[WIP] Replace RDS password-based authentication with IAM role authentication

pet_clinic_billing_service/pet_clinic_billing_service/settings.py

@@ -92,31 +92,22 @@
     },
 }
 
-# Get secret name and region from environment or use defaults
-SECRET_NAME = os.environ.get('SECRET_NAME', 'petclinic-python-dbsecret')
 REGION = os.environ.get('REGION', 'us-east-1')
 
-def get_secret_value(secret_name: str, region_name: str) -> str:
+def get_rds_auth_token():
     """
-    Retrieve a secret string from AWS Secrets Manager.
+    Generate IAM authentication token for RDS PostgreSQL.
     """
-    client = boto3.client('secretsmanager', region_name=region_name)
-    response = client.get_secret_value(SecretId=secret_name)
-    return response['SecretString'] 
-
-
-env_db_password = os.environ.get('DB_USER_PASSWORD')
-
-if env_db_password:
-    DB_PASSWORD = env_db_password
-else:
-    # Retrieve from Secrets Manager
-    try:
-        DB_PASSWORD = get_secret_value(SECRET_NAME, REGION)
-        print(f"Retrieved secret '{SECRET_NAME}' from AWS Secrets Manager {DB_PASSWORD}")
-    except Exception as e:
-        # Print the error
-        print(f"Error retrieving secret '{SECRET_NAME}' from AWS Secrets Manager: {e}", file=sys.stderr)
+    rds_client = boto3.client('rds', region_name=REGION)
+    hostname = os.environ.get("DB_SERVICE_HOST")
+    username = os.environ.get("DB_USER")
+
+    auth_token = rds_client.generate_db_auth_token(
+        DBHostname=hostname,
+        Port=5432,
+        DBUsername=username
+    )
+    return auth_token
 
 
 # Database
@@ -131,9 +122,12 @@ def get_secret_value(secret_name: str, region_name: str) -> str:
         "ENGINE": "django.db.backends.postgresql",
         "NAME": os.environ.get('DB_NAME'),
         "USER": os.environ.get('DB_USER'),
-        "PASSWORD": DB_PASSWORD,
+        "PASSWORD": get_rds_auth_token(),
         "HOST": os.environ.get("DB_SERVICE_HOST"),
         "PORT": os.environ.get("DB_SERVICE_PORT"),
+        "OPTIONS": {
+            "sslmode": "require",
+        }
     }
 }
 

pet_clinic_insurance_service/pet_clinic_insurance_service/settings.py

@@ -75,31 +75,22 @@
 WSGI_APPLICATION = "pet_clinic_insurance_service.wsgi.application"
 
 
-# Get secret name and region from environment or use defaults
-SECRET_NAME = os.environ.get('SECRET_NAME', 'petclinic-python-dbsecret')
 REGION = os.environ.get('REGION', 'us-east-1')
 
-def get_secret_value(secret_name: str, region_name: str) -> str:
+def get_rds_auth_token():
     """
-    Retrieve a secret string from AWS Secrets Manager.
+    Generate IAM authentication token for RDS PostgreSQL.
     """
-    client = boto3.client('secretsmanager', region_name=region_name)
-    response = client.get_secret_value(SecretId=secret_name)
-    return response['SecretString'] 
-
-
-env_db_password = os.environ.get('DB_USER_PASSWORD')
-
-if env_db_password:
-    DB_PASSWORD = env_db_password
-else:
-    # Retrieve from Secrets Manager
-    try:
-        DB_PASSWORD = get_secret_value(SECRET_NAME, REGION)
-        print(f"Retrieved secret '{SECRET_NAME}' from AWS Secrets Manager {DB_PASSWORD}")
-    except Exception as e:
-        # Print the error
-        print(f"Error retrieving secret '{SECRET_NAME}' from AWS Secrets Manager: {e}", file=sys.stderr)
+    rds_client = boto3.client('rds', region_name=REGION)
+    hostname = os.environ.get("DB_SERVICE_HOST")
+    username = os.environ.get("DB_USER")
+
+    auth_token = rds_client.generate_db_auth_token(
+        DBHostname=hostname,
+        Port=5432,
+        DBUsername=username
+    )
+    return auth_token
 
 
 # Database
@@ -114,9 +105,12 @@ def get_secret_value(secret_name: str, region_name: str) -> str:
         "ENGINE": "django.db.backends.postgresql",
         "NAME": os.environ.get('DB_NAME'),
         "USER": os.environ.get('DB_USER'),
-        "PASSWORD": DB_PASSWORD,
+        "PASSWORD": get_rds_auth_token(),
         "HOST": os.environ.get("DB_SERVICE_HOST"),
         "PORT": os.environ.get("DB_SERVICE_PORT"),
+        "OPTIONS": {
+            "sslmode": "require",
+        }
     }
 }