From 2eb265d877a9ff76be07c7a4004d979885097db0 Mon Sep 17 00:00:00 2001
From: Ed Morley
Date: Fri, 14 Oct 2016 16:18:37 +0100
Subject: [PATCH] Bug 1288369 - Use TLS when connecting to RDS from Vagrant
Previously if someone set `DATABASE_URL` in their Vagrant environment to a remote RDS instance, TLS wouldn't have been used. Now, using TLS depends not on the `IS_HEROKU` environment variable (which we should stop using anyway, since it goes against the 12-factor methodology), but the DB hostname itself. The CA bundle path has been made relative, to allow it to work inside Vagrant as well as on Heroku.
---
 treeherder/config/settings.py | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/treeherder/config/settings.py b/treeherder/config/settings.py
index 7bcacca80..14c7f6c39 100644
--- a/treeherder/config/settings.py
+++ b/treeherder/config/settings.py
@@ -533,20 +533,22 @@ TEMPLATE_DEBUG = DEBUG
 # The database config is defined using environment variables of form:
 # 'mysql://username:password@host:optional_port/database_name'
+# ...which django-environ converts into the Django DB settings dict format.
 DATABASES = {
 'default': env.db_url('DATABASE_URL'),
 'read_only': env.db_url('DATABASE_URL_RO')
 }
-# Setup ssl connection for aws rds.
-# Can be removed when django-environ supports setting this:
-# https://github.com/joke2k/django-environ/issues/72
-if env.bool('IS_HEROKU', default=False):
- for db_name in DATABASES:
- DATABASES[db_name]['OPTIONS'] = {
+# We're intentionally not using django-environ's query string options feature,
+# since it hides configuration outside of the repository, plus could lead to
+# drift between environments.
+for alias in DATABASES:
+ if DATABASES[alias]['HOST'] != 'localhost':
+ # Use TLS when connecting to RDS.
+ DATABASES[alias]['OPTIONS'] = {
 'ssl': {
- 'ca': '/app/deployment/aws/combined-ca-bundle.pem'
- }
+ 'ca': 'deployment/aws/combined-ca-bundle.pem',
+ },
 }
 # TREEHERDER_MEMCACHED is a string of comma-separated address:port pairs
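Review bot: The new `'ca': 'deployment/aws/combined-ca-bundle.pem'` is a relative path, so it resolves against the working directory of whichever process loads the settings, not against the repository; a worker or management command started from another directory will not find the bundle. How the MySQL driver reacts to a missing CA file is not visible here, so it is worth confirming that it refuses the connection rather than skipping certificate verification. Anchoring the path to the settings module avoids the dependency on the cwd, e.g. `'ca': os.path.join(REPO_ROOT, 'deployment/aws/combined-ca-bundle.pem'),` where `REPO_ROOT` is a placeholder for a directory derived from `__file__`. The `!= 'localhost'` test also treats `127.0.0.1`, an empty `HOST` and any non-RDS hostname as RDS; that fails closed, but it deserves a comment such as `# Any host other than the literal 'localhost' is assumed to be RDS and must use TLS.` Because client-side `ssl` options may not enforce an encrypted session with every client library version, also requiring TLS for the database account on the server side would be a useful backstop.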