chore: add IAM db auth support (#10609)

https://linear.app/unleash/issue/2-3829/investigate-aws-iam-connection-support-for-unleash-docker

Adds AWS IAM DB connection support.

.github/workflows/dependency-review.yml

@@ -22,5 +22,5 @@ jobs:
         uses: actions/dependency-review-action@v4
         with:
           fail-on-severity: moderate
-          allow-licenses: Apache-2.0, MIT, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, CC0-1.0, Unlicense, BlueOak-1.0.0, CC-BY-4.0, Artistic-2.0, PSF-2.0, MPL-2.0 
+          allow-licenses: Apache-2.0, MIT, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, CC0-1.0, Unlicense, BlueOak-1.0.0, CC-BY-4.0, Artistic-2.0, PSF-2.0, MPL-2.0, MITNFA
           comment-summary-in-pr: always

package.json

@@ -68,6 +68,7 @@
     "schema:update": "node ./.husky/update-openapi-spec-list.js"
   },
   "dependencies": {
+    "@aws-sdk/rds-signer": "^3.880.0",
     "@slack/web-api": "^7.9.1",
     "@wesleytodd/openapi": "^1.1.0",
     "ajv": "^8.17.1",

src/lib/__snapshots__/create-config.test.ts.snap

@@ -32,6 +32,8 @@ exports[`should create default config 1`] = `
   "db": {
     "acquireConnectionTimeout": 30000,
     "applicationName": "unleash",
+    "awsIamAuth": false,
+    "awsRegion": undefined,
     "database": "unleash_db",
     "disableMigration": false,
     "driver": "postgres",

src/lib/create-config.ts

@@ -266,6 +266,8 @@ const defaultDbOptions: WithOptional<IDBOption, 'user' | 'password' | 'host'> =
             false,
         ),
         applicationName: process.env.DATABASE_APPLICATION_NAME || 'unleash',
+        awsIamAuth: parseEnvVarBoolean(process.env.DATABASE_AWS_IAM, false),
+        awsRegion: process.env.AWS_REGION,
     };
 
 const defaultSessionOption = (isEnterprise: boolean): ISessionOption => ({

src/lib/db/db-pool.ts

@@ -3,19 +3,61 @@ import knexpkg from 'knex';
 const { knex } = knexpkg;
 import type { IUnleashConfig } from '../types/option.js';
 
+import { Signer } from '@aws-sdk/rds-signer';
+
 export function createDb({
     db,
     getLogger,
 }: Pick<IUnleashConfig, 'db' | 'getLogger'>): Knex {
     const logger = getLogger('db-pool.js');
+
+    const {
+        host,
+        port,
+        user,
+        database,
+        ssl,
+        applicationName,
+        password,
+        awsIamAuth,
+        awsRegion,
+        pool,
+    } = db;
+
+    let resolvedPassword: string | (() => Promise<string>) | undefined =
+        password;
+
+    if (awsIamAuth) {
+        if (!awsRegion) {
+            throw new Error(
+                'AWS_REGION is required when DATABASE_AWS_IAM=true',
+            );
+        }
+        const signer = new Signer({
+            region: awsRegion,
+            hostname: host,
+            port,
+            username: user,
+        });
+
+        resolvedPassword = async () => signer.getAuthToken();
+    }
+
+    const connection = {
+        host,
+        port,
+        user,
+        database,
+        ssl,
+        application_name: applicationName,
+        password: resolvedPassword,
+    };
+
     return knex({
         client: 'pg',
         version: db.version,
-        connection: {
+        connection,
-            ...db,
+        pool,
-            application_name: db.applicationName,
-        },
-        pool: db.pool,
         searchPath: db.schema,
         asyncStackTraces: true,
         log: {

src/lib/types/option.ts

@@ -20,7 +20,7 @@ export interface ISSLOption {
 
 export interface IDBOption {
     user: string;
-    password: string;
+    password?: string;
     host: string;
     port: number;
     database: string;
@@ -38,6 +38,8 @@ export interface IDBOption {
     schema: string;
     disableMigration: boolean;
     applicationName?: string;
+    awsIamAuth?: boolean;
+    awsRegion?: string;
 }
 
 export interface ISessionOption {