Description
Creates a migration plan and execution scripts for replacing the shared prod-rdsproxy with three service-isolated, IAM-only RDS proxies:
| Proxy | Service | Target DB |
|---|---|---|
| iam-proxy-apollo | Apollo (Next.js) | prodrds |
| iam-proxy-thermos | All Thermos services | prodrds |
| iam-proxy-workerdb | Thermos workers (webhook/polling/timer) | workerdb Aurora |
Each proxy uses IAMAuth: REQUIRED — clients must present a signed 15-minute IAM token instead of a password. The old proxies remain live throughout; cutover is a single Doppler variable swap, fully reversible.
Files:
- docs/iam-rds-proxy-migration.md — full architecture, migration phases, IAM permission model, rollback procedure
- scripts/create-iam-proxies.sh — creates all three proxies against existing Secrets Manager credentials
- scripts/grant-rds-iam-connect.sh — attaches an rds-db:connect inline policy to prod_us-east-1_ecs_task_execution_role after the proxies are available
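Added illustration (not code from this PR or its scripts) of the two security-relevant pieces above: the shape of the least-privilege rds-db:connect grant, scoped per proxy resource ID and DB user rather than a wildcard, and a pre-flight check a client can run on the 15-minute IAM auth token before passing it to the driver. The account ID, prx-... resource IDs, DB user names and the sample token are constructed placeholders; the real resource IDs only exist after create-iam-proxies.sh has run, which is why the grant script resolves them dynamically.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed placeholders (not values from the PR). Real prx-... resource IDs
# are only known after the proxies are created.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
PROXIES = {
    "iam-proxy-apollo": ("prx-PLACEHOLDER-APOLLO", "apollo_app"),
    "iam-proxy-thermos": ("prx-PLACEHOLDER-THERMOS", "thermos_app"),
    "iam-proxy-workerdb": ("prx-PLACEHOLDER-WORKERDB", "thermos_worker"),
}
MAX_TOKEN_SECONDS = 900  # RDS IAM auth tokens are valid for at most 15 minutes


def rds_connect_arn(region, account_id, proxy_resource_id, db_user):
    """rds-db:connect is scoped by the proxy resource ID and DB user name;
    a wildcard here would let the role connect as any user on any proxy."""
    return f"arn:aws:rds-db:{region}:{account_id}:dbuser:{proxy_resource_id}/{db_user}"


def build_connect_policy(proxies, region=REGION, account_id=ACCOUNT_ID):
    """Inline policy document for the task execution role: one ARN per
    (proxy, DB user) pair and nothing else."""
    resources = [rds_connect_arn(region, account_id, rid, user) for rid, user in proxies.values()]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowIamConnectToIsolatedProxies",
                "Effect": "Allow",
                "Action": "rds-db:connect",
                "Resource": resources,
            }
        ],
    }


def check_auth_token(token, expected_user, expected_host):
    """Sanity-check an RDS IAM auth token (a SigV4 presigned URL without the
    scheme) before handing it to the DB driver. Returns a list of findings;
    an empty list means the token targets the expected endpoint and user and
    is no longer-lived than the 15-minute maximum."""
    parts = urlsplit("https://" + token)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.hostname != expected_host.lower():
        findings.append(f"token is for {parts.hostname}, not {expected_host}")
    if params.get("Action") != "connect":
        findings.append("Action is not 'connect'")
    if params.get("DBUser") != expected_user:
        findings.append(f"DBUser is {params.get('DBUser')!r}, expected {expected_user!r}")
    if params.get("X-Amz-Algorithm") != "AWS4-HMAC-SHA256":
        findings.append("unexpected signing algorithm")
    if "/rds-db/" not in params.get("X-Amz-Credential", ""):
        findings.append("credential scope is not for the rds-db service")
    if params.get("X-Amz-SignedHeaders") != "host":
        findings.append("signed headers must be exactly 'host'")
    try:
        expires = int(params.get("X-Amz-Expires", ""))
    except ValueError:
        expires = None
    if expires is None or expires <= 0 or expires > MAX_TOKEN_SECONDS:
        findings.append(f"X-Amz-Expires={params.get('X-Amz-Expires')!r} is outside 1..{MAX_TOKEN_SECONDS}")
    if not params.get("X-Amz-Signature"):
        findings.append("missing X-Amz-Signature")
    return findings


# Constructed sample token in the shape produced by SigV4 presigning for
# rds-db:connect; the signature and access key are placeholders.
SAMPLE_HOST = "iam-proxy-apollo.proxy-placeholder.us-east-1.rds.amazonaws.com"
SAMPLE_TOKEN = (
    f"{SAMPLE_HOST}:5432/"
    "?Action=connect&DBUser=apollo_app&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAPLACEHOLDER%2F20240101%2Fus-east-1%2Frds-db%2Faws4_request"
    "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=0000placeholder0000"
)

if __name__ == "__main__":
    print(json.dumps(build_connect_policy(PROXIES), indent=2))
    print(check_auth_token(SAMPLE_TOKEN, "apollo_app", SAMPLE_HOST))
```

The policy deliberately lists each proxy/user ARN rather than `arn:aws:rds-db:*:*:dbuser:*/*`, so that a compromised Apollo task cannot use its role to reach the worker database through iam-proxy-workerdb; the token check catches a token minted for the wrong endpoint or user, or one whose lifetime exceeds what the migration doc promises.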
Depends on: PR #10242 (IAM auth code for Apollo/Thermos/Redis) must be merged before Phase 5 (Doppler flip).
How did I test this PR
Scripts are idempotent AWS CLI calls using existing secrets and IAM roles already present in the account. Proxy resource IDs are resolved dynamically at grant time so no ARN is hardcoded before creation.
🤖 Generated with Claude Code