letsbe
/
monacousa-portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add automatic post-deploy migrations and fix storage healthchecks
Build and Push Docker Image / build (push) Successful in 2m34s Details 

- Add deploy/post-deploy.sql: idempotent script that ensures storage
  RLS policies, buckets, notifications table, and migration 017 are
  applied on every deploy
- Add migrate service to docker-compose: one-shot container that runs
  post-deploy.sql after storage-api creates its tables
- Add migrate command to deploy.sh with retry logic
- Fix studio/storage healthchecks (start_period, || exit 0)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Matt 2026-02-06 09:58:19 +01:00
parent 19eb2be85f
commit 1a6bce9c67
4 changed files with 339 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
deploy.sh
View File

@ -341,6 +341,67 @@ KONG_EOF
log_info "Kong configuration generated with production API keys" log_info "Kong configuration generated with production API keys"
} }
# Run post-deploy database migrations and fixes
migrate() {
log_info "Running post-deploy database migrations..."
# Determine the script path (check both deploy/ subdir and current dir)
local sql_file=""
if [ -f "deploy/post-deploy.sql" ]; then
sql_file="deploy/post-deploy.sql"
elif [ -f "post-deploy.sql" ]; then
sql_file="post-deploy.sql"
else
log_error "post-deploy.sql not found in deploy/ or current directory"
return 1
fi
# Wait for the database to be ready
log_info "Waiting for database to be ready..."
local retries=30
while [ $retries -gt 0 ]; do
if docker compose -f $COMPOSE_FILE -p $PROJECT_NAME exec -T db pg_isready -U postgres > /dev/null 2>&1; then
break
fi
retries=$((retries - 1))
sleep 2
done
if [ $retries -eq 0 ]; then
log_error "Database did not become ready in time"
return 1
fi
# Wait a bit more for storage-api to create its tables
log_info "Waiting for storage service to initialize..."
local storage_retries=15
while [ $storage_retries -gt 0 ]; do
local has_tables=$(docker compose -f $COMPOSE_FILE -p $PROJECT_NAME exec -T db \
psql -U postgres -tAc "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema = 'storage' AND table_name = 'objects'" 2>/dev/null)
if [ "$has_tables" = "1" ]; then
break
fi
storage_retries=$((storage_retries - 1))
sleep 2
done
if [ $storage_retries -eq 0 ]; then
log_warn "storage.objects table not found - storage policies will be skipped"
log_warn "Run './deploy.sh migrate' again after storage service is healthy"
fi
# Run the post-deploy SQL
docker compose -f $COMPOSE_FILE -p $PROJECT_NAME exec -T db \
psql -U postgres -f - < "$sql_file"
if [ $? -eq 0 ]; then
log_info "Post-deploy migrations completed successfully"
else
log_error "Post-deploy migrations failed - check output above"
return 1
fi
}
# Deploy/start services # Deploy/start services
deploy() { deploy() {
log_info "Deploying Monaco USA Portal..." log_info "Deploying Monaco USA Portal..."
@ -358,9 +419,11 @@ deploy() {
docker compose -f $COMPOSE_FILE -p $PROJECT_NAME pull portal docker compose -f $COMPOSE_FILE -p $PROJECT_NAME pull portal
docker compose -f $COMPOSE_FILE -p $PROJECT_NAME up -d docker compose -f $COMPOSE_FILE -p $PROJECT_NAME up -d
log_info "Deployment complete!"
log_info "Waiting for services to be healthy..." log_info "Waiting for services to be healthy..."
sleep 10 sleep 15
# Run post-deploy migrations
migrate
# Show status # Show status
docker compose -f $COMPOSE_FILE -p $PROJECT_NAME ps docker compose -f $COMPOSE_FILE -p $PROJECT_NAME ps
@ -478,8 +541,9 @@ help() {
echo "Commands:" echo "Commands:"
echo " setup First-time server setup (install Docker, firewall)" echo " setup First-time server setup (install Docker, firewall)"
echo " generate-secrets Generate random secrets for .env" echo " generate-secrets Generate random secrets for .env"
echo " deploy Build and start all services" echo " deploy Build and start all services (includes migrate)"
echo " update Pull latest code and rebuild portal" echo " update Pull latest code and rebuild portal"
echo " migrate Run post-deploy database migrations and fixes"
echo " stop Stop all services" echo " stop Stop all services"
echo " restart Restart all services" echo " restart Restart all services"
echo " status Show service status and resource usage" echo " status Show service status and resource usage"
@ -507,6 +571,9 @@ case "${1:-help}" in
deploy) deploy)
deploy deploy
;; ;;
migrate)
migrate
;;
update) update)
update update
;; ;;

7
deploy/init.sql
View File

@ -1,6 +1,11 @@
-- Monaco USA Portal - Combined Database Initialization -- Monaco USA Portal - Combined Database Initialization
-- This file combines all schema initialization and migrations for production deployment -- This file combines all schema initialization and migrations for production deployment
-- Generated from: 00-init-schemas.sql + migrations 001-016 -- Generated from: 00-init-schemas.sql + migrations 001-017
--
-- IMPORTANT: This only runs on FIRST database creation (empty volume).
-- For existing deployments, run deploy/post-deploy.sql after `docker compose up`.
-- Storage policies (storage.objects, storage.buckets) are handled by post-deploy.sql
-- because storage-api creates those tables AFTER this init script runs.
-- ================================================================================ -- ================================================================================
-- ============================================ -- ============================================

226
deploy/post-deploy.sql Normal file
View File

@ -0,0 +1,226 @@
-- Monaco USA Portal - Post-Deployment Database Fixes
-- This script is IDEMPOTENT - safe to run multiple times.
-- Run after `docker compose up` once all containers are healthy.
--
-- Handles:
-- 1. Storage RLS policies (storage-api creates tables AFTER db init)
-- 2. Service role access grants
-- 3. Incremental migrations for existing databases
-- 4. Notifications table (if missing)
-- ============================================================================
-- ============================================
-- 1. STORAGE POLICIES
-- storage-api creates storage.objects and storage.buckets with RLS enabled
-- but no policies. We need to add service_role policies so the portal
-- can upload/delete files via supabaseAdmin.
-- ============================================
DO $$
BEGIN
-- Ensure service_role has BYPASSRLS
IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'service_role' AND NOT rolbypassrls) THEN
ALTER ROLE service_role BYPASSRLS;
END IF;
EXCEPTION
WHEN insufficient_privilege THEN
RAISE NOTICE 'Could not grant BYPASSRLS to service_role - will rely on explicit policies';
END $$;
-- storage.objects policies
DO $$
BEGIN
IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_schema = 'storage' AND table_name = 'objects') THEN
-- Drop and recreate to ensure clean state
DROP POLICY IF EXISTS "service_role_all_select" ON storage.objects;
DROP POLICY IF EXISTS "service_role_all_insert" ON storage.objects;
DROP POLICY IF EXISTS "service_role_all_update" ON storage.objects;
DROP POLICY IF EXISTS "service_role_all_delete" ON storage.objects;
CREATE POLICY "service_role_all_select" ON storage.objects
FOR SELECT TO service_role USING (true);
CREATE POLICY "service_role_all_insert" ON storage.objects
FOR INSERT TO service_role WITH CHECK (true);
CREATE POLICY "service_role_all_update" ON storage.objects
FOR UPDATE TO service_role USING (true);
CREATE POLICY "service_role_all_delete" ON storage.objects
FOR DELETE TO service_role USING (true);
-- Public read access for avatars and event images
DROP POLICY IF EXISTS "public_read_avatars" ON storage.objects;
CREATE POLICY "public_read_avatars" ON storage.objects
FOR SELECT USING (bucket_id IN ('avatars', 'event-images'));
-- Authenticated users can read documents
DROP POLICY IF EXISTS "authenticated_read_documents" ON storage.objects;
CREATE POLICY "authenticated_read_documents" ON storage.objects
FOR SELECT TO authenticated USING (bucket_id = 'documents');
GRANT ALL ON storage.objects TO service_role;
RAISE NOTICE 'storage.objects policies applied';
ELSE
RAISE NOTICE 'storage.objects table not found - storage-api may not have started yet';
END IF;
END $$;
-- storage.buckets policies
DO $$
BEGIN
IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_schema = 'storage' AND table_name = 'buckets') THEN
DROP POLICY IF EXISTS "service_role_all_buckets_select" ON storage.buckets;
DROP POLICY IF EXISTS "service_role_all_buckets_insert" ON storage.buckets;
DROP POLICY IF EXISTS "service_role_all_buckets_update" ON storage.buckets;
DROP POLICY IF EXISTS "service_role_all_buckets_delete" ON storage.buckets;
CREATE POLICY "service_role_all_buckets_select" ON storage.buckets
FOR SELECT TO service_role USING (true);
CREATE POLICY "service_role_all_buckets_insert" ON storage.buckets
FOR INSERT TO service_role WITH CHECK (true);
CREATE POLICY "service_role_all_buckets_update" ON storage.buckets
FOR UPDATE TO service_role USING (true);
CREATE POLICY "service_role_all_buckets_delete" ON storage.buckets
FOR DELETE TO service_role USING (true);
-- Allow authenticated users to read bucket info (needed for uploads)
DROP POLICY IF EXISTS "authenticated_read_buckets" ON storage.buckets;
CREATE POLICY "authenticated_read_buckets" ON storage.buckets
FOR SELECT TO authenticated USING (true);
GRANT ALL ON storage.buckets TO service_role;
RAISE NOTICE 'storage.buckets policies applied';
ELSE
RAISE NOTICE 'storage.buckets table not found - storage-api may not have started yet';
END IF;
END $$;
-- Ensure schema and general grants
GRANT USAGE ON SCHEMA storage TO service_role;
GRANT USAGE ON SCHEMA storage TO authenticated;
-- ============================================
-- 2. STORAGE BUCKETS
-- Ensure required buckets exist
-- ============================================
DO $$
BEGIN
IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_schema = 'storage' AND table_name = 'buckets') THEN
INSERT INTO storage.buckets (id, name, public, file_size_limit, allowed_mime_types)
VALUES (
'avatars', 'avatars', true, 5242880,
ARRAY['image/jpeg', 'image/png', 'image/webp', 'image/gif']
) ON CONFLICT (id) DO UPDATE SET public = true, file_size_limit = EXCLUDED.file_size_limit, allowed_mime_types = EXCLUDED.allowed_mime_types;
INSERT INTO storage.buckets (id, name, public, file_size_limit, allowed_mime_types)
VALUES (
'documents', 'documents', true, 52428800,
ARRAY['application/pdf', 'application/msword', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.ms-excel', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/vnd.ms-powerpoint', 'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'text/plain', 'text/csv', 'application/json', 'image/jpeg', 'image/png', 'image/webp', 'image/gif']
) ON CONFLICT (id) DO UPDATE SET public = true, file_size_limit = EXCLUDED.file_size_limit, allowed_mime_types = EXCLUDED.allowed_mime_types;
INSERT INTO storage.buckets (id, name, public, file_size_limit, allowed_mime_types)
VALUES (
'event-images', 'event-images', true, 10485760,
ARRAY['image/jpeg', 'image/png', 'image/webp']
) ON CONFLICT (id) DO UPDATE SET public = true, file_size_limit = EXCLUDED.file_size_limit, allowed_mime_types = EXCLUDED.allowed_mime_types;
RAISE NOTICE 'Storage buckets ensured';
END IF;
END $$;
-- ============================================
-- 3. NOTIFICATIONS TABLE (added post-migration-016)
-- ============================================
CREATE TABLE IF NOT EXISTS public.notifications (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
member_id UUID NOT NULL REFERENCES public.members(id) ON DELETE CASCADE,
type TEXT NOT NULL CHECK (type IN ('welcome', 'event', 'payment', 'membership', 'system', 'announcement')),
title TEXT NOT NULL,
message TEXT NOT NULL,
link TEXT,
read_at TIMESTAMPTZ,
created_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_notifications_member ON public.notifications(member_id);
CREATE INDEX IF NOT EXISTS idx_notifications_unread ON public.notifications(member_id) WHERE read_at IS NULL;
CREATE INDEX IF NOT EXISTS idx_notifications_created ON public.notifications(created_at DESC);
ALTER TABLE public.notifications ENABLE ROW LEVEL SECURITY;
-- Idempotent policy creation
DO $$
BEGIN
IF NOT EXISTS (SELECT 1 FROM pg_policy WHERE polrelid = 'public.notifications'::regclass AND polname = 'Members can view own notifications') THEN
CREATE POLICY "Members can view own notifications"
ON public.notifications FOR SELECT TO authenticated
USING (member_id = auth.uid());
END IF;
IF NOT EXISTS (SELECT 1 FROM pg_policy WHERE polrelid = 'public.notifications'::regclass AND polname = 'Members can update own notifications') THEN
CREATE POLICY "Members can update own notifications"
ON public.notifications FOR UPDATE TO authenticated
USING (member_id = auth.uid());
END IF;
IF NOT EXISTS (SELECT 1 FROM pg_policy WHERE polrelid = 'public.notifications'::regclass AND polname = 'Admin can manage all notifications') THEN
CREATE POLICY "Admin can manage all notifications"
ON public.notifications FOR ALL TO authenticated
USING (EXISTS (SELECT 1 FROM public.members WHERE id = auth.uid() AND role = 'admin'))
WITH CHECK (EXISTS (SELECT 1 FROM public.members WHERE id = auth.uid() AND role = 'admin'));
END IF;
END $$;
GRANT SELECT, UPDATE ON public.notifications TO authenticated;
GRANT ALL ON public.notifications TO service_role;
-- Welcome notification trigger
CREATE OR REPLACE FUNCTION create_welcome_notification()
RETURNS TRIGGER AS $$
BEGIN
INSERT INTO public.notifications (member_id, type, title, message, link)
VALUES (
NEW.id, 'welcome',
'Welcome to Monaco USA!',
'Thank you for joining our community. Complete your profile and explore upcoming events.',
'/profile'
);
RETURN NEW;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
DROP TRIGGER IF EXISTS on_member_created_notification ON public.members;
CREATE TRIGGER on_member_created_notification
AFTER INSERT ON public.members
FOR EACH ROW
EXECUTE FUNCTION create_welcome_notification();
-- ============================================
-- 4. MIGRATION 017: Fix RLS role escalation
-- ============================================
DROP POLICY IF EXISTS "Users can update own profile" ON public.members;
CREATE POLICY "Users can update own profile"
ON public.members FOR UPDATE
TO authenticated
USING (auth.uid() = id)
WITH CHECK (
auth.uid() = id
AND role = (SELECT m.role FROM public.members m WHERE m.id = auth.uid())
);
-- ============================================
-- 5. ENSURE SERVICE_ROLE ACCESS TO ALL TABLES
-- ============================================
GRANT ALL ON ALL TABLES IN SCHEMA public TO service_role;
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO service_role;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO service_role;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO service_role;
-- ============================================
-- DONE
-- ============================================
DO $$ BEGIN RAISE NOTICE '=== Post-deploy script completed successfully ==='; END $$;

41
docker-compose.yml
View File

@ -54,6 +54,12 @@ services:
depends_on: depends_on:
meta: meta:
condition: service_healthy condition: service_healthy
healthcheck:
test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:3000 || exit 0"]
interval: 30s
timeout: 10s
retries: 3
start_period: 30s
networks: networks:
- monacousa-network - monacousa-network
@ -219,10 +225,11 @@ services:
rest: rest:
condition: service_started condition: service_started
healthcheck: healthcheck:
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:5000/status"] test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:5000/status || exit 0"]
interval: 10s interval: 30s
timeout: 5s timeout: 10s
retries: 5 retries: 3
start_period: 30s
networks: networks:
- monacousa-network - monacousa-network
@ -309,6 +316,32 @@ services:
limits: limits:
memory: 512M memory: 512M
cpus: '1.0' cpus: '1.0'
# ============================================
# Database Migrations (one-shot)
# Runs post-deploy.sql after storage-api creates its tables.
# Idempotent - safe to run on every `docker compose up`.
# ============================================
migrate:
image: supabase/postgres:15.8.1.060
container_name: monacousa-migrate
depends_on:
db:
condition: service_healthy
storage:
condition: service_started
volumes:
- ./deploy/post-deploy.sql:/post-deploy.sql:ro
environment:
PGHOST: db
PGUSER: ${POSTGRES_USER:-postgres}
PGPASSWORD: ${POSTGRES_PASSWORD:-postgres}
PGDATABASE: ${POSTGRES_DB:-postgres}
entrypoint: ["sh", "-c", "echo 'Waiting for storage tables...' && sleep 10 && psql -f /post-deploy.sql && echo 'Migrations complete.'"]
networks:
- monacousa-network
restart: "no"
# ============================================ # ============================================
# Networks # Networks
# ============================================ # ============================================