chore: remove AWS IAM DB auth prototype code (#10662)

https://linear.app/unleash/issue/2-3882/remove-aws-iam-db-auth-prototype-code Removes the AWS IAM DB auth prototype code. Related PRs: - https://github.com/Unleash/unleash/pull/10609 - https://github.com/Unleash/unleash/pull/10617 - https://github.com/Unleash/unleash/pull/10622 - https://github.com/Unleash/unleash/pull/10635 - https://github.com/Unleash/unleash/pull/10639 - https://github.com/Unleash/unleash/pull/10643
2025-09-19 17:52:45 +02:00 · 2025-09-12 14:46:28 +01:00 · 2025-09-12 14:46:28 +01:00 · c2f6cfe45f
commit c2f6cfe45f
parent a519cb84f5
9 changed files with 4 additions and 1348 deletions
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@ -22,5 +22,5 @@ jobs:
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: moderate
-          allow-licenses: Apache-2.0, MIT, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, CC0-1.0, Unlicense, BlueOak-1.0.0, CC-BY-4.0, Artistic-2.0, PSF-2.0, MPL-2.0, MITNFA
+          allow-licenses: Apache-2.0, MIT, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, CC0-1.0, Unlicense, BlueOak-1.0.0, CC-BY-4.0, Artistic-2.0, PSF-2.0, MPL-2.0
          comment-summary-in-pr: always
--- a/package.json
+++ b/package.json
@ -68,7 +68,6 @@
    "schema:update": "node ./.husky/update-openapi-spec-list.js"
  },
  "dependencies": {
-    "@aws-sdk/rds-signer": "^3.880.0",
    "@slack/web-api": "^7.9.1",
    "@wesleytodd/openapi": "^1.1.0",
    "ajv": "^8.17.1",
@ -121,7 +120,6 @@
    "pg-connection-string": "^2.5.0",
    "pkginfo": "^0.4.1",
    "prom-client": "^15.0.0",
-    "proxy-agent": "^6.5.0",
    "sanitize-filename": "^1.6.3",
    "semver": "^7.6.3",
    "serve-favicon": "^2.5.0",
--- a/src/lib/snapshots/create-config.test.ts.snap
+++ b/src/lib/snapshots/create-config.test.ts.snap
@ -32,9 +32,6 @@ exports[`should create default config 1`] = `
  "db": {
    "acquireConnectionTimeout": 30000,
    "applicationName": "unleash",
-    "awsIamAuth": false,
-    "awsRegion": undefined,
-    "awsRoleArn": undefined,
    "database": "unleash_db",
    "disableMigration": false,
    "driver": "postgres",
--- a/src/lib/create-config.ts
+++ b/src/lib/create-config.ts
@ -266,9 +266,6 @@ const defaultDbOptions: WithOptional<IDBOption, 'user' | 'password' | 'host'> =
            false,
        ),
        applicationName: process.env.DATABASE_APPLICATION_NAME || 'unleash',
-        awsIamAuth: parseEnvVarBoolean(process.env.DATABASE_AWS_IAM, false),
-        awsRegion: process.env.AWS_REGION,
-        awsRoleArn: process.env.DATABASE_AWS_ROLE_ARN,
    };

 const defaultSessionOption = (isEnterprise: boolean): ISessionOption => ({
--- a/src/lib/db/aws-iam.ts
+++ b/src/lib/db/aws-iam.ts
@ -1,64 +0,0 @@
-import { Signer } from '@aws-sdk/rds-signer';
-import {
-    fromTemporaryCredentials,
-    fromNodeProviderChain,
-} from '@aws-sdk/credential-providers';
-import { NodeHttpHandler } from '@smithy/node-http-handler';
-import { ProxyAgent } from 'proxy-agent';
-import type { IDBOption } from '../types/option.js';
-
-type PasswordResolver = () => Promise<string>;
-
-export const getDBPasswordResolver = (db: IDBOption): PasswordResolver => {
-    if (!db.awsIamAuth) return async () => db.password;
-    if (!db.awsRegion)
-        throw new Error('AWS_REGION is required when DATABASE_AWS_IAM=true');
-
-    const needProxy = Boolean(
-        process.env.HTTPS_PROXY ||
-            process.env.HTTP_PROXY ||
-            process.env.NO_PROXY,
-    );
-    const proxyAgent = needProxy ? new ProxyAgent() : undefined;
-
-    const requestHandler = needProxy
-        ? new NodeHttpHandler({
-              httpAgent: proxyAgent,
-              httpsAgent: proxyAgent,
-          })
-        : undefined;
-
-    const clientConfig = {
-        region: db.awsRegion,
-        endpoint: `https://sts.${db.awsRegion}.amazonaws.com`,
-        requestHandler,
-    };
-
-    const baseCreds = fromNodeProviderChain({
-        clientConfig,
-    });
-
-    const credentials = db.awsRoleArn
-        ? fromTemporaryCredentials({
-              params: {
-                  RoleArn: db.awsRoleArn,
-                  RoleSessionName: 'unleash-db-session',
-              },
-              clientConfig,
-              masterCredentials: baseCreds,
-          })
-        : baseCreds;
-
-    const signer = new Signer({
-        region: db.awsRegion,
-        hostname: db.host,
-        port: db.port,
-        username: db.user,
-        credentials,
-    });
-
-    return async () => signer.getAuthToken();
-};
-
-export const getDBPassword = (db: IDBOption): Promise<string> =>
-    getDBPasswordResolver(db)();
--- a/src/lib/db/db-pool.ts
+++ b/src/lib/db/db-pool.ts
@ -2,7 +2,6 @@ import type { Knex } from 'knex';
 import knexpkg from 'knex';
 const { knex } = knexpkg;
 import type { IUnleashConfig } from '../types/option.js';
-import { getDBPasswordResolver } from './aws-iam.js';

 export function createDb({
    db,
@ -15,7 +14,6 @@ export function createDb({
        connection: {
            ...db,
            application_name: db.applicationName,
-            password: getDBPasswordResolver(db),
        },
        pool: db.pool,
        searchPath: db.schema,
--- a/src/lib/types/option.ts
+++ b/src/lib/types/option.ts
@ -38,9 +38,6 @@ export interface IDBOption {
    schema: string;
    disableMigration: boolean;
    applicationName?: string;
-    awsIamAuth?: boolean;
-    awsRegion?: string;
-    awsRoleArn?: string;
 }

 export interface ISessionOption {
--- a/src/migrator.ts
+++ b/src/migrator.ts
@ -6,7 +6,6 @@ import type { IUnleashConfig } from './lib/types/option.js';
 import { secondsToMilliseconds } from 'date-fns';
 import path from 'path';
 import { fileURLToPath } from 'node:url';
-import { getDBPassword } from './lib/db/aws-iam.js';

 log.setLogLevel('error');
 const __filename = fileURLToPath(import.meta.url);
@ -23,11 +22,9 @@ export async function migrateDb(
    { db }: Pick<IUnleashConfig, 'db'>,
    stopAt?: string,
 ): Promise<void> {
-    const password = await getDBPassword(db);
    return noDatabaseUrl(async () => {
        const custom = {
            ...db,
-            password,
            connectionTimeoutMillis: secondsToMilliseconds(10),
        };

@ -46,11 +43,9 @@ export async function migrateDb(
 export async function requiresMigration({
    db,
 }: Pick<IUnleashConfig, 'db'>): Promise<boolean> {
-    const password = await getDBPassword(db);
    return noDatabaseUrl(async () => {
        const custom = {
            ...db,
-            password,
            connectionTimeoutMillis: secondsToMilliseconds(10),
        };

@ -69,11 +64,9 @@ export async function requiresMigration({

 // This exists to ease testing
 export async function resetDb({ db }: IUnleashConfig): Promise<void> {
-    const password = await getDBPassword(db);
    return noDatabaseUrl(async () => {
        const custom = {
            ...db,
-            password,
            connectionTimeoutMillis: secondsToMilliseconds(10),
        };

--- a/yarn.lock
+++ b/yarn.lock