postgres database migration for party app (#37)

Co-authored-by: anttorre <[email protected]>

src/core/postgres.tf

@@ -81,3 +81,11 @@ module "postgresql" {
 
   tags = var.tags
 }
+
+resource "azurerm_postgresql_database" "selc_db" {
+  name                = "selc"
+  resource_group_name = azurerm_resource_group.postgres_rg.name
+  server_name         = module.postgresql.name
+  charset             = "UTF8"
+  collation           = "English_United States.1252"
+}

src/k8s/secrets.tf

@@ -12,8 +12,8 @@ module "key_vault_secrets_query" {
     "agid-spid-cert",
     "agid-spid-private-key",
     "mongodb-connection-string",
-    "db-selc-login",
-    "db-selc-user-password",
+    "postgres-selc-login",
+    "postgres-selc-user-password",
     "smtp-usr",
     "smtp-psw"
   ]

src/k8s/selc_secrets.tf

@@ -69,17 +69,17 @@ resource "kubernetes_secret" "postgres" {
     #principal database hostname or ip
     POSTGRES_HOST = local.postgres_hostname
     #principal database username
-    POSTGRES_USR = format("%s@%s", module.key_vault_secrets_query.values["db-selc-login"].value, local.postgres_hostname)
+    POSTGRES_USR = format("%s@%s", module.key_vault_secrets_query.values["postgres-selc-login"].value, local.postgres_hostname)
     #principal database password
-    POSTGRES_PSW = module.key_vault_secrets_query.values["db-selc-user-password"].value
+    POSTGRES_PSW = module.key_vault_secrets_query.values["postgres-selc-user-password"].value
     #replica database name
     POSTGRES_REPLICA_DB = "selc"
     #replica database hostname or ip
     POSTGRES_REPLICA_HOST = local.postgres_replica_hostname
     #replica database username
-    POSTGRES_REPLICA_USR = format("%s@%s", module.key_vault_secrets_query.values["db-selc-login"].value, var.enable_postgres_replica ? local.postgres_replica_hostname : local.postgres_hostname)
+    POSTGRES_REPLICA_USR = format("%s@%s", module.key_vault_secrets_query.values["postgres-selc-login"].value, var.enable_postgres_replica ? local.postgres_replica_hostname : local.postgres_hostname)
     #replica database password
-    POSTGRES_REPLICA_PSW = module.key_vault_secrets_query.values["db-selc-user-password"].value
+    POSTGRES_REPLICA_PSW = module.key_vault_secrets_query.values["postgres-selc-user-password"].value
   }
 
   type = "Opaque"

src/psql/flyway.sh

@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+
+#
+# Apply the configuration relative to a given subscription
+# Usage:
+#  ./flyway.sh info|validate|migrate ENV-SelfCare selc
+#
+#  ./flyway.sh migrate DEV-SelfCare selc
+#  ./flyway.sh migrate UAT-SelfCare selc
+#  ./flyway.sh migrate PROD-SelfCare selc
+
+BASHDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+WORKDIR="$BASHDIR"
+
+set -e
+
+COMMAND=$1
+SUBSCRIPTION=$2
+DATABASE=$3
+shift 3
+other=$@
+
+if [ -z "${SUBSCRIPTION}" ]; then
+    printf "\e[1;31mYou must provide a subscription as first argument.\n"
+    exit 1
+fi
+
+az account set -s "${SUBSCRIPTION}"
+
+# shellcheck disable=SC2154
+printf "Subscription: %s\n" "${SUBSCRIPTION}"
+
+psql_server_name=$(az postgres server list -o tsv --query "[?contains(name,'postgresql')].{Name:name}" | head -1)
+psql_server_private_fqdn=$(az postgres server list -o tsv --query "[?contains(name,'postgresql')].{Name:fullyQualifiedDomainName}" | head -1)
+keyvault_name=$(az keyvault list -o tsv --query "[?contains(name,'kv')].{Name:name}")
+
+# in widows, even if using cygwin, these variables will contain a landing \r character
+psql_server_name=${psql_server_name//[$'\r']}
+psql_server_private_fqdn=${psql_server_private_fqdn//[$'\r']}
+keyvault_name=${keyvault_name//[$'\r']}
+
+administrator_login=$(az keyvault secret show --name postgres-administrator-login --vault-name "${keyvault_name}" -o tsv --query value)
+administrator_login_password=$(az keyvault secret show --name postgres-administrator-login-password --vault-name "${keyvault_name}" -o tsv --query value)
+
+# in widows, even if using cygwin, these variables will contain a landing \r character
+administrator_login=${administrator_login//[$'\r']}
+administrator_login_password=${administrator_login_password//[$'\r']}
+
+export FLYWAY_URL="jdbc:postgresql://${psql_server_private_fqdn}:5432/${DATABASE}?sslmode=require"
+export FLYWAY_USER="${administrator_login}@${psql_server_name}"
+export FLYWAY_PASSWORD="${administrator_login_password}"
+export SERVER_NAME="${psql_server_name}"
+export FLYWAY_DOCKER_TAG="7.11.1-alpine"
+
+selc_user_password=$(az keyvault secret show --name postgres-selc-user-password --vault-name "${keyvault_name}" -o tsv --query value)
+monitoring_user_password=$(az keyvault secret show --name postgres-monitoring-user-password --vault-name "${keyvault_name}" -o tsv --query value)
+monitoring_external_user_password=$(az keyvault secret show --name postgres-monitoring-external-user-password --vault-name "${keyvault_name}" -o tsv --query value)
+
+# in widows, even if using cygwin, these variables will contain a landing \r character
+selc_user_password=${selc_user_password//[$'\r']}
+monitoring_user_password=${monitoring_user_password//[$'\r']}
+monitoring_external_user_password=${monitoring_external_user_password//[$'\r']}
+
+export SELC_USER_PASSWORD="${selc_user_password}"
+export MONITORING_USER_PASSWORD="${monitoring_user_password}"
+export MONITORING_EXTERNAL_USER_PASSWORD="${monitoring_external_user_password}"
+
+if [[ $WORKDIR == /cygdrive/* ]]; then
+  WORKDIR=$(cygpath -w ${WORKDIR})
+  WORKDIR=${WORKDIR//\\//}
+fi
+
+docker run --rm --network=host -v "${WORKDIR}/migrations/${DATABASE}":/flyway/sql \
+  flyway/flyway:"${FLYWAY_DOCKER_TAG}" \
+  -url="${FLYWAY_URL}" -user="${FLYWAY_USER}" -password="${FLYWAY_PASSWORD}" \
+  -validateMigrationNaming=true \
+  -placeholders.selcUserPassword="${SELC_USER_PASSWORD}" \
+  -placeholders.monitoringUserPassword="${MONITORING_USER_PASSWORD}" \
+  -placeholders.monitoringExternalUserPassword="${MONITORING_EXTERNAL_USER_PASSWORD}" \
+  -placeholders.serverName="${SERVER_NAME}" "${COMMAND}" ${other}

src/psql/migrations/selc/U1__dropUsers.sql

@@ -0,0 +1,16 @@
+ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL PRIVILEGES ON TABLES FROM "SELC_USER";
+ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE USAGE ON SEQUENCES FROM "SELC_USER";
+REVOKE ALL ON ALL TABLES IN SCHEMA public FROM "SELC_USER";
+REVOKE ALL ON ALL SEQUENCES IN SCHEMA public FROM "SELC_USER";
+REVOKE ALL ON DATABASE selc FROM "SELC_USER";
+DROP ROLE "SELC_USER";
+
+ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE SELECT ON TABLES FROM "MONITORING_USER";
+REVOKE ALL ON ALL TABLES IN SCHEMA public FROM "MONITORING_USER";
+REVOKE ALL ON DATABASE selc FROM "MONITORING_USER";
+DROP ROLE "MONITORING_USER";
+
+ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE SELECT ON TABLES FROM "MONITORING_EXTERNAL_USER";
+REVOKE ALL ON ALL TABLES IN SCHEMA public FROM "MONITORING_EXTERNAL_USER";
+REVOKE ALL ON DATABASE selc FROM "MONITORING_EXTERNAL_USER";
+DROP ROLE "MONITORING_EXTERNAL_USER";

src/psql/migrations/selc/U2__dropParty.sql

@@ -0,0 +1,3 @@
+DROP TABLE IF EXISTS public.event_journal CASCADE;
+DROP TABLE IF EXISTS public.event_tag CASCADE;
+DROP TABLE IF EXISTS public.snapshot CASCADE;

src/psql/migrations/selc/V1__user.sql

@@ -0,0 +1,31 @@
+--
+-- Roles
+--
+
+CREATE ROLE "SELC_USER";
+ALTER ROLE "SELC_USER" WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS;
+ALTER USER "SELC_USER" WITH PASSWORD '${selcUserPassword}';
+
+CREATE ROLE "MONITORING_USER";
+ALTER ROLE "MONITORING_USER" WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS;
+ALTER USER "MONITORING_USER" WITH PASSWORD '${monitoringUserPassword}';
+
+CREATE ROLE "MONITORING_EXTERNAL_USER";
+ALTER ROLE "MONITORING_EXTERNAL_USER" WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS;
+ALTER USER "MONITORING_EXTERNAL_USER" WITH PASSWORD '${monitoringExternalUserPassword}';
+
+-- Database creation
+--
+
+GRANT ALL ON DATABASE selc TO "SELC_USER";
+GRANT CONNECT ON DATABASE selc TO "MONITORING_USER";
+GRANT CONNECT ON DATABASE selc TO "MONITORING_EXTERNAL_USER";
+
+-- schema grants
+--
+
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES TO "SELC_USER";
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO "SELC_USER";
+
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO "MONITORING_USER";
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO "MONITORING_EXTERNAL_USER";

src/psql/migrations/selc/V2__party.sql

@@ -0,0 +1,48 @@
+CREATE TABLE IF NOT EXISTS public.event_journal(
+  ordering BIGSERIAL,
+  persistence_id VARCHAR(255) NOT NULL,
+  sequence_number BIGINT NOT NULL,
+  deleted BOOLEAN DEFAULT FALSE NOT NULL,
+
+  writer VARCHAR(255) NOT NULL,
+  write_timestamp BIGINT,
+  adapter_manifest VARCHAR(255),
+
+  event_ser_id INTEGER NOT NULL,
+  event_ser_manifest VARCHAR(255) NOT NULL,
+  event_payload BYTEA NOT NULL,
+
+  meta_ser_id INTEGER,
+  meta_ser_manifest VARCHAR(255),
+  meta_payload BYTEA,
+
+  PRIMARY KEY(persistence_id, sequence_number)
+);
+
+CREATE UNIQUE INDEX event_journal_ordering_idx ON public.event_journal(ordering);
+
+CREATE TABLE IF NOT EXISTS public.event_tag(
+    event_id BIGINT,
+    tag VARCHAR(256),
+    PRIMARY KEY(event_id, tag),
+    CONSTRAINT fk_event_journal
+      FOREIGN KEY(event_id)
+      REFERENCES event_journal(ordering)
+      ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS public.snapshot (
+  persistence_id VARCHAR(255) NOT NULL,
+  sequence_number BIGINT NOT NULL,
+  created BIGINT NOT NULL,
+
+  snapshot_ser_id INTEGER NOT NULL,
+  snapshot_ser_manifest VARCHAR(255) NOT NULL,
+  snapshot_payload BYTEA NOT NULL,
+
+  meta_ser_id INTEGER,
+  meta_ser_manifest VARCHAR(255),
+  meta_payload BYTEA,
+
+  PRIMARY KEY(persistence_id, sequence_number)
+);