From 84210cc69ab11b3c9af7a0992baa238b4d569e7e Mon Sep 17 00:00:00 2001
From: Kazuki Matsuda
Date: Fri, 17 Nov 2023 19:16:36 +0900
Subject: [PATCH 1/8] refactoring
---
src/supabase-stack.ts | 55 ++++++-------
test/__snapshots__/main.test.ts.snap | 116 +++++++++++++++------------
2 files changed, 92 insertions(+), 79 deletions(-)
diff --git a/src/supabase-stack.ts b/src/supabase-stack.ts
index c13a4dc..dfe2c9e 100644
--- a/src/supabase-stack.ts
+++ b/src/supabase-stack.ts
@@ -346,42 +346,44 @@ export class SupabaseStack extends FargateStack { retries: 3, }, environment: { - // Top-Level - https://github.com/supabase/gotrue#top-level - GOTRUE_SITE_URL: siteUrl.valueAsString, - GOTRUE_URI_ALLOW_LIST: redirectUrls.valueAsString, - GOTRUE_DISABLE_SIGNUP: disableSignup.valueAsString, - GOTRUE_EXTERNAL_EMAIL_ENABLED: 'true', - GOTRUE_EXTERNAL_PHONE_ENABLED: 'false', // Amazon SNS not supported - GOTRUE_RATE_LIMIT_EMAIL_SENT: '3600', // SES Limit: 1msg/s - GOTRUE_PASSWORD_MIN_LENGTH: passwordMinLength.valueAsString, - // API - https://github.com/supabase/gotrue#api GOTRUE_API_HOST: '0.0.0.0', GOTRUE_API_PORT: '9999', API_EXTERNAL_URL: apiExternalUrl, - // Database - https://github.com/supabase/gotrue#database + GOTRUE_DB_DRIVER: 'postgres', - // Observability - //GOTRUE_TRACING_ENABLED: 'true', - //OTEL_SERVICE_NAME: 'gotrue', - //OTEL_EXPORTER_OTLP_PROTOCOL: 'grpc', - //OTEL_EXPORTER_OTLP_ENDPOINT: `http://${jaeger.dnsName}:4317`, - // JWT - https://github.com/supabase/gotrue#json-web-tokens-jwt - GOTRUE_JWT_EXP: jwtExpiryLimit.valueAsString, - GOTRUE_JWT_AUD: 'authenticated', + + GOTRUE_SITE_URL: siteUrl.valueAsString, + GOTRUE_URI_ALLOW_LIST: redirectUrls.valueAsString, + GOTRUE_DISABLE_SIGNUP: disableSignup.valueAsString, + GOTRUE_JWT_ADMIN_ROLES: 'service_role', + GOTRUE_JWT_AUD: 'authenticated', GOTRUE_JWT_DEFAULT_GROUP_NAME: 'authenticated', - // E-Mail - https://github.com/supabase/gotrue#e-mail + GOTRUE_JWT_EXP: jwtExpiryLimit.valueAsString, + + GOTRUE_EXTERNAL_EMAIL_ENABLED: 'true', + GOTRUE_MAILER_AUTOCONFIRM: 'false', + //GOTRUE_MAILER_SECURE_EMAIL_CHANGE_ENABLED: 'true', + //GOTRUE_SMTP_MAX_FREQUENCY: '1s', GOTRUE_SMTP_ADMIN_EMAIL: smtp.email, GOTRUE_SMTP_HOST: smtp.host, GOTRUE_SMTP_PORT: smtp.port.toString(), GOTRUE_SMTP_SENDER_NAME: senderName.valueAsString, - GOTRUE_MAILER_AUTOCONFIRM: 'false', GOTRUE_MAILER_URLPATHS_INVITE: '/auth/v1/verify', GOTRUE_MAILER_URLPATHS_CONFIRMATION: '/auth/v1/verify', 
GOTRUE_MAILER_URLPATHS_RECOVERY: '/auth/v1/verify', GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE: '/auth/v1/verify', - // Phone Auth - https://github.com/supabase/gotrue#phone-auth + + GOTRUE_EXTERNAL_PHONE_ENABLED: 'false', // Amazon SNS not supported GOTRUE_SMS_AUTOCONFIRM: 'true', + + GOTRUE_RATE_LIMIT_EMAIL_SENT: '3600', // SES Limit: 1msg/s + GOTRUE_PASSWORD_MIN_LENGTH: passwordMinLength.valueAsString, + + //GOTRUE_TRACING_ENABLED: 'true', + //OTEL_SERVICE_NAME: 'gotrue', + //OTEL_EXPORTER_OTLP_PROTOCOL: 'grpc', + //OTEL_EXPORTER_OTLP_ENDPOINT: `http://${jaeger.dnsName}:4317`, }, secrets: { GOTRUE_DB_DATABASE_URL: ecs.Secret.fromSecretsManager(supabaseAuthAdminSecret, 'uri'), @@ -404,10 +406,12 @@ export class SupabaseStack extends FargateStack { PGRST_DB_SCHEMAS: 'public,storage,graphql_public', PGRST_DB_ANON_ROLE: 'anon', PGRST_DB_USE_LEGACY_GUCS: 'false', + PGRST_APP_SETTINGS_JWT_EXP: jwtExpiryLimit.valueAsString, }, secrets: { PGRST_DB_URI: ecs.Secret.fromSecretsManager(authenticatorSecret, 'uri'), PGRST_JWT_SECRET: ecs.Secret.fromSecretsManager(jwtSecret), + PGRST_APP_SETTINGS_JWT_SECRET: ecs.Secret.fromSecretsManager(jwtSecret), }, }, highAvailability, @@ -535,15 +539,12 @@ export class SupabaseStack extends FargateStack { POSTGREST_URL: `${rest.endpoint}`, PGOPTIONS: '-c search_path=storage,public', FILE_SIZE_LIMIT: '52428800', + STORAGE_BACKEND: 's3', TENANT_ID: 'stub', - // Multitenant IS_MULTITENANT: 'false', - // Storage Backend - STORAGE_BACKEND: 's3', - GLOBAL_S3_BUCKET: bucket.bucketName, - // S3 Configuration + // TODO: https://github.com/supabase/storage-api/issues/55 REGION: cdk.Aws.REGION, - // Image Transformation + GLOBAL_S3_BUCKET: bucket.bucketName, ENABLE_IMAGE_TRANSFORMATION: 'true', IMGPROXY_URL: imgproxy.endpoint, // Smart CDN Caching diff --git a/test/__snapshots__/main.test.ts.snap b/test/__snapshots__/main.test.ts.snap index c9ad2be..5d97d65 100644 --- a/test/__snapshots__/main.test.ts.snap +++ b/test/__snapshots__/main.test.ts.snap 
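Review bot: `GOTRUE_SMS_AUTOCONFIRM: 'true'` is carried into the new phone-auth group without a comment, directly under `GOTRUE_EXTERNAL_PHONE_ENABLED: 'false'`; while phone sign-in is off the flag is inert, but if phone auth is ever switched on it would confirm phone sign-ups without an OTP step. I would annotate it, e.g. `GOTRUE_SMS_AUTOCONFIRM: 'true', // inert while phone auth is disabled; revisit before enabling phone sign-in`. The commented-out `//GOTRUE_MAILER_SECURE_EMAIL_CHANGE_ENABLED: 'true'` and `//GOTRUE_SMTP_MAX_FREQUENCY: '1s'` now leave those behaviours to the image defaults, so a one-line comment stating which default is being relied on would keep that explicit. The enclosing task-definition literal starts and ends outside the hunk.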
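Review bot: `PGRST_APP_SETTINGS_JWT_SECRET` wires the same `jwtSecret` that already backs `PGRST_JWT_SECRET` into a PostgREST app setting; PostgREST publishes `PGRST_APP_SETTINGS_*` as transaction-scoped `app.settings.*` GUCs, so the signing secret becomes readable via `current_setting()` by any SQL that runs inside an API request, including user-defined RPC functions. If that is intended (typically for server-side token minting in SQL), say so on the line, e.g. `// exposed to SQL as app.settings.jwt_secret; API-callable functions must never return GUC values`; otherwise drop this line and keep only `PGRST_APP_SETTINGS_JWT_EXP`. The enclosing container-definition object starts and ends outside the hunk.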
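Review bot: The new `// TODO: https://github.com/supabase/storage-api/issues/55` above `REGION: cdk.Aws.REGION` carries only a link and does not say what is deferred, so a reader cannot tell whether `REGION` is a workaround or the intended final form. State the pending item in one clause next to the link, e.g. `// TODO(storage-api#55): <what is pending for REGION>` — it cannot be inferred from the hunk itself. The enclosing environment block starts and ends outside the hunk.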
@@ -1596,42 +1596,6 @@ Object { "ContainerDefinitions": Array [ Object { "Environment": Array [ - Object { - "Name": "GOTRUE_SITE_URL", - "Value": Object { - "Ref": "SiteUrl", - }, - }, - Object { - "Name": "GOTRUE_URI_ALLOW_LIST", - "Value": Object { - "Ref": "RedirectUrls", - }, - }, - Object { - "Name": "GOTRUE_DISABLE_SIGNUP", - "Value": Object { - "Ref": "DisableSignup", - }, - }, - Object { - "Name": "GOTRUE_EXTERNAL_EMAIL_ENABLED", - "Value": "true", - }, - Object { - "Name": "GOTRUE_EXTERNAL_PHONE_ENABLED", - "Value": "false", - }, - Object { - "Name": "GOTRUE_RATE_LIMIT_EMAIL_SENT", - "Value": "3600", - }, - Object { - "Name": "GOTRUE_PASSWORD_MIN_LENGTH", - "Value": Object { - "Ref": "PasswordMinLength", - }, - }, Object { "Name": "GOTRUE_API_HOST", "Value": "0.0.0.0", @@ -1662,23 +1626,49 @@ Object { "Value": "postgres", }, Object { - "Name": "GOTRUE_JWT_EXP", + "Name": "GOTRUE_SITE_URL", "Value": Object { - "Ref": "JwtExpiryLimit", + "Ref": "SiteUrl", }, }, Object { - "Name": "GOTRUE_JWT_AUD", - "Value": "authenticated", + "Name": "GOTRUE_URI_ALLOW_LIST", + "Value": Object { + "Ref": "RedirectUrls", + }, + }, + Object { + "Name": "GOTRUE_DISABLE_SIGNUP", + "Value": Object { + "Ref": "DisableSignup", + }, }, Object { "Name": "GOTRUE_JWT_ADMIN_ROLES", "Value": "service_role", }, + Object { + "Name": "GOTRUE_JWT_AUD", + "Value": "authenticated", + }, Object { "Name": "GOTRUE_JWT_DEFAULT_GROUP_NAME", "Value": "authenticated", }, + Object { + "Name": "GOTRUE_JWT_EXP", + "Value": Object { + "Ref": "JwtExpiryLimit", + }, + }, + Object { + "Name": "GOTRUE_EXTERNAL_EMAIL_ENABLED", + "Value": "true", + }, + Object { + "Name": "GOTRUE_MAILER_AUTOCONFIRM", + "Value": "false", + }, Object { "Name": "GOTRUE_SMTP_ADMIN_EMAIL", "Value": Object { @@ -1738,10 +1728,6 @@ Object { "Ref": "SenderName", }, }, - Object { - "Name": "GOTRUE_MAILER_AUTOCONFIRM", - "Value": "false", - }, Object { "Name": "GOTRUE_MAILER_URLPATHS_INVITE", "Value": "/auth/v1/verify", 
@@ -1758,10 +1744,24 @@ Object { "Name": "GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE", "Value": "/auth/v1/verify", }, + Object { + "Name": "GOTRUE_EXTERNAL_PHONE_ENABLED", + "Value": "false", + }, Object { "Name": "GOTRUE_SMS_AUTOCONFIRM", "Value": "true", }, + Object { + "Name": "GOTRUE_RATE_LIMIT_EMAIL_SENT", + "Value": "3600", + }, + Object { + "Name": "GOTRUE_PASSWORD_MIN_LENGTH", + "Value": Object { + "Ref": "PasswordMinLength", + }, + }, Object { "Name": Object { "Fn::Join": Array [ @@ -7365,6 +7365,12 @@ Object { "Name": "PGRST_DB_USE_LEGACY_GUCS", "Value": "false", }, + Object { + "Name": "PGRST_APP_SETTINGS_JWT_EXP", + "Value": Object { + "Ref": "JwtExpiryLimit", + }, + }, ], "Essential": true, "Image": Object { @@ -7411,6 +7417,12 @@ Object { "Ref": "JwtSecretB8834B39", }, }, + Object { + "Name": "PGRST_APP_SETTINGS_JWT_SECRET", + "ValueFrom": Object { + "Ref": "JwtSecretB8834B39", + }, + }, ], "Ulimits": Array [ Object { @@ -8140,6 +8152,10 @@ Object { "Name": "FILE_SIZE_LIMIT", "Value": "52428800", }, + Object { + "Name": "STORAGE_BACKEND", + "Value": "s3", + }, Object { "Name": "TENANT_ID", "Value": "stub", @@ -8149,19 +8165,15 @@ Object { "Value": "false", }, Object { - "Name": "STORAGE_BACKEND", - "Value": "s3", - }, - Object { - "Name": "GLOBAL_S3_BUCKET", + "Name": "REGION", "Value": Object { - "Ref": "Bucket83908E77", + "Ref": "AWS::Region", }, }, Object { - "Name": "REGION", + "Name": "GLOBAL_S3_BUCKET", "Value": Object { - "Ref": "AWS::Region", + "Ref": "Bucket83908E77", }, }, Object { From dc8ec17c4dc8c28fea951dab0cd85bd85a2b7a2f Mon Sep 17 00:00:00 2001 From: Kazuki Matsuda Date: Sat, 18 Nov 2023 03:04:23 +0900 Subject: [PATCH 2/8] fix: setup for supabase_admin --- src/supabase-db/sql/init-for-rds/00-postgres-user.sql | 10 ++++++++-- .../sql/init-scripts/00000000000000-initial-schema.sql | 5 +---- .../sql/init-scripts/00000000000001-auth-schema.sql | 1 + src/supabase-stack.ts | 4 +++- 4 files changed, 13 insertions(+), 7 deletions(-) 
diff --git a/src/supabase-db/sql/init-for-rds/00-postgres-user.sql b/src/supabase-db/sql/init-for-rds/00-postgres-user.sql index b0cc8f0..2ef9423 100644 --- a/src/supabase-db/sql/init-for-rds/00-postgres-user.sql +++ b/src/supabase-db/sql/init-for-rds/00-postgres-user.sql @@ -1,3 +1,9 @@ --- postgres user for developers -CREATE USER postgres WITH LOGIN; +-- default superuser GRANT rds_replication TO postgres; + +-- Supabase super admin +create user supabase_admin; +alter user supabase_admin with createdb createrole bypassrls; +grant supabase_admin to postgres; +grant rds_superuser to supabase_admin; -- for RDS +grant rds_replication to supabase_admin; -- for RDS diff --git a/src/supabase-db/sql/init-scripts/00000000000000-initial-schema.sql b/src/supabase-db/sql/init-scripts/00000000000000-initial-schema.sql index b94a0a5..278af84 100644 --- a/src/supabase-db/sql/init-scripts/00000000000000-initial-schema.sql +++ b/src/supabase-db/sql/init-scripts/00000000000000-initial-schema.sql @@ -7,13 +7,10 @@ create publication supabase_realtime; -- Supabase super admin -- create user supabase_admin; -- alter user supabase_admin with superuser createdb createrole replication bypassrls; -alter user supabase_admin with createdb createrole bypassrls; -grant rds_replication to supabase_admin; -- for Aurora -- Supabase replication user --- create user supabase_replication_admin with login replication; create user supabase_replication_admin with login; -grant rds_replication to supabase_replication_admin; -- for Aurora +grant rds_replication to supabase_replication_admin; -- for RDS -- Supabase read-only user create role supabase_read_only_user with login bypassrls; diff --git a/src/supabase-db/sql/init-scripts/00000000000001-auth-schema.sql b/src/supabase-db/sql/init-scripts/00000000000001-auth-schema.sql index 3cf035f..c6b08b0 100644 --- a/src/supabase-db/sql/init-scripts/00000000000001-auth-schema.sql +++ b/src/supabase-db/sql/init-scripts/00000000000001-auth-schema.sql 
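Review bot: `grant supabase_admin to postgres;` combined with `grant rds_superuser to supabase_admin;` makes `postgres` (created with the default INHERIT) an effective rds_superuser through role membership, while the removed header still described it as the developers' user; if `postgres` is meant to stay less privileged, create it `NOINHERIT` or drop the membership grant. `create user supabase_admin;` also sets no password, which I assume is provisioned by the `db.genUserPassword('supabase_admin')` call added in the same commit — a comment on that line would make the dependency visible. Patch 7/8 of this series reverts this file entirely, so squashing patches 2 and 7 would keep the transient superuser grant out of history.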
@@ -110,6 +110,7 @@ GRANT USAGE ON SCHEMA auth TO anon, authenticated, service_role; -- Supabase super admin CREATE USER supabase_auth_admin NOINHERIT CREATEROLE LOGIN NOREPLICATION; +grant supabase_auth_admin to postgres; -- RDS GRANT ALL PRIVILEGES ON SCHEMA auth TO supabase_auth_admin; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA auth TO supabase_auth_admin; GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA auth TO supabase_auth_admin; diff --git a/src/supabase-stack.ts b/src/supabase-stack.ts index dfe2c9e..688eef6 100644 --- a/src/supabase-stack.ts +++ b/src/supabase-stack.ts @@ -224,8 +224,10 @@ export class SupabaseStack extends FargateStack { maxCapacity: maxACU.valueAsNumber, }; + /** Secret of postgres user */ + const dbSecret = db.cluster.secret!; /** Secret of supabase_admin user */ - const supabaseAdminSecret = db.cluster.secret!; + const supabaseAdminSecret = db.genUserPassword('supabase_admin'); /** Secret of supabase_auth_admin user */ const supabaseAuthAdminSecret = db.genUserPassword('supabase_auth_admin'); /** Secret of supabase_storage_admin user */ From 2285961815217399db5b000bc8bf6e216bbc5784 Mon Sep 17 00:00:00 2001 From: Kazuki Matsuda Date: Sat, 18 Nov 2023 03:04:47 +0900 Subject: [PATCH 3/8] chore: add README --- src/supabase-db/sql/init-for-rds/README.md | 3 +++ src/supabase-db/sql/init-scripts/README.md | 3 +++ src/supabase-db/sql/migrations/README.md | 3 +++ 3 files changed, 9 insertions(+) create mode 100644 src/supabase-db/sql/init-for-rds/README.md create mode 100644 src/supabase-db/sql/init-scripts/README.md create mode 100644 src/supabase-db/sql/migrations/README.md diff --git a/src/supabase-db/sql/init-for-rds/README.md b/src/supabase-db/sql/init-for-rds/README.md new file mode 100644 index 0000000..287bb59 --- /dev/null +++ b/src/supabase-db/sql/init-for-rds/README.md @@ -0,0 +1,3 @@ +# init-for-rds + +https://github.com/supabase/supabase/tree/master/docker/volumes/db 
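Review bot: `const dbSecret = db.cluster.secret!;` is declared but not read anywhere in the hunk, so if it is also unused further down it will not compile under `noUnusedLocals`, and the non-null assertion hides the case where the cluster has no generated secret. If the secret is needed later, pass it where it is used; if not, drop the two added lines. Patch 5/8 of this series reverts exactly this hunk, so squashing patches 2 and 5 would avoid carrying the dead declaration through history. The enclosing constructor starts and ends outside the hunk.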
diff --git a/src/supabase-db/sql/init-scripts/README.md b/src/supabase-db/sql/init-scripts/README.md
new file mode 100644
index 0000000..8b8abb7
--- /dev/null
+++ b/src/supabase-db/sql/init-scripts/README.md
@@ -0,0 +1,3 @@
+# init-scripts
+
+https://github.com/supabase/postgres/tree/develop/migrations/db/init-scripts
diff --git a/src/supabase-db/sql/migrations/README.md b/src/supabase-db/sql/migrations/README.md
new file mode 100644
index 0000000..58f909d
--- /dev/null
+++ b/src/supabase-db/sql/migrations/README.md
@@ -0,0 +1,3 @@
+# migrations
+
+https://github.com/supabase/postgres/tree/develop/migrations/db/migrations
From 16ceeed8e68bec12fdaa0f702b482eb950012f86 Mon Sep 17 00:00:00 2001
From: Kazuki Matsuda
Date: Sat, 18 Nov 2023 03:05:30 +0900
Subject: [PATCH 4/8] feat: add migration scripts
---
...0529180330_alter_api_roles_for_inherit.sql | 9 +++
...uthenticator_to_supabase_storage_admin.sql | 5 ++
...g_graphql_permissions_for_custom_roles.sql | 78 +++++++++++++++++++
...evoke_writes_on_cron_job_from_postgres.sql | 47 +++++++++++
4 files changed, 139 insertions(+)
create mode 100644 src/supabase-db/sql/migrations/20230529180330_alter_api_roles_for_inherit.sql
create mode 100644 src/supabase-db/sql/migrations/20231013070755_grant_authenticator_to_supabase_storage_admin.sql
create mode 100644 src/supabase-db/sql/migrations/20231017062225_grant_pg_graphql_permissions_for_custom_roles.sql
create mode 100644 src/supabase-db/sql/migrations/20231020085357_revoke_writes_on_cron_job_from_postgres.sql
diff --git a/src/supabase-db/sql/migrations/20230529180330_alter_api_roles_for_inherit.sql b/src/supabase-db/sql/migrations/20230529180330_alter_api_roles_for_inherit.sql
new file mode 100644
index 0000000..9663c0f
--- /dev/null
+++ b/src/supabase-db/sql/migrations/20230529180330_alter_api_roles_for_inherit.sql
@@ -0,0 +1,9 @@
+-- migrate:up
+
+ALTER ROLE authenticated inherit;
+ALTER ROLE anon inherit;
+ALTER ROLE service_role inherit;
+
+GRANT pgsodium_keyholder to service_role;
+
+-- migrate:down
diff --git a/src/supabase-db/sql/migrations/20231013070755_grant_authenticator_to_supabase_storage_admin.sql b/src/supabase-db/sql/migrations/20231013070755_grant_authenticator_to_supabase_storage_admin.sql
new file mode 100644
index 0000000..15020e4
--- /dev/null
+++ b/src/supabase-db/sql/migrations/20231013070755_grant_authenticator_to_supabase_storage_admin.sql
@@ -0,0 +1,5 @@
+-- migrate:up
+grant authenticator to supabase_storage_admin;
+revoke anon, authenticated, service_role from supabase_storage_admin;
+
+-- migrate:down
\ No newline at end of file
diff --git a/src/supabase-db/sql/migrations/20231017062225_grant_pg_graphql_permissions_for_custom_roles.sql b/src/supabase-db/sql/migrations/20231017062225_grant_pg_graphql_permissions_for_custom_roles.sql
new file mode 100644
index 0000000..825f7b2
--- /dev/null
+++ b/src/supabase-db/sql/migrations/20231017062225_grant_pg_graphql_permissions_for_custom_roles.sql
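Review bot: The `-- migrate:down` section is empty, so `GRANT pgsodium_keyholder to service_role;` — which lets `service_role` read pgsodium-managed keys — and the three `inherit` changes cannot be rolled back by the migration tool; the same empty down section appears in the other three migrations of this commit (`20231013070755_…`, `20231017062225_…`, `20231020085357_…`). At minimum the reversible statements belong under it, e.g. `REVOKE pgsodium_keyholder FROM service_role;` followed by the matching `ALTER ROLE … noinherit;` lines. If the files are mirrored verbatim from supabase/postgres and meant to stay identical, a one-line comment saying so would explain the omission.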
@@ -0,0 +1,78 @@ +-- migrate:up + +create or replace function extensions.grant_pg_graphql_access() + returns event_trigger + language plpgsql +AS $func$ +DECLARE + func_is_graphql_resolve bool; +BEGIN + func_is_graphql_resolve = ( + SELECT n.proname = 'resolve' + FROM pg_event_trigger_ddl_commands() AS ev + LEFT JOIN pg_catalog.pg_proc AS n + ON ev.objid = n.oid + ); + + IF func_is_graphql_resolve + THEN + -- Update public wrapper to pass all arguments through to the pg_graphql resolve func + DROP FUNCTION IF EXISTS graphql_public.graphql; + create or replace function graphql_public.graphql( + "operationName" text default null, + query text default null, + variables jsonb default null, + extensions jsonb default null + ) + returns jsonb + language sql + as $$ + select graphql.resolve( + query := query, + variables := coalesce(variables, '{}'), + "operationName" := "operationName", + extensions := extensions + ); + $$; + + -- This hook executes when `graphql.resolve` is created. That is not necessarily the last + -- function in the extension so we need to grant permissions on existing entities AND + -- update default permissions to any others that are created after `graphql.resolve` + grant usage on schema graphql to postgres, anon, authenticated, service_role; + grant select on all tables in schema graphql to postgres, anon, authenticated, service_role; + grant execute on all functions in schema graphql to postgres, anon, authenticated, service_role; + grant all on all sequences in schema graphql to postgres, anon, authenticated, service_role; + alter default privileges in schema graphql grant all on tables to postgres, anon, authenticated, service_role; + alter default privileges in schema graphql grant all on functions to postgres, anon, authenticated, service_role; + alter default privileges in schema graphql grant all on sequences to postgres, anon, authenticated, service_role; + + -- Allow postgres role to allow granting usage on graphql and graphql_public 
schemas to custom roles + grant usage on schema graphql_public to postgres with grant option; + grant usage on schema graphql to postgres with grant option; + END IF; + +END; +$func$; + +-- Cycle the extension off and back on to apply the permissions update. + +drop extension if exists pg_graphql; +-- Avoids limitation of only being able to load the extension via dashboard +-- Only install as well if the extension is actually installed +DO $$ +DECLARE + graphql_exists boolean; +BEGIN + graphql_exists = ( + select count(*) = 1 + from pg_available_extensions + where name = 'pg_graphql' + ); + + IF graphql_exists + THEN + create extension if not exists pg_graphql; + END IF; +END $$; + +-- migrate:down \ No newline at end of file diff --git a/src/supabase-db/sql/migrations/20231020085357_revoke_writes_on_cron_job_from_postgres.sql b/src/supabase-db/sql/migrations/20231020085357_revoke_writes_on_cron_job_from_postgres.sql new file mode 100644 index 0000000..e719ffa --- /dev/null +++ b/src/supabase-db/sql/migrations/20231020085357_revoke_writes_on_cron_job_from_postgres.sql 
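Review bot: `extensions.grant_pg_graphql_access()` is (re)defined, but no event trigger that invokes it is created or recreated in this file, unlike the cron migration in the same commit, which drops and recreates `issue_pg_cron_access`; unless an existing trigger already references the function, the `drop extension if exists pg_graphql` / `create extension` cycle below will not apply the grants at all. If a trigger from an earlier init script is relied on, name it in a comment above the function; otherwise add the `CREATE EVENT TRIGGER … ON ddl_command_end … EXECUTE FUNCTION extensions.grant_pg_graphql_access();` statement here. The `-- migrate:down` section is empty as well.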
@@ -0,0 +1,47 @@
+-- migrate:up
+do $$
+begin
+ if exists (select from pg_extension where extname = 'pg_cron') then
+ revoke all on table cron.job from postgres;
+ grant select on table cron.job to postgres with grant option;
+ end if;
+end $$;
+
+CREATE OR REPLACE FUNCTION extensions.grant_pg_cron_access() RETURNS event_trigger
+ LANGUAGE plpgsql
+ AS $$
+BEGIN
+ IF EXISTS (
+ SELECT
+ FROM pg_event_trigger_ddl_commands() AS ev
+ JOIN pg_extension AS ext
+ ON ev.objid = ext.oid
+ WHERE ext.extname = 'pg_cron'
+ )
+ THEN
+ grant usage on schema cron to postgres with grant option;
+
+ alter default privileges in schema cron grant all on tables to postgres with grant option;
+ alter default privileges in schema cron grant all on functions to postgres with grant option;
+ alter default privileges in schema cron grant all on sequences to postgres with grant option;
+
+ alter default privileges for user supabase_admin in schema cron grant all
+ on sequences to postgres with grant option;
+ alter default privileges for user supabase_admin in schema cron grant all
+ on tables to postgres with grant option;
+ alter default privileges for user supabase_admin in schema cron grant all
+ on functions to postgres with grant option;
+
+ grant all privileges on all tables in schema cron to postgres with grant option;
+ revoke all on table cron.job from postgres;
+ grant select on table cron.job to postgres with grant option;
+ END IF;
+END;
+$$;
+
+drop event trigger if exists issue_pg_cron_access;
+CREATE EVENT TRIGGER issue_pg_cron_access ON ddl_command_end
+ WHEN TAG IN ('CREATE EXTENSION')
+ EXECUTE FUNCTION extensions.grant_pg_cron_access();
+
+-- migrate:down
\ No newline at end of file
From 144bbf4652935c0adcf0812de3d48fb8a138aff0 Mon Sep 17 00:00:00 2001
From: Kazuki Matsuda
Date: Sat, 18 Nov 2023 04:08:06 +0900
Subject: [PATCH 5/8] rollback
---
src/supabase-stack.ts | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
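Review bot: The `alter default privileges for user supabase_admin …` statements only succeed when the role running the migration is `supabase_admin` or a member of it; which role runs migrations is not visible in this series (the stack hands `db.cluster.secret` to `supabaseAdminSecret`), so this precondition deserves a comment above the function or a guard. The `revoke all on table cron.job from postgres; grant select … with grant option;` pair is intentionally executed twice — once in the `do $$` block for an already-installed pg_cron and again inside the event-trigger function for a future `CREATE EXTENSION` — and a one-line comment such as `-- same adjustment as the block above, re-applied when pg_cron is installed later` would stop a reader from deduplicating it.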
diff --git a/src/supabase-stack.ts b/src/supabase-stack.ts index 688eef6..dfe2c9e 100644 --- a/src/supabase-stack.ts +++ b/src/supabase-stack.ts @@ -224,10 +224,8 @@ export class SupabaseStack extends FargateStack { maxCapacity: maxACU.valueAsNumber, }; - /** Secret of postgres user */ - const dbSecret = db.cluster.secret!; /** Secret of supabase_admin user */ - const supabaseAdminSecret = db.genUserPassword('supabase_admin'); + const supabaseAdminSecret = db.cluster.secret!; /** Secret of supabase_auth_admin user */ const supabaseAuthAdminSecret = db.genUserPassword('supabase_auth_admin'); /** Secret of supabase_storage_admin user */ From 2bb1c636f9f7bfcb9e934aecef0205ce0a44a438 Mon Sep 17 00:00:00 2001 From: Kazuki Matsuda Date: Sat, 18 Nov 2023 04:08:37 +0900 Subject: [PATCH 6/8] chore: update lambda runtime --- src/supabase-studio/index.ts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/supabase-studio/index.ts b/src/supabase-studio/index.ts index fdfe256..12c0629 100644 --- a/src/supabase-studio/index.ts +++ b/src/supabase-studio/index.ts @@ -188,10 +188,10 @@ export class Repository extends codecommit.Repository { this.importFunction = new lambda.Function(this, 'ImportFunction', { description: 'Clone to CodeCommit from remote repo (You can execute this function manually.)', - runtime: lambda.Runtime.PYTHON_3_9, + runtime: lambda.Runtime.PYTHON_3_12, code: lambda.Code.fromAsset(path.resolve(__dirname, 'cr-import-repo'), { bundling: { - image: cdk.DockerImage.fromRegistry('public.ecr.aws/sam/build-python3.9:latest-x86_64'), + image: cdk.DockerImage.fromRegistry('public.ecr.aws/sam/build-python3.12:latest-x86_64'), command: [ '/bin/bash', '-c', [ 'mkdir -p /var/task/local/{bin,lib}', 
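Review bot: The bundling image is still referenced by the mutable tag `public.ecr.aws/sam/build-python3.12:latest-x86_64`, so the asset bundled into `ImportFunction` depends on whatever that tag points to at synth time and is not reproducible; pin it by digest, e.g. `image: cdk.DockerImage.fromRegistry('public.ecr.aws/sam/build-python3.12@sha256:<digest-placeholder>'),` and advance the digest deliberately. The move to `lambda.Runtime.PYTHON_3_12` should also be checked against the function's `architecture` (not in the hunk), since the build image is x86_64-specific. The enclosing `Repository` constructor starts and ends outside the hunk.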
@@ -208,9 +208,9 @@ export class Repository extends codecommit.Repository { }, }), handler: 'index.handler', - memorySize: 3072, + memorySize: 4096, ephemeralStorageSize: cdk.Size.gibibytes(3), - timeout: cdk.Duration.minutes(5), + timeout: cdk.Duration.minutes(15), environment: { TARGET_REPO: this.repositoryCloneUrlGrc, }, From 4bb4129ed7fa218663dbb1ed76e7bc9c0cc9a30e Mon Sep 17 00:00:00 2001 From: Kazuki Matsuda Date: Sat, 18 Nov 2023 23:43:36 +0900 Subject: [PATCH 7/8] rollback --- src/supabase-db/sql/init-for-rds/00-postgres-user.sql | 10 ++-------- .../sql/init-scripts/00000000000000-initial-schema.sql | 5 +++-- .../sql/init-scripts/00000000000001-auth-schema.sql | 1 - 3 files changed, 5 insertions(+), 11 deletions(-) diff --git a/src/supabase-db/sql/init-for-rds/00-postgres-user.sql b/src/supabase-db/sql/init-for-rds/00-postgres-user.sql index 2ef9423..b0cc8f0 100644 --- a/src/supabase-db/sql/init-for-rds/00-postgres-user.sql +++ b/src/supabase-db/sql/init-for-rds/00-postgres-user.sql @@ -1,9 +1,3 @@ --- default superuser +-- postgres user for developers +CREATE USER postgres WITH LOGIN; GRANT rds_replication TO postgres; - --- Supabase super admin -create user supabase_admin; -alter user supabase_admin with createdb createrole bypassrls; -grant supabase_admin to postgres; -grant rds_superuser to supabase_admin; -- for RDS -grant rds_replication to supabase_admin; -- for RDS diff --git a/src/supabase-db/sql/init-scripts/00000000000000-initial-schema.sql b/src/supabase-db/sql/init-scripts/00000000000000-initial-schema.sql index 278af84..635f765 100644 --- a/src/supabase-db/sql/init-scripts/00000000000000-initial-schema.sql +++ b/src/supabase-db/sql/init-scripts/00000000000000-initial-schema.sql 
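Review bot: `CREATE USER postgres WITH LOGIN;` is restored without a password, validity limit or comment saying how the role is meant to authenticate; with password authentication a LOGIN role that has no password cannot connect, so either this is intentional until a password is set elsewhere (say so, e.g. `-- password is provisioned by the stack after cluster creation`) or the role should be created `NOLOGIN` until then. This hunk undoes patch 2/8 of the same series, so squashing the two would keep the transient `grant rds_superuser to supabase_admin` / `grant supabase_admin to postgres` pair out of history.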
@@ -5,8 +5,9 @@ create publication supabase_realtime; -- Supabase super admin --- create user supabase_admin; --- alter user supabase_admin with superuser createdb createrole replication bypassrls; +-- create user supabase_admin; -- supabase_admin is rds_superuser. +alter user supabase_admin with createdb createrole bypassrls; +grant rds_replication to supabase_admin; -- for RDS -- Supabase replication user create user supabase_replication_admin with login; diff --git a/src/supabase-db/sql/init-scripts/00000000000001-auth-schema.sql b/src/supabase-db/sql/init-scripts/00000000000001-auth-schema.sql index c6b08b0..3cf035f 100644 --- a/src/supabase-db/sql/init-scripts/00000000000001-auth-schema.sql +++ b/src/supabase-db/sql/init-scripts/00000000000001-auth-schema.sql @@ -110,7 +110,6 @@ GRANT USAGE ON SCHEMA auth TO anon, authenticated, service_role; -- Supabase super admin CREATE USER supabase_auth_admin NOINHERIT CREATEROLE LOGIN NOREPLICATION; -grant supabase_auth_admin to postgres; -- RDS GRANT ALL PRIVILEGES ON SCHEMA auth TO supabase_auth_admin; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA auth TO supabase_auth_admin; GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA auth TO supabase_auth_admin; From fbeb58eea3771e2b43af60b8e63d25c61e084109 Mon Sep 17 00:00:00 2001 From: Kazuki Matsuda Date: Sun, 19 Nov 2023 00:01:50 +0900 Subject: [PATCH 8/8] chore: upgrade lambda-powertools --- .projen/deps.json | 4 ++-- .projenrc.js | 4 ++-- package.json | 4 ++-- src/supabase-cdn/index.ts | 2 +- yarn.lock | 28 ++++++++++++++-------------- 5 files changed, 21 insertions(+), 21 deletions(-) diff --git a/.projen/deps.json b/.projen/deps.json index c0aa82c..2f7a5d7 100644 --- a/.projen/deps.json +++ b/.projen/deps.json @@ -93,12 +93,12 @@ }, { "name": "@aws-lambda-powertools/logger", - "version": "1.14.2", + "version": "1.16.0", "type": "runtime" }, { "name": "@aws-lambda-powertools/tracer", - "version": "1.14.2", + "version": "1.16.0", "type": "runtime" }, { 
diff --git a/.projenrc.js b/.projenrc.js index 5d27001..b54cead 100644 --- a/.projenrc.js +++ b/.projenrc.js @@ -11,8 +11,8 @@ const project = new awscdk.AwsCdkTypeScriptApp({ '@aws-cdk/aws-apigatewayv2-alpha', '@aws-cdk/aws-apigatewayv2-integrations-alpha', // Lambda Powertools - '@aws-lambda-powertools/logger@1.14.2', - '@aws-lambda-powertools/tracer@1.14.2', + '@aws-lambda-powertools/logger@1.16.0', + '@aws-lambda-powertools/tracer@1.16.0', // AWS SDK '@aws-sdk/client-cloudfront', '@aws-sdk/client-ecs', diff --git a/package.json b/package.json index 6f7c68f..8237a94 100644 --- a/package.json +++ b/package.json @@ -46,8 +46,8 @@ "@aws-cdk/aws-amplify-alpha": "^2.53.0-alpha.0", "@aws-cdk/aws-apigatewayv2-alpha": "^2.53.0-alpha.0", "@aws-cdk/aws-apigatewayv2-integrations-alpha": "^2.53.0-alpha.0", - "@aws-lambda-powertools/logger": "1.14.2", - "@aws-lambda-powertools/tracer": "1.14.2", + "@aws-lambda-powertools/logger": "1.16.0", + "@aws-lambda-powertools/tracer": "1.16.0", "@aws-sdk/client-cloudfront": "^3.231.0", "@aws-sdk/client-ecs": "^3.154.0", "@aws-sdk/client-secrets-manager": "^3.137.0", diff --git a/src/supabase-cdn/index.ts b/src/supabase-cdn/index.ts index e243291..c42687e 100644 --- a/src/supabase-cdn/index.ts +++ b/src/supabase-cdn/index.ts @@ -156,7 +156,7 @@ class CacheManager extends Construct { ], }, layers: [ - lambda.LayerVersion.fromLayerVersionArn(this, 'LambdaPowertools', `arn:aws:lambda:${cdk.Aws.REGION}:094274105915:layer:AWSLambdaPowertoolsTypeScript:23`), + lambda.LayerVersion.fromLayerVersionArn(this, 'LambdaPowertools', `arn:aws:lambda:${cdk.Aws.REGION}:094274105915:layer:AWSLambdaPowertoolsTypeScript:25`), ], }; diff --git a/yarn.lock b/yarn.lock index 2182d05..2c49fb8 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -100,25 +100,25 @@ "@aws-sdk/util-utf8-browser" "^3.0.0" tslib "^1.11.1" -"@aws-lambda-powertools/commons@^1.14.2": - version "1.14.2" - resolved "https://registry.yarnpkg.com/@aws-lambda-powertools/commons/-/commons-1.14.2.tgz#930dbf80443afcd7bba1603b79bce416ce2f2b89" - integrity sha512-pGW2RSeOEbU1e+mj+MlMkaiM4njO289glFjJA1V+H8bmjvHJXaItroH7lutZ8Gde1Iq+5WoRVQN8M/xmMNSxIA== +"@aws-lambda-powertools/commons@^1.16.0": + version "1.16.0" + resolved "https://registry.yarnpkg.com/@aws-lambda-powertools/commons/-/commons-1.16.0.tgz#a2388bfda8adadb645119e7e8b7e39db962cef64" + integrity sha512-NWCQapc7zbF0dHW469607l16pFIzm6EQNL/uBdY7bDhJ2t98VFpErO7lj0gbqtTtSL28Ev1TMLtP3PYQeq2BLw== -"@aws-lambda-powertools/logger@1.14.2": - version "1.14.2" - resolved "https://registry.yarnpkg.com/@aws-lambda-powertools/logger/-/logger-1.14.2.tgz#0b511eb574407183d28c1a0a172c4deac3e04cbe" - integrity sha512-eUu1qF/8S3H7SquaKjmIj/go/3UDYwsfiJ3My1gtqd9eKRlUPKpvktAeF/+yghcO0BmuA5q1i2hKr8rsJ+2lGg== +"@aws-lambda-powertools/logger@1.16.0": + version "1.16.0" + resolved "https://registry.yarnpkg.com/@aws-lambda-powertools/logger/-/logger-1.16.0.tgz#f1a707f3522e1773e641c6a762be9afbe03483d3" + integrity sha512-uuLEM6dnYZK6Qi5RFH/420dRHZxPd8pwH/nPOTmgz/TEyVPy+nyiUkCxUMiNK1UVd/tJOXzp72wLKYlAFAQM8Q== dependencies: - "@aws-lambda-powertools/commons" "^1.14.2" + "@aws-lambda-powertools/commons" "^1.16.0" lodash.merge "^4.6.2" -"@aws-lambda-powertools/tracer@1.14.2": - version "1.14.2" - resolved "https://registry.yarnpkg.com/@aws-lambda-powertools/tracer/-/tracer-1.14.2.tgz#0ade48674c395f0c07a2cf56c75f5fc33dffa294" - integrity sha512-wJqTr7IWQNfVRMpWhn5JFg1Syh9xG+JyqfTsHvQ8USLIzjG5qa5LJKaPVAcugRVN05qzEHYpWKVdrRTEvf663g== +"@aws-lambda-powertools/tracer@1.16.0": + version "1.16.0" + resolved "https://registry.yarnpkg.com/@aws-lambda-powertools/tracer/-/tracer-1.16.0.tgz#b85fb818445f6a43fecdc6d35f0fe31104e283df" + integrity 
sha512-oJvjSZTvCAb2PDV0yKpAViLgl3aePe2DqCLX0ZWCXGVyoLq7y7KVX5zquDFzntx/LMDA9ZwDQtHYn2hsO9b4dA== dependencies: - "@aws-lambda-powertools/commons" "^1.14.2" + "@aws-lambda-powertools/commons" "^1.16.0" aws-xray-sdk-core "^3.5.3" "@aws-sdk/abort-controller@3.127.0":