terraform-provider-postgresql
When scheme=awspostgres, sslmode is not respected, causing x509: certificate signed by unknown authority
If we set up a provider as such:
provider "postgresql" {
  scheme  = "awspostgres"
  sslmode = "require"
  ...
}
And connect to an RDS instance whose CA comes from rds-ca-ecc384-g1, we get an unexpected error:
│ Error: Error connecting to PostgreSQL server database-name.region.rds.amazonaws.com (scheme: awspostgres): tls: failed to verify certificate: x509: certificate signed by unknown authority
Based on sslmode = "require", I expect no certificate validation.
I believe the issue is here: https://github.com/cyrilgdn/terraform-provider-postgresql/blob/fea83f376887d76424148b665b47c7f5c72371cc/postgresql/config.go#L205-L210
We should change this to if c.Scheme == "postgres" || c.Scheme == "awspostgres"
I'm able to workaround this by just setting scheme=postgres.
Terraform Version
$ terraform -v
Terraform v1.5.2
on darwin_amd64
+ provider registry.terraform.io/cyrilgdn/postgresql v1.20.0
+ provider registry.terraform.io/hashicorp/aws v4.59.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.18.1
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/hashicorp/random v3.4.3
Affected Resource(s)
- terraform-provider-postgresql (provider itself, not resources)
Terraform Configuration Files
See the snippet above
Debug Output
N/A
Panic Output
N/A
Expected Behavior
We should be able to connect to an RDS instance with the above config.
Actual Behavior
Error
Steps to Reproduce
Create an RDS instance with issuing CA rds-ca-ecc384-g1 (I expect the same behavior for other new CAs too)
Try to connect with the provider using scheme = "awspostgres" and sslmode = "require"
Important Factoids
No
References
None
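As an added illustration of the fix proposed above (this is example code written for this page, not the provider's own code from postgresql/config.go; the Config type, its field names and the builder functions are assumptions), the snippet below contrasts a DSN builder that only honours sslmode for scheme = "postgres" with one that also accepts "awspostgres", and generalises to "gcppostgres" as well. The point it makes visible is that a dropped sslmode is silent: the configured value never reaches the driver, so whatever default the driver applies takes over.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
)

// Config holds the handful of provider settings this issue is about.
// The type and its field names are assumptions for this example; the
// provider's real config struct lives in postgresql/config.go.
type Config struct {
	Scheme   string // "postgres", "awspostgres" or "gcppostgres"
	Host     string
	Port     int
	Database string
	Username string
	Password string
	SSLMode  string // disable, require, verify-ca or verify-full
}

// baseURL assembles scheme, credentials, host and database; the TLS-related
// query parameters are appended separately by the two builders below.
func baseURL(c Config) *url.URL {
	return &url.URL{
		Scheme: c.Scheme,
		User:   url.UserPassword(c.Username, c.Password),
		Host:   c.Host + ":" + strconv.Itoa(c.Port),
		Path:   "/" + c.Database,
	}
}

// buildDSNBuggy mirrors the behaviour the report describes: sslmode is only
// appended when the scheme is exactly "postgres". For "awspostgres" the
// configured value is silently dropped and the driver falls back to its own
// default, which is how sslmode = "require" can still end in a
// certificate-verification failure.
func buildDSNBuggy(c Config) string {
	u := baseURL(c)
	q := url.Values{}
	if c.Scheme == "postgres" {
		q.Set("sslmode", c.SSLMode)
	}
	u.RawQuery = q.Encode()
	return u.String()
}

// buildDSNFixed applies the change proposed in the issue (also accept
// "awspostgres") and, as a generalisation, covers "gcppostgres", which a
// later comment reports as equally affected.
func buildDSNFixed(c Config) string {
	u := baseURL(c)
	q := url.Values{}
	switch c.Scheme {
	case "postgres", "awspostgres", "gcppostgres":
		q.Set("sslmode", c.SSLMode)
	}
	u.RawQuery = q.Encode()
	return u.String()
}

// sslModeOf reports which sslmode, if any, survived into the final DSN:
// the check to run before trusting a connection string handed to a driver.
func sslModeOf(dsn string) (string, bool) {
	u, err := url.Parse(dsn)
	if err != nil {
		return "", false
	}
	v := u.Query()["sslmode"]
	if len(v) == 0 {
		return "", false
	}
	return v[0], true
}

func main() {
	// Constructed sample configuration; the hostname is a placeholder.
	cfg := Config{
		Scheme:   "awspostgres",
		Host:     "database-name.region.rds.amazonaws.com",
		Port:     5432,
		Database: "postgres",
		Username: "admin",
		Password: "secret",
		SSLMode:  "require",
	}
	builders := []struct {
		name  string
		build func(Config) string
	}{{"buggy", buildDSNBuggy}, {"fixed", buildDSNFixed}}
	for _, b := range builders {
		mode, ok := sslModeOf(b.build(cfg))
		fmt.Printf("%-5s sslmode present=%t value=%q\n", b.name, ok, mode)
	}
}
```

Running it prints that the "buggy" DSN carries no sslmode at all for awspostgres while the "fixed" one carries require; a test on the returned DSNs rather than on the log output is the way to lock this in so the scheme check cannot regress to a single string comparison again.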
I've got this error trying to create a DB in an AWS Serverless v1 cluster, CA rds-ca-rsa2048-g1
- provider registry.terraform.io/cyrilgdn/postgresql v1.21.0
same error with scheme = "gcppostgres"
AWS has given customers 12 months to migrate to the new CA. This is now an important issue that needs resolving.
Having a similar issue myself using rds-ca-rsa2048-g1 and scheme = "awspostgres". Changing from awspostgres to postgres fixes it; what are the implications of this?
The problem has gone after upgrading from 1.20.0 to 1.22.0.