mirror of
https://github.com/GSA/notifications-api.git
synced 2026-01-08 11:47:47 -05:00
cfcc3128c2
Refer to
https://www.postgresql.org/docs/11/libpq-connect.html#LIBPQ-CONNECT-SSLMODE
GOV.UK PaaS gives us the database URI, and we use the default mode of
postgres auth which prefers a TLS connection instead of a plain TCP
connection
We are now specifying the SSL mode in the URI when establishing our
connection to the database, so that:
* We will not connect to the database via a plaintext connection
* We will verify the database connection against a list of trusted CAs
The RDS CA from which the database's certificate is issued is added into
the Cloud Foundry app container via
925681f19b/manifests/cf-manifest/operations.d/350-diego-cell.yml (L17-L22)
Signed-off-by: Toby Lorne <toby.lornewelch-richards@digital.cabinet-office.gov.uk>
Co-authored-by: David <david.mcdonald@digital.cabinet-office.gov.uk>
27 lines
768 B
Python
27 lines
768 B
Python
"""
|
|
Extracts cloudfoundry config from its json and populates the environment variables that we would expect to be populated
|
|
on local/aws boxes
|
|
"""
|
|
|
|
import os
|
|
import json
|
|
|
|
|
|
def extract_cloudfoundry_config():
|
|
vcap_services = json.loads(os.environ['VCAP_SERVICES'])
|
|
set_config_env_vars(vcap_services)
|
|
|
|
|
|
def set_config_env_vars(vcap_services):
|
|
# Postgres config
|
|
db_uri = vcap_services['postgres'][0]['credentials']['uri']
|
|
|
|
sep = "&" if "?" in db_uri else "?"
|
|
db_uri += sep + "sslmode=verify-full"
|
|
|
|
os.environ['SQLALCHEMY_DATABASE_URI'] = db_uri
|
|
|
|
vcap_application = json.loads(os.environ['VCAP_APPLICATION'])
|
|
os.environ['NOTIFY_ENVIRONMENT'] = vcap_application['space_name']
|
|
os.environ['NOTIFY_LOG_PATH'] = '/home/vcap/logs/app.log'
|