fix: Add password and host as explicit pulumi secrets (#4132)

theopensystemslab · Jan 9, 2025 · 4efe2d2 · 4efe2d2
1 parent 5fe9432
commit 4efe2d2
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 15 deletions.
diff --git a/infrastructure/application/Pulumi.production.yaml b/infrastructure/application/Pulumi.production.yaml
@@ -4,6 +4,10 @@ config:
   application:airbrake-project-key:
     secure: AAABAPIGB+gWevPn0SzWnuSuV1RmdwpLOlWKnu8cM/kxLfslvdCIRcU0n0M0XNJ3jwj4EdFn7/llsL1Kg2XnDA==
   application:cloudflare-zone-id: a9b9933f28e786ec4cfd4bb596f5a519
+  application:db-host:
+    secure: AAABANjg+zX8G4LymO5ul3RfQWd2B5caaf1GUgYVdPoM6IkcNihjYBkZs6xd6Nlg7W+oghm0e14cAGeKi6ZpnqmnrUy95djvq6iCGFaY51i+FcQ=
+  application:db-password:
+    secure: AAABAExMwTLOjC9suf2i6hYygiqnvm7cNaS2F2iqr/zpPMX4dhh7My8Nm5dD0WRGiTsiv9I2v24eUfAVZgLC0w==
   application:db-url:
     secure: AAABAFMl4J25TQyb+dAVA/8g5KR1aIP7cOZrrLqYzv4ScF4AGIDWnp6zC9wV+Odja2LZyy10cbUojs1mybg1EV82UAZfEX+HCcaNixJvTuoC0h4swDMdLXX9vvs1QqsC6Q+7qp96hQCT8CW81TbdDSVIu2mLbV8dnjyuD2R8o4tt5pBmXKCVJJ4zWI5LuukolIj3nw==
   application:encryption-key:

diff --git a/infrastructure/application/Pulumi.staging.yaml b/infrastructure/application/Pulumi.staging.yaml
@@ -5,6 +5,10 @@ config:
     secure: AAABABujxMHxU8Abj4QpyQTz7bLt3AP2wBFaypVkDZ2khzc6eh6lHLljTEkzpLUncno3gNNDXnrmxzXvqKnQdQ==
   application:cloudflare-zone-id:
     secure: AAABAPZz/bzFCZEZd+jzPpYP4HXAOLYQmLGf2YLQE2YPfMBUtDC83KCo2l2DJ4AL4OKL+jFFx8wrrJc6DDwXJQ==
+  application:db-host:
+    secure: AAABANgnZHJlsCzbsGz1dXhEb2zQzEOM6wQd+AnqQKvn54W/eNcf6NWtlFUpTvVmd/9IhLzl7TSHowXKq8EGjeTnaBDsnefFq9wNGAft76dmYCU=
+  application:db-password:
+    secure: AAABAKd+etETq8AV5V3Xrl5X2H+rYtSw91GDBSwFyjT/HLJT9sOLNR296GTxrHkNQ8BxSOq4rxrlMHIt0lL/DQ==
   application:db-url:
     secure: AAABAHaVuHg4NkZjMQv7N8hpKRJL13IW721pPo/ou6+itPn2PLYr8s8YjTbaxDGZg9LiB5QAgbihA1fSnIolokoZ/wJ7VzkHOI59Icci0CEoOgQrUfzDFevpgt3HaTmyrxIzemMbOPl/dGcJCTW0K9NkRADWE4z2OERcFwQBRUZuRSwIbV7teXpbY15IAW24FLNM+g==
   application:encryption-key:

diff --git a/infrastructure/application/index.ts b/infrastructure/application/index.ts
@@ -114,16 +114,15 @@ export = async () => {
     vpc,
   });
 
-  const dbRootUrl = config.requireSecret("db-url").get();
+  const DB_ROOT_USERNAME = "dbuser";
 
   // ----------------------- Metabase
-  const pgRoot = url.parse(dbRootUrl);
   const provider = new postgres.Provider("metabase", {
-    host: pgRoot.hostname as string,
-    port: Number(pgRoot.port),
-    username: pgRoot.auth!.split(":")[0] as string,
-    password: pgRoot.auth!.split(":")[1] as string,
-    database: pgRoot.path!.substring(1) as string,
+    host: config.requireSecret("db-host"),
+    port: 5432,
+    username: DB_ROOT_USERNAME,
+    password: config.requireSecret("db-password"),
+    database: "postgres",
     superuser: false,
   });
   const metabasePgPassword = config.requireSecret("metabasePgPassword");

diff --git a/infrastructure/application/services/hasura.ts b/infrastructure/application/services/hasura.ts
@@ -20,7 +20,6 @@ export const createHasuraService = async ({
 }: CreateService) => {
 
   const config = new pulumi.Config();
-  const dbRootUrl = config.requireSecret("db-url").get();
   const DOMAIN: string = await certificates.requireOutputValue("domain");
 
   const lbHasura = new awsx.lb.ApplicationLoadBalancer("hasura", {
@@ -76,13 +75,18 @@ export const createHasuraService = async ({
           memory: config.requireNumber("hasura-proxy-memory"),
           portMappings: [hasuraListenerHttp],
           // hasuraProxy should wait for the hasura container to spin up before starting
-          dependsOn: [{
-            containerName: "hasura",
-            condition: "HEALTHY"
-          }],
+          dependsOn: [
+            {
+              containerName: "hasura",
+              condition: "HEALTHY",
+            },
+          ],
           healthCheck: {
             // hasuraProxy health depends on hasura health
-            command: ["CMD-SHELL", `wget --spider --quiet http://localhost:${HASURA_PROXY_PORT}/healthz || exit 1`],
+            command: [
+              "CMD-SHELL",
+              `wget --spider --quiet http://localhost:${HASURA_PROXY_PORT}/healthz || exit 1`,
+            ],
             interval: 15,
             timeout: 3,
             retries: 3,
@@ -100,7 +104,10 @@ export const createHasuraService = async ({
           cpu: config.requireNumber("hasura-cpu"),
           memory: config.requireNumber("hasura-memory"),
           healthCheck: {
-            command: ["CMD-SHELL", "curl --head http://localhost:8080/healthz || exit 1"],
+            command: [
+              "CMD-SHELL",
+              "curl --head http://localhost:8080/healthz || exit 1",
+            ],
             // wait 5m before running container-level health check, using same params as docker-compose
             startPeriod: 300,
             interval: 15,
@@ -132,7 +139,7 @@ export const createHasuraService = async ({
             { name: "HASURA_GRAPHQL_UNAUTHORIZED_ROLE", value: "public" },
             {
               name: "HASURA_GRAPHQL_DATABASE_URL",
-              value: dbRootUrl,
+              value: config.requireSecret("db-url"),
             },
             {
               name: "HASURA_PLANX_API_URL",