Cannot connect to Postgres via IP with sslmode=require

(edit: please see the next comment)

I have a public Postgres cluster (dedicated IPv4), and I am unable to connect to it via Terraform when using sslmode=require. I suspect this may be an issue with some Go libraries, but I’d like to learn more about the pg_tls handler’s implementation because so far I haven’t been able to find any related Go bug reports.

Additional details

  • I can connect via psql, which reports
    SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
  • I can connect via terraform if I use sslmode=disable
  • I see the error both with the pg backend and the cyrilgdn/postgresql provider.
  • Even with TF_LOG=trace there are no messages related to the error. The last entry before the error is
    Meta.Backend: ignoring local "default" workspace because its state is empty

Steps to reproduce

  1. create a new Postgres app, save the connection string
  2. allocate a dedicated IPv4 (if you’re on macOS, otherwise an IPv6 may work as well)
  3. install Terraform
  4. create a new directory, and in that directory create a file with the content:
    terraform {
      backend "pg" {
        conn_str = "postgres://"
  5. inside the directory, run terraform init

I might have found the problem: Connecting via psql fails as well if I set hostname to an allocated IP (v6 or dedicated v4) instead of the the app’s domain.
I suspect that Terraform resolves the hostname internally and connects via the IP, which bypasses the TLS proxy. Unfortunately I’m not sure how I can verify that assumption.

How can I proceed here? Do I need to set up my own TLS proxy if I want to support secure external connections via an IP (and without Wireguard)?

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.