From 0a10aca53e62e56e9a0e38fec8b05a1eda5bdd26 Mon Sep 17 00:00:00 2001
From: Alex
Date: Mon, 9 Sep 2024 16:10:26 +0200
Subject: [PATCH] Enhance postgres init scripts and interior cf tunnel

---
 envs/ci/postgres-init.sh | 7 +++++--
 envs/dev/postgres-init.sh | 7 +++++--
 envs/prod/cloudflared-int.yaml | 7 +++++++
 envs/prod/postgres-init.sh | 7 +++++--
 4 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/envs/ci/postgres-init.sh b/envs/ci/postgres-init.sh
index 756d591..177ba38 100755
--- a/envs/ci/postgres-init.sh
+++ b/envs/ci/postgres-init.sh
@@ -1,9 +1,10 @@
 #!/bin/bash
+set -eo pipefail
 psql -U ${POSTGRES_USER} <<-END
+-- SUPERUSER is needed to create extensions. Remember to revoke it when not needed!
 CREATE USER ${SERVICE_DATABASE_USER} WITH
-CREATEROLE
 SUPERUSER
 PASSWORD '${SERVICE_DATABASE_PASSWORD}';
@@ -16,6 +17,8 @@ CREATE DATABASE ${SERVICE_DATABASE_NAME}_TEST WITH
 CREATE USER ${SERVICE_DATABASE_READONLY_USER} WITH
 PASSWORD '${SERVICE_DATABASE_READONLY_PASSWORD}';
+\c ${SERVICE_DATABASE_NAME}
+
 GRANT CONNECT ON DATABASE ${SERVICE_DATABASE_NAME} TO ${SERVICE_DATABASE_READONLY_USER};
 GRANT USAGE ON SCHEMA public TO ${SERVICE_DATABASE_READONLY_USER};
@@ -23,4 +26,4 @@ GRANT USAGE ON SCHEMA public TO ${SERVICE_DATABASE_READONLY_USER};
 ALTER DEFAULT PRIVILEGES FOR USER ${SERVICE_DATABASE_USER} IN SCHEMA public GRANT SELECT ON TABLES TO ${SERVICE_DATABASE_READONLY_USER};
-END
\ No newline at end of file
+END
diff --git a/envs/dev/postgres-init.sh b/envs/dev/postgres-init.sh
index 756d591..177ba38 100755
--- a/envs/dev/postgres-init.sh
+++ b/envs/dev/postgres-init.sh
@@ -1,9 +1,10 @@
 #!/bin/bash
+set -eo pipefail
 psql -U ${POSTGRES_USER} <<-END
+-- SUPERUSER is needed to create extensions. Remember to revoke it when not needed!
 CREATE USER ${SERVICE_DATABASE_USER} WITH
-CREATEROLE
 SUPERUSER
 PASSWORD '${SERVICE_DATABASE_PASSWORD}';
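Review bot: The new `set -eo pipefail` does not make this script stop when a statement inside the heredoc fails, because psql keeps going after a failed CREATE USER or GRANT and still exits 0 unless it is started with `-v ON_ERROR_STOP=1`; whatever runs after this init would then see a half-configured database with no error. The same `set` line omits `-u`, so an unset `SERVICE_DATABASE_PASSWORD` expands silently to `PASSWORD ''` instead of aborting. Suggested: `set -euo pipefail` and `psql -v ON_ERROR_STOP=1 -U "${POSTGRES_USER}" <<-END`. The dev and prod copies of this script carry the same blob ids (756d591..177ba38) and need the identical change.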
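Review bot: After the added `\c ${SERVICE_DATABASE_NAME}` the read-only role's only table access comes from the `ALTER DEFAULT PRIVILEGES FOR USER ${SERVICE_DATABASE_USER}` statement further down the file, which covers tables created later and only those created by that one role; anything already present when the script runs (for example a re-run against a restored dump) or created by another role stays invisible to `${SERVICE_DATABASE_READONLY_USER}`. If that case can occur, add `GRANT SELECT ON ALL TABLES IN SCHEMA public TO ${SERVICE_DATABASE_READONLY_USER};` directly after the `\c` line. Whether this init is ever executed against a non-empty database is not visible in the diff, so treat this as a caveat to confirm.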
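Review bot: The `psql -U ${POSTGRES_USER} <<-END` heredoc still splices `${SERVICE_DATABASE_PASSWORD}` (and the role and database names) straight into SQL text, so a password containing a single quote breaks the `PASSWORD '...'` literal and, in the worst case, lets the remainder of the value execute as SQL; the added `set -eo pipefail` and comment do nothing about that. psql variables are the safe route: pass the secret with `-v svc_pw="${SERVICE_DATABASE_PASSWORD}"` on the psql line and write `PASSWORD :'svc_pw'`, which psql quotes correctly, and use `:"name"` for identifiers the same way. Where these values originate (a secret store versus something user-influenced) is not visible here, so this is defence in depth rather than a confirmed injection. The ci and prod scripts are identical copies and need the same treatment.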
@@ -16,6 +17,8 @@ CREATE DATABASE ${SERVICE_DATABASE_NAME}_TEST WITH
 CREATE USER ${SERVICE_DATABASE_READONLY_USER} WITH
 PASSWORD '${SERVICE_DATABASE_READONLY_PASSWORD}';
+\c ${SERVICE_DATABASE_NAME}
+
 GRANT CONNECT ON DATABASE ${SERVICE_DATABASE_NAME} TO ${SERVICE_DATABASE_READONLY_USER};
 GRANT USAGE ON SCHEMA public TO ${SERVICE_DATABASE_READONLY_USER};
@@ -23,4 +26,4 @@ GRANT USAGE ON SCHEMA public TO ${SERVICE_DATABASE_READONLY_USER};
 ALTER DEFAULT PRIVILEGES FOR USER ${SERVICE_DATABASE_USER} IN SCHEMA public GRANT SELECT ON TABLES TO ${SERVICE_DATABASE_READONLY_USER};
-END
\ No newline at end of file
+END
diff --git a/envs/prod/cloudflared-int.yaml b/envs/prod/cloudflared-int.yaml
index 5470b2b..833acd2 100644
--- a/envs/prod/cloudflared-int.yaml
+++ b/envs/prod/cloudflared-int.yaml
@@ -1,5 +1,12 @@
 tunnel:
 credentials-file: /etc/cloudflared/certs/.json
+originRequest:
+  access:
+    required: true
+    teamName:
+    audTag:
+      - ... # Metabase
+      - ... # Asynqmon
 ingress:
   - hostname: api.
diff --git a/envs/prod/postgres-init.sh b/envs/prod/postgres-init.sh
index 756d591..177ba38 100755
--- a/envs/prod/postgres-init.sh
+++ b/envs/prod/postgres-init.sh
@@ -1,9 +1,10 @@
 #!/bin/bash
+set -eo pipefail
 psql -U ${POSTGRES_USER} <<-END
+-- SUPERUSER is needed to create extensions. Remember to revoke it when not needed!
 CREATE USER ${SERVICE_DATABASE_USER} WITH
-CREATEROLE
 SUPERUSER
 PASSWORD '${SERVICE_DATABASE_PASSWORD}';
@@ -16,6 +17,8 @@ CREATE DATABASE ${SERVICE_DATABASE_NAME}_TEST WITH
 CREATE USER ${SERVICE_DATABASE_READONLY_USER} WITH
 PASSWORD '${SERVICE_DATABASE_READONLY_PASSWORD}';
+\c ${SERVICE_DATABASE_NAME}
+
 GRANT CONNECT ON DATABASE ${SERVICE_DATABASE_NAME} TO ${SERVICE_DATABASE_READONLY_USER};
 GRANT USAGE ON SCHEMA public TO ${SERVICE_DATABASE_READONLY_USER};
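Review bot: The added `originRequest.access` block sits at the top level of the config, so `required: true` is enforced for every ingress rule in the file, including the `api.` hostname that immediately follows it, not just the Metabase and Asynqmon origins the `audTag` comments name; any client of `api.` that does not present a Cloudflare Access JWT with one of those two AUDs will start being rejected at the tunnel. If only the two dashboards are meant to be gated, move the `access` block under each of their ingress entries' own `originRequest` instead; if tunnel-wide enforcement is the intent, the `api.` application's AUD belongs in the list and a comment such as `# Access JWT is validated for every ingress rule below` would make that explicit. `teamName` and the `audTag` values appear redacted (`...`) in this view and were not reviewed. The ingress list continues past the end of the hunk.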
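Review bot: In the prod script the service role is still created `WITH SUPERUSER`, and nothing in this commit or anywhere visible revokes it; the new comment `-- SUPERUSER is needed to create extensions. Remember to revoke it when not needed!` relies on someone remembering, so the application's production credentials keep full cluster control (every database readable, OS command execution via `COPY ... TO PROGRAM`) for as long as nobody does. Since this script already runs as `${POSTGRES_USER}`, the cleaner fix is to create the required extensions here, e.g. `CREATE EXTENSION IF NOT EXISTS <name>;` after the `\c ${SERVICE_DATABASE_NAME}`, and create the service user `WITH PASSWORD '...'` only; on PostgreSQL 13+ many common extensions are also marked trusted and can be created by a non-superuser that has CREATE on the database. Which extensions the application needs is not visible in the diff, so the list has to come from the migrations. If SUPERUSER must stay for now, at least end the script with `ALTER USER ${SERVICE_DATABASE_USER} NOSUPERUSER;` once the extensions exist rather than leaving it to a later manual step.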
@@ -23,4 +26,4 @@ GRANT USAGE ON SCHEMA public TO ${SERVICE_DATABASE_READONLY_USER};
 ALTER DEFAULT PRIVILEGES FOR USER ${SERVICE_DATABASE_USER} IN SCHEMA public GRANT SELECT ON TABLES TO ${SERVICE_DATABASE_READONLY_USER};
-END
\ No newline at end of file
+END