[dev] [Marfuen] mariano/secure-rds-tls#2765
Closed
github-actions[bot] wants to merge 18 commits into
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Move SSL-resolution logic into a pure ssl-config.ts module so it can be tested with bun:test (matching strip-ssl-mode.test.ts's pattern) without importing the module-level Prisma client. Drop vitest devDependency. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Extracts SSL config logic into apps/app/prisma/ssl-config.ts and updates the Prisma client to throw at boot when connecting to a non-local database without a verified CA bundle or explicit PRISMA_ALLOW_INSECURE_TLS=1 opt-in. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…pps/app Add `./ssl-config` subpath export to @trycompai/db so apps/app (and upcoming portal/framework-editor) can import the single source of truth instead of maintaining their own copy. Widen the `env` parameter type from `NodeJS.ProcessEnv` to `Partial<NodeJS.ProcessEnv>` (strictly more permissive) to satisfy apps/app's strict TS config. Delete the duplicate apps/app/prisma/ssl-config.ts and its redundant test file. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Ships the RDS CA bundle (packages/db/certs/rds-global-bundle.pem) into Trigger.dev task images at /app/certs/rds-global-bundle.pem and sets NODE_EXTRA_CA_CERTS via the deploy.env layer so Node TLS initialization picks it up before any Prisma connection attempt. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…age dependency
Drop `import { resolveSslConfig } from '@trycompai/db/ssl-config'` from
apps/app, apps/portal, and apps/framework-editor and inline the full
localhost/CA-bundle/PRISMA_ALLOW_INSECURE_TLS logic directly.
Trigger.dev pins @trycompai/db@^2.0.0 from npm which lacks the
./ssl-config subpath, causing indexer crashes at deploy time.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…lity) AWS NLB → RDS Proxy connections fail TLS hostname verification because the NLB hostname (*.elb.amazonaws.com) isn't in the RDS Proxy cert's SAN list. Cert chain verification is preserved — an attacker still cannot present a forged or wrong-CA cert. Only the hostname-string check is relaxed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add outputFileTracingIncludes to apps/app and apps/portal next.config.ts so the rds-global-bundle.pem is included in Vercel's traced file output for each deployed function. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Documents the NODE_EXTRA_CA_CERTS values to set in Vercel (both candidate paths), the Trigger.dev PRISMA_ALLOW_INSECURE_TLS removal commands, and notes that API Docker needs no action. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
next build imports every route handler to analyze it, which previously triggered our strict-TLS throw at module load even though no queries run. Wrap the client in a Proxy that constructs the real PrismaClient on first property access. The strict check still fires — just at first use, not at import.
cubic flagged: the subpath export's types entry pointed at ./src/ssl-config.ts, but the published package's files array only includes dist/. Downstream npm consumers would get broken type resolution. Workspace consumers were unaffected because @trycompai/db resolves to source via workspace:*.
Hit /api/_debug-tls on the deployed preview. Reports process.cwd(), NODE_EXTRA_CA_CERTS value, and existence/size for the env-var path plus common candidate paths. Delete this commit once the path is confirmed.
Verified on staging: NODE_EXTRA_CA_CERTS=/var/task/packages/db/certs/rds-global-bundle.pem loads correctly, cert file is present (165408 bytes), and /api/health (which runs db.$queryRaw) returns ok end-to-end.
Add 'certs' to the files array so downstream consumers (e.g. comp-private/apps/enterprise-api) get the cert at node_modules/@trycompai/db/certs/rds-global-bundle.pem after install, without each repo committing its own copy. Document the consumption pattern in the deploy checklist.
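The resolution policy the commits above describe (local host: no TLS; CA bundle present: chain verified, hostname check relaxed for NLB/RDS Proxy; `PRISMA_ALLOW_INSECURE_TLS=1`: explicit opt-in; otherwise refuse) together with the lazy-init Proxy, as an added TypeScript example. This is not the PR's own `ssl-config.ts`; the names `SslDecision`, `resolveSslConfig`, `isLocalDatabase`, `lazy`, the injected `fileExists` checker and the narrower `Env` type (standing in for `Partial<NodeJS.ProcessEnv>`) are assumptions.

```typescript
import { existsSync } from 'node:fs';
type Env = Record<string, string | undefined>;

// Assumed result shape (not the PR's own type): what the TLS layer should do.
export type SslDecision =
  | { mode: 'disabled' }
  | { mode: 'verify-ca'; caFile: string; rejectUnauthorized: true; checkServerIdentity: false }
  | { mode: 'insecure'; rejectUnauthorized: false };

const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);

export function isLocalDatabase(databaseUrl: string): boolean {
  let host: string;
  try { host = new URL(databaseUrl).hostname; } catch { return false; }
  // WHATWG URL keeps the brackets around IPv6 literals; strip them to compare.
  return LOCAL_HOSTS.has(host.replace(/^\[|\]$/g, ''));
}

export function resolveSslConfig(env: Env, fileExists: (p: string) => boolean = existsSync): SslDecision {
  const url = env.DATABASE_URL;
  if (!url) throw new Error('DATABASE_URL is not set');
  if (isLocalDatabase(url)) return { mode: 'disabled' };
  const caFile = env.NODE_EXTRA_CA_CERTS;
  if (caFile && fileExists(caFile)) {
    // Chain verification stays on; only the hostname/SAN check is relaxed so an
    // NLB hostname in front of RDS Proxy does not fail identity matching.
    return { mode: 'verify-ca', caFile, rejectUnauthorized: true, checkServerIdentity: false };
  }
  if (env.PRISMA_ALLOW_INSECURE_TLS === '1') {
    // Explicit opt-in only: no chain or hostname verification at all.
    return { mode: 'insecure', rejectUnauthorized: false };
  }
  throw new Error(
    'Refusing to connect to a non-local database without a verified CA bundle; ' +
      'set NODE_EXTRA_CA_CERTS to the RDS bundle or opt in with PRISMA_ALLOW_INSECURE_TLS=1',
  );
}

// Defer construction to first property access so `next build` can import a
// module exporting the client without running the strict check at load time.
export function lazy<T extends object>(factory: () => T): T {
  let instance: T | undefined;
  return new Proxy({} as T, {
    get(_target, prop) {
      if (!instance) instance = factory();
      const value = Reflect.get(instance, prop);
      return typeof value === 'function' ? value.bind(instance) : value;
    },
  });
}
```

In a real client module the `verify-ca` decision maps onto the `ssl` options passed to the Postgres driver, and the thrown error is what surfaces at first query rather than at import.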
This is an automated pull request to merge mariano/secure-rds-tls into dev.
It was created by the [Auto Pull Request] action.
Summary by cubic
Secure RDS TLS for all Postgres connections across the monorepo. We now ship the AWS RDS CA bundle, require verified TLS for non-local DBs, and publish the CA in `@trycompai/db` for downstream apps.

New Features
- `caBundleExtension` sets `NODE_EXTRA_CA_CERTS` for Trigger.dev, Next.js apps trace the PEM for Vercel functions, and `@trycompai/db` publishes the bundle at `certs/rds-global-bundle.pem` for consumers.
- `PRISMA_ALLOW_INSECURE_TLS=1` as explicit fallback, skip hostname check when the CA is present (NLB/RDS Proxy friendly), and lazy-init the client to avoid Next.js build-time throws.

Migration
- Vercel (`apps/app`, `apps/portal`): set `NODE_EXTRA_CA_CERTS=/var/task/packages/db/certs/rds-global-bundle.pem` for preview and production.
- Trigger.dev (`apps/api`, `apps/app`): after deploying with the new extension, remove `PRISMA_ALLOW_INSECURE_TLS` from staging and prod.
- Consumers of `@trycompai/db` from npm: trace `node_modules/@trycompai/db/certs/rds-global-bundle.pem` into builds and set `NODE_EXTRA_CA_CERTS=/var/task/node_modules/@trycompai/db/certs/rds-global-bundle.pem`.

Written for commit b2c82b9. Summary will update on new commits.