
feat(rds-postgres): dedicated AssumeRole IAM role for server and db requirements #20

Open
sebastiancorrea81 wants to merge 8 commits into main from feat/rds-postgres-server-assume-role


@sebastiancorrea81

Contributor

Summary

  • Gives rds-postgres-server and rds-postgres-db each a dedicated per-cluster IAM role that the nullplatform agent can assume via sts:AssumeRole, mirroring the pattern used by nullplatform/scopes-static-files (static-files/requirements/aws).
  • rds-postgres-server/requirements/: now creates its own role (trust policy naming the agent role as principal) and attaches its existing 4 policies (RDS, EC2/SG, S3, Secrets Manager — content unchanged) to it, instead of requiring an externally-supplied role name. variables.tf's name was renamed to cluster_name (module has no live state anywhere in this repo — confirmed via review).
  • rds-postgres-db/requirements/: brand-new module, same pattern, plus one new policy (secretsmanager:GetSecretValue, scoped to the nullplatform/rds/* secret-name prefix) that this service's README already documented as required but was never previously codified.
  • Out of scope (by design, see spec/plan): granting the agent itself permission to assume these roles, and wiring build_context/entrypoint scripts to actually call sts assume-role — both handled centrally, outside these modules, matching the reference architecture.

Docs

  • Design spec: docs/superpowers/specs/2026-07-02-rds-postgres-assume-role-design.md
  • Implementation plan: docs/superpowers/plans/2026-07-02-rds-postgres-assume-role.md

Test plan

  • tofu init -backend=false && tofu validate passes in databases/rds-postgres-server/requirements
  • tofu init -backend=false && tofu validate passes in databases/rds-postgres-db/requirements
  • tofu fmt -check -diff clean on both modules
  • Both modules independently reviewed (spec compliance + code quality), plus a final whole-branch review — all approved, no Critical/Important blockers remaining

🤖 Generated with Claude Code

sebas_correa and others added 8 commits July 2, 2026 10:24
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…d collision with rds-postgres-server

Both modules used the identical name nullplatform-<cluster_name>-rds-secretsmanager-policy
for two different policies. IAM policy names are account-wide unique, so deploying both
modules against the same cluster_name fails with EntityAlreadyExists — caught by an
actual tofu apply against a real AWS account with both modules together.
