Spatial IaC Terraform & Pulumi for GIS

Hardening Security Groups for PostGIS Ports in Spatial Infrastructure as Code

Incident Symptom Identification & Network Isolation

Spatial databases form the foundational data plane for cloud-native GIS platforms, yet misconfigured network perimeters around PostGIS endpoints (TCP 5432) routinely trigger cascading service degradation. Primary failure modes manifest as intermittent Connection refused or Connection timed out errors from application servers, vector tile backends stalling during generation, and spatial ETL pipelines failing mid-ingestion. In multi-tenant SaaS or agency deployments, these symptoms typically correlate with either overly permissive 0.0.0.0/0 ingress rules that violate compliance baselines, or excessively restrictive CIDR blocks that silently drop legitimate VPC peering or transit gateway traffic.

Diagnostic isolation must occur before remediation. Engineers should immediately cross-reference VPC Flow Logs with PostgreSQL authentication logs to determine the failure domain. If flow logs indicate REJECT at the elastic network interface (ENI), traffic is being dropped at the perimeter. If packets successfully traverse the network layer but fail during the TLS or SASL handshake, the issue resides within pg_hba.conf misalignment or IAM Role Mapping for GIS authentication. Establishing a rigorous Network Security & Access Control posture requires treating these network boundaries as immutable, version-controlled assets rather than mutable firewall rules.

State Recovery & Drift Reconciliation

Manual console modifications that bypass Infrastructure as Code pipelines desynchronize the Terraform state or Pulumi stack from the live cloud environment. Executing a standard apply against a drifted state risks destructive rule revocations that sever active spatial ETL connections or break VPC routing for tile servers. Recovery demands a strict, non-destructive sequence:

  1. Pause Automation: Temporarily disable CI/CD pipelines to prevent race conditions during state reconciliation.
  2. Read-Only Capture: Execute terraform refresh or pulumi refresh to pull the live configuration into the state file without modifying infrastructure.
  3. Orphan Resolution: If manual edits created rules outside the module boundary, use terraform state rm to detach them, then re-import via terraform import. For Pulumi, export the stack, sanitize the JSON to remove unmanaged rule IDs, and re-import using pulumi stack import.
  4. Delta Validation: Run a dry-run (terraform plan -refresh-only or pulumi preview) to surface exact configuration deltas.

This workflow guarantees that state accurately reflects production reality before enforcing Security Group Hardening baselines. Skipping this step frequently results in inadvertent egress blockages that disrupt database patching, metrics collection, or replication streams.

Reconcile drift non-destructively before enforcing the hardened baseline — a blind apply against drifted state can revoke rules that sever active connections:

flowchart TB
  pause["Pause CI/CD automation"] --> refresh["terraform refresh / pulumi refresh"]
  refresh --> orphan{"Rules created outside the module?"}
  orphan -->|"yes"| reimport["state rm, then re-import"]
  orphan -->|"no"| delta["Dry-run: plan -refresh-only / preview"]
  reimport --> delta
  delta --> enforce["Apply hardened baseline"]

Precise Remediation via Terraform & Pulumi

Production-grade PostGIS security groups require explicit, least-privilege ingress and egress definitions. Broad CIDR ranges must be replaced with targeted references to compute security groups, specific subnet CIDRs, or VPC endpoint prefixes. Crucially, security group rules should be decoupled from the parent group resource to enable independent lifecycle management. This prevents full security group recreation during incremental updates, which causes temporary connection drops across all attached instances.

Terraform Implementation

resource "aws_security_group" "postgis_sg" {
  name        = "postgis-hardened-sg"
  description = "Least-privilege perimeter for PostGIS endpoints"
  vpc_id      = var.vpc_id

  # Primary ingress restricted to tile rendering compute
  ingress {
    description     = "PostGIS from tile servers"
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [var.tile_server_sg_id]
  }

  # Explicit egress for OS patching and observability agents
  egress {
    description = "Outbound HTTPS for patching/metrics"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }

  tags = {
    Environment = "production"
    ManagedBy   = "terraform"
    CostCenter  = "gis-platform"
  }
}

# Decoupled rule for independent lifecycle management
resource "aws_security_group_rule" "etl_ingress" {
  type              = "ingress"
  from_port         = 5432
  to_port           = 5432
  protocol          = "tcp"
  cidr_blocks       = [var.etl_subnet_cidr]
  security_group_id = aws_security_group.postgis_sg.id
  description       = "ETL pipeline subnet access"
}

Pulumi Implementation (TypeScript)

import * as aws from "@pulumi/aws";

const postgisSG = new aws.ec2.SecurityGroup("postgis-hardened-sg", {
  vpcId: vpc.id,
  description: "Least-privilege perimeter for PostGIS endpoints",
  ingress: [{
    protocol: "tcp",
    fromPort: 5432,
    toPort: 5432,
    securityGroups: [tileServerSG.id],
    description: "PostGIS from tile servers"
  }],
  egress: [{
    protocol: "tcp",
    fromPort: 443,
    toPort: 443,
    cidrBlocks: ["10.0.0.0/8"],
    description: "Outbound HTTPS for patching/metrics"
  }],
  tags: { Environment: "production", ManagedBy: "pulumi" }
});

// Independent rule lifecycle prevents full SG recreation
const etlIngressRule = new aws.ec2.SecurityGroupRule("etl-ingress", {
  type: "ingress",
  fromPort: 5432,
  toPort: 5432,
  protocol: "tcp",
  cidrBlocks: [etlSubnetCidr],
  securityGroupId: postgisSG.id,
  description: "ETL pipeline subnet access"
});

Operational Guardrails & Continuous Validation

Once network boundaries are codified, continuous validation becomes mandatory. Security group drift must be detected automatically via policy-as-code scanners integrated into pull request workflows. Integrating AWS CloudTrail or equivalent audit logging with VPC Flow Logs provides the telemetry required to validate Security Group Hardening effectiveness over time.

For web-facing GIS architectures, ensure frontend applications never attempt direct database connections. All spatial queries must route through API gateways or backend-for-frontend (BFF) services, with strict CORS & CSP Configuration applied at the edge. Network controls must also align with PostgreSQL’s host-based authentication to enforce defense-in-depth. Consult the official PostgreSQL Client Authentication documentation to map IP ranges to appropriate authentication methods (e.g., scram-sha-256 or cert). Finally, validate that Network Security & Access Control policies account for dynamic scaling events, ensuring auto-scaling tile servers and ephemeral ETL runners inherit the correct security group tags without manual intervention or state corruption.