
feat(infra): allow runner egress to PostgreSQL 5432 for DB migrations #82

Open

kaio6fellipe wants to merge 1 commit into main from feat/runner-egress-postgres-5432

Conversation

@kaio6fellipe (Contributor) commented Jun 4, 2026

Problem

vulcan-saas PR #151 added a pre-deploy apply DB migrations step to deploy-dev.yml/deploy-prd.yml. It fails because the self-hosted runner can't reach the Supabase Postgres:

  • Direct host db.<ref>.supabase.co:5432 is IPv6-only → dial tcp [2600:...]:5432: connect: network is unreachable (runner SG has no IPv6 egress / subnet likely no IPv6).
  • Session pooler aws-1-<region>.pooler.supabase.com:5432 (IPv4) → the migrate step hangs ~8 min: the runner SG egress allows only 443/80/53, so the tcp/5432 SYN is silently dropped.

Verified against the live SG sg-0b7b1cd1a8e9c77ca (us-east-2): egress = tcp/80, tcp/443, udp/53 only.

Change

Add a tcp/5432 egress rule to the runner security group in both IaC paths (CloudFormation template — the deployed stack — and the Terraform module for parity), so runners can reach the Supabase session pooler (IPv4, port 5432, advisory-lock-capable; the transaction pooler on 6543 is intentionally not used as it breaks golang-migrate's advisory lock). Updates the now-stale 443/80/53 references in CLAUDE.md / AGENTS.md / docs.

cfn-lint clean; tofu validate passes. Egress-only change on ephemeral runners.

Deploy

After merge, redeploy the CloudFormation stack (aws cloudformation deploy … --template-file infra/cloudformation/template.yaml) to apply the new egress rule. Then vulcan-saas deploy-dev will connect to the session pooler and apply migrations.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation

    • Updated CI/CD runner configuration documentation to reflect expanded egress port allowlist, now including port 5432.
  • Chores

    • Extended EC2 runner security group egress rules to allow outbound port 5432 traffic across CloudFormation and Terraform configurations.
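The failure modes in the description (an IPv4-only egress rule cannot reach an IPv6 destination, and a port missing from the allowlist gets its SYN dropped) can be checked before deploying, by auditing the template's egress rules against the allowlist the PR states (tcp/80, tcp/443, udp/53, tcp/5432). The following is an added example, not code from this PR or its repository: the CloudFormation template is constructed inline in JSON form (the resource name RunnerSecurityGroup and the 0.0.0.0/0 destinations are assumptions for illustration, not the repository's infra/cloudformation/template.yaml), and the functions report both the allowlist drift and why a given outbound connection would be blocked.

```python
"""Added example (not the PR's own code): audit AWS::EC2::SecurityGroup egress
rules in a CloudFormation template against an explicit allowlist and explain
why a given outbound connection would be dropped."""
import json

# Constructed template, modelled on the allowlist described in the PR.
# Resource name and CIDRs are illustrative assumptions, not the project's file.
TEMPLATE_JSON = """
{
  "Resources": {
    "RunnerSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "hypothetical self-hosted runner SG",
        "SecurityGroupEgress": [
          {"IpProtocol": "tcp", "FromPort": 80,   "ToPort": 80,   "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 443,  "ToPort": 443,  "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "udp", "FromPort": 53,   "ToPort": 53,   "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": "0.0.0.0/0"}
        ]
      }
    }
  }
}
"""

# The egress allowlist the runner is supposed to have: (protocol, port).
EXPECTED_EGRESS = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 5432)}


def load_egress_rules(template_text):
    """Collect SecurityGroupEgress entries of every security group in the template."""
    template = json.loads(template_text)
    rules = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupEgress", []):
            rules.append(dict(rule, Resource=name))
    return rules


def rule_covers(rule, proto, port, family):
    """True if one egress rule permits proto/port towards the given address family."""
    ip_proto = rule.get("IpProtocol")
    if ip_proto not in (proto, "-1"):
        return False
    if ip_proto != "-1":  # "-1" means all protocols/ports
        if not int(rule.get("FromPort", 0)) <= port <= int(rule.get("ToPort", 65535)):
            return False
    # A CidrIp (IPv4) rule never covers an IPv6 destination such as the direct
    # Supabase host; that needs a CidrIpv6 destination (and an IPv6-capable subnet).
    if family == "ipv6":
        return "CidrIpv6" in rule
    return any(k in rule for k in ("CidrIp", "DestinationSecurityGroupId", "DestinationPrefixListId"))


def egress_allowed(rules, proto, port, family="ipv4"):
    """Would the security group let an outbound proto/port connection through?"""
    return any(rule_covers(r, proto, port, family) for r in rules)


def audit(rules, expected):
    """Report allowlist entries missing from the template and rules outside it."""
    present, unexpected = set(), []
    for r in rules:
        if r.get("IpProtocol") == "-1":
            unexpected.append(r)  # allow-all egress defeats the allowlist entirely
            continue
        key = (r["IpProtocol"], int(r["FromPort"]))
        if key in expected and int(r["FromPort"]) == int(r["ToPort"]):
            present.add(key)
        else:
            unexpected.append(r)  # port range wider than, or absent from, the allowlist
    return {"missing": expected - present, "unexpected": unexpected}


if __name__ == "__main__":
    rules = load_egress_rules(TEMPLATE_JSON)
    print("audit:", audit(rules, EXPECTED_EGRESS))
    print("session pooler tcp/5432 over IPv4:", egress_allowed(rules, "tcp", 5432))
    print("direct host tcp/5432 over IPv6:", egress_allowed(rules, "tcp", 5432, "ipv6"))
    print("transaction pooler tcp/6543:", egress_allowed(rules, "tcp", 6543))
```

Running the audit against the pre-change template (the same rules without the tcp/5432 entry) reports `("tcp", 5432)` as missing, which is the silently dropped SYN the description observed; the IPv6 check stays false either way, matching the "network is unreachable" error on the direct host.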

The self-hosted runner security group only allowed egress on 443/80/53, so
deploy-dev/prd's pre-deploy 'apply DB migrations' step could not reach the
Supabase Postgres: the direct host is IPv6-only (no IPv6 egress -> network
unreachable) and the session pooler on tcp/5432 had its SYN silently dropped
(no egress rule -> connection hang).

Add a tcp/5432 egress rule to the runner security group in both the
CloudFormation template and the Terraform module, so runners can reach the
Supabase session pooler (aws-1-<region>.pooler.supabase.com:5432, IPv4,
advisory-lock-capable). Updates the stale '443/80/53' references in docs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>
github-actions Bot added labels documentation (Improvements or additions to documentation), jit-runners, feature on Jun 4, 2026

github-actions Bot commented Jun 4, 2026

OpenSSF Scorecard — 8.3/10 ✅

Check Score Details
Binary-Artifacts 10/10 no binaries found in the repo
CI-Tests 10/10 24 out of 24 merged PRs checked by a CI test -- score normalized to 10
Code-Review 0/10 Found 0/30 approved changesets -- score normalized to 0
Dangerous-Workflow 10/10 no dangerous workflow patterns detected
License 10/10 license file detected
Pinned-Dependencies 6/10 dependency not pinned by hash detected -- score normalized to 6
Security-Policy 10/10 security policy file detected
Token-Permissions 10/10 GitHub workflow tokens follow principle of least privilege
Vulnerabilities 10/10 0 existing vulnerabilities detected

Threshold: 7 | Full report

coderabbitai Bot commented Jun 4, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d4825058-389e-4211-96eb-17a6a2e68f30

📥 Commits

Reviewing files that changed from the base of the PR and between 0e3e171 and 3156fa9.

📒 Files selected for processing (5)
  • AGENTS.md
  • CLAUDE.md
  • docs/ami-prebaked.md
  • infra/cloudformation/template.yaml
  • infra/terraform/ec2.tf

📝 Walkthrough

Self-hosted runner security group rules are extended to allow outbound TCP port 5432 (PostgreSQL session pooler) for Supabase database migrations. Both CloudFormation and Terraform infrastructure definitions are updated, and corresponding documentation is synchronized across three files.

Changes

Self-hosted Runner PostgreSQL Access

Layer / File(s) and summary:

  • Infrastructure egress rule updates (infra/cloudformation/template.yaml, infra/terraform/ec2.tf): the CloudFormation template and the Terraform EC2 security group resource each add an outbound rule permitting TCP port 5432 to 0.0.0.0/0 for PostgreSQL session pooler (Supabase) access during DB migrations.
  • Documentation port allowlist sync (AGENTS.md, CLAUDE.md, docs/ami-prebaked.md): the three files are updated to include port 5432 in the described outbound egress allowlist for the self-hosted runner security group, keeping documentation consistent with the infrastructure change.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

documentation, jit-runners, github-actions

Poem

🐇 A hop and a bound, a port to allow,
Five-four-three-two, see the database flow,
From runners self-hosted to Postgres's door,
Migrations dance onward through Supabase lore! 📚✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check ⚠️ Warning. Explanation: the description covers the required template sections: Problem, Change, and Deploy notes. However, the author-provided description does not follow the structured template format with all required sections (What/Why/Who, Checklist, AI Summary). Resolution: reformat the description to match the template structure, including the Checklist section and AI Summary section for consistency with repository standards.
✅ Passed checks (4 passed)
  • Title check ✅ Passed: the title accurately summarizes the main change: adding PostgreSQL 5432 egress to the runner security group for DB migrations, which is the core purpose of this PR.
  • Docstring Coverage ✅ Passed: no functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check ✅ Passed: check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: check skipped because no linked issues were found for this pull request.
