refactor(drainer, router): KMS decrypt database password when kms feature is enabled (#733)

2025-10-31 10:06:32 +08:00 · 2023-03-30 04:26:19 +05:30
parent a733eafbbe
commit 9d6e4ee37d
11 changed files with 149 additions and 50 deletions
--- a/crates/drainer/src/connection.rs
+++ b/crates/drainer/src/connection.rs
@ -1,5 +1,7 @@
 use bb8::PooledConnection;
 use diesel::PgConnection;
+#[cfg(feature = "kms")]
+use external_services::kms;

 use crate::settings::Database;

@ -15,13 +17,29 @@ pub async fn redis_connection(
 }

 #[allow(clippy::expect_used)]
-pub async fn diesel_make_pg_pool(database: &Database, _test_transaction: bool) -> PgPool {
+pub async fn diesel_make_pg_pool(
+    database: &Database,
+    _test_transaction: bool,
+    #[cfg(feature = "kms")] kms_config: &kms::KmsConfig,
+) -> PgPool {
+    #[cfg(feature = "kms")]
+    let password = kms::get_kms_client(kms_config)
+        .await
+        .decrypt(&database.kms_encrypted_password)
+        .await
+        .expect("Failed to KMS decrypt database password");
+
+    #[cfg(not(feature = "kms"))]
+    let password = &database.password;
+
    let database_url = format!(
        "postgres://{}:{}@{}:{}/{}",
-        database.username, database.password, database.host, database.port, database.dbname
+        database.username, password, database.host, database.port, database.dbname
    );
    let manager = async_bb8_diesel::ConnectionManager::<PgConnection>::new(database_url);
-    let pool = bb8::Pool::builder().max_size(database.pool_size);
+    let pool = bb8::Pool::builder()
+        .max_size(database.pool_size)
+        .connection_timeout(std::time::Duration::from_secs(database.connection_timeout));

    pool.build(manager)
        .await