feat(rds-postgres): dedicated AssumeRole IAM role for server and db requirements #20
Open
sebastiancorrea81 wants to merge 8 commits into
Conversation
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…d collision with rds-postgres-server Both modules used the identical name nullplatform-<cluster_name>-rds-secretsmanager-policy for two different policies. IAM policy names are account-wide unique, so deploying both modules against the same cluster_name fails with EntityAlreadyExists — caught by an actual tofu apply against a real AWS account with both modules together.
Summary

`rds-postgres-server` and `rds-postgres-db` each get a dedicated per-cluster IAM role that the nullplatform agent can assume via `sts:AssumeRole`, mirroring the pattern used by `nullplatform/scopes-static-files` (`static-files/requirements/aws`).

- `rds-postgres-server/requirements/`: now creates its own role (trust policy naming the agent role as principal) and attaches its existing 4 policies (RDS, EC2/SG, S3, Secrets Manager — content unchanged) to it, instead of requiring an externally-supplied role name. `variables.tf`'s `name` was renamed to `cluster_name` (module has no live state anywhere in this repo — confirmed via review).
- `rds-postgres-db/requirements/`: brand-new module, same pattern, plus one new policy (`secretsmanager:GetSecretValue`, scoped to the `nullplatform/rds/*` secret-name prefix) that this service's README already documented as required but was never previously codified.
- `build_context`/entrypoint scripts to actually call `sts assume-role` — both handled centrally, outside these modules, matching the reference architecture.

Docs

- `docs/superpowers/specs/2026-07-02-rds-postgres-assume-role-design.md`
- `docs/superpowers/plans/2026-07-02-rds-postgres-assume-role.md`

Test plan

- `tofu init -backend=false && tofu validate` passes in `databases/rds-postgres-server/requirements`
- `tofu init -backend=false && tofu validate` passes in `databases/rds-postgres-db/requirements`
- `tofu fmt -check -diff` clean on both modules

🤖 Generated with Claude Code
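The role, trust-policy and prefix-scoped Secrets Manager policy pattern the description outlines, as an added OpenTofu/Terraform example (not the PR's or the project's own code). `cluster_name` and the `nullplatform/rds/*` secret-name prefix come from the PR; the `agent_role_arn` variable and the role and policy names are assumptions, with the module name baked into the policy name so two modules deployed against the same `cluster_name` cannot hit the account-wide `EntityAlreadyExists` collision the commit message describes.

```hcl
# Added example, not the project's code. agent_role_arn and all resource
# names below are assumed; cluster_name and the secret prefix are from the PR.

variable "cluster_name" {
  type = string
}

variable "agent_role_arn" {
  type        = string
  description = "ARN of the nullplatform agent role allowed to assume this role (assumed input)"
}

data "aws_caller_identity" "current" {}

# Trust policy: only the agent role may call sts:AssumeRole on this role.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [var.agent_role_arn]
    }
  }
}

resource "aws_iam_role" "db" {
  name               = "nullplatform-${var.cluster_name}-rds-postgres-db-role"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Least privilege: read only secrets whose name starts with nullplatform/rds/.
# Secrets Manager appends a random suffix to every secret ARN, so the trailing
# wildcard is required for the prefix match to work; the account id keeps the
# statement from matching secrets in other accounts.
data "aws_iam_policy_document" "secrets" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:nullplatform/rds/*"]
  }
}

resource "aws_iam_policy" "secrets" {
  name   = "nullplatform-${var.cluster_name}-rds-postgres-db-secretsmanager-policy"
  policy = data.aws_iam_policy_document.secrets.json
}

resource "aws_iam_role_policy_attachment" "secrets" {
  role       = aws_iam_role.db.name
  policy_arn = aws_iam_policy.secrets.arn
}
```

`tofu init -backend=false && tofu validate` is enough to check the HCL; confirming that the agent can actually assume the role and read only the prefixed secrets needs a real account and the central `sts assume-role` wiring the PR leaves outside these modules.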