fix: do not force sslmode at infrastructure level (#337)

* fix: do not force sslmode at infrastructure level * add RDS CA certs to all container dockerfiles * fix: nginx uses safe x-forwarded-host flag
pubpub · May 7, 2024 · 7e8e7cf · 7e8e7cf
1 parent fca322c
commit 7e8e7cf
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 10 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -16,7 +16,14 @@ FROM node:${NODE_VERSION}-alpine as base
 ARG PNPM_VERSION=8.14.3
 
 # Install python deps for node-gyp
-RUN apk add g++ make py3-pip
+RUN apk add g++ make py3-pip ca-certificates curl
+
+# Setup RDS CA Certificates
+
+RUN curl -L \
+      -o  /usr/local/share/ca-certificates/rds-global-bundle.pem \
+      https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem \
+    && update-ca-certificates
 
 # Set working directory for all build stages.
 WORKDIR /usr/src/app

diff --git a/core/.env.docker b/core/.env.docker
@@ -1 +1 @@
-DATABASE_URL=postgresql://${PGUSER}:${PGPASSWORD}@${PGHOST}:${PGPORT}/${PGDATABASE}?sslmode=require
+DATABASE_URL=postgresql://${PGUSER}:${PGPASSWORD}@${PGHOST}:${PGPORT}/${PGDATABASE}
diff --git a/infrastructure/nginx/default.conf.template b/infrastructure/nginx/default.conf.template
@@ -8,6 +8,11 @@ server {
 
   location / {
     proxy_pass  $scheme://nextjs;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Real-IP $remote_addr;
   }
 
   location /legacy_healthcheck {

diff --git a/infrastructure/terraform/modules/core-services/outputs.tf b/infrastructure/terraform/modules/core-services/outputs.tf
@@ -2,7 +2,6 @@ locals {
   db_user = aws_db_instance.core_postgres.username
   db_name = aws_db_instance.core_postgres.db_name
   db_host = aws_db_instance.core_postgres.address
-  db_sslmode = "require"
 }
 
 output "secrets" {
@@ -23,17 +22,12 @@ output "asset_uploader_key_id" {
   value = aws_iam_access_key.asset_uploader.id
 }
 
-output "rds_connection_string_sans_password" {
-  value = "postgresql://${local.db_user}@${local.db_host}:5432/${local.db_name}?sslmode=${local.db_sslmode}"
-}
-
 output "rds_connection_components" {
   value = {
     user = local.db_user
     database = local.db_name
     host = local.db_host
     port = "5432"
-    sslmode = local.db_sslmode
     id = aws_db_instance.core_postgres.id
   }
 }
diff --git a/infrastructure/terraform/modules/deployment/main.tf b/infrastructure/terraform/modules/deployment/main.tf
@@ -76,7 +76,6 @@ module "service_core" {
   configuration = {
     container_port = 3000
     environment = [
-      # { name = "DATABASE_URL", value = module.core_dependency_services.rds_connection_string_sans_password },
       { name = "PGUSER", value = module.core_dependency_services.rds_connection_components.user },
       { name = "PGDATABASE", value = module.core_dependency_services.rds_connection_components.database },
       { name = "PGHOST", value = module.core_dependency_services.rds_connection_components.host },
@@ -213,7 +212,6 @@ module "service_flock" {
 
    configuration = {
      environment = [
-       # { name = "DATABASE_URL", value = module.core_dependency_services.rds_connection_string_sans_password },
        { name = "PGUSER", value = module.core_dependency_services.rds_connection_components.user },
        { name = "PGDATABASE", value = module.core_dependency_services.rds_connection_components.database },
        { name = "PGHOST", value = module.core_dependency_services.rds_connection_components.host },
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		DATABASE_URL=postgresql://${PGUSER}:${PGPASSWORD}@${PGHOST}:${PGPORT}/${PGDATABASE}?sslmode=require
		DATABASE_URL=postgresql://${PGUSER}:${PGPASSWORD}@${PGHOST}:${PGPORT}/${PGDATABASE}