feat: use RDS Proxy for IdP database connection pool (#788)

Add an RDS Proxy to manage the database connections for Zitadel. This will help reduce strain on the IdP and database and allow for smoother load scaling.
cds-snc · Sep 9, 2024 · c3f7b7b · c3f7b7b
1 parent c1aca16
commit c3f7b7b
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 9 deletions.
diff --git a/aws/idp/rds.tf b/aws/idp/rds.tf
@@ -2,7 +2,7 @@
 # RDS Postgress cluster
 #
 module "idp_database" {
-  source = "github.com/cds-snc/terraform-modules//rds?ref=50c0f631d2c8558e6eec44138ffc2e963a1dfa9a" # v9.6.0
+  source = "github.com/cds-snc/terraform-modules//rds?ref=63774b7bbea74205e90e173587da08193a6b85f7" # v9.6.5
   name   = "idp"
 
   database_name           = var.zitadel_database_name
@@ -12,10 +12,10 @@ module "idp_database" {
   instance_class          = "db.serverless"
   serverless_min_capacity = var.idp_database_min_acu
   serverless_max_capacity = var.idp_database_max_acu
-  use_proxy               = false # TODO: enable for prod loads if performance requires it
 
-  username = var.idp_database_cluster_admin_username
-  password = var.idp_database_cluster_admin_password
+  username               = var.idp_database_cluster_admin_username
+  password               = var.idp_database_cluster_admin_password
+  proxy_secret_auth_arns = [aws_secretsmanager_secret.zidatel_database_proxy_auth.arn]
 
   backup_retention_period      = 14
   preferred_backup_window      = "02:00-04:00"
@@ -49,7 +49,7 @@ resource "aws_ssm_parameter" "zitadel_database_host" {
   # checkov:skip=CKV_AWS_337: Default SSM service key encryption is acceptable
   name  = "zitadel_database_host"
   type  = "SecureString"
-  value = module.idp_database.rds_cluster_endpoint
+  value = module.idp_database.proxy_endpoint
   tags  = local.common_tags
 }
 
@@ -76,3 +76,17 @@ resource "aws_ssm_parameter" "zitadel_database_user_password" {
   value = var.zitadel_database_user_password
   tags  = local.common_tags
 }
+
+resource "aws_secretsmanager_secret" "zidatel_database_proxy_auth" {
+  # checkov:skip=CKV2_AWS_57: automated rotation is not applicable to this secret
+  name = "zidatel_database_proxy_auth"
+  tags = local.common_tags
+}
+
+resource "aws_secretsmanager_secret_version" "zidatel_database_proxy_auth" {
+  secret_id = aws_secretsmanager_secret.zidatel_database_proxy_auth.id
+  secret_string = jsonencode({
+    username = var.zitadel_database_user_username,
+    password = var.zitadel_database_user_password
+  })
+}
diff --git a/idp/docker/config.yaml b/idp/docker/config.yaml
@@ -15,10 +15,6 @@ TLS:
 Database:
   postgres:
     Port: 5432
-    MaxOpenConns: 200
-    MaxIdleConns: 20
-    MaxConnLifetime: 1800
-    MaxConnIdleTime: 1800
     User:
       SSL:
         Mode: require