From 9207d52323c37795cb66d2ce72321f251b255fb1 Mon Sep 17 00:00:00 2001 From: Kazuki Matsuda Date: Sat, 1 Apr 2023 14:11:32 +0900 Subject: [PATCH 01/10] fix: disable password rotation --- src/supabase-db.ts | 110 +++---- src/supabase-stack.ts | 6 +- test/__snapshots__/main.test.ts.snap | 451 --------------------------- 3 files changed, 58 insertions(+), 509 deletions(-) diff --git a/src/supabase-db.ts b/src/supabase-db.ts index 8a3a90c7..929ae75c 100644 --- a/src/supabase-db.ts +++ b/src/supabase-db.ts @@ -20,7 +20,7 @@ interface SupabaseDatabaseProps { export class SupabaseDatabase extends Construct { cluster: rds.DatabaseCluster; secret: secretsmanager.ISecret; - secretRotationSucceeded: events.Rule; + //secretRotationSucceeded: events.Rule; url: { writer: ssm.StringParameter; writerAuth: ssm.StringParameter; @@ -151,62 +151,62 @@ export class SupabaseDatabase extends Construct { }), }; - const syncSecretFunction = new NodejsFunction(this, 'SyncSecretFunction', { - description: 'Supabase - Sync DB secret to parameter store', - entry: 'src/functions/db-secret-sync.ts', - runtime: lambda.Runtime.NODEJS_18_X, - architecture: lambda.Architecture.ARM_64, - environment: { - WRITER_PARAMETER_NAME: this.url.writer.parameterName, - READER_PARAMETER_NAME: this.url.reader.parameterName, - }, - initialPolicy: [ - new iam.PolicyStatement({ - sid: 'PutParameter', - actions: [ - 'ssm:PutParameter', - 'ssm:GetParametersByPath', - 'ssm:GetParameters', - 'ssm:GetParameter', - ], - resources: [ - this.url.writer.parameterArn, - this.url.writer.parameterArn + '/*', - this.url.reader.parameterArn, - this.url.reader.parameterArn + '/*', - ], - }), - ], - }); - this.secret.grantRead(syncSecretFunction); - - this.secretRotationSucceeded = new events.Rule(this, 'SecretRotationSucceeded', { - description: `Supabase - ${id} secret rotation succeeded`, - eventPattern: { - source: ['aws.secretsmanager'], - detailType: ['AWS Service Event via CloudTrail'], - detail: { - eventName: ['RotationSucceeded'], - additionalEventData: { - SecretId: [this.secret.secretArn], - }, - }, - }, - targets: [new targets.LambdaFunction(syncSecretFunction)], - }); + //const syncSecretFunction = new NodejsFunction(this, 'SyncSecretFunction', { + // description: 'Supabase - Sync DB secret to parameter store', + // entry: 'src/functions/db-secret-sync.ts', + // runtime: lambda.Runtime.NODEJS_18_X, + // architecture: lambda.Architecture.ARM_64, + // environment: { + // WRITER_PARAMETER_NAME: this.url.writer.parameterName, + // READER_PARAMETER_NAME: this.url.reader.parameterName, + // }, + // initialPolicy: [ + // new iam.PolicyStatement({ + // sid: 'PutParameter', + // actions: [ + // 'ssm:PutParameter', + // 'ssm:GetParametersByPath', + // 'ssm:GetParameters', + // 'ssm:GetParameter', + // ], + // resources: [ + // this.url.writer.parameterArn, + // this.url.writer.parameterArn + '/*', + // this.url.reader.parameterArn, + // this.url.reader.parameterArn + '/*', + // ], + // }), + // ], + //}); + //this.secret.grantRead(syncSecretFunction); + + //this.secretRotationSucceeded = new events.Rule(this, 'SecretRotationSucceeded', { + // description: `Supabase - ${id} secret rotation succeeded`, + // eventPattern: { + // source: ['aws.secretsmanager'], + // detailType: ['AWS Service Event via CloudTrail'], + // detail: { + // eventName: ['RotationSucceeded'], + // additionalEventData: { + // SecretId: [this.secret.secretArn], + // }, + // }, + // }, + // targets: [new targets.LambdaFunction(syncSecretFunction)], + //}); // Password rotation - const rotationSecurityGroup = new ec2.SecurityGroup(this, 'RotationSecurityGroup', { vpc }); - this.secret.addRotationSchedule('Rotation', { - automaticallyAfter: cdk.Duration.days(30), - hostedRotation: secretsmanager.HostedRotation.postgreSqlSingleUser({ - functionName: `${this.secret.secretName}RotationFunction`, - excludeCharacters, - securityGroups: [rotationSecurityGroup], - vpc, - }), - }); - this.cluster.connections.allowDefaultPortFrom(rotationSecurityGroup, 'Lambda to rotate secrets'); + //const rotationSecurityGroup = new ec2.SecurityGroup(this, 'RotationSecurityGroup', { vpc }); + //this.secret.addRotationSchedule('Rotation', { + // automaticallyAfter: cdk.Duration.days(30), + // hostedRotation: secretsmanager.HostedRotation.postgreSqlSingleUser({ + // functionName: `${this.secret.secretName}RotationFunction`, + // excludeCharacters, + // securityGroups: [rotationSecurityGroup], + // vpc, + // }), + //}); + //this.cluster.connections.allowDefaultPortFrom(rotationSecurityGroup, 'Lambda to rotate secrets'); /** Custom resource function for database initialization */ const initFunction = new NodejsFunction(this, 'InitFunction', { diff --git a/src/supabase-stack.ts b/src/supabase-stack.ts index 0d5a6e76..54440267 100644 --- a/src/supabase-stack.ts +++ b/src/supabase-stack.ts @@ -428,9 +428,9 @@ export class SupabaseStack extends FargateStack { const forceDeployJob = new ForceDeployJob(this, 'ForceDeployJob', { cluster }); // for DB secret rotation - forceDeployJob.addTrigger({ - rule: db.secretRotationSucceeded, - }); + //forceDeployJob.addTrigger({ + // rule: db.secretRotationSucceeded, + //}); // for Auth provider settings changed forceDeployJob.addTrigger({ input: { services: [auth.service.serviceArn] }, diff --git a/test/__snapshots__/main.test.ts.snap b/test/__snapshots__/main.test.ts.snap index 7238786e..1cefc72d 100644 --- a/test/__snapshots__/main.test.ts.snap +++ b/test/__snapshots__/main.test.ts.snap @@ -4162,138 +4162,6 @@ Object { }, "Type": "AWS::SecretsManager::SecretTargetAttachment", }, - "DatabaseClusterSecretAttachmentPolicy3EB01968": Object { - "Properties": Object { - "ResourcePolicy": Object { - "Statement": Array [ - Object { - "Action": "secretsmanager:DeleteSecret", - "Effect": "Deny", - "Principal": Object { - "AWS": Object { - "Fn::Join": Array [ - "", - Array [ - "arn:", - Object { - "Ref": "AWS::Partition", - }, - ":iam::", - Object { - "Ref": "AWS::AccountId", - }, - ":root", - ], - ], - }, - }, - "Resource": "*", - }, - ], - "Version": "2012-10-17", - }, - "SecretId": Object { - "Ref": "DatabaseClusterSecretAttachmentDC8466C0", - }, - }, - "Type": "AWS::SecretsManager::ResourcePolicy", - }, - "DatabaseClusterSecretAttachmentRotation2DE8C19B": Object { - "Properties": Object { - "HostedRotationLambda": Object { - "ExcludeCharacters": "%+~\`#$&*()|[]{}:;<>?!'/@\\"\\\\=^", - "RotationLambdaName": Object { - "Fn::Join": Array [ - "", - Array [ - Object { - "Fn::Join": Array [ - "-", - Array [ - Object { - "Fn::Select": Array [ - 0, - Object { - "Fn::Split": Array [ - "-", - Object { - "Fn::Select": Array [ - 6, - Object { - "Fn::Split": Array [ - ":", - Object { - "Ref": "SupabaseDatabaseClusterSecret2AA4A5CD6b2eb8af71bef5c6813259b78dc271d3", - }, - ], - }, - ], - }, - ], - }, - ], - }, - Object { - "Fn::Select": Array [ - 1, - Object { - "Fn::Split": Array [ - "-", - Object { - "Fn::Select": Array [ - 6, - Object { - "Fn::Split": Array [ - ":", - Object { - "Ref": "SupabaseDatabaseClusterSecret2AA4A5CD6b2eb8af71bef5c6813259b78dc271d3", - }, - ], - }, - ], - }, - ], - }, - ], - }, - ], - ], - }, - "RotationFunction", - ], - ], - }, - "RotationType": "PostgreSQLSingleUser", - "VpcSecurityGroupIds": Object { - "Fn::GetAtt": Array [ - "DatabaseRotationSecurityGroup8E1B7C66", - "GroupId", - ], - }, - "VpcSubnetIds": Object { - "Fn::Join": Array [ - "", - Array [ - Object { - "Ref": "VPCPrivateSubnet1Subnet8BCA10E0", - }, - ",", - Object { - "Ref": "VPCPrivateSubnet2SubnetCFCDAA7A", - }, - ], - ], - }, - }, - "RotationRules": Object { - "AutomaticallyAfterDays": 30, - }, - "SecretId": Object { - "Ref": "DatabaseClusterSecretAttachmentDC8466C0", - }, - }, - "Type": "AWS::SecretsManager::RotationSchedule", - }, "DatabaseClusterSecurityGroupFEF1426A": Object { "Properties": Object { "GroupDescription": "RDS security group", @@ -4372,37 +4240,6 @@ Object { }, "Type": "AWS::EC2::SecurityGroupIngress", }, - "DatabaseClusterSecurityGroupfromSupabaseDatabaseRotationSecurityGroup0A2F515EIndirectPort779B952D": Object { - "Properties": Object { - "Description": "Lambda to rotate secrets", - "FromPort": Object { - "Fn::GetAtt": Array [ - "DatabaseCluster5B53A178", - "Endpoint.Port", - ], - }, - "GroupId": Object { - "Fn::GetAtt": Array [ - "DatabaseClusterSecurityGroupFEF1426A", - "GroupId", - ], - }, - "IpProtocol": "tcp", - "SourceSecurityGroupId": Object { - "Fn::GetAtt": Array [ - "DatabaseRotationSecurityGroup8E1B7C66", - "GroupId", - ], - }, - "ToPort": Object { - "Fn::GetAtt": Array [ - "DatabaseCluster5B53A178", - "Endpoint.Port", - ], - }, - }, - "Type": "AWS::EC2::SecurityGroupIngress", - }, "DatabaseClusterSecurityGroupfromSupabaseGraphQLFargateSecurityGroupE5556D47IndirectPort363DE43A": Object { "Properties": Object { "Description": "from SupabaseGraphQLFargateSecurityGroupE5556D47:{IndirectPort}", @@ -4931,293 +4768,6 @@ Object { }, "Type": "AWS::SSM::Parameter", }, - "DatabaseRotationSecurityGroup8E1B7C66": Object { - "Properties": Object { - "GroupDescription": "Supabase/Database/RotationSecurityGroup", - "SecurityGroupEgress": Array [ - Object { - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1", - }, - ], - "VpcId": Object { - "Ref": "VPCB9E5F0B4", - }, - }, - "Type": "AWS::EC2::SecurityGroup", - }, - "DatabaseSecretRotationSucceeded943807E0": Object { - "Properties": Object { - "Description": "Supabase - Database secret rotation succeeded", - "EventPattern": Object { - "detail": Object { - "additionalEventData": Object { - "SecretId": Array [ - Object { - "Ref": "DatabaseClusterSecretAttachmentDC8466C0", - }, - ], - }, - "eventName": Array [ - "RotationSucceeded", - ], - }, - "detail-type": Array [ - "AWS Service Event via CloudTrail", - ], - "source": Array [ - "aws.secretsmanager", - ], - }, - "State": "ENABLED", - "Targets": Array [ - Object { - "Arn": Object { - "Fn::GetAtt": Array [ - "DatabaseSyncSecretFunction60FEB86F", - "Arn", - ], - }, - "Id": "Target0", - }, - Object { - "Arn": Object { - "Ref": "ForceDeployJobStateMachine528644B1", - }, - "Id": "Target1", - "Input": "{}", - "RoleArn": Object { - "Fn::GetAtt": Array [ - "ForceDeployJobStateMachineEventsRole3137AB10", - "Arn", - ], - }, - }, - ], - }, - "Type": "AWS::Events::Rule", - }, - "DatabaseSecretRotationSucceededAllowEventRuleSupabaseDatabaseSyncSecretFunction77A96CED34706C90": Object { - "Properties": Object { - "Action": "lambda:InvokeFunction", - "FunctionName": Object { - "Fn::GetAtt": Array [ - "DatabaseSyncSecretFunction60FEB86F", - "Arn", - ], - }, - "Principal": "events.amazonaws.com", - "SourceArn": Object { - "Fn::GetAtt": Array [ - "DatabaseSecretRotationSucceeded943807E0", - "Arn", - ], - }, - }, - "Type": "AWS::Lambda::Permission", - }, - "DatabaseSyncSecretFunction60FEB86F": Object { - "DependsOn": Array [ - "DatabaseSyncSecretFunctionServiceRoleDefaultPolicy5F9B6AA1", - "DatabaseSyncSecretFunctionServiceRole189FFC3D", - ], - "Properties": Object { - "Architectures": Array [ - "arm64", - ], - "Code": Object { - "S3Bucket": Object { - "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", - }, - "S3Key": "f876411630cdd2398b95fc682c9109d30e500a842bddb63369a7823f434445ab.zip", - }, - "Description": "Supabase - Sync DB secret to parameter store", - "Environment": Object { - "Variables": Object { - "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1", - "READER_PARAMETER_NAME": Object { - "Ref": "DatabaseReaderUrlParameter0C13E1C1", - }, - "WRITER_PARAMETER_NAME": Object { - "Ref": "DatabaseWriterUrlParameter9E7B47B6", - }, - }, - }, - "Handler": "index.handler", - "Role": Object { - "Fn::GetAtt": Array [ - "DatabaseSyncSecretFunctionServiceRole189FFC3D", - "Arn", - ], - }, - "Runtime": "nodejs18.x", - }, - "Type": "AWS::Lambda::Function", - }, - "DatabaseSyncSecretFunctionServiceRole189FFC3D": Object { - "Properties": Object { - "AssumeRolePolicyDocument": Object { - "Statement": Array [ - Object { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": Object { - "Service": "lambda.amazonaws.com", - }, - }, - ], - "Version": "2012-10-17", - }, - "ManagedPolicyArns": Array [ - Object { - "Fn::Join": Array [ - "", - Array [ - "arn:", - Object { - "Ref": "AWS::Partition", - }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", - ], - ], - }, - ], - }, - "Type": "AWS::IAM::Role", - }, - "DatabaseSyncSecretFunctionServiceRoleDefaultPolicy5F9B6AA1": Object { - "Properties": Object { - "PolicyDocument": Object { - "Statement": Array [ - Object { - "Action": Array [ - "ssm:PutParameter", - "ssm:GetParametersByPath", - "ssm:GetParameters", - "ssm:GetParameter", - ], - "Effect": "Allow", - "Resource": Array [ - Object { - "Fn::Join": Array [ - "", - Array [ - "arn:", - Object { - "Ref": "AWS::Partition", - }, - ":ssm:", - Object { - "Ref": "AWS::Region", - }, - ":", - Object { - "Ref": "AWS::AccountId", - }, - ":parameter", - Object { - "Ref": "DatabaseWriterUrlParameter9E7B47B6", - }, - ], - ], - }, - Object { - "Fn::Join": Array [ - "", - Array [ - "arn:", - Object { - "Ref": "AWS::Partition", - }, - ":ssm:", - Object { - "Ref": "AWS::Region", - }, - ":", - Object { - "Ref": "AWS::AccountId", - }, - ":parameter", - Object { - "Ref": "DatabaseWriterUrlParameter9E7B47B6", - }, - "/*", - ], - ], - }, - Object { - "Fn::Join": Array [ - "", - Array [ - "arn:", - Object { - "Ref": "AWS::Partition", - }, - ":ssm:", - Object { - "Ref": "AWS::Region", - }, - ":", - Object { - "Ref": "AWS::AccountId", - }, - ":parameter", - Object { - "Ref": "DatabaseReaderUrlParameter0C13E1C1", - }, - ], - ], - }, - Object { - "Fn::Join": Array [ - "", - Array [ - "arn:", - Object { - "Ref": "AWS::Partition", - }, - ":ssm:", - Object { - "Ref": "AWS::Region", - }, - ":", - Object { - "Ref": "AWS::AccountId", - }, - ":parameter", - Object { - "Ref": "DatabaseReaderUrlParameter0C13E1C1", - }, - "/*", - ], - ], - }, - ], - "Sid": "PutParameter", - }, - Object { - "Action": Array [ - "secretsmanager:GetSecretValue", - "secretsmanager:DescribeSecret", - ], - "Effect": "Allow", - "Resource": Object { - "Ref": "DatabaseClusterSecretAttachmentDC8466C0", - }, - }, - ], - "Version": "2012-10-17", - }, - "PolicyName": "DatabaseSyncSecretFunctionServiceRoleDefaultPolicy5F9B6AA1", - "Roles": Array [ - Object { - "Ref": "DatabaseSyncSecretFunctionServiceRole189FFC3D", - }, - ], - }, - "Type": "AWS::IAM::Policy", - }, "DatabaseWriterAuthUrlParameter0D61EDD3": Object { "Properties": Object { "Description": "The standard connection PostgreSQL URI with search_path=auth", @@ -11328,6 +10878,5 @@ applications: }, }, }, - "Transform": "AWS::SecretsManager-2020-07-23", } `; From d2b369d492d7bb62d28ef50288493305245ec948 Mon Sep 17 00:00:00 2001 From: Kazuki Matsuda Date: Sat, 1 Apr 2023 14:36:59 +0900 Subject: [PATCH 02/10] chore: update projen --- .eslintrc.json | 5 +- .github/workflows/build.yml | 12 +-- .github/workflows/pull-request-lint.yml | 2 +- .mergify.yml | 1 + .npmignore | 1 + .projen/deps.json | 9 +- .projen/tasks.json | 36 +++++--- .projenrc.js | 3 +- package.json | 11 ++- tsconfig.dev.json | 4 +- tsconfig.json | 4 +- yarn.lock | 107 +++++++++++++++++++----- 12 files changed, 135 insertions(+), 60 deletions(-) diff --git a/.eslintrc.json b/.eslintrc.json index f7cd2255..a949ea70 100644 --- a/.eslintrc.json +++ b/.eslintrc.json @@ -1,3 +1,4 @@ +// ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen". { "env": { "jest": true, @@ -34,11 +35,11 @@ }, "ignorePatterns": [ "*.js", - "!.projenrc.js", "*.d.ts", "node_modules/", "*.generated.ts", - "coverage" + "coverage", + "!.projenrc.js" ], "rules": { "indent": [ diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 03d6f685..91dc740d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -23,14 +23,14 @@ jobs: run: yarn install --check-files - name: build run: npx projen build - - id: self_mutation - name: Find mutations + - name: Find mutations + id: self_mutation run: |- git add . - git diff --staged --patch --exit-code > .repo.patch || echo "::set-output name=self_mutation_happened::true" - - if: steps.self_mutation.outputs.self_mutation_happened - name: Upload patch - uses: actions/upload-artifact@v2 + git diff --staged --patch --exit-code > .repo.patch || echo "self_mutation_happened=true" >> $GITHUB_OUTPUT + - name: Upload patch + if: steps.self_mutation.outputs.self_mutation_happened + uses: actions/upload-artifact@v3 with: name: .repo.patch path: .repo.patch diff --git a/.github/workflows/pull-request-lint.yml b/.github/workflows/pull-request-lint.yml index f0468d32..4e53389e 100644 --- a/.github/workflows/pull-request-lint.yml +++ b/.github/workflows/pull-request-lint.yml @@ -17,7 +17,7 @@ jobs: permissions: pull-requests: write steps: - - uses: amannn/action-semantic-pull-request@v4.5.0 + - uses: amannn/action-semantic-pull-request@v5.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.mergify.yml b/.mergify.yml index eddac7d3..d0f90113 100644 --- a/.mergify.yml +++ b/.mergify.yml @@ -2,6 +2,7 @@ queue_rules: - name: default + update_method: merge conditions: - "#approved-reviews-by>=1" - -label~=(do-not-merge) diff --git a/.npmignore b/.npmignore index 639d2533..c3a92f23 100644 --- a/.npmignore +++ b/.npmignore @@ -3,6 +3,7 @@ /test-reports/ junit.xml /coverage/ +permissions-backup.acl /.mergify.yml /test/ /tsconfig.dev.json diff --git a/.projen/deps.json b/.projen/deps.json index 74033acb..dc4e2ddd 100644 --- a/.projen/deps.json +++ b/.projen/deps.json @@ -10,7 +10,7 @@ }, { "name": "@types/node", - "version": "^14", + "version": "^16", "type": "build" }, { @@ -59,15 +59,12 @@ }, { "name": "jest-junit", - "version": "^13", - "type": "build" - }, - { - "name": "json-schema", + "version": "^15", "type": "build" }, { "name": "projen", + "version": "0.70.5", "type": "build" }, { diff --git a/.projen/tasks.json b/.projen/tasks.json index 826057ec..2b56da97 100644 --- a/.projen/tasks.json +++ b/.projen/tasks.json @@ -78,7 +78,8 @@ "description": "Deploys your CDK app to the AWS cloud", "steps": [ { - "exec": "cdk deploy" + "exec": "cdk deploy", + "receiveArgs": true } ] }, @@ -87,7 +88,8 @@ "description": "Destroys your cdk app in the AWS cloud", "steps": [ { - "exec": "cdk destroy" + "exec": "cdk destroy", + "receiveArgs": true } ] }, @@ -121,6 +123,24 @@ } ] }, + "install": { + "name": "install", + "description": "Install project dependencies and update lockfile (non-frozen)", + "steps": [ + { + "exec": "yarn install --check-files" + } + ] + }, + "install:ci": { + "name": "install:ci", + "description": "Install project dependencies using frozen lockfile", + "steps": [ + { + "exec": "yarn install --check-files --frozen-lockfile" + } + ] + }, "package": { "name": "package", "description": "Creates the distribution package" @@ -161,22 +181,14 @@ "description": "Run tests", "steps": [ { - "exec": "jest --passWithNoTests --all --updateSnapshot" + "exec": "jest --passWithNoTests --updateSnapshot", + "receiveArgs": true }, { "spawn": "eslint" } ] }, - "test:update": { - "name": "test:update", - "description": "Update jest snapshots", - "steps": [ - { - "exec": "jest --updateSnapshot" - } - ] - }, "test:watch": { "name": "test:watch", "description": "Run jest in watch mode", diff --git a/.projenrc.js b/.projenrc.js index 9abe86ce..20249d75 100644 --- a/.projenrc.js +++ b/.projenrc.js @@ -1,9 +1,10 @@ const { awscdk } = require('projen'); const project = new awscdk.AwsCdkTypeScriptApp({ + projenVersion: '0.70.5', cdkVersion: '2.72.0', defaultReleaseBranch: 'main', name: 'supabase-on-aws', - // description: undefined, /* The description is just a string that helps people understand the purpose of the package. */ + description: 'Self-hosted Supabase on AWS', deps: [ '@aws-cdk/aws-amplify-alpha', '@aws-cdk/aws-apigatewayv2-alpha', diff --git a/package.json b/package.json index 9d8b825a..3257a60f 100644 --- a/package.json +++ b/package.json @@ -1,5 +1,6 @@ { "name": "supabase-on-aws", + "description": "Self-hosted Supabase on AWS", "scripts": { "build": "npx projen build", "bundle": "npx projen bundle", @@ -17,7 +18,6 @@ "synth": "npx projen synth", "synth:silent": "npx projen synth:silent", "test": "npx projen test", - "test:update": "npx projen test:update", "test:watch": "npx projen test:watch", "watch": "npx projen watch", "projen": "npx projen" @@ -25,7 +25,7 @@ "devDependencies": { "@types/jest": "^28.1.6", "@types/jsonwebtoken": "^8.5.8", - "@types/node": "^14", + "@types/node": "^16", "@types/utf8": "^3.0.1", "@typescript-eslint/eslint-plugin": "^5", "@typescript-eslint/parser": "^5", @@ -36,9 +36,8 @@ "eslint-import-resolver-typescript": "^3.3.0", "eslint-plugin-import": "^2.26.0", "jest": "^28.1.3", - "jest-junit": "^13", - "json-schema": "^0.4.0", - "projen": "^0.59.7", + "jest-junit": "^15", + "projen": "0.70.5", "ts-jest": "^28.0.7", "ts-node": "^10.9.1", "typescript": "^4.7.4" @@ -109,4 +108,4 @@ } }, "//": "~~ Generated by projen. To modify, edit .projenrc.js and run \"npx projen\"." -} \ No newline at end of file +} diff --git a/tsconfig.dev.json b/tsconfig.dev.json index 55cdc1e8..01c1eb75 100644 --- a/tsconfig.dev.json +++ b/tsconfig.dev.json @@ -1,3 +1,4 @@ +// ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen". { "compilerOptions": { "alwaysStrict": true, @@ -31,6 +32,5 @@ ], "exclude": [ "node_modules" - ], - "//": "~~ Generated by projen. To modify, edit .projenrc.js and run \"npx projen\"." + ] } diff --git a/tsconfig.json b/tsconfig.json index 5d0f0d7c..84701a79 100644 --- a/tsconfig.json +++ b/tsconfig.json @@ -1,3 +1,4 @@ +// ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen". { "compilerOptions": { "rootDir": "src", @@ -31,6 +32,5 @@ ], "exclude": [ "cdk.out" - ], - "//": "~~ Generated by projen. To modify, edit .projenrc.js and run \"npx projen\"." + ] } diff --git a/yarn.lock b/yarn.lock index b0327919..c59097cd 100644 --- a/yarn.lock +++ b/yarn.lock @@ -3791,10 +3791,10 @@ resolved "https://registry.yarnpkg.com/@types/node/-/node-18.0.6.tgz#0ba49ac517ad69abe7a1508bc9b3a5483df9d5d7" integrity sha512-/xUq6H2aQm261exT6iZTMifUySEt4GR5KX8eYyY+C4MSNPqSh9oNIP7tz2GLKTlFaiBbgZNxffoR3CVRG+cljw== -"@types/node@^14": - version "14.18.22" - resolved "https://registry.yarnpkg.com/@types/node/-/node-14.18.22.tgz#fd2a15dca290fc9ad565b672fde746191cd0c6e6" - integrity sha512-qzaYbXVzin6EPjghf/hTdIbnVW1ErMx8rPzwRNJhlbyJhu2SyqlvjGOY/tbUt6VFyzg56lROcOeSQRInpt63Yw== +"@types/node@^16": + version "16.18.23" + resolved "https://registry.yarnpkg.com/@types/node/-/node-16.18.23.tgz#b6e934fe427eb7081d0015aad070acb3373c3c90" + integrity sha512-XAMpaw1s1+6zM+jn2tmw8MyaRDIJfXxqmIQIS0HfoGYPuf7dUWeiUKopwq13KFX9lEp1+THGtlaaYx39Nxr58g== "@types/prettier@^2.1.5": version "2.6.3" @@ -4005,6 +4005,11 @@ array-includes@^3.1.4: get-intrinsic "^1.1.1" is-string "^1.0.7" +array-timsort@^1.0.3: + version "1.0.3" + resolved "https://registry.yarnpkg.com/array-timsort/-/array-timsort-1.0.3.tgz#3c9e4199e54fb2b9c3fe5976396a21614ef0d926" + integrity sha512-/+3GRL7dDAGEfM6TseQk/U+mi18TU2Ms9I3UlLdUMhz2hbvGNTKdj9xniwXfUqgYhHxRx0+8UnKkvlNwVU+cWQ== + array-union@^2.1.0: version "2.1.0" resolved "https://registry.yarnpkg.com/array-union/-/array-union-2.1.0.tgz#b798420adbeb1de828d84acd8a2e23d3efe85e8d" @@ -4178,6 +4183,13 @@ brace-expansion@^1.1.7: balanced-match "^1.0.0" concat-map "0.0.1" +brace-expansion@^2.0.1: + version "2.0.1" + resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-2.0.1.tgz#1edc459e0f0c548486ecf9fc99f2221364b9a0ae" + integrity sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA== + dependencies: + balanced-match "^1.0.0" + braces@^3.0.2: version "3.0.2" resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.2.tgz#3454e1a462ee8d599e236df336cd9ea4f8afe107" @@ -4369,6 +4381,17 @@ color-name@~1.1.4: resolved "https://registry.yarnpkg.com/color-name/-/color-name-1.1.4.tgz#c2a09a87acbde69543de6f63fa3995c826c536a2" integrity sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA== +comment-json@4.2.2: + version "4.2.2" + resolved "https://registry.yarnpkg.com/comment-json/-/comment-json-4.2.2.tgz#5fae70a94e0c8f84a077bd31df5aa5269252f293" + integrity sha512-H8T+kl3nZesZu41zO2oNXIJWojNeK3mHxCLrsBNu6feksBXsgb+PtYz5daP5P86A0F3sz3840KVYehr04enISQ== + dependencies: + array-timsort "^1.0.3" + core-util-is "^1.0.3" + esprima "^4.0.1" + has-own-prop "^2.0.0" + repeat-string "^1.6.1" + concat-map@0.0.1: version "0.0.1" resolved "https://registry.yarnpkg.com/concat-map/-/concat-map-0.0.1.tgz#d8a96bd77fd68df7793a73036a3ba0d5405d477b" @@ -4391,6 +4414,11 @@ convert-source-map@^1.4.0, convert-source-map@^1.6.0, convert-source-map@^1.7.0: dependencies: safe-buffer "~5.1.1" +core-util-is@^1.0.3: + version "1.0.3" + resolved "https://registry.yarnpkg.com/core-util-is/-/core-util-is-1.0.3.tgz#a6042d3634c2b27e9328f837b965fac83808db85" + integrity sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ== + cosmiconfig@^5.0.7: version "5.2.1" resolved "https://registry.yarnpkg.com/cosmiconfig/-/cosmiconfig-5.2.1.tgz#040f726809c591e77a17c0a3626ca45b4f168b1a" @@ -4876,7 +4904,7 @@ espree@^9.3.2: acorn-jsx "^5.3.2" eslint-visitor-keys "^3.3.0" -esprima@^4.0.0: +esprima@^4.0.0, esprima@^4.0.1: version "4.0.1" resolved "https://registry.yarnpkg.com/esprima/-/esprima-4.0.1.tgz#13b04cdb3e6c5d19df91ab6987a8695619b0aa71" integrity sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A== @@ -4957,6 +4985,11 @@ fast-glob@^3.2.11, fast-glob@^3.2.9: merge2 "^1.3.0" micromatch "^4.0.4" +fast-json-patch@^3.1.1: + version "3.1.1" + resolved "https://registry.yarnpkg.com/fast-json-patch/-/fast-json-patch-3.1.1.tgz#85064ea1b1ebf97a3f7ad01e23f9337e72c66947" + integrity sha512-vf6IHUX2SBcA+5/+4883dsIjpBTqmfBjmYiWK1savxQmFk4JfBMLa7ynTYOs1Rolp/T1betJxHiGD3g1Mn8lUQ== + fast-json-stable-stringify@2.x, fast-json-stable-stringify@^2.0.0: version "2.1.0" resolved "https://registry.yarnpkg.com/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz#874bf69c6f404c2b5d99c481341399fd55892633" @@ -5141,7 +5174,7 @@ glob-parent@^6.0.1: dependencies: is-glob "^4.0.3" -glob@^7, glob@^7.0.0, glob@^7.1.3, glob@^7.1.4: +glob@^7.0.0, glob@^7.1.3, glob@^7.1.4: version "7.2.3" resolved "https://registry.yarnpkg.com/glob/-/glob-7.2.3.tgz#b8df0fb802bbfa8e89bd1d938b4e16578ed44f2b" integrity sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q== @@ -5153,6 +5186,17 @@ glob@^7, glob@^7.0.0, glob@^7.1.3, glob@^7.1.4: once "^1.3.0" path-is-absolute "^1.0.0" +glob@^8: + version "8.1.0" + resolved "https://registry.yarnpkg.com/glob/-/glob-8.1.0.tgz#d388f656593ef708ee3e34640fdfb99a9fd1c33e" + integrity sha512-r8hpEjiQEYlF2QU0df3dS+nxxSIreXQS1qRhMJM0Q5NDdR386C7jb7Hwwod8Fgiuex+k0GFjgft18yvxm5XoCQ== + dependencies: + fs.realpath "^1.0.0" + inflight "^1.0.4" + inherits "2" + minimatch "^5.0.1" + once "^1.3.0" + globals@^11.1.0: version "11.12.0" resolved "https://registry.yarnpkg.com/globals/-/globals-11.12.0.tgz#ab8795338868a0babd8525758018c2a7eb95c42e" @@ -5218,6 +5262,11 @@ has-flag@^4.0.0: resolved "https://registry.yarnpkg.com/has-flag/-/has-flag-4.0.0.tgz#944771fd9c81c81265c4d6941860da06bb59479b" integrity sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ== +has-own-prop@^2.0.0: + version "2.0.0" + resolved "https://registry.yarnpkg.com/has-own-prop/-/has-own-prop-2.0.0.tgz#f0f95d58f65804f5d218db32563bb85b8e0417af" + integrity sha512-Pq0h+hvsVm6dDEa8x82GnLSYHOzNDt7f0ddFa3FqcQlgzEiptPqL+XrOJNavjOzSYiYWIrgeVYYgGlLmnxwilQ== + has-property-descriptors@^1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/has-property-descriptors/-/has-property-descriptors-1.0.0.tgz#610708600606d36961ed04c196193b6a607fa861" @@ -5656,10 +5705,10 @@ jest-haste-map@^28.1.3: optionalDependencies: fsevents "^2.3.2" -jest-junit@^13: - version "13.2.0" - resolved "https://registry.yarnpkg.com/jest-junit/-/jest-junit-13.2.0.tgz#66eeb86429aafac8c1745a70f44ace185aacb943" - integrity sha512-B0XNlotl1rdsvFZkFfoa19mc634+rrd8E4Sskb92Bb8MmSXeWV9XJGUyctunZS1W410uAxcyYuPUGVnbcOH8cg== +jest-junit@^15: + version "15.0.0" + resolved "https://registry.yarnpkg.com/jest-junit/-/jest-junit-15.0.0.tgz#a47544ab42e9f8fe7ada56306c218e09e52bd690" + integrity sha512-Z5sVX0Ag3HZdMUnD5DFlG+1gciIFSy7yIVPhOdGUi8YJaI9iLvvBb530gtQL2CHmv0JJeiwRZenr0VrSR7frvg== dependencies: mkdirp "^1.0.4" strip-ansi "^6.0.1" @@ -5934,11 +5983,6 @@ json-schema-traverse@^1.0.0: resolved "https://registry.yarnpkg.com/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz#ae7bcb3656ab77a73ba5c49bf654f38e6b6860e2" integrity sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug== -json-schema@^0.4.0: - version "0.4.0" - resolved "https://registry.yarnpkg.com/json-schema/-/json-schema-0.4.0.tgz#f7de4cf6efab838ebaeb3236474cbba5a1930ab5" - integrity sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA== - json-stable-stringify-without-jsonify@^1.0.1: version "1.0.1" resolved "https://registry.yarnpkg.com/json-stable-stringify-without-jsonify/-/json-stable-stringify-without-jsonify-1.0.1.tgz#9db7b59496ad3f3cfef30a75142d2d930ad72651" @@ -6152,6 +6196,13 @@ minimatch@^3.0.4, minimatch@^3.1.1, minimatch@^3.1.2: dependencies: brace-expansion "^1.1.7" +minimatch@^5.0.1: + version "5.1.6" + resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-5.1.6.tgz#1cfcb8cf5522ea69952cd2af95ae09477f122a96" + integrity sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g== + dependencies: + brace-expansion "^2.0.1" + minimist@^1.2.0, minimist@^1.2.3, minimist@^1.2.6: version "1.2.6" resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.6.tgz#8637a5b759ea0d6e98702cfb3a9283323c93af44" @@ -6488,23 +6539,25 @@ pretty-format@^28.0.0, pretty-format@^28.1.3: ansi-styles "^5.0.0" react-is "^18.0.0" -projen@^0.59.7: - version "0.59.7" - resolved "https://registry.yarnpkg.com/projen/-/projen-0.59.7.tgz#9cedcc71d403d94f505902359b37b2bcd8fdad1c" - integrity sha512-nKRPK+sfO46id+wiqZiw8u82S869LbT8d5ij+7OEvcxvroO/tcDGj/ov81iMrTDdpvQaTj6h8k8/EgwSMlangQ== +projen@0.70.5: + version "0.70.5" + resolved "https://registry.yarnpkg.com/projen/-/projen-0.70.5.tgz#bbcb7b43de31f38feb9ad1bb4662d6f447ffca99" + integrity sha512-jOm8S6O1MdUJEl7I6iNdnIJlvhdDjDB7dw3zRKjAaEZS10R5YSCmORWL2Uza7fwOSKhi6IpM8SXfC3Lr/CdMRg== dependencies: "@iarna/toml" "^2.2.5" case "^1.6.3" chalk "^4.1.2" + comment-json "4.2.2" conventional-changelog-config-spec "^2.1.0" - fs-extra "^9.1.0" - glob "^7" + fast-json-patch "^3.1.1" + glob "^8" ini "^2.0.0" - semver "^7.3.7" + semver "^7.3.8" shx "^0.3.4" xmlbuilder2 "^2.4.1" yaml "2.0.0" yargs "^16.2.0" + zlib "^1.0.5" prompts@^2.0.1: version "2.4.2" @@ -6555,6 +6608,11 @@ regexpp@^3.2.0: resolved "https://registry.yarnpkg.com/regexpp/-/regexpp-3.2.0.tgz#0425a2768d8f23bad70ca4b90461fa2f1213e1b2" integrity sha512-pq2bWo9mVD43nbts2wGv17XLiNLya+GklZ8kaDLV2Z08gDCsGpnKn9BFMepvWuHCbyVvY7J5o5+BVvoQbmlJLg== +repeat-string@^1.6.1: + version "1.6.1" + resolved "https://registry.yarnpkg.com/repeat-string/-/repeat-string-1.6.1.tgz#8dcae470e1c88abc2d600fff4a776286da75e637" + integrity sha512-PV0dzCYDNfRi1jCDbJzpW7jNNDRuCOG/jI5ctQcGKt/clZD+YcPS3yIlWuTJMmESC8aevCFmWJy5wjAFgNqN6w== + require-directory@^2.1.1: version "2.1.1" resolved "https://registry.yarnpkg.com/require-directory/-/require-directory-2.1.1.tgz#8c64ad5fd30dab1c976e2344ffe7f792a6a6df42" @@ -7217,3 +7275,8 @@ yocto-queue@^0.1.0: version "0.1.0" resolved "https://registry.yarnpkg.com/yocto-queue/-/yocto-queue-0.1.0.tgz#0294eb3dee05028d31ee1a5fa2c556a6aaf10a1b" integrity sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q== + +zlib@^1.0.5: + version "1.0.5" + resolved "https://registry.yarnpkg.com/zlib/-/zlib-1.0.5.tgz#6e7c972fc371c645a6afb03ab14769def114fcc0" + integrity sha512-40fpE2II+Cd3k8HWTWONfeKE2jL+P42iWJ1zzps5W51qcTsOUKM5Q5m2PFb0CLxlmFAaUuUdJGc3OfZy947v0w== From 80cfaa55a87b5e78582af4b53657367310ad7d0e Mon Sep 17 00:00:00 2001 From: Kazuki Matsuda Date: Sat, 1 Apr 2023 14:50:24 +0900 Subject: [PATCH 03/10] build: refactoring actions --- ...ble-publish.yml => cfn-publish-stable.yml} | 16 ++--- .github/workflows/cfn-publish.yml | 63 ++++++++++++++++ .../{publish.yml => ecr-publish.yml} | 72 +------------------ 3 files changed, 74 insertions(+), 77 deletions(-) rename .github/workflows/{stable-publish.yml => cfn-publish-stable.yml} (89%) create mode 100644 .github/workflows/cfn-publish.yml rename .github/workflows/{publish.yml => ecr-publish.yml} (58%) diff --git a/.github/workflows/stable-publish.yml b/.github/workflows/cfn-publish-stable.yml similarity index 89% rename from .github/workflows/stable-publish.yml rename to .github/workflows/cfn-publish-stable.yml index de7010c6..93a791c2 100644 --- a/.github/workflows/stable-publish.yml +++ b/.github/workflows/cfn-publish-stable.yml @@ -9,14 +9,14 @@ env: jobs: stable: - name: Stable Templates + name: Stable CFn templates runs-on: ubuntu-latest permissions: id-token: write # needed to interact with GitHub's OIDC Token endpoint. contents: read steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Get the version tag run: echo "TAG=${GITHUB_REF##*/}" >> $GITHUB_ENV @@ -24,7 +24,7 @@ jobs: - name: node.js setup uses: actions/setup-node@v3 with: - node-version: '16' + node-version: '18' - name: Install dependencies run: yarn install --check-files @@ -36,7 +36,7 @@ jobs: aws-region: us-west-2 - name: cdk synth - run: $(npm bin)/cdk synth --no-version-reporting + run: npm run synth --no-version-reporting env: BSS_FILE_ASSET_PREFIX: stable/ @@ -52,14 +52,14 @@ jobs: run: npx cdk-assets publish --path cdk.out/Supabase.assets.json --verbose version: - name: Version Templates + name: Versioning CFn templates runs-on: ubuntu-latest permissions: id-token: write # needed to interact with GitHub's OIDC Token endpoint. contents: read steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Get the version tag run: echo "TAG=${GITHUB_REF##*/}" >> $GITHUB_ENV @@ -67,7 +67,7 @@ jobs: - name: node.js setup uses: actions/setup-node@v3 with: - node-version: '16' + node-version: '18' - name: Install dependencies run: yarn install --check-files @@ -79,7 +79,7 @@ jobs: aws-region: us-west-2 - name: cdk synth - run: $(npm bin)/cdk synth --no-version-reporting + run: npm run synth synth --no-version-reporting env: BSS_FILE_ASSET_PREFIX: ${{ env.TAG }}/ diff --git a/.github/workflows/cfn-publish.yml b/.github/workflows/cfn-publish.yml new file mode 100644 index 00000000..63c0cbe0 --- /dev/null +++ b/.github/workflows/cfn-publish.yml @@ -0,0 +1,63 @@ +name: publish +on: + push: + branches: + - main + workflow_dispatch: {} + +env: + BSS_FILE_ASSET_BUCKET_NAME: 'supabase-on-aws-${AWS::Region}' + BSS_FILE_ASSET_REGION_SET: us-east-1,us-west-2,eu-west-1,ap-northeast-1,ap-northeast-2,ap-northeast-3,ap-southeast-1,ap-southeast-2 + BSS_FILE_ASSET_PREFIX: latest/ + +jobs: + latest: + name: Latest Cfn templates + runs-on: ubuntu-latest + permissions: + id-token: write # needed to interact with GitHub's OIDC Token endpoint. + contents: read + steps: + - name: Checkout + uses: actions/checkout@v3 + + - uses: technote-space/get-diff-action@v6 + with: + PATTERNS: | + src/**/* + .projenrc.js + .github/workflows/publish.yml + + - name: node.js setup + if: env.GIT_DIFF + uses: actions/setup-node@v3 + with: + node-version: '18' + + - name: Install dependencies + if: env.GIT_DIFF + run: yarn install --check-files + + - name: Configure AWS credentials + if: env.GIT_DIFF + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: ${{ secrets.CDK_PUBLISHING_ROLE }} + aws-region: us-west-2 + + - name: cdk synth + if: env.GIT_DIFF + run: npm run synth --no-version-reporting + + - name: remove old template + if: env.GIT_DIFF + run: | + region_list=(${BSS_FILE_ASSET_REGION_SET//,/ }) + for region in ${region_list[@]}; do + bucket_name=(${BSS_FILE_ASSET_BUCKET_NAME//\$\{AWS::Region\}/$region}) + aws s3 rm s3://$bucket_name/${BSS_FILE_ASSET_PREFIX}Supabase.template.json + done + + - name: Publish assets + if: env.GIT_DIFF + run: npx cdk-assets publish --path cdk.out/Supabase.assets.json --verbose diff --git a/.github/workflows/publish.yml b/.github/workflows/ecr-publish.yml similarity index 58% rename from .github/workflows/publish.yml rename to .github/workflows/ecr-publish.yml index 3187b640..8456ec0c 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/ecr-publish.yml @@ -5,15 +5,16 @@ on: - main workflow_dispatch: {} +env: + ECR_PUBLIC_ALIAS: u3p7q2r8 + jobs: kong: - name: Kong Docker Image runs-on: ubuntu-latest permissions: id-token: write # needed to interact with GitHub's OIDC Token endpoint. contents: read env: - ECR_PUBLIC_ALIAS: u3p7q2r8 IMAGE_NAME: kong steps: - name: Checkout @@ -47,16 +48,6 @@ jobs: with: registry-type: public - #- name: Extract metadata (tags, labels) for Docker - # id: meta - # uses: docker/metadata-action@v4 - # with: - # images: ${{ env.ECR_PUBLIC_REGISTRY }}/${{ env.IMAGE_NAME }} - # flavor: | - # latest=true - # tags: | - # type=raw,value=lates - - name: Build and push if: env.GIT_DIFF uses: docker/build-push-action@v3 @@ -68,13 +59,11 @@ jobs: tags: ${{ steps.login-ecr-public.outputs.registry }}/${{ env.ECR_PUBLIC_ALIAS }}/${{ env.IMAGE_NAME }}:latest postgraphile: - name: PostGraphile Docker Image runs-on: ubuntu-latest permissions: id-token: write # needed to interact with GitHub's OIDC Token endpoint. contents: read env: - ECR_PUBLIC_ALIAS: u3p7q2r8 IMAGE_NAME: postgraphile steps: - name: Checkout @@ -119,58 +108,3 @@ jobs: tags: | ${{ steps.login-ecr-public.outputs.registry }}/${{ env.ECR_PUBLIC_ALIAS }}/${{ env.IMAGE_NAME }}:latest ${{ steps.login-ecr-public.outputs.registry }}/${{ env.ECR_PUBLIC_ALIAS }}/${{ env.IMAGE_NAME }}:4 - - cloudformation: - name: CloudFormation Templates - runs-on: ubuntu-latest - permissions: - id-token: write # needed to interact with GitHub's OIDC Token endpoint. - contents: read - env: - BSS_FILE_ASSET_BUCKET_NAME: 'supabase-on-aws-${AWS::Region}' - BSS_FILE_ASSET_REGION_SET: us-east-1,us-west-2,eu-west-1,ap-northeast-1,ap-northeast-2,ap-northeast-3,ap-southeast-1,ap-southeast-2 - BSS_FILE_ASSET_PREFIX: latest/ - steps: - - name: Checkout - uses: actions/checkout@v2 - - - uses: technote-space/get-diff-action@v6 - with: - PATTERNS: | - src/**/* - .projenrc.js - .github/workflows/publish.yml - - - name: node.js setup - if: env.GIT_DIFF - uses: actions/setup-node@v3 - with: - node-version: '18' - - - name: Install dependencies - if: env.GIT_DIFF - run: yarn install --check-files - - - name: Configure AWS credentials - if: env.GIT_DIFF - uses: aws-actions/configure-aws-credentials@v1 - with: - role-to-assume: ${{ secrets.CDK_PUBLISHING_ROLE }} - aws-region: us-west-2 - - - name: cdk synth - if: env.GIT_DIFF - run: npm run synth --no-version-reporting - - - name: remove old template - if: env.GIT_DIFF - run: | - region_list=(${BSS_FILE_ASSET_REGION_SET//,/ }) - for region in ${region_list[@]}; do - bucket_name=(${BSS_FILE_ASSET_BUCKET_NAME//\$\{AWS::Region\}/$region}) - aws s3 rm s3://$bucket_name/${BSS_FILE_ASSET_PREFIX}Supabase.template.json - done - - - name: Publish assets - if: env.GIT_DIFF - run: npx cdk-assets publish --path cdk.out/Supabase.assets.json --verbose From 5fce4850cada2c28dd12db460546f35939b0bc2f Mon Sep 17 00:00:00 2001 From: Kazuki Matsuda Date: Sat, 1 Apr 2023 15:10:27 +0900 Subject: [PATCH 04/10] refactoring --- src/supabase-db.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/supabase-db.ts b/src/supabase-db.ts index 929ae75c..6e55643a 100644 --- a/src/supabase-db.ts +++ b/src/supabase-db.ts @@ -1,3 +1,4 @@ +import * as path from 'path'; import * as cdk from 'aws-cdk-lib'; import * as ec2 from 'aws-cdk-lib/aws-ec2'; import * as events from 'aws-cdk-lib/aws-events'; @@ -211,7 +212,7 @@ export class SupabaseDatabase extends Construct { /** Custom resource function for database initialization */ const initFunction = new NodejsFunction(this, 'InitFunction', { description: 'Supabase - Database init function', - entry: './src/functions/db-init/index.ts', + entry: path.resolve(__dirname, 'functions/db-init/index.ts'), bundling: { nodeModules: [ '@databases/pg', From 3ec96b726c89369d67216c7c082e7386ebbed0b7 Mon Sep 17 00:00:00 2001 From: Kazuki Matsuda Date: Sat, 1 Apr 2023 15:58:39 +0900 Subject: [PATCH 05/10] fix: modify assetHash manually --- src/supabase-db.ts | 1 + test/__snapshots__/main.test.ts.snap | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/supabase-db.ts b/src/supabase-db.ts index 6e55643a..d7fc08e0 100644 --- a/src/supabase-db.ts +++ b/src/supabase-db.ts @@ -214,6 +214,7 @@ export class SupabaseDatabase extends Construct { description: 'Supabase - Database init function', entry: path.resolve(__dirname, 'functions/db-init/index.ts'), bundling: { + assetHash: cdk.FileSystem.fingerprint(path.resolve(__dirname, 'functions/db-init')), nodeModules: [ '@databases/pg', ], diff --git a/test/__snapshots__/main.test.ts.snap b/test/__snapshots__/main.test.ts.snap index 1cefc72d..af71a71b 100644 --- a/test/__snapshots__/main.test.ts.snap +++ b/test/__snapshots__/main.test.ts.snap @@ -4449,7 +4449,7 @@ Object { "S3Bucket": Object { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, - "S3Key": "27567f000fd9f4e2048b416b793333d2f059ccc5dbda4a14d7ab90240f734c45.zip", + "S3Key": "3973acbf31dc14f6a2e316663692391bd14a96d98bede8ecec33fb8bba44abc8.zip", }, "Description": "Supabase - Database init function", "Environment": Object { From bd7dd6d04603c841b323b6b968d6067845b44d2f Mon Sep 17 00:00:00 2001 From: Kazuki Matsuda Date: Sat, 1 Apr 2023 16:22:53 +0900 Subject: [PATCH 06/10] fix: fix permissions --- src/supabase-db.ts | 4 ++-- test/__snapshots__/main.test.ts.snap | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/supabase-db.ts b/src/supabase-db.ts index d7fc08e0..47fa6407 100644 --- a/src/supabase-db.ts +++ b/src/supabase-db.ts @@ -214,7 +214,7 @@ export class SupabaseDatabase extends Construct { description: 'Supabase - Database init function', entry: path.resolve(__dirname, 'functions/db-init/index.ts'), bundling: { - assetHash: cdk.FileSystem.fingerprint(path.resolve(__dirname, 'functions/db-init')), + assetHash: cdk.FileSystem.fingerprint(path.resolve(__dirname, 'functions/db-init/')), nodeModules: [ '@databases/pg', ], @@ -226,7 +226,7 @@ export class SupabaseDatabase extends Construct { return []; }, afterBundling: (inputDir, outputDir) => { - return [`cp ${inputDir}/src/functions/db-init/*.sql ${outputDir}`]; + return [`cp -p ${inputDir}/src/functions/db-init/*.sql ${outputDir}`]; }, }, }, diff --git a/test/__snapshots__/main.test.ts.snap b/test/__snapshots__/main.test.ts.snap index af71a71b..4f3d76ce 100644 --- a/test/__snapshots__/main.test.ts.snap +++ b/test/__snapshots__/main.test.ts.snap @@ -4449,7 +4449,7 @@ Object { "S3Bucket": Object { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, - "S3Key": "3973acbf31dc14f6a2e316663692391bd14a96d98bede8ecec33fb8bba44abc8.zip", + "S3Key": "d31f58712f982d04df8c70a09ce7325acff74223df9d90b92b63f104ab004658.zip", }, "Description": "Supabase - Database init function", "Environment": Object { From c9ddd69f7a3d66a8aba91fc4344b36f0c0b00b45 Mon Sep 17 00:00:00 2001 From: Kazuki Matsuda Date: Sat, 1 Apr 2023 16:38:28 +0900 Subject: [PATCH 07/10] fix: fix assetHash --- src/supabase-db.ts | 2 +- test/__snapshots__/main.test.ts.snap | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/supabase-db.ts b/src/supabase-db.ts index 47fa6407..d07f7695 100644 --- a/src/supabase-db.ts +++ b/src/supabase-db.ts @@ -214,7 +214,7 @@ export class SupabaseDatabase extends Construct { description: 'Supabase - Database init function', entry: path.resolve(__dirname, 'functions/db-init/index.ts'), bundling: { - assetHash: cdk.FileSystem.fingerprint(path.resolve(__dirname, 'functions/db-init/')), + assetHash: cdk.FileSystem.fingerprint(path.resolve(__dirname, 'functions/db-init/index.ts')), nodeModules: [ '@databases/pg', ], diff --git a/test/__snapshots__/main.test.ts.snap b/test/__snapshots__/main.test.ts.snap index 4f3d76ce..7c219154 100644 --- a/test/__snapshots__/main.test.ts.snap +++ b/test/__snapshots__/main.test.ts.snap @@ -4449,7 +4449,7 @@ Object { "S3Bucket": Object { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, - "S3Key": "d31f58712f982d04df8c70a09ce7325acff74223df9d90b92b63f104ab004658.zip", + "S3Key": "0a021569131124321b6fea92a6f97cfa7ca76e0006f19bd2bb4543493c71db71.zip", }, "Description": "Supabase - Database init function", "Environment": Object { From 06fb7965fda401582a5222700fb112311730187e Mon Sep 17 00:00:00 2001 From: Kazuki Matsuda Date: Sat, 1 Apr 2023 16:48:57 +0900 Subject: [PATCH 08/10] fix: disable forceDockerBundling --- src/supabase-db.ts | 2 +- test/__snapshots__/main.test.ts.snap | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/supabase-db.ts b/src/supabase-db.ts index d07f7695..25a70103 100644 --- a/src/supabase-db.ts +++ b/src/supabase-db.ts @@ -214,7 +214,7 @@ export class SupabaseDatabase extends Construct { description: 'Supabase - Database init function', entry: path.resolve(__dirname, 'functions/db-init/index.ts'), bundling: { - assetHash: cdk.FileSystem.fingerprint(path.resolve(__dirname, 'functions/db-init/index.ts')), + forceDockerBundling: false, nodeModules: [ '@databases/pg', ], diff --git a/test/__snapshots__/main.test.ts.snap b/test/__snapshots__/main.test.ts.snap index 7c219154..1cefc72d 100644 --- a/test/__snapshots__/main.test.ts.snap +++ b/test/__snapshots__/main.test.ts.snap @@ -4449,7 +4449,7 @@ Object { "S3Bucket": Object { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, - "S3Key": "0a021569131124321b6fea92a6f97cfa7ca76e0006f19bd2bb4543493c71db71.zip", + "S3Key": "27567f000fd9f4e2048b416b793333d2f059ccc5dbda4a14d7ab90240f734c45.zip", }, "Description": "Supabase - Database init function", "Environment": Object { From aeeac0283dd9330515768b5103c86d16954e4734 Mon Sep 17 00:00:00 2001 From: Kazuki Matsuda Date: Sat, 1 Apr 2023 16:54:21 +0900 Subject: [PATCH 09/10] fix use static assetHash --- src/supabase-db.ts | 2 +- test/__snapshots__/main.test.ts.snap | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/supabase-db.ts b/src/supabase-db.ts index 25a70103..dc31a467 100644 --- a/src/supabase-db.ts +++ b/src/supabase-db.ts @@ -214,7 +214,7 @@ export class SupabaseDatabase extends Construct { description: 'Supabase - Database init function', entry: path.resolve(__dirname, 'functions/db-init/index.ts'), bundling: { - forceDockerBundling: false, + assetHash: 'v1.0.0', // Todo: Modify dynamically nodeModules: [ '@databases/pg', ], diff --git a/test/__snapshots__/main.test.ts.snap b/test/__snapshots__/main.test.ts.snap index 1cefc72d..cedf8da4 100644 --- a/test/__snapshots__/main.test.ts.snap +++ b/test/__snapshots__/main.test.ts.snap @@ -4449,7 +4449,7 @@ Object { "S3Bucket": Object { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, - "S3Key": "27567f000fd9f4e2048b416b793333d2f059ccc5dbda4a14d7ab90240f734c45.zip", + "S3Key": "26fbe0cf6c92c436f80f064bfb1584a6ed38573e9771d4e65eb68af42a5396da.zip", }, "Description": "Supabase - Database init function", "Environment": Object { From b9f85de45b341666033d99a0b293c90621284c56 Mon Sep 17 00:00:00 2001 From: Kazuki Matsuda Date: Sat, 1 Apr 2023 17:02:32 +0900 Subject: [PATCH 10/10] build: disable build workflow --- .gitattributes | 2 - .github/workflows/build.yml | 71 ---------------------------- .gitignore | 2 - .mergify.yml | 24 ---------- .npmignore | 2 - .projen/files.json | 2 - .projenrc.js | 1 + src/supabase-db.ts | 1 - test/__snapshots__/main.test.ts.snap | 2 +- 9 files changed, 2 insertions(+), 105 deletions(-) delete mode 100644 .github/workflows/build.yml delete mode 100644 .mergify.yml diff --git a/.gitattributes b/.gitattributes index 535217c5..fc8af673 100644 --- a/.gitattributes +++ b/.gitattributes @@ -4,10 +4,8 @@ /.eslintrc.json linguist-generated /.gitattributes linguist-generated /.github/pull_request_template.md linguist-generated -/.github/workflows/build.yml linguist-generated /.github/workflows/pull-request-lint.yml linguist-generated /.gitignore linguist-generated -/.mergify.yml linguist-generated /.npmignore linguist-generated /.projen/** linguist-generated /.projen/deps.json linguist-generated diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml deleted file mode 100644 index 91dc740d..00000000 --- a/.github/workflows/build.yml +++ /dev/null @@ -1,71 +0,0 @@ -# ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen". - -name: build -on: - pull_request: {} - workflow_dispatch: {} -jobs: - build: - runs-on: ubuntu-latest - permissions: - contents: write - outputs: - self_mutation_happened: ${{ steps.self_mutation.outputs.self_mutation_happened }} - env: - CI: "true" - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Install dependencies - run: yarn install --check-files - - name: build - run: npx projen build - - name: Find mutations - id: self_mutation - run: |- - git add . - git diff --staged --patch --exit-code > .repo.patch || echo "self_mutation_happened=true" >> $GITHUB_OUTPUT - - name: Upload patch - if: steps.self_mutation.outputs.self_mutation_happened - uses: actions/upload-artifact@v3 - with: - name: .repo.patch - path: .repo.patch - - name: Fail build on mutation - if: steps.self_mutation.outputs.self_mutation_happened - run: |- - echo "::error::Files were changed during build (see build log). If this was triggered from a fork, you will need to update your branch." - cat .repo.patch - exit 1 - self-mutation: - needs: build - runs-on: ubuntu-latest - permissions: - contents: write - if: always() && needs.build.outputs.self_mutation_happened && !(github.event.pull_request.head.repo.full_name != github.repository) - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - token: ${{ secrets.PROJEN_GITHUB_TOKEN }} - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Download patch - uses: actions/download-artifact@v3 - with: - name: .repo.patch - path: ${{ runner.temp }} - - name: Apply patch - run: '[ -s ${{ runner.temp }}/.repo.patch ] && git apply ${{ runner.temp }}/.repo.patch || echo "Empty patch. Skipping."' - - name: Set git identity - run: |- - git config user.name "github-actions" - git config user.email "github-actions@github.com" - - name: Push changes - run: |2- - git add . - git commit -s -m "chore: self mutation" - git push origin HEAD:${{ github.event.pull_request.head.ref }} diff --git a/.gitignore b/.gitignore index 0b12d214..d02d06de 100644 --- a/.gitignore +++ b/.gitignore @@ -35,8 +35,6 @@ cdk.context.json /test-reports/ junit.xml /coverage/ -!/.github/workflows/build.yml -!/.mergify.yml !/.github/pull_request_template.md !/test/ !/tsconfig.json diff --git a/.mergify.yml b/.mergify.yml deleted file mode 100644 index d0f90113..00000000 --- a/.mergify.yml +++ /dev/null @@ -1,24 +0,0 @@ -# ~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen". - -queue_rules: - - name: default - update_method: merge - conditions: - - "#approved-reviews-by>=1" - - -label~=(do-not-merge) - - status-success=build -pull_request_rules: - - name: Automatic merge on approval and successful build - actions: - delete_head_branch: {} - queue: - method: squash - name: default - commit_message_template: |- - {{ title }} (#{{ number }}) - - {{ body }} - conditions: - - "#approved-reviews-by>=1" - - -label~=(do-not-merge) - - status-success=build diff --git a/.npmignore b/.npmignore index c3a92f23..1aad9266 100644 --- a/.npmignore +++ b/.npmignore @@ -3,8 +3,6 @@ /test-reports/ junit.xml /coverage/ -permissions-backup.acl -/.mergify.yml /test/ /tsconfig.dev.json /src/ diff --git a/.projen/files.json b/.projen/files.json index d0746765..1451abf2 100644 --- a/.projen/files.json +++ b/.projen/files.json @@ -3,10 +3,8 @@ ".eslintrc.json", ".gitattributes", ".github/pull_request_template.md", - ".github/workflows/build.yml", ".github/workflows/pull-request-lint.yml", ".gitignore", - ".mergify.yml", ".npmignore", ".projen/deps.json", ".projen/files.json", diff --git a/.projenrc.js b/.projenrc.js index 20249d75..2a6060f9 100644 --- a/.projenrc.js +++ b/.projenrc.js @@ -39,6 +39,7 @@ const project = new awscdk.AwsCdkTypeScriptApp({ gitignore: [ 'cdk.context.json', ], + buildWorkflow: false, // Todo: fix db-init function assets key depsUpgrade: false, }); project.synth(); \ No newline at end of file diff --git a/src/supabase-db.ts b/src/supabase-db.ts index dc31a467..3f006280 100644 --- a/src/supabase-db.ts +++ b/src/supabase-db.ts @@ -214,7 +214,6 @@ export class SupabaseDatabase extends Construct { description: 'Supabase - Database init function', entry: path.resolve(__dirname, 'functions/db-init/index.ts'), bundling: { - assetHash: 'v1.0.0', // Todo: Modify dynamically nodeModules: [ '@databases/pg', ], diff --git a/test/__snapshots__/main.test.ts.snap b/test/__snapshots__/main.test.ts.snap index cedf8da4..1cefc72d 100644 --- a/test/__snapshots__/main.test.ts.snap +++ b/test/__snapshots__/main.test.ts.snap @@ -4449,7 +4449,7 @@ Object { "S3Bucket": Object { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, - "S3Key": "26fbe0cf6c92c436f80f064bfb1584a6ed38573e9771d4e65eb68af42a5396da.zip", + "S3Key": "27567f000fd9f4e2048b416b793333d2f059ccc5dbda4a14d7ab90240f734c45.zip", }, "Description": "Supabase - Database init function", "Environment": Object {