[registration-cleaning-worker] Use dedicated security group for accessing Postgres#1707
Merged
jacobwinch merged 1 commit intomainfrom Mar 4, 2026
Merged
[registration-cleaning-worker] Use dedicated security group for accessing Postgres#1707jacobwinch merged 1 commit intomainfrom
jacobwinch merged 1 commit intomainfrom
Conversation
jacobwinch
added
the
maintenance
Contributor
jacobwinch
force-pushed
the
jw-reg-cleaning-worker-sg
branch
2 times, most recently
from
1c8ad70 to
146259b
Compare
Contributor
akash1810
approved these changes
Feb 27, 2026
aracho1
approved these changes
Mar 4, 2026
jacobwinch
force-pushed
the
jw-reg-cleaning-worker-sg
branch
from
146259b to
4283483
Compare
Contributor
Contributor
Contributor
Contributor
Contributor
Contributor
Author
|
This has been deployed successfully. These logs show that we are deleting records as expected and the SQS metrics suggest that all messages are being processed as expected. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this change?
The Notifications VPC has a “default group”. Prior to this PR,
registration-cleaning-workerused this group to gain access to the RDS database (via the RDS proxy). This approach to networking does not follow the principle of least privilege, as any network interface in the VPC can implicitly reach theCODEandPRODdatabases.In #1636 a new security group was created, with the intention of services joining it only if they need database access. This will ultimately allow us to remove the “default group”, thus improving our security posture by moving towards the principle of least privilege.
This PR updates
registration-cleaning-workerto use the new security group / approach1.How has this change been tested?
I've deployed this to
CODEto check that the new CFN / Riff-Raff wiring is valid.However, testing the actual behaviour of this Lambda seems tricky (#1527), so I'd like to merge this and confirm that it works in
PRODby checking the logs / SQS metrics.How can we measure success?
This is a step towards removing the "default group", which improves our security posture and allows us to standardise on a single approach following the changes made in #1636.
Have we considered potential risks?
As mentioned above, testing this in
CODEis tricky.'Testing' this in
PROD(after merging tomain) should be low risk because this Lambda processes a queue (and has a dead letter queue):mobile-n10n/notificationworkerlambda/registration-cleaning-worker-cfn.yaml
Lines 44 to 61 in 146259b
So if anything goes wrong we can just rollback and re-drive the messages.
As far as I can tell there will be no negative impact caused by taking a bit longer than normal to tidy up invalid tokens.
Footnotes
Note that all of the above applies regardless of whether the application connects to the RDS instance directly or whether it goes via the RDS proxy, because the RDS instance and the RDS proxy share the same security group (created here). ↩