Down
Loading