Cannot connect to Postgres via IP with sslmode=require

(edit: please see the next comment)

I have a public Postgres cluster (dedicated IPv4), and I am unable to connect to it via Terraform when using sslmode=require. I suspect this may be an issue with some Go libraries, but I’d like to learn more about the pg_tls handler’s implementation because so far I haven’t been able to find any related Go bug reports.

Additional details

  • I can connect via psql, which reports
    SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
    
  • I can connect via terraform if I use sslmode=disable
  • I see the error both with the pg backend and the cyrilgdn/postgresql provider.
  • Even with TF_LOG=trace there are no messages related to the error. The last entry before the error is
    Meta.Backend: ignoring local "default" workspace because its state is empty
    

Steps to reproduce

  1. create a new Postgres app, save the connection string
  2. allocate a dedicated IPv4 (if you’re on macOS, otherwise an IPv6 may work as well)
  3. install Terraform
  4. create a new directory, and in that directory create a file main.tf with the content:
    terraform {
      backend "pg" {
        conn_str = "postgres://postgres:YOUR_PASS@YOUR_APP_NAME.fly.dev:5432?sslmode=require"
      }
    }
    
  5. inside the directory, run terraform init

I might have found the problem: Connecting via psql fails as well if I set hostname to an allocated IP (v6 or dedicated v4) instead of the app’s .fly.dev domain.
I suspect that Terraform resolves the hostname internally and connects via the IP, which bypasses the TLS proxy. Unfortunately I’m not sure how I can verify that assumption.

How can I proceed here? Do I need to set up my own TLS proxy if I want to support secure external connections via an IP (and without WireGuard)?
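One way to check the assumption above without Terraform in the loop is to speak the first step of the PostgreSQL protocol yourself. Before any TLS handshake, a client sends an 8-byte SSLRequest packet and the server answers a single byte: `S` (TLS is available, proceed with the handshake) or `N` (this endpoint does not offer TLS, which is exactly the case `sslmode=require` refuses). Probing the `.fly.dev` hostname and the raw IP separately shows whether the two endpoints behave differently. The script below is an added example, not code from the original post or from Fly.io or Terraform; the loopback mock server, the host names and the ports are constructed for illustration.

```python
"""Probe whether a PostgreSQL endpoint offers TLS (the step sslmode=require depends on).

Added example, not code from the original post. It sends the PostgreSQL SSLRequest
packet and reads the server's one-byte reply: 'S' means TLS is offered, 'N' means it
is not. Running it once against the .fly.dev hostname and once against the allocated
IP shows whether the two endpoints differ. The mock server is a constructed stand-in
so the probe can be exercised offline; real targets are command-line arguments.
"""
import socket
import struct
import threading

# SSLRequest body: Int32 length (8) followed by the magic code 80877103 (1234 << 16 | 5679).
SSL_REQUEST_CODE = 80877103


def ssl_request_message() -> bytes:
    """Build the 8-byte SSLRequest packet a libpq-style client sends first."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def interpret_response(reply: bytes) -> str:
    """Map the server's one-byte answer to a verdict."""
    if reply == b"S":
        return "tls-offered"      # client may now start the TLS handshake
    if reply == b"N":
        return "tls-refused"      # sslmode=require fails here; sslmode=disable would work
    return "not-postgres"         # empty or unexpected reply: something else is answering


def probe(host: str, port: int = 5432, timeout: float = 5.0) -> str:
    """Connect, send SSLRequest, and report whether the endpoint offers TLS."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(ssl_request_message())
        reply = sock.recv(1)
    return interpret_response(reply)


def start_mock_server(answer: bytes) -> int:
    """Constructed stand-in for a server: answers one SSLRequest with `answer`. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(8) == ssl_request_message():
                conn.sendall(answer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    # Usage: python probe_pg_tls.py <host-or-ip> [port]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5432
    print(f"{target}:{port} -> {probe(target, port)}")
```

Run it twice, once with the hostname and once with the IP. If the hostname answers `tls-offered` while the IP answers `tls-refused` (or the connection to the IP is reset before any reply), the endpoints really are different, which is consistent with the TLS handling living in a proxy that only sits in front of the hostname path. If both answer `tls-offered`, the problem is somewhere in the client library rather than in the network path.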
