Fix: Add missing TFE_DATABASE_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE for postgres passwordless

raviharshicorp · raviharshicorp · commit 86eec09fe5d2 · 2025-10-29T12:35:19.000+05:30
This critical fix adds the missing TFE_ prefixed environment variables that
the Go config system requires to properly configure AWS RDS IAM authentication.

Without these variables, the terraform-enterprise Go application cannot
read the passwordless configuration via envconfig, causing 502 errors.

Added:
- TFE_DATABASE_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE (for Go config system)
- TFE_DATABASE_PASSWORDLESS_AWS_REGION (for Go config system)

Kept existing:
- DATABASE_AUTH_USE_AWS_IAM (for Atlas Ruby application)
- DATABASE_AUTH_AWS_DB_REGION (for Atlas Ruby application)

This matches the pattern used in redis_config.tf and ensures both
configuration systems receive the required environment variables.
diff --git a/modules/runtime_container_engine_config/database_config.tf b/modules/runtime_container_engine_config/database_config.tf
@@ -3,19 +3,21 @@
 
 locals {
   database = {
-    TFE_DATABASE_USER                         = var.database_user
-    TFE_DATABASE_PASSWORD                     = var.database_password
-    TFE_DATABASE_HOST                         = var.database_host
-    TFE_DATABASE_NAME                         = var.database_name
-    TFE_DATABASE_PARAMETERS                   = var.database_parameters
-    TFE_DATABASE_USE_MTLS                     = var.database_use_mtls
-    TFE_DATABASE_CA_CERT_FILE                 = var.database_ca_cert_file
-    TFE_DATABASE_CLIENT_CERT_FILE             = var.database_client_cert_file
-    TFE_DATABASE_CLIENT_KEY_FILE              = var.database_client_key_file
-    TFE_DATABASE_PASSWORDLESS_AZURE_USE_MSI   = var.database_passwordless_azure_use_msi
-    TFE_DATABASE_PASSWORDLESS_AZURE_CLIENT_ID = var.database_passwordless_azure_client_id
-    DATABASE_AUTH_USE_AWS_IAM                 = var.database_passwordless_aws_use_iam
-    DATABASE_AUTH_AWS_DB_REGION               = var.database_passwordless_aws_region
+    TFE_DATABASE_USER                                        = var.database_user
+    TFE_DATABASE_PASSWORD                                    = var.database_password
+    TFE_DATABASE_HOST                                        = var.database_host
+    TFE_DATABASE_NAME                                        = var.database_name
+    TFE_DATABASE_PARAMETERS                                  = var.database_parameters
+    TFE_DATABASE_USE_MTLS                                    = var.database_use_mtls
+    TFE_DATABASE_CA_CERT_FILE                                = var.database_ca_cert_file
+    TFE_DATABASE_CLIENT_CERT_FILE                            = var.database_client_cert_file
+    TFE_DATABASE_CLIENT_KEY_FILE                             = var.database_client_key_file
+    TFE_DATABASE_PASSWORDLESS_AZURE_USE_MSI                  = var.database_passwordless_azure_use_msi
+    TFE_DATABASE_PASSWORDLESS_AZURE_CLIENT_ID                = var.database_passwordless_azure_client_id
+    TFE_DATABASE_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE       = var.database_passwordless_aws_use_iam
+    TFE_DATABASE_PASSWORDLESS_AWS_REGION                     = var.database_passwordless_aws_region
+    DATABASE_AUTH_USE_AWS_IAM                                = var.database_passwordless_aws_use_iam
+    DATABASE_AUTH_AWS_DB_REGION                              = var.database_passwordless_aws_region
   }
   database_configuration = local.disk ? {} : local.database
   explorer_database = {
