Breaking change in how provider verifies SSL-mode conenctions

[magul]

Terraform Version

Terraform v1.6.1
on darwin_amd64
+ provider registry.terraform.io/cyrilgdn/postgresql v1.21.0

Affected Resource(s)

It's transport issue inside provider itself. sources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

We're managing PostgreSQL instances that are inside private subnet of our VPC - to establish connection to them we use SSH tunelling. On provider version 1.19 it was working fine with:

provider "postgresql" {
  host     = "localhost"
  port     = 5432
  username = aws_db_instance.database.username
  password = aws_db_instance.database.password
  sslmode  = "verify-ca"
  # https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html
  # https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
  sslrootcert = "${path.module}/../../../modules/aws/environment/assets/global-bundle.pem"
  superuser   = false
}

after upgrade to 1.21 we started getting (with above configuration):

│ Error: Error connecting to PostgreSQL server localhost (scheme: postgres): x509: certificate is valid for XXX.XXX.us-east-1.rds.amazonaws.com, XXX.XXX.us-east-1.rds.amazonaws.com, XXX.XXX.us-east-1.rds.amazonaws.com, XXX.XXX.us-east-1.rds.amazonaws.com, not localhost

current workaround we employed (TBH we will stick with IP address instead of domain name, so from our perspective that's not a workaround) - we changed domain alias to direct IP address, so our current configuration looks like:

provider "postgresql" {
  host     = "127.0.0.1"
  port     = 5432
  username = aws_db_instance.database.username
  password = aws_db_instance.database.password
  sslmode  = "verify-ca"
  # https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html
  # https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
  sslrootcert = "${path.module}/../../../modules/aws/environment/assets/global-bundle.pem"
  superuser   = false
}

This workaround was inspired by: https://github.com/lib/pq/pull/1088/files#diff-22787c14a71947ab97f63d989464974b815e5b70a4cd27699215ea448a493f29R58-R60

Expected Behavior

When sslmode is set to verify-ca provider should not complain about domain mismatch (or at least provide way to set sslsni in pq library, if from RfC perspective complaining about mismatch is desired outcome).

Actual Behavior

When tuneling access to database through SSH providers is complaining about domain mismatch, even if sslmode is set to verfiy-ca.

Steps to Reproduce

1. Use provider 1.21 (it should be also reproduceable on 1.20)
2. Tunel access to DB via SSH.
3. Use domain (instead of IP address) in provider configuration.
4. AFAIK you need to have at least one resource declared using this provider.
5. Observe provider complaining about domain mismatch.

References

• pull request, that upgrade pq library: https://github.com/cyrilgdn/terraform-provider-postgresql/pull/295
• pull request introducing SNI in TLS connections in pq library: https://github.com/lib/pq/pull/1088