Point Heroku application to AWS RDS database

The following steps worked for me (Feb 2017), given the following setup:

• AWS RDS Region eu-west-2 (which uses VPC Security Groups, not DB Security Groups)
• Postgres 9.6
• Heroku, hosting a Flask application (eg appname: heroku-app-stage)
• Git with a remote added into the Heroku app (eg remote: stage)
• DATABASE_URL value of postgresql://username:password@awsrdshost:5432/dbname

There are broadly four steps to this:

1. Download and install the Amazon RDS SSL root certificate into your Heroku app
2. Configure your Heroku app to refer to said root certificate
3. Enable SSL on your RDS instance
4. Configure your RDS security group to allow all IP address ranges for Incoming traffic

Download and install Amazon RDS SSL root certificate

1. Download the .pem certificate file from the Amazon RDS link below.
2. Put the file into your app folders (make a note of location, I have placed it in my root folder with my .py files)
3. Commit that file into your git repository, and push said commit into the Heroku remote (git push stage master)
4. Verify that the certificate has been uploaded into the expected path (you can do heroku run bash --app heroku-app-stage to see your files in the dyno)

Configure Heroku to refer to root certificate

1. Via the Heroku dashboard, navigate to heroku-app-stage, go to Settings tab, and click on Reveal Config Vars
2. Update your DATABASE_URL variable by adding ?sslrootcert=rds-combined-ca-bundle.pem&sslmode=require. The new value should now be postgresql://username:password@awsrdshost:5432/dbname?sslrootcert=rds-combined-ca-bundle.pem&sslmode=require

Note that this answer uses a root certificate; there may be other options which may be what you want in which case refer to the following SO:

How to connect to a remote PostgreSQL database with Python

Enable SSL on your RDS instance

1. Via your RDS console, navigate to your instance details and note down the Parameter Group that it is using
2. Go to the Parameter Group screen on the dashboard
3. If you are using the default parameter group, you will need to create another parameter group, as you will not be able to edit the default one.
4. Modify the force_ssl parameter to have value 1 and save.
5. Verify that SSL is now enabled on your RDS instance. If you run psql postgres -h awsrdshost -p 5432 -U username, you should see SSL in the connection details

Configure RDS security group to allow all incoming IP ranges

1. Via your RDS console, check the active Security Group for your instance
2. Navigate to the EC2 console (under Compute > EC2), and select Security Groups
3. Select the relevant security group (from step 1) and go to the Inbound tab at the bottom. You should see a PostgreSQL item listed there. If you hit Edit, you should have an option to change the Source to Anywhere.

Note: instructions are only relevant if you're using an RDS setup that uses VPC Security Groups

That's it!

Links to the reference pages used:

Amazon's guide to SSL on Postgres http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.SSL

Heroku's (very short) guide to Amazon RDS https://devcenter.heroku.com/articles/amazon-rds

I figured out how to point heroku app to AWS RDS database. This allows me to have a giant database, test out Amazon's free tier for a year and have more customization over my database instance. This answer is in response to @pseudopeach question (pardon the delay).

So this is a pretty simple set up. To configure RDS for Heroky you need to know heroku well and you need to know AWS VERY well.

1. AWS side

a) set up your region. Pick the region closest to you e.g. US EAST (Ohio)

b) then click services tab and select rds

c) i have a db ts micro (i think that's the free tier option)

d) do the rds set up and after it is up and running you click "instance actions" and see details

e) here you will be able to view your db-username, dbname, endpoint (which for me is a url similar to this [dbname].[randomstring].us-east-1.rds.amazon.com) and port number. You need these things plus you db password for the heroku side.

2. Heroku side

a) go to your heroku app on heroku.com, then settings b) click revealconfig variables

typical heroku variables look like this:

DATABASE_URL xxxxxx

HEROKU_POSTGRESQL_VIOLET_URL xxxxxx

LANG xxxxxx

RACK_ENV production

RAILS_ENV production

SECRET_KEY_BASE xxxxxx

you need to do change these up pretty drastically

DATABASE_URL [note: this changes to a different and long url – mine looks like this broken down for easy understanding]

postgres://

[db-username]:

[your db password]

@[endpoint]:

[your db port number]/

[db name]

?sslca=config/amazon-rds-ca-cert.pem

&sslmode=require

&encrypt=true

example database url:
postgres://jdoe:supersecretpassword@mydb.coua7574xvna.us-east-1.rds.amazonaws.com:5432/mydb?sslca=config/amazon-rds-ca-cert.pem&sslmode=require&encrypt=true

EXTERNAL_DATABASE amazon-rds-ca-cert.pem

EXTERNAL_DATABASE_CA amazon-rds-ca-cert.pem

LANG (same)

RACK_ENV (same)

RAILS_ENV (same)

RDS_DB_PASS [your db password]

RDS_DB_PORT [your db port number i.e. 5432]

RDS_READS_DB_NAME [db name]

RDS_HOST [end point url]

RDS_USER [db-username]

This worked for me and I got a free year of RDS for a database way over 10,000 rows (which I believe is the free tier limit on heroku). I used postgreSQL as my database, so these configs might be biased toward postgres.

I did exactly the same that Andy G answer said.

However I ran into the following error:

no pg_hba.conf entry for host "XX.XX.XX.XX", user "username", database "dbname", SSL off

To fix this issue on Configure Heroku to refer to root certificate step 2:

Instead of adding ?sslrootcert=rds-combined-ca-bundle.pem&sslmode=require

add ?ssl=true&sslrootcert=rds-combined-ca-bundle.pem&sslmode=require