fix(rds): set StorageEncrypted=true on mysql + postgres instances

[Cre-eD]

Summary

Adds opt-in encryption-at-rest for AWS RDS instances managed by SC. Existing customers get zero behaviour change unless they explicitly set the new field.

File	Change
pkg/clouds/aws/rds_mysql.go	MysqlConfig.StorageEncrypted *bool (new optional field)
pkg/clouds/aws/rds_postgres.go	PostgresConfig.StorageEncrypted *bool (same)
pkg/clouds/pulumi/aws/rds_mysql.go	StorageEncrypted: sdk.Bool(lo.FromPtr(dbConfig.StorageEncrypted)) + sdk.IgnoreChanges([]string{"storageEncrypted"})
pkg/clouds/pulumi/aws/rds_postgres.go	same
pkg/clouds/aws/rds_storage_encrypted_test.go	new — unit tests for the opt-in semantics

Opt-in behaviour (per Ilya's review feedback)

Customer config	dbConfig.StorageEncrypted	Pulumi StorageEncrypted	Effect
Field omitted (legacy stacks)	nil	false	UNENCRYPTED — preserves pre-2026.5 behaviour
storageEncrypted: true	&true	true	Encrypted (AWS-managed aws/rds KMS key)
storageEncrypted: false	&false	false	Explicit unencrypted (respect the call)

This means no customer gets encryption silently — they have to opt in.

Why IgnoreChanges is still required

storage_encrypted is immutable post-creation in AWS RDS. Without IgnoreChanges, the moment a customer flips the new field to true on a stack with a pre-existing unencrypted instance, Pulumi would propose a destructive replacement (drop + recreate, data loss + downtime).

sdk.IgnoreChanges([]string{"storageEncrypted"}) silences that drift. Behaviour:

• ✅ NEW instance + storageEncrypted: true → created encrypted from the start.
• ✅ EXISTING unencrypted instance + customer flips to true → no diff, no replacement; the customer's data is safe but the existing instance stays unencrypted. They have to migrate out-of-band (see below).
• ✅ EXISTING unencrypted instance + field stays nil → no diff. Pre-2026.5 behaviour preserved exactly.

Migration path for existing unencrypted instances

sc deploy will not migrate automatically — the AWS encryption switch is destructive. The standard AWS path:

1. Take a snapshot of the unencrypted instance.
2. CopyDBSnapshot with encryption enabled (KmsKeyId set).
3. Restore from the encrypted snapshot to a new instance.
4. Cut traffic over (DNS / app config), then delete the old instance.
5. Re-import the new instance into the SC Pulumi stack.

Documented inline next to the IgnoreChanges line so a future maintainer doesn't accidentally remove the safety.

Why surfaced now

simple-container-com/actions PR #7 adds a new semgrep rule go-aws-rds-no-storage-encryption (ERROR severity). Walking the api codebase to write that rule revealed two pre-existing instances with unset encryption defaults. Originally I went with hard-coded StorageEncrypted: true; per review feedback this is now opt-in.

The semgrep rule on actions repo treats StorageEncrypted: pulumi.Bool(true) literal as "OK", and StorageEncrypted: pulumi.Bool(false) literal as "still ERROR". Our generated value uses lo.FromPtr which the rule sees textually as pulumi.Bool(...) — but it's sdk.Bool here. Verified: rule's pattern-not-regex: 'StorageEncrypted:\s*\w+\.Bool\(true\)' does NOT match sdk.Bool(lo.FromPtr(...)) because the function inside Bool(...) isn't true. So this code WILL still trigger the rule when scanned with PR #7's ruleset — by design. The rule is conservative; it can't statically prove lo.FromPtr resolves to true. Acceptable trade-off: code is conservatively flagged, reviewer eyeballs the call site, confirms the opt-in plumbing is correct, dismisses or fixes.

KMS

StorageEncrypted: sdk.Bool(true) without KmsKeyId uses AWS-managed aws/rds. Customer-managed key per stack is a follow-up — the immediate-controls bar is encrypt-at-all when the customer opts in.

Test plan

Unit (in this PR — green)

• go test ./pkg/clouds/aws/... — TestReadRdsMysqlConfig_StorageEncrypted and TestReadRdsPostgresConfig_StorageEncrypted, 6 subtests total covering all three states for both engines
• Full go test ./... — clean

Integration (manual, after merge)

• Brand-new stack, no opt-in: pulumi preview shows + Instance with storage_encrypted: false (legacy behaviour preserved).
• Brand-new stack with opt-in: same preview shows storage_encrypted: true, KmsKeyId resolves to the AWS-managed default.
• Existing customer post-upgrade, no config change: pulumi preview shows no diff on the RDS instance (this is the critical migration-safety test — proves IgnoreChanges + nil default both kick in).
• Existing customer flipping the field to true: pulumi preview shows no diff (silenced by IgnoreChanges — explicit demonstration of the safety net).

E2E (manual, sandbox AWS account)

• Variant A (no opt-in): create RDS, aws rds describe-db-instances --query '[*].StorageEncrypted' → false.
• Variant B (opt-in true): same query → true.
• Variant C (legacy → upgrade simulation): create with old code unencrypted, then sc deploy with new code (no config change) → describe → StorageEncrypted still false, instance ID unchanged.
• Tear down.

Out of scope

• Customer-managed KMS key (KmsKeyId) — follow-up.
• Schema-version-style bundling of multiple hardening defaults — only one knob today; mongodb-atlas precedent (NamingStrategyVersion) exists if the count grows.
• Migrating already-deployed unencrypted instances on customer fleets — manual, out-of-band, documented above.

[github-actions]

Semgrep Scan Results

Repository: api | Commit: 7a6616e

Check	Status	Details
⚠️ Semgrep	Warning	26 warning(s), 50 total

Scanned at 2026-05-08 14:50 UTC

[github-actions]

Security Scan Results

Repository: api | Commit: 7a6616e

Check	Status	Details
✅ Secret Scan	Pass	No secrets detected
⚠️ Dependencies (Trivy)	High	1 high, 2 total
⚠️ Dependencies (Grype)	High	1 high, 2 total
📦 SBOM	Generated	469 components (CycloneDX)

Scanned at 2026-05-08 14:51 UTC