Problem migrating to RDS
We're trying to migrate our GitLab Omnibus install to use an external Postgres DB (Amazon RDS).
The docs seem to indicate that the database user will need to have the rds_superuser role:
https://docs.gitlab.com/ce/administration/postgresql/external.html
The problem is, we have multiple databases for many applications on our RDS instance. It's a security concern to grant that level of access to everything on the instance.
Can someone tell me why the rds_superuser role is needed? Is it just to install extensions?
The AWS docs indicate the role can do the following:
The rds_superuser role can do the following:
- Add extensions that are available for use with Amazon RDS. For more information, see Some supported PostgreSQL features and the PostgreSQL documentation.
- Manage tablespaces, including creating and deleting them. For more information, see Tablespaces for PostgreSQL on Amazon RDS and the Tablespaces section in the PostgreSQL documentation.
- View all users not assigned the rds_superuser role using the pg_stat_activity command and stop their connections using the pg_terminate_backend and pg_cancel_backend commands.
- Grant and revoke the rds_replication role for all roles that are not the rds_superuser role. For more information, see the GRANT section in the PostgreSQL documentation.
If we need the rds_superuser role simply to install/manage database extensions, I suppose I could do that manually with the actual master account on the instance.
What I'm trying to determine is if the lack of that role will cause problems later when we go to upgrade the GitLab application.
I've looked through the docs and can't seem to find an answer to those questions. I appreciate any insight and hope that maybe some of this can also be included in the docs.
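
The split described in the post (extensions installed by the master account, a separate application role without rds_superuser) could look like the following. This is an added example, not part of the original post and not taken from the GitLab or AWS documentation. The role name `gitlab`, the database name `gitlabhq_production`, the password placeholder and the two extension names are assumptions; take the extension list for your version from the GitLab documentation.

```sql
-- Run in psql as the RDS master user. Names are placeholders (assumptions).

-- 1. Application login role with no membership in rds_superuser.
CREATE ROLE gitlab WITH LOGIN PASSWORD 'REPLACE_ME'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- The master user is not a true superuser on RDS, so it must be a member
-- of the role before it can hand ownership of a database to it.
GRANT gitlab TO CURRENT_USER;

-- 2. Database owned by the application role; drop the default PUBLIC access.
CREATE DATABASE gitlabhq_production OWNER gitlab;
REVOKE CONNECT ON DATABASE gitlabhq_production FROM PUBLIC;

-- 3. Install extensions as the master user inside that database only.
\connect gitlabhq_production
CREATE EXTENSION IF NOT EXISTS pg_trgm;     -- assumed extension name
CREATE EXTENSION IF NOT EXISTS btree_gist;  -- assumed extension name

-- 4. Audit: which roles are members of rds_superuser?
--    The application role should not appear here.
SELECT member.rolname AS member_of_rds_superuser
FROM pg_auth_members m
JOIN pg_roles grp    ON grp.oid = m.roleid
JOIN pg_roles member ON member.oid = m.member
WHERE grp.rolname = 'rds_superuser';

-- 5. Audit: which databases on the shared instance can the application
--    role connect to? CONNECT is granted to PUBLIC by default, so other
--    applications' databases show up until that grant is revoked on them.
SELECT datname,
       has_database_privilege('gitlab', datname, 'CONNECT') AS gitlab_can_connect
FROM pg_database
WHERE NOT datistemplate
ORDER BY datname;

-- 6. Record the installed extension versions for comparison before an upgrade.
SELECT extname, extversion FROM pg_extension ORDER BY extname;
```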