cds-snc / forms-terraform

Infrastructure as Code for the GC Forms environment
MIT License

fix: set database max connection properties #859

Closed patheard closed 2 days ago

patheard commented 2 days ago

Summary

Update the IdP config to specify the database max connections and max idle connections.

Although these should not be needed because we use the RDS proxy to manage our connections, there is a bug report stating that leaving these empty causes slower access token responses.

The ECS task resources have also been bumped back up to the minimum recommended values to run one more performance test.

Related
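An added example of the ZITADEL database pool settings the summary refers to, with the unset "before" state beside an explicit "after"; this is not the project's own config.yaml (the plan shows the container reads a baked-in `/app/config.yaml`). Key names follow ZITADEL's `defaults.yaml` as I understand it, and the numeric values are illustrative assumptions, not the values chosen in this PR.

```yaml
# Added example, not this repository's config.yaml. Key names follow ZITADEL's
# defaults.yaml as the editor understands it; the numeric values are
# illustrative assumptions, not the values set in this PR.
Database:
  postgres:
    # Host, database name and credentials are left to the environment here, as
    # the task definition's Secrets (ZITADEL_DATABASE_POSTGRES_*) already do.
    Port: 5432

    # Before: pool limits unset, so sizing falls back to the driver defaults.
    # A pool undersized for the token endpoint's concurrency opens and closes
    # connections under load, and behind RDS Proxy each reopen is still a
    # TCP + TLS + auth handshake to the proxy; the bug report cited in the
    # summary links unset values to slower access token responses.
    # MaxOpenConns: 0
    # MaxIdleConns: 0

    # After: explicit caps. Keep MaxOpenConns * task count within the share the
    # RDS Proxy target group grants (its max_connections_percent setting), and
    # size MaxIdleConns close to MaxOpenConns so warm connections are reused
    # instead of churned.
    MaxOpenConns: 20
    MaxIdleConns: 10
    MaxConnLifetime: 30m   # recycle before upstream idle timeouts would
    MaxConnIdleTime: 5m
```

Each key can also be supplied as an environment variable in the `ZITADEL_DATABASE_POSTGRES_*` form already used by the task definition (for example `ZITADEL_DATABASE_POSTGRES_MAXOPENCONNS`), which is how ZITADEL's config loader maps them as far as I know.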

github-actions[bot] commented 2 days ago

⚠ Terraform update available

Terraform: 1.9.7 (using 1.9.2)
Terragrunt: 0.67.16 (using 0.63.2)
github-actions[bot] commented 2 days ago

Staging: idp

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

⚠️   Warning: resources will be destroyed by this change!

Plan: 1 to add, 1 to change, 1 to destroy
Show summary

| CHANGE   | NAME                                          |
|----------|-----------------------------------------------|
| update   | `module.idp_ecs.aws_ecs_service.this`         |
| recreate | `module.idp_ecs.aws_ecs_task_definition.this` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement
 <= read (data resources)

Terraform will perform the following actions:

  # module.idp_ecs.data.aws_ecs_task_definition.this_latest will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_ecs_task_definition" "this_latest" {
      + arn                  = (known after apply)
      + arn_without_revision = (known after apply)
      + execution_role_arn   = (known after apply)
      + family               = (known after apply)
      + id                   = (known after apply)
      + network_mode         = (known after apply)
      + revision             = (known after apply)
      + status               = (known after apply)
      + task_definition      = "zitadel"
      + task_role_arn        = (known after apply)
    }

  # module.idp_ecs.aws_ecs_service.this will be updated in-place
  ~ resource "aws_ecs_service" "this" {
        id              = "arn:aws:ecs:ca-central-1:687401027353:service/idp/zitadel"
        name            = "zitadel"
        tags            = {
            "CostCentre" = "forms-platform-staging"
            "Terraform"  = "true"
        }
      ~ task_definition = "zitadel:9" -> (known after apply)
        # (15 unchanged attributes hidden)

        # (5 unchanged blocks hidden)
    }

  # module.idp_ecs.aws_ecs_task_definition.this must be replaced
-/+ resource "aws_ecs_task_definition" "this" {
      ~ arn                   = "arn:aws:ecs:ca-central-1:687401027353:task-definition/zitadel:9" -> (known after apply)
      ~ arn_without_revision  = "arn:aws:ecs:ca-central-1:687401027353:task-definition/zitadel" -> (known after apply)
      ~ container_definitions = jsonencode( # whitespace changes
            [
                {
                    Command                = [
                        "start-from-init",
                        "--masterkeyFromEnv",
                        "--tlsMode",
                        "enabled",
                        "--config",
                        "/app/config.yaml",
                        "--steps",
                        "/app/steps.yaml",
                    ]
                    Cpu                    = 0
                    CredentialSpecs        = null
                    DependsOn              = null
                    DisableNetworking      = null
                    DnsSearchDomains       = null
                    DnsServers             = null
                    DockerLabels           = null
                    DockerSecurityOptions  = null
                    EntryPoint             = null
                    Environment            = [
                        {
                            Name  = "ZITADEL_EXTERNALDOMAIN"
                            Value = "auth.forms-staging.cdssandbox.xyz"
                        },
                    ]
                    EnvironmentFiles       = null
                    Essential              = true
                    ExtraHosts             = null
                    FirelensConfiguration  = null
                    HealthCheck            = null
                    Hostname               = null
                    Image                  = "687401027353.dkr.ecr.ca-central-1.amazonaws.com/idp/zitadel:latest"
                    Interactive            = null
                    Links                  = null
                    LinuxParameters        = {
                        Capabilities       = {
                            Add  = []
                            Drop = [
                                "ALL",
                            ]
                        }
                        Devices            = null
                        InitProcessEnabled = null
                        MaxSwap            = null
                        SharedMemorySize   = null
                        Swappiness         = null
                        Tmpfs              = null
                    }
                    LogConfiguration       = {
                        LogDriver     = "awslogs"
                        Options       = {
                            awslogs-group         = "/aws/ecs/idp/zitadel"
                            awslogs-region        = "ca-central-1"
                            awslogs-stream-prefix = "task"
                        }
                        SecretOptions = null
                    }
                    Memory                 = null
                    MemoryReservation      = null
                    MountPoints            = []
                    Name                   = "zitadel"
                    PortMappings           = [
                        {
                            AppProtocol        = ""
                            ContainerPort      = 8080
                            ContainerPortRange = null
                            HostPort           = 8080
                            Name               = null
                            Protocol           = "tcp"
                        },
                    ]
                    Privileged             = null
                    PseudoTerminal         = null
                    ReadonlyRootFilesystem = true
                    RepositoryCredentials  = null
                    ResourceRequirements   = null
                    Secrets                = [
                        {
                            Name      = "ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD"
                            ValueFrom = "arn:aws:ssm:ca-central-1:687401027353:parameter/idp_database_cluster_admin_password"
                        },
                        {
                            Name      = "ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME"
                            ValueFrom = "arn:aws:ssm:ca-central-1:687401027353:parameter/idp_database_cluster_admin_username"
                        },
                        {
                            Name      = "ZITADEL_DATABASE_POSTGRES_DATABASE"
                            ValueFrom = "arn:aws:ssm:ca-central-1:687401027353:parameter/zitadel_database_name"
                        },
                        {
                            Name      = "ZITADEL_DATABASE_POSTGRES_HOST"
                            ValueFrom = "arn:aws:ssm:ca-central-1:687401027353:parameter/zitadel_database_host"
                        },
                        {
                            Name      = "ZITADEL_DATABASE_POSTGRES_USER_PASSWORD"
                            ValueFrom = "arn:aws:ssm:ca-central-1:687401027353:parameter/zitadel_database_user_password"
                        },
                        {
                            Name      = "ZITADEL_DATABASE_POSTGRES_USER_USERNAME"
                            ValueFrom = "arn:aws:ssm:ca-central-1:687401027353:parameter/zitadel_database_user_username"
                        },
                        {
                            Name      = "ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORD"
                            ValueFrom = "arn:aws:ssm:ca-central-1:687401027353:parameter/zitadel_admin_password"
                        },
                        {
                            Name      = "ZITADEL_FIRSTINSTANCE_ORG_HUMAN_USERNAME"
                            ValueFrom = "arn:aws:ssm:ca-central-1:687401027353:parameter/zitadel_admin_username"
                        },
                        {
                            Name      = "ZITADEL_MASTERKEY"
                            ValueFrom = "arn:aws:ssm:ca-central-1:687401027353:parameter/zitadel_secret_key"
                        },
                    ]
                    StartTimeout           = null
                    StopTimeout            = null
                    SystemControls         = []
                    Ulimits                = null
                    User                   = null
                    VolumesFrom            = []
                    WorkingDirectory       = null
                },
            ]
        )
      ~ cpu                   = "1024" -> "4096" # forces replacement
      ~ id                    = "zitadel" -> (known after apply)
      ~ memory                = "2048" -> "8192" # forces replacement
      ~ revision              = 9 -> (known after apply)
        tags                  = {
            "CostCentre" = "forms-platform-staging"
            "Terraform"  = "true"
        }
        # (10 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 1 to add, 1 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_alb_listener_rule.idp_protocol_version"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.idp_send_email"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_user.idp_send_email"]
WARN - plan.json - main - Missing Common Tags: ["aws_shield_protection.idp"]

23 tests, 19 passed, 4 warnings, 0 failures, 0 exceptions
```