LivingAi
/
auth
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
auth/MIGRATION_SUMMARY.md

5.3 KiB
Raw Blame History

AWS Database Migration - Implementation Summary

Completed Changes

All code changes have been implemented to migrate from local Docker PostgreSQL to AWS PostgreSQL using AWS SSM Parameter Store for secure credential management.

📁 Files Modified

1. src/utils/awsSsm.js

Changes:

  • Updated to use correct SSM parameter paths:
    • Read-Write: /test/livingai/db/app
    • Read-Only: /test/livingai/db/app/readonly
  • Added support for DB_USE_READONLY environment variable
  • Improved error handling with detailed error messages
  • Added buildDatabaseConfig() function for SSL support
  • Updated credential validation and parsing

2. src/db.js

Changes:

  • Added SSL configuration for self-signed certificates
  • Updated to use buildDatabaseConfig() instead of connection string
  • Improved error handling and logging
  • Auto-detection of AWS database when DB_HOST=db.livingai.app
  • Connection pool configuration (max: 20, idleTimeout: 30s)

3. src/config.js

Changes:

  • Updated to require AWS credentials when using SSM
  • Removed DATABASE_URL from required env vars when USE_AWS_SSM=true
  • Added validation for AWS credentials

4. Documentation

New Files:

  • docs/getting-started/AWS_DATABASE_MIGRATION.md - Complete migration guide
  • docs/getting-started/ENV_VARIABLES_REFERENCE.md - Environment variables reference
  • MIGRATION_SUMMARY.md - This file

🔒 Security Implementation

Credentials Management

  • NO database credentials in .env files
  • Credentials fetched from AWS SSM Parameter Store at runtime
  • Only AWS credentials (for SSM access) in .env
  • Supports both read-write and read-only users

SSL Configuration

  • SSL enabled with rejectUnauthorized: false for self-signed certificates
  • Connection string includes ?sslmode=require
  • Proper SSL configuration in connection pool

📋 Required Environment Variables

For AWS Database (Production)

# AWS Configuration (for SSM access)
AWS_REGION=ap-south-1
AWS_ACCESS_KEY_ID=your_aws_access_key
AWS_SECRET_ACCESS_KEY=your_aws_secret_key
USE_AWS_SSM=true

# JWT Configuration
JWT_ACCESS_SECRET=your_secret
JWT_REFRESH_SECRET=your_secret

Optional

DB_USE_READONLY=false  # false = read_write_user, true = read_only_user
DB_HOST=db.livingai.app
DB_PORT=5432
DB_NAME=livingai_test_db

🔄 Migration Steps

  1. Set up AWS SSM Parameters:

    • Create /test/livingai/db/app with read-write user credentials (JSON format)
    • Create /test/livingai/db/app/readonly with read-only user credentials (optional)

  2. Update .env file:

    • Add AWS credentials (AWS_REGION, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
    • Set USE_AWS_SSM=true
    • Remove any database credentials (DB_USER, DB_PASSWORD, DATABASE_URL)

  3. Verify IAM Permissions:

    • Ensure IAM user/role has ssm:GetParameter permission for both SSM parameter paths

  4. Test Connection:

    • Start application: npm start
    • Verify logs show successful SSM credential fetch and database connection

🧪 Testing Checklist

  • AWS SSM parameters created with correct paths and JSON format
  • IAM user has SSM read permissions
  • .env file has AWS credentials (no DB credentials)
  • USE_AWS_SSM=true in .env
  • Application starts without errors
  • Database connection established successfully
  • SSL connection working (no SSL errors)
  • API endpoints respond correctly
  • Database queries execute successfully
  • All business logic works as before

🔍 Verification Commands

Check AWS SSM Parameter

aws ssm get-parameter --name "/test/livingai/db/app" --with-decryption --region ap-south-1

Test Database Connection

npm start
# Look for these log messages:
# ✅ Successfully fetched DB credentials from SSM: /test/livingai/db/app (read-write user)
# ✅ Using database credentials from AWS SSM Parameter Store
# ✅ Database connection established successfully

⚠️ Important Notes

  1. No Breaking Changes: All business logic remains unchanged. Only database connection configuration was updated.

  2. Backward Compatibility: Local development still works with DATABASE_URL when USE_AWS_SSM=false.

  3. Security: Database credentials are never stored in files. They are fetched from AWS SSM at runtime.

  4. SSL: Self-signed certificates are supported via rejectUnauthorized: false configuration.

  5. Connection Pooling: Configured with sensible defaults (max 20 connections, 30s idle timeout).

📚 Documentation

For detailed information, see:

  • docs/getting-started/AWS_DATABASE_MIGRATION.md - Complete migration guide
  • docs/getting-started/ENV_VARIABLES_REFERENCE.md - Environment variables reference

🐛 Troubleshooting

Common issues and solutions are documented in docs/getting-started/AWS_DATABASE_MIGRATION.md under the "Troubleshooting" section.

Next Steps

  1. Review the changes in the modified files
  2. Set up AWS SSM parameters with your database credentials
  3. Update your .env file with AWS credentials
  4. Test the connection
  5. Deploy to your AWS environment

Migration Status: Complete All Requirements Met: Yes Security Requirements Met: Yes Backward Compatibility: Maintained