
Merge pull request #81 from supabase-community/upgrade-202311
chore: Upgrade 2023.11
mats16 authored Nov 21, 2023
2 parents 0234279 + fbeb58e commit b6273dd
Showing 16 changed files with 268 additions and 109 deletions.
4 changes: 2 additions & 2 deletions .projen/deps.json


4 changes: 2 additions & 2 deletions .projenrc.js
Expand Up @@ -11,8 +11,8 @@ const project = new awscdk.AwsCdkTypeScriptApp({
'@aws-cdk/aws-apigatewayv2-alpha',
'@aws-cdk/aws-apigatewayv2-integrations-alpha',
// Lambda Powertools
'@aws-lambda-powertools/logger@1.14.2',
'@aws-lambda-powertools/tracer@1.14.2',
'@aws-lambda-powertools/logger@1.16.0',
'@aws-lambda-powertools/tracer@1.16.0',
// AWS SDK
'@aws-sdk/client-cloudfront',
'@aws-sdk/client-ecs',
4 changes: 2 additions & 2 deletions package.json


2 changes: 1 addition & 1 deletion src/supabase-cdn/index.ts
Expand Up @@ -156,7 +156,7 @@ class CacheManager extends Construct {
],
},
layers: [
lambda.LayerVersion.fromLayerVersionArn(this, 'LambdaPowertools', `arn:aws:lambda:${cdk.Aws.REGION}:094274105915:layer:AWSLambdaPowertoolsTypeScript:23`),
lambda.LayerVersion.fromLayerVersionArn(this, 'LambdaPowertools', `arn:aws:lambda:${cdk.Aws.REGION}:094274105915:layer:AWSLambdaPowertoolsTypeScript:25`),
],
};

3 changes: 3 additions & 0 deletions src/supabase-db/sql/init-for-rds/README.md
@@ -0,0 +1,3 @@
# init-for-rds

https://github.com/supabase/supabase/tree/master/docker/volumes/db
Expand Up @@ -5,15 +5,13 @@
create publication supabase_realtime;

-- Supabase super admin
-- create user supabase_admin;
-- alter user supabase_admin with superuser createdb createrole replication bypassrls;
-- create user supabase_admin; -- supabase_admin is rds_superuser.
alter user supabase_admin with createdb createrole bypassrls;
grant rds_replication to supabase_admin; -- for Aurora
grant rds_replication to supabase_admin; -- for RDS

-- Supabase replication user
-- create user supabase_replication_admin with login replication;
create user supabase_replication_admin with login;
grant rds_replication to supabase_replication_admin; -- for Aurora
grant rds_replication to supabase_replication_admin; -- for RDS

-- Supabase read-only user
create role supabase_read_only_user with login bypassrls;
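Review bot: The new comment `-- create user supabase_admin; -- supabase_admin is rds_superuser.` records a precondition the script never checks: the `alter user supabase_admin with createdb createrole bypassrls;` and `grant rds_replication to supabase_admin;` lines below assume a role of exactly that name is the RDS master user, and if it was created under another name the script fails partway through, after `create publication supabase_realtime;` has already run (the script starts before this hunk). A guard placed before the first reference, `DO $$ BEGIN IF NOT pg_has_role('supabase_admin', 'rds_superuser', 'MEMBER') THEN RAISE EXCEPTION 'supabase_admin must be the rds_superuser master user'; END IF; END $$;`, fails fast and turns the comment into an executable assertion. The `-- for RDS` wording on the two `grant rds_replication` lines would read better if it said why the grant replaces the commented-out `replication` attribute, e.g. `-- for RDS: REPLICATION cannot be granted as an attribute here; rds_replication is the managed equivalent`, which I take from the two commented `create user` lines rather than from anything else on the page.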
3 changes: 3 additions & 0 deletions src/supabase-db/sql/init-scripts/README.md
@@ -0,0 +1,3 @@
# init-scripts

https://github.com/supabase/postgres/tree/develop/migrations/db/init-scripts
@@ -0,0 +1,9 @@
-- migrate:up

ALTER ROLE authenticated inherit;
ALTER ROLE anon inherit;
ALTER ROLE service_role inherit;

GRANT pgsodium_keyholder to service_role;

-- migrate:down
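Review bot: `GRANT pgsodium_keyholder to service_role;` has no guard that the pgsodium extension (which, as far as I can tell, is what creates that role) is installed, so the migration aborts on a database without it, whereas the pg_cron migration further down wraps its grants in `if exists (select from pg_extension where extname = 'pg_cron')`. The same conditional shape makes this migration tolerant of the extension being absent, shown below. The `-- migrate:down` section is empty here and in the next three migrations (the supabase_storage_admin grant, pg_graphql and pg_cron), so none of these privilege changes can be rolled back by the tool; at minimum `revoke pgsodium_keyholder from service_role;` belongs under it, while the `ALTER ROLE ... inherit` lines cannot be reverted without knowing the previous setting. Because the keyholder role presumably gives service_role access to key material, a one-line why-comment above the grant would help the next reader judge whether that exposure is intended.
```sql
-- migrate:up

-- … unchanged: ALTER ROLE ... inherit lines …

do $$
begin
  -- pgsodium_keyholder only exists when the pgsodium extension is installed
  if exists (select from pg_extension where extname = 'pgsodium') then
    grant pgsodium_keyholder to service_role;
  end if;
end $$;

-- migrate:down
revoke pgsodium_keyholder from service_role;
```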
@@ -0,0 +1,5 @@
-- migrate:up
grant authenticator to supabase_storage_admin;
revoke anon, authenticated, service_role from supabase_storage_admin;

-- migrate:down
@@ -0,0 +1,78 @@
-- migrate:up

create or replace function extensions.grant_pg_graphql_access()
returns event_trigger
language plpgsql
AS $func$
DECLARE
func_is_graphql_resolve bool;
BEGIN
func_is_graphql_resolve = (
SELECT n.proname = 'resolve'
FROM pg_event_trigger_ddl_commands() AS ev
LEFT JOIN pg_catalog.pg_proc AS n
ON ev.objid = n.oid
);

IF func_is_graphql_resolve
THEN
-- Update public wrapper to pass all arguments through to the pg_graphql resolve func
DROP FUNCTION IF EXISTS graphql_public.graphql;
create or replace function graphql_public.graphql(
"operationName" text default null,
query text default null,
variables jsonb default null,
extensions jsonb default null
)
returns jsonb
language sql
as $$
select graphql.resolve(
query := query,
variables := coalesce(variables, '{}'),
"operationName" := "operationName",
extensions := extensions
);
$$;

-- This hook executes when `graphql.resolve` is created. That is not necessarily the last
-- function in the extension so we need to grant permissions on existing entities AND
-- update default permissions to any others that are created after `graphql.resolve`
grant usage on schema graphql to postgres, anon, authenticated, service_role;
grant select on all tables in schema graphql to postgres, anon, authenticated, service_role;
grant execute on all functions in schema graphql to postgres, anon, authenticated, service_role;
grant all on all sequences in schema graphql to postgres, anon, authenticated, service_role;
alter default privileges in schema graphql grant all on tables to postgres, anon, authenticated, service_role;
alter default privileges in schema graphql grant all on functions to postgres, anon, authenticated, service_role;
alter default privileges in schema graphql grant all on sequences to postgres, anon, authenticated, service_role;

-- Allow postgres role to allow granting usage on graphql and graphql_public schemas to custom roles
grant usage on schema graphql_public to postgres with grant option;
grant usage on schema graphql to postgres with grant option;
END IF;

END;
$func$;

-- Cycle the extension off and back on to apply the permissions update.

drop extension if exists pg_graphql;
-- Avoids limitation of only being able to load the extension via dashboard
-- Only install as well if the extension is actually installed
DO $$
DECLARE
graphql_exists boolean;
BEGIN
graphql_exists = (
select count(*) = 1
from pg_available_extensions
where name = 'pg_graphql'
);

IF graphql_exists
THEN
create extension if not exists pg_graphql;
END IF;
END $$;

-- migrate:down
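Review bot: `func_is_graphql_resolve = ( SELECT n.proname = 'resolve' FROM pg_event_trigger_ddl_commands() AS ev LEFT JOIN pg_catalog.pg_proc AS n ON ev.objid = n.oid );` is a scalar subquery, so any DDL command that reports more than one object in `pg_event_trigger_ddl_commands()` makes this event trigger raise "more than one row returned by a subquery used as an expression" and abort the triggering statement; the event trigger that attaches this function is not in this file, so which command tags reach it cannot be checked here. An `EXISTS` form is safe for any row count: `func_is_graphql_resolve := EXISTS (SELECT 1 FROM pg_event_trigger_ddl_commands() AS ev JOIN pg_catalog.pg_proc AS n ON ev.objid = n.oid WHERE n.proname = 'resolve');`. The grants that follow (`grant all on all sequences in schema graphql to postgres, anon, authenticated, service_role;` and the matching `alter default privileges ... grant all on tables/functions/sequences`) give the unauthenticated `anon` role more than read access to extension-managed objects; if that mirrors upstream Supabase, a comment saying so would stop the next reader from either tightening it blind or widening it further. Keyword case is also mixed inside one body (`DROP FUNCTION IF EXISTS` beside `create or replace function`, `IF ... THEN` beside `grant`); pick one case for the file.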
@@ -0,0 +1,47 @@
-- migrate:up
do $$
begin
if exists (select from pg_extension where extname = 'pg_cron') then
revoke all on table cron.job from postgres;
grant select on table cron.job to postgres with grant option;
end if;
end $$;

CREATE OR REPLACE FUNCTION extensions.grant_pg_cron_access() RETURNS event_trigger
LANGUAGE plpgsql
AS $$
BEGIN
IF EXISTS (
SELECT
FROM pg_event_trigger_ddl_commands() AS ev
JOIN pg_extension AS ext
ON ev.objid = ext.oid
WHERE ext.extname = 'pg_cron'
)
THEN
grant usage on schema cron to postgres with grant option;

alter default privileges in schema cron grant all on tables to postgres with grant option;
alter default privileges in schema cron grant all on functions to postgres with grant option;
alter default privileges in schema cron grant all on sequences to postgres with grant option;

alter default privileges for user supabase_admin in schema cron grant all
on sequences to postgres with grant option;
alter default privileges for user supabase_admin in schema cron grant all
on tables to postgres with grant option;
alter default privileges for user supabase_admin in schema cron grant all
on functions to postgres with grant option;

grant all privileges on all tables in schema cron to postgres with grant option;
revoke all on table cron.job from postgres;
grant select on table cron.job to postgres with grant option;
END IF;
END;
$$;

drop event trigger if exists issue_pg_cron_access;
CREATE EVENT TRIGGER issue_pg_cron_access ON ddl_command_end
WHEN TAG IN ('CREATE EXTENSION')
EXECUTE FUNCTION extensions.grant_pg_cron_access();

-- migrate:down
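Review bot: The pair `revoke all on table cron.job from postgres; grant select on table cron.job to postgres with grant option;` appears twice (in the one-shot `do $$` block and inside `grant_pg_cron_access()`) with no comment on why `cron.job` is singled out right after `grant all privileges on all tables in schema cron to postgres with grant option;`; a why-comment above each occurrence, such as `-- postgres may read but not modify cron.job directly; presumably jobs are meant to be managed only through pg_cron's schedule/unschedule functions`, would keep a future cleanup from folding the two statements into the blanket grant. The `alter default privileges ... grant all on tables to postgres with grant option` lines still hand `all` on any table created later in schema `cron`, and the trigger fires only `WHEN TAG IN ('CREATE EXTENSION')`, so the cron.job restriction is not re-applied if an extension update recreates the table — worth a note, or an additional tag, if that case matters for this deployment. Keyword case is mixed across the file (`do $$ begin` vs `CREATE OR REPLACE FUNCTION ... BEGIN`, `grant` vs `IF EXISTS`); pick one.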
3 changes: 3 additions & 0 deletions src/supabase-db/sql/migrations/README.md
@@ -0,0 +1,3 @@
# migrations

https://github.com/supabase/postgres/tree/develop/migrations/db/migrations
55 changes: 28 additions & 27 deletions src/supabase-stack.ts
Expand Up @@ -346,42 +346,44 @@ export class SupabaseStack extends FargateStack {
retries: 3,
},
environment: {
// Top-Level - https://github.com/supabase/gotrue#top-level
GOTRUE_SITE_URL: siteUrl.valueAsString,
GOTRUE_URI_ALLOW_LIST: redirectUrls.valueAsString,
GOTRUE_DISABLE_SIGNUP: disableSignup.valueAsString,
GOTRUE_EXTERNAL_EMAIL_ENABLED: 'true',
GOTRUE_EXTERNAL_PHONE_ENABLED: 'false', // Amazon SNS not supported
GOTRUE_RATE_LIMIT_EMAIL_SENT: '3600', // SES Limit: 1msg/s
GOTRUE_PASSWORD_MIN_LENGTH: passwordMinLength.valueAsString,
// API - https://github.com/supabase/gotrue#api
GOTRUE_API_HOST: '0.0.0.0',
GOTRUE_API_PORT: '9999',
API_EXTERNAL_URL: apiExternalUrl,
// Database - https://github.com/supabase/gotrue#database

GOTRUE_DB_DRIVER: 'postgres',
// Observability
//GOTRUE_TRACING_ENABLED: 'true',
//OTEL_SERVICE_NAME: 'gotrue',
//OTEL_EXPORTER_OTLP_PROTOCOL: 'grpc',
//OTEL_EXPORTER_OTLP_ENDPOINT: `http://${jaeger.dnsName}:4317`,
// JWT - https://github.com/supabase/gotrue#json-web-tokens-jwt
GOTRUE_JWT_EXP: jwtExpiryLimit.valueAsString,
GOTRUE_JWT_AUD: 'authenticated',

GOTRUE_SITE_URL: siteUrl.valueAsString,
GOTRUE_URI_ALLOW_LIST: redirectUrls.valueAsString,
GOTRUE_DISABLE_SIGNUP: disableSignup.valueAsString,

GOTRUE_JWT_ADMIN_ROLES: 'service_role',
GOTRUE_JWT_AUD: 'authenticated',
GOTRUE_JWT_DEFAULT_GROUP_NAME: 'authenticated',
// E-Mail - https://github.com/supabase/gotrue#e-mail
GOTRUE_JWT_EXP: jwtExpiryLimit.valueAsString,

GOTRUE_EXTERNAL_EMAIL_ENABLED: 'true',
GOTRUE_MAILER_AUTOCONFIRM: 'false',
//GOTRUE_MAILER_SECURE_EMAIL_CHANGE_ENABLED: 'true',
//GOTRUE_SMTP_MAX_FREQUENCY: '1s',
GOTRUE_SMTP_ADMIN_EMAIL: smtp.email,
GOTRUE_SMTP_HOST: smtp.host,
GOTRUE_SMTP_PORT: smtp.port.toString(),
GOTRUE_SMTP_SENDER_NAME: senderName.valueAsString,
GOTRUE_MAILER_AUTOCONFIRM: 'false',
GOTRUE_MAILER_URLPATHS_INVITE: '/auth/v1/verify',
GOTRUE_MAILER_URLPATHS_CONFIRMATION: '/auth/v1/verify',
GOTRUE_MAILER_URLPATHS_RECOVERY: '/auth/v1/verify',
GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE: '/auth/v1/verify',
// Phone Auth - https://github.com/supabase/gotrue#phone-auth

GOTRUE_EXTERNAL_PHONE_ENABLED: 'false', // Amazon SNS not supported
GOTRUE_SMS_AUTOCONFIRM: 'true',

GOTRUE_RATE_LIMIT_EMAIL_SENT: '3600', // SES Limit: 1msg/s
GOTRUE_PASSWORD_MIN_LENGTH: passwordMinLength.valueAsString,

//GOTRUE_TRACING_ENABLED: 'true',
//OTEL_SERVICE_NAME: 'gotrue',
//OTEL_EXPORTER_OTLP_PROTOCOL: 'grpc',
//OTEL_EXPORTER_OTLP_ENDPOINT: `http://${jaeger.dnsName}:4317`,
},
secrets: {
GOTRUE_DB_DATABASE_URL: ecs.Secret.fromSecretsManager(supabaseAuthAdminSecret, 'uri'),
Expand All @@ -404,10 +406,12 @@ export class SupabaseStack extends FargateStack {
PGRST_DB_SCHEMAS: 'public,storage,graphql_public',
PGRST_DB_ANON_ROLE: 'anon',
PGRST_DB_USE_LEGACY_GUCS: 'false',
PGRST_APP_SETTINGS_JWT_EXP: jwtExpiryLimit.valueAsString,
},
secrets: {
PGRST_DB_URI: ecs.Secret.fromSecretsManager(authenticatorSecret, 'uri'),
PGRST_JWT_SECRET: ecs.Secret.fromSecretsManager(jwtSecret),
PGRST_APP_SETTINGS_JWT_SECRET: ecs.Secret.fromSecretsManager(jwtSecret),
},
},
highAvailability,
Expand Down Expand Up @@ -535,15 +539,12 @@ export class SupabaseStack extends FargateStack {
POSTGREST_URL: `${rest.endpoint}`,
PGOPTIONS: '-c search_path=storage,public',
FILE_SIZE_LIMIT: '52428800',
STORAGE_BACKEND: 's3',
TENANT_ID: 'stub',
// Multitenant
IS_MULTITENANT: 'false',
// Storage Backend
STORAGE_BACKEND: 's3',
GLOBAL_S3_BUCKET: bucket.bucketName,
// S3 Configuration
// TODO: https://github.com/supabase/storage-api/issues/55
REGION: cdk.Aws.REGION,
// Image Transformation
GLOBAL_S3_BUCKET: bucket.bucketName,
ENABLE_IMAGE_TRANSFORMATION: 'true',
IMGPROXY_URL: imgproxy.endpoint,
// Smart CDN Caching
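Review bot: The regrouped GoTrue `environment` block drops the per-group reference comments the old layout carried (`// Top-Level - https://github.com/supabase/gotrue#top-level`, `// API - ...`, `// JWT - ...`, `// E-Mail - ...`, `// Phone Auth - ...`) and separates the groups with blank lines only, so the new ordering no longer explains itself and the pointer to the upstream reference for each variable is lost; keeping one link comment at the head of each group costs nothing. In the storage hunk the new `TENANT_ID: 'stub',` has no why-comment; something like `// storage-api requires a tenant id even with IS_MULTITENANT 'false' — confirm against upstream docs` would record the reason, hedged because nothing in this file shows where the value is consumed. The same hunk also drops the `// Multitenant`, `// Storage Backend`, `// S3 Configuration` and `// Image Transformation` group comments. Placing `PGRST_APP_SETTINGS_JWT_SECRET` under `secrets` rather than `environment` keeps the JWT key out of the plain task definition, which is the right side of that split. The enclosing class and constructor start before and continue after these hunks.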
8 changes: 4 additions & 4 deletions src/supabase-studio/index.ts
Expand Up @@ -188,10 +188,10 @@ export class Repository extends codecommit.Repository {

this.importFunction = new lambda.Function(this, 'ImportFunction', {
description: 'Clone to CodeCommit from remote repo (You can execute this function manually.)',
runtime: lambda.Runtime.PYTHON_3_9,
runtime: lambda.Runtime.PYTHON_3_12,
code: lambda.Code.fromAsset(path.resolve(__dirname, 'cr-import-repo'), {
bundling: {
image: cdk.DockerImage.fromRegistry('public.ecr.aws/sam/build-python3.9:latest-x86_64'),
image: cdk.DockerImage.fromRegistry('public.ecr.aws/sam/build-python3.12:latest-x86_64'),
command: [
'/bin/bash', '-c', [
'mkdir -p /var/task/local/{bin,lib}',
Expand All @@ -208,9 +208,9 @@ export class Repository extends codecommit.Repository {
},
}),
handler: 'index.handler',
memorySize: 3072,
memorySize: 4096,
ephemeralStorageSize: cdk.Size.gibibytes(3),
timeout: cdk.Duration.minutes(5),
timeout: cdk.Duration.minutes(15),
environment: {
TARGET_REPO: this.repositoryCloneUrlGrc,
},
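Review bot: The bundling image at `image: cdk.DockerImage.fromRegistry('public.ecr.aws/sam/build-python3.12:latest-x86_64'),` uses a floating `latest-x86_64` tag, so the Lambda asset built from this commit changes whenever the upstream image moves and two deploys of the same revision can yield different bundles; pinning to a dated tag or a digest, `cdk.DockerImage.fromRegistry('public.ecr.aws/sam/build-python3.12@sha256:<IMAGE_DIGEST>')` (placeholder digest), makes the build reproducible and the supply chain reviewable. The new `timeout: cdk.Duration.minutes(15),` is the Lambda maximum, so the clone cannot be given more time if it grows further; a comment `// 15 min is the Lambda ceiling` would make that visible next to the `memorySize: 4096` change. The constructor continues outside the hunk.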
