Support optional certificate authority for database connection (#1086)

dotkom · Jan 25, 2025 · 603857b · 603857b
1 parent ef0e3b0
commit 603857b
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 7 deletions.
diff --git a/apps/rpc/src/env.ts b/apps/rpc/src/env.ts
@@ -16,4 +16,6 @@ export const env = createEnvironment({
   MANAGEMENT_OAUTH_CLIENT_ID: variable,
   MANAGEMENT_OAUTH_CLIENT_SECRET: variable,
   MANAGEMENT_TENANT_DOMAIN_ID: variable,
+  // AWS RDS Certificate Authority, if you are connecting to RDS.
+  AWS_RDS_CERTIFICATE_AUTHORITY: variable.optional(),
 })
diff --git a/apps/rpc/src/index.ts b/apps/rpc/src/index.ts
@@ -39,7 +39,7 @@ const stripeAccounts = {
     webhookSecret: env.FAGKOM_STRIPE_WEBHOOK_SECRET,
   },
 }
-const kysely = createKysely(env.DATABASE_URL)
+const kysely = createKysely(env.DATABASE_URL, env.AWS_RDS_CERTIFICATE_AUTHORITY)
 
 export async function createFastifyContext({ req }: CreateFastifyContextOptions) {
   const bearer = req.headers.authorization

diff --git a/packages/db/src/index.ts b/packages/db/src/index.ts
@@ -1,15 +1,27 @@
 import { CamelCasePlugin, Kysely, PostgresDialect } from "kysely"
-import pg from "pg"
+import pg, { type PoolConfig } from "pg"
 import type { DB } from "./db.generated"
 export type { DB as Database } from "./db.generated"
 
 export { createMigrator } from "./migrator"
 
-export const createKysely = (url: string) => {
+export const createKysely = (url: string, certificateAuthority?: string) => {
+  // If the caller has provided a certificate authority, we pass it down to
+  // node-postgres. This is required in production, but not for a local postgres
+  // database from the docker compose configuration.
+  let sslOptions: PoolConfig["ssl"] | undefined = undefined
+  if (certificateAuthority !== undefined) {
+    sslOptions = {
+      rejectUnauthorized: true,
+      ca: certificateAuthority,
+    }
+  }
+
   return new Kysely<DB>({
     dialect: new PostgresDialect({
       pool: new pg.Pool({
         connectionString: url,
+        ssl: sslOptions,
       }),
     }),
     plugins: [new CamelCasePlugin()],

diff --git a/packages/environment/src/index.d.ts b/packages/environment/src/index.d.ts
@@ -1,12 +1,22 @@
+/**
+ * For the sake of staying reasonable, we only support strings for now
+ */
+export type AnySpec = Record<
+  PropertyKey,
+  | import("zod").ZodString
+  | import("zod").ZodDefault<import("zod").ZodString>
+  | import("zod").ZodOptional<import("zod").ZodString>
+>
+
 /**
  * Parse the provided environment variables (or process.env) and return a typed object
  *
  * This function exists to normalize all environment variables to strings, and to provide runtime type safety for any
  * consumer of environment variables.
  */
-export declare function createEnvironment<T>(
-  schema: Record<T, import("zod").ZodString | import("zod").ZodDefault<import("zod").ZodString>>,
+export declare function createEnvironment<TSpec extends AnySpec>(
+  schema: TSpec,
   env?: NodeJS.ProcessEnv
-): Record<T, string>
+): import("zod").infer<import("zod").ZodObject<TSpec>>
 
 export declare const variable: import("zod").ZodString
diff --git a/tools/migrator/src/db.ts b/tools/migrator/src/db.ts
@@ -1,4 +1,4 @@
 import { createKysely } from "@dotkomonline/db"
 import { env } from "./env"
 
-export const db = createKysely(env.DATABASE_URL)
+export const db = createKysely(env.DATABASE_URL, env.AWS_RDS_CERTIFICATE_AUTHORITY)
diff --git a/tools/migrator/src/env.ts b/tools/migrator/src/env.ts
@@ -2,4 +2,5 @@ import { createEnvironment, variable } from "@dotkomonline/environment"
 
 export const env = createEnvironment({
   DATABASE_URL: variable,
+  AWS_RDS_CERTIFICATE_AUTHORITY: variable.optional(),
 })