chore: AWS IAM DB auth migrator (#10622)

https://linear.app/unleash/issue/2-3861/aws-iam-db-auth-migrator Adapts the migrator logic to support AWS IAM DB auth. Reverts a few changes from our earlier tests.
2025-09-05 17:53:12 +02:00 · 2025-09-04 16:14:02 +01:00 · 2025-09-04 16:14:02 +01:00 · 39ee5b97cb
commit 39ee5b97cb
parent ccaafb3716
3 changed files with 9 additions and 16 deletions
--- a/src/lib/db/aws-iam.ts
+++ b/src/lib/db/aws-iam.ts
@ -14,14 +14,9 @@ export const getDBPasswordResolver = (db: IDBOption): PasswordResolver => {
            region: db.awsRegion,
            hostname: db.host,
            port: db.port,
-            username: process.env.DATABASE_USERNAME || db.user,
+            username: db.user,
        });
-        return async () => {
-            console.log('[AWS RDS SIGNER] Getting token...');
-            const token = await signer.getAuthToken();
-            console.log(`[AWS RDS SIGNER] Got token: ${token}`);
-            return token;
-        };
+        return async () => signer.getAuthToken();
    }

    return async () => db.password;
--- a/src/lib/db/db-pool.ts
+++ b/src/lib/db/db-pool.ts
@ -9,20 +9,11 @@ export function createDb({
    getLogger,
 }: Pick<IUnleashConfig, 'db' | 'getLogger'>): Knex {
    const logger = getLogger('db-pool.js');
-
-    logger.info(
-        `createDb: iam=${Boolean(db.awsIamAuth)} host=${db.host} port=${db.port} db=${db.database} user=${process.env.DATABASE_USERNAME || db.user} ssl=${Boolean(db.ssl)}`,
-    );
-
-    const { password, ...logDb } = db;
-    logger.info(`createDb (DB): ${JSON.stringify(logDb, undefined, 2)}`);
-
    return knex({
        client: 'pg',
        version: db.version,
        connection: {
            ...db,
-            user: process.env.DATABASE_USERNAME || db.user,
            application_name: db.applicationName,
            password: getDBPasswordResolver(db),
        },
--- a/src/migrator.ts
+++ b/src/migrator.ts
@ -6,6 +6,7 @@ import type { IUnleashConfig } from './lib/types/option.js';
 import { secondsToMilliseconds } from 'date-fns';
 import path from 'path';
 import { fileURLToPath } from 'node:url';
+import { getDBPassword } from './lib/db/aws-iam.js';

 log.setLogLevel('error');
 const __filename = fileURLToPath(import.meta.url);
@ -22,9 +23,11 @@ export async function migrateDb(
    { db }: Pick<IUnleashConfig, 'db'>,
    stopAt?: string,
 ): Promise<void> {
+    const password = await getDBPassword(db);
    return noDatabaseUrl(async () => {
        const custom = {
            ...db,
+            password,
            connectionTimeoutMillis: secondsToMilliseconds(10),
        };

@ -43,9 +46,11 @@ export async function migrateDb(
 export async function requiresMigration({
    db,
 }: Pick<IUnleashConfig, 'db'>): Promise<boolean> {
+    const password = await getDBPassword(db);
    return noDatabaseUrl(async () => {
        const custom = {
            ...db,
+            password,
            connectionTimeoutMillis: secondsToMilliseconds(10),
        };

@ -64,9 +69,11 @@ export async function requiresMigration({

 // This exists to ease testing
 export async function resetDb({ db }: IUnleashConfig): Promise<void> {
+    const password = await getDBPassword(db);
    return noDatabaseUrl(async () => {
        const custom = {
            ...db,
+            password,
            connectionTimeoutMillis: secondsToMilliseconds(10),
        };