From 274e468cf96f41f9b7230bdf3f9de94af1482860 Mon Sep 17 00:00:00 2001
From: Luke Zhang <lukezha@amazon.com>
Date: Mon, 29 Sep 2025 10:40:09 -0700
Subject: [PATCH] Replace PostgreSQL password authentication with IAM
 authentication

---
 .../pet_clinic_billing_service/settings.py    | 38 ++++++++-----------
 .../pet_clinic_insurance_service/settings.py  | 38 ++++++++-----------
 2 files changed, 32 insertions(+), 44 deletions(-)

diff --git a/pet_clinic_billing_service/pet_clinic_billing_service/settings.py b/pet_clinic_billing_service/pet_clinic_billing_service/settings.py
index a2ce1734..7b4fbd83 100644
--- a/pet_clinic_billing_service/pet_clinic_billing_service/settings.py
+++ b/pet_clinic_billing_service/pet_clinic_billing_service/settings.py
@@ -92,31 +92,22 @@
     },
 }
 
-# Get secret name and region from environment or use defaults
-SECRET_NAME = os.environ.get('SECRET_NAME', 'petclinic-python-dbsecret')
 REGION = os.environ.get('REGION', 'us-east-1')
 
-def get_secret_value(secret_name: str, region_name: str) -> str:
+def get_rds_auth_token():
     """
-    Retrieve a secret string from AWS Secrets Manager.
+    Generate IAM authentication token for RDS PostgreSQL.
     """
-    client = boto3.client('secretsmanager', region_name=region_name)
-    response = client.get_secret_value(SecretId=secret_name)
-    return response['SecretString'] 
-
-
-env_db_password = os.environ.get('DB_USER_PASSWORD')
-
-if env_db_password:
-    DB_PASSWORD = env_db_password
-else:
-    # Retrieve from Secrets Manager
-    try:
-        DB_PASSWORD = get_secret_value(SECRET_NAME, REGION)
-        print(f"Retrieved secret '{SECRET_NAME}' from AWS Secrets Manager {DB_PASSWORD}")
-    except Exception as e:
-        # Print the error
-        print(f"Error retrieving secret '{SECRET_NAME}' from AWS Secrets Manager: {e}", file=sys.stderr)
+    rds_client = boto3.client('rds', region_name=REGION)
+    hostname = os.environ.get("DB_SERVICE_HOST")
+    username = os.environ.get("DB_USER")
+    
+    auth_token = rds_client.generate_db_auth_token(
+        DBHostname=hostname,
+        Port=5432,
+        DBUsername=username
+    )
+    return auth_token
 
 
 # Database
@@ -131,9 +122,12 @@ def get_secret_value(secret_name: str, region_name: str) -> str:
         "ENGINE": "django.db.backends.postgresql",
         "NAME": os.environ.get('DB_NAME'),
         "USER": os.environ.get('DB_USER'),
-        "PASSWORD": DB_PASSWORD,
+        "PASSWORD": get_rds_auth_token(),
         "HOST": os.environ.get("DB_SERVICE_HOST"),
         "PORT": os.environ.get("DB_SERVICE_PORT"),
+        "OPTIONS": {
+            "sslmode": "require",
+        }
     }
 }
 
diff --git a/pet_clinic_insurance_service/pet_clinic_insurance_service/settings.py b/pet_clinic_insurance_service/pet_clinic_insurance_service/settings.py
index b159fb30..fbd840b7 100644
--- a/pet_clinic_insurance_service/pet_clinic_insurance_service/settings.py
+++ b/pet_clinic_insurance_service/pet_clinic_insurance_service/settings.py
@@ -75,31 +75,22 @@
 WSGI_APPLICATION = "pet_clinic_insurance_service.wsgi.application"
 
 
-# Get secret name and region from environment or use defaults
-SECRET_NAME = os.environ.get('SECRET_NAME', 'petclinic-python-dbsecret')
 REGION = os.environ.get('REGION', 'us-east-1')
 
-def get_secret_value(secret_name: str, region_name: str) -> str:
+def get_rds_auth_token():
     """
-    Retrieve a secret string from AWS Secrets Manager.
+    Generate IAM authentication token for RDS PostgreSQL.
     """
-    client = boto3.client('secretsmanager', region_name=region_name)
-    response = client.get_secret_value(SecretId=secret_name)
-    return response['SecretString'] 
-
-
-env_db_password = os.environ.get('DB_USER_PASSWORD')
-
-if env_db_password:
-    DB_PASSWORD = env_db_password
-else:
-    # Retrieve from Secrets Manager
-    try:
-        DB_PASSWORD = get_secret_value(SECRET_NAME, REGION)
-        print(f"Retrieved secret '{SECRET_NAME}' from AWS Secrets Manager {DB_PASSWORD}")
-    except Exception as e:
-        # Print the error
-        print(f"Error retrieving secret '{SECRET_NAME}' from AWS Secrets Manager: {e}", file=sys.stderr)
+    rds_client = boto3.client('rds', region_name=REGION)
+    hostname = os.environ.get("DB_SERVICE_HOST")
+    username = os.environ.get("DB_USER")
+    
+    auth_token = rds_client.generate_db_auth_token(
+        DBHostname=hostname,
+        Port=5432,
+        DBUsername=username
+    )
+    return auth_token
 
 
 # Database
@@ -114,9 +105,12 @@ def get_secret_value(secret_name: str, region_name: str) -> str:
         "ENGINE": "django.db.backends.postgresql",
         "NAME": os.environ.get('DB_NAME'),
         "USER": os.environ.get('DB_USER'),
-        "PASSWORD": DB_PASSWORD,
+        "PASSWORD": get_rds_auth_token(),
         "HOST": os.environ.get("DB_SERVICE_HOST"),
         "PORT": os.environ.get("DB_SERVICE_PORT"),
+        "OPTIONS": {
+            "sslmode": "require",
+        }
     }
 }