chore: AWS IAM DB auth migrator (#10622)

https://linear.app/unleash/issue/2-3861/aws-iam-db-auth-migrator Adapts the migrator logic to support AWS IAM DB auth. Reverts a few changes from our earlier tests.
2025-09-05 17:53:12 +02:00 · 2025-09-04 16:14:02 +01:00 · 2025-09-04 16:14:02 +01:00 · 39ee5b97cb
commit 39ee5b97cb
parent ccaafb3716
3 changed files with 9 additions and 16 deletions
--- a/src/lib/db/aws-iam.ts
+++ b/src/lib/db/aws-iam.ts
@ -14,14 +14,9 @@ export const getDBPasswordResolver = (db: IDBOption): PasswordResolver => {
            region: db.awsRegion,
            hostname: db.host,
            port: db.port,
-            username: process.env.DATABASE_USERNAME || db.user,
+            username: db.user,
        });
-        return async () => {
+        return async () => signer.getAuthToken();
            console.log('[AWS RDS SIGNER] Getting token...');
            const token = await signer.getAuthToken();
            console.log(`[AWS RDS SIGNER] Got token: ${token}`);
            return token;
        };
    }
    return async () => db.password;
--- a/src/lib/db/db-pool.ts
+++ b/src/lib/db/db-pool.ts
@ -9,20 +9,11 @@ export function createDb({
    getLogger,
 }: Pick<IUnleashConfig, 'db' | 'getLogger'>): Knex {
    const logger = getLogger('db-pool.js');
    logger.info(
        `createDb: iam=${Boolean(db.awsIamAuth)} host=${db.host} port=${db.port} db=${db.database} user=${process.env.DATABASE_USERNAME || db.user} ssl=${Boolean(db.ssl)}`,
    );
    const { password, ...logDb } = db;
    logger.info(`createDb (DB): ${JSON.stringify(logDb, undefined, 2)}`);
    return knex({
        client: 'pg',
        version: db.version,
        connection: {
            ...db,
            user: process.env.DATABASE_USERNAME || db.user,
            application_name: db.applicationName,
            password: getDBPasswordResolver(db),
        },
--- a/src/migrator.ts
+++ b/src/migrator.ts
@ -6,6 +6,7 @@ import type { IUnleashConfig } from './lib/types/option.js';
 import { secondsToMilliseconds } from 'date-fns';
 import path from 'path';
 import { fileURLToPath } from 'node:url';
 import { getDBPassword } from './lib/db/aws-iam.js';
 log.setLogLevel('error');
 const __filename = fileURLToPath(import.meta.url);
@ -22,9 +23,11 @@ export async function migrateDb(
    { db }: Pick<IUnleashConfig, 'db'>,
    stopAt?: string,
 ): Promise<void> {
    const password = await getDBPassword(db);
    return noDatabaseUrl(async () => {
        const custom = {
            ...db,
            password,
            connectionTimeoutMillis: secondsToMilliseconds(10),
        };
@ -43,9 +46,11 @@ export async function migrateDb(
 export async function requiresMigration({
    db,
 }: Pick<IUnleashConfig, 'db'>): Promise<boolean> {
    const password = await getDBPassword(db);
    return noDatabaseUrl(async () => {
        const custom = {
            ...db,
            password,
            connectionTimeoutMillis: secondsToMilliseconds(10),
        };
@ -64,9 +69,11 @@ export async function requiresMigration({
 // This exists to ease testing
 export async function resetDb({ db }: IUnleashConfig): Promise<void> {
    const password = await getDBPassword(db);
    return noDatabaseUrl(async () => {
        const custom = {
            ...db,
            password,
            connectionTimeoutMillis: secondsToMilliseconds(10),
        };