Replace RDS password-based authentication with IAM role authentication

- Updated Python Django app to use IAM role auth instead of base64 decoded password
- Updated Java Spring Boot app to use IAM role auth with useAWSIam=true parameter
- Updated Node.js app to use IAM role auth with SSL configuration
- Removed RDS_MYSQL_CLUSTER_PASSWORD environment variables from all Terraform configurations
- Removed password-related variables from Terraform variable files
- All applications now use IAM role authentication for RDS connections

Author: lukeina2z

sample-apps/java/springboot-main-service/src/main/java/com/amazon/sampleapp/FrontendServiceController.java

@@ -32,7 +32,6 @@
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.util.EntityUtils;
-import org.apache.tomcat.util.codec.binary.Base64;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -151,12 +150,15 @@ public String asyncService() {
   @ResponseBody
   public String mysql() {
     logger.info("mysql received");
-    final String rdsMySQLClusterPassword = new String(new Base64().decode(System.getenv("RDS_MYSQL_CLUSTER_PASSWORD").getBytes()));
     try {
+      // Use IAM role authentication instead of password
+      String connectionUrl = System.getenv("RDS_MYSQL_CLUSTER_CONNECTION_URL") + 
+                           "?useSSL=true&requireSSL=true&verifyServerCertificate=false" +
+                           "&allowPublicKeyRetrieval=true&useAWSIam=true";
       Connection connection = DriverManager.getConnection(
-              System.getenv("RDS_MYSQL_CLUSTER_CONNECTION_URL"),
+              connectionUrl,
               System.getenv("RDS_MYSQL_CLUSTER_USERNAME"),
-              rdsMySQLClusterPassword);
+              null); // No password needed for IAM auth
       Statement statement = connection.createStatement();
       statement.executeQuery("SELECT * FROM tables LIMIT 1;");
     } catch (SQLException e) {

sample-apps/node/frontend-service/index.js

@@ -121,12 +121,18 @@ app.get('/client-call', (req, res) => {
 });
 
 app.get('/mysql', (req, res) => {
-  // Create a connection to the MySQL database
+  // Create a connection to the MySQL database using IAM role authentication
   const connection = mysql.createConnection({
     host: process.env.RDS_MYSQL_CLUSTER_ENDPOINT,
     user: process.env.RDS_MYSQL_CLUSTER_USERNAME,
-    password: process.env.RDS_MYSQL_CLUSTER_PASSWORD,
     database: process.env.RDS_MYSQL_CLUSTER_DATABASE,
+    ssl: {
+      ca: require('fs').readFileSync('/opt/rds-ca-2019-root.pem', 'utf8'),
+      rejectUnauthorized: false
+    },
+    authPlugins: {
+      mysql_clear_password: () => () => Buffer.alloc(0)
+    }
   });
 
   // Connect to the database

sample-apps/python/django_frontend_service/frontend_service_app/__pycache__/views.cpython-312.pyc

@@ -2,7 +2,6 @@
 ## SPDX-License-Identifier: Apache-2.0
 import logging
 import os
-import base64
 import threading
 import time
 
@@ -113,14 +112,16 @@ def get_xray_trace_id():
 def mysql(request):
     logger.info("mysql received")
 
-    encoded_password = os.environ["RDS_MYSQL_CLUSTER_PASSWORD"]
-    decoded_password = base64.b64decode(encoded_password).decode('utf-8')
-
     try:
-        connection = pymysql.connect(host=os.environ["RDS_MYSQL_CLUSTER_ENDPOINT"],
-                                     user=os.environ["RDS_MYSQL_CLUSTER_USERNAME"],
-                                     password=decoded_password,
-                                     database=os.environ["RDS_MYSQL_CLUSTER_DATABASE"])
+        # Use IAM role authentication instead of password
+        connection = pymysql.connect(
+            host=os.environ["RDS_MYSQL_CLUSTER_ENDPOINT"],
+            user=os.environ["RDS_MYSQL_CLUSTER_USERNAME"],
+            database=os.environ["RDS_MYSQL_CLUSTER_DATABASE"],
+            ssl={'ca': '/opt/rds-ca-2019-root.pem'},
+            auth_plugin_map={'mysql_clear_password': ''},
+            connect_timeout=10
+        )
         with connection:
             with connection.cursor() as cursor:
                 cursor.execute("SELECT * FROM tables LIMIT 1;")

sample-apps/python/django_frontend_service/frontend_service_app/views.py

@@ -119,10 +119,6 @@ resource "kubernetes_deployment" "sample_app_deployment" {
             name = "RDS_MYSQL_CLUSTER_USERNAME"
             value = var.rds_mysql_cluster_username
           }
-          env {
-            name = "RDS_MYSQL_CLUSTER_PASSWORD"
-            value = var.rds_mysql_cluster_password
-          }
           env {
             name = "OTEL_INSTRUMENTATION_COMMON_EXPERIMENTAL_CONTROLLER_TELEMETRY_ENABLED"
             value = "true"

terraform/java/eks/main.tf

@@ -57,10 +57,6 @@ variable "rds_mysql_cluster_username" {
   default = "username"
 }
 
-variable "rds_mysql_cluster_password" {
-  default = "password"
-}
-
 variable "account_id" {
   default = "<AWS_ACCOUNT_ID>"
 }

terraform/java/eks/variables.tf

@@ -126,10 +126,6 @@ resource "kubernetes_deployment" "sample_app_deployment" {
             name = "RDS_MYSQL_CLUSTER_USERNAME"
             value = var.rds_mysql_cluster_username
           }
-          env {
-            name = "RDS_MYSQL_CLUSTER_PASSWORD"
-            value = var.rds_mysql_cluster_password
-          }
           port {
             container_port = 8000
           }

terraform/node/eks/main.tf

@@ -57,10 +57,6 @@ variable "rds_mysql_cluster_username" {
   default = "username"
 }
 
-variable "rds_mysql_cluster_password" {
-  default = "password"
-}
-
 variable "account_id" {
   default = "<AWS_ACCOUNT_ID>"
 }

terraform/node/eks/variables.tf

@@ -131,10 +131,6 @@ resource "kubernetes_deployment" "python_app_deployment" {
             name = "RDS_MYSQL_CLUSTER_USERNAME"
             value = var.rds_mysql_cluster_username
           }
-          env {
-            name = "RDS_MYSQL_CLUSTER_PASSWORD"
-            value = var.rds_mysql_cluster_password
-          }
           port {
             container_port = 8000
           }

terraform/python/eks/main.tf

@@ -61,10 +61,6 @@ variable "rds_mysql_cluster_username" {
   default = "username"
 }
 
-variable "rds_mysql_cluster_password" {
-  default = "password"
-}
-
 variable "account_id" {
   default = "<AWS_ACCOUNT_ID>"
 }