From c3f7b7bc4d85fa787c4e2167cd1ccca5c28a211d Mon Sep 17 00:00:00 2001
From: Pat Heard
Date: Mon, 9 Sep 2024 16:15:45 -0400
Subject: [PATCH] feat: use RDS Proxy for IdP database connection pool (#788)
Add an RDS Proxy to manage the database connections for Zitadel. This will help reduce strain on the IdP and database and allow for smoother load scaling.
---
 aws/idp/rds.tf | 24 +++++++++++++++++++-----
 idp/docker/config.yaml | 4 ----
 2 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/aws/idp/rds.tf b/aws/idp/rds.tf
index 4bb3f89e3..3e69bc3e1 100644
--- a/aws/idp/rds.tf
+++ b/aws/idp/rds.tf
@@ -2,7 +2,7 @@
 # RDS Postgress cluster
 #
 module "idp_database" {
- source = "github.com/cds-snc/terraform-modules//rds?ref=50c0f631d2c8558e6eec44138ffc2e963a1dfa9a" # v9.6.0
+ source = "github.com/cds-snc/terraform-modules//rds?ref=63774b7bbea74205e90e173587da08193a6b85f7" # v9.6.5
 name = "idp"
 database_name = var.zitadel_database_name
@@ -12,10 +12,10 @@ module "idp_database" {
 instance_class = "db.serverless"
 serverless_min_capacity = var.idp_database_min_acu
 serverless_max_capacity = var.idp_database_max_acu
- use_proxy = false # TODO: enable for prod loads if performance requires it
- username = var.idp_database_cluster_admin_username
- password = var.idp_database_cluster_admin_password
+ username = var.idp_database_cluster_admin_username
+ password = var.idp_database_cluster_admin_password
+ proxy_secret_auth_arns = [aws_secretsmanager_secret.zidatel_database_proxy_auth.arn]
 backup_retention_period = 14
 preferred_backup_window = "02:00-04:00"
@@ -49,7 +49,7 @@ resource "aws_ssm_parameter" "zitadel_database_host" {
 # checkov:skip=CKV_AWS_337: Default SSM service key encryption is acceptable
 name = "zitadel_database_host"
 type = "SecureString"
- value = module.idp_database.rds_cluster_endpoint
+ value = module.idp_database.proxy_endpoint
 tags = local.common_tags
 }
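Review bot: Dropping `use_proxy = false` without adding an explicit `use_proxy = true` makes proxy creation depend on what the module does by default at v9.6.5 (or on whether it infers it from a non-empty `proxy_secret_auth_arns`); if it does not, `module.idp_database.proxy_endpoint` consumed elsewhere in this file ends up empty and the IdP has no database host. Set `use_proxy = true` next to `proxy_secret_auth_arns` so the intent survives a future module upgrade. As far as this hunk shows, only the application user's secret is registered with the proxy while the cluster admin credentials on the two lines above are passed to the cluster itself, which is the right least-privilege split; a short comment such as `# Only the Zitadel app user is registered with the proxy; admin connections still target the cluster endpoint` would keep the next maintainer from registering the admin credentials here. The enclosing `module "idp_database"` block starts and ends outside the hunk.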
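Review bot: `zitadel_database_host` now hands Zitadel the proxy endpoint, but nothing in this change shows TLS being enforced on the proxy side, and the client that consumes the parameter is configured with `SSL: Mode: require` in config.yaml, which encrypts the session but does not verify the certificate presented. Confirm the module enables `require_tls` on the proxy so plaintext connections to the new endpoint are refused, and consider moving the client to `verify-full` now that the host is a shared proxy rather than the cluster endpoint. The `aws_ssm_parameter "zitadel_database_host"` resource's opening line is outside the hunk.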
@@ -76,3 +76,17 @@ resource "aws_ssm_parameter" "zitadel_database_user_password" {
 value = var.zitadel_database_user_password
 tags = local.common_tags
 }
+
+resource "aws_secretsmanager_secret" "zidatel_database_proxy_auth" {
+ # checkov:skip=CKV2_AWS_57: automated rotation is not applicable to this secret
+ name = "zidatel_database_proxy_auth"
+ tags = local.common_tags
+}
+
+resource "aws_secretsmanager_secret_version" "zidatel_database_proxy_auth" {
+ secret_id = aws_secretsmanager_secret.zidatel_database_proxy_auth.id
+ secret_string = jsonencode({
+ username = var.zitadel_database_user_username,
+ password = var.zitadel_database_user_password
+ })
+}
diff --git a/idp/docker/config.yaml b/idp/docker/config.yaml
index e901265ab..fe36f04c6 100644
--- a/idp/docker/config.yaml
+++ b/idp/docker/config.yaml
@@ -15,10 +15,6 @@ TLS:
 Database:
 postgres:
 Port: 5432
- MaxOpenConns: 200
- MaxIdleConns: 20
- MaxConnLifetime: 1800
- MaxConnIdleTime: 1800
 User:
 SSL:
 Mode: require
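Review bot: The new secret is named `zidatel_database_proxy_auth` while every other identifier in this file is spelled `zitadel_…`; because `name` is also the Secrets Manager name, fixing the typo later forces a destroy-and-recreate, and a deleted secret keeps its name reserved for the default 30-day recovery window (no `recovery_window_in_days` is set), so it is cheapest to fix before merge: `resource "aws_secretsmanager_secret" "zitadel_database_proxy_auth" {` / `name = "zitadel_database_proxy_auth"`, with the `.arn` reference in the module block renamed to match. Separately, `secret_string` in `aws_secretsmanager_secret_version` is persisted in plaintext in the Terraform state, so the state backend's encryption and access controls now also guard the application database password; a comment like `# NOTE: secret_string is stored unencrypted in Terraform state` on that resource would record the dependency. The skip rationale "automated rotation is not applicable to this secret" also reads weaker once a proxy holds the credentials, since the proxy is what makes rotating the app user password possible without restarting the IdP; consider rewording it to say why rotation is deferred rather than inapplicable.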