Merge pull request #81 from supabase-community/upgrade-202311

chore: Upgrade 2023.11

Author: mats16

.projen/deps.json

@@ -11,8 +11,8 @@ const project = new awscdk.AwsCdkTypeScriptApp({
     '@aws-cdk/aws-apigatewayv2-alpha',
     '@aws-cdk/aws-apigatewayv2-integrations-alpha',
     // Lambda Powertools
-    '@aws-lambda-powertools/logger@1.14.2',
-    '@aws-lambda-powertools/tracer@1.14.2',
+    '@aws-lambda-powertools/logger@1.16.0',
+    '@aws-lambda-powertools/tracer@1.16.0',
     // AWS SDK
     '@aws-sdk/client-cloudfront',
     '@aws-sdk/client-ecs',

.projenrc.js

@@ -156,7 +156,7 @@ class CacheManager extends Construct {
         ],
       },
       layers: [
-        lambda.LayerVersion.fromLayerVersionArn(this, 'LambdaPowertools', `arn:aws:lambda:${cdk.Aws.REGION}:094274105915:layer:AWSLambdaPowertoolsTypeScript:23`),
+        lambda.LayerVersion.fromLayerVersionArn(this, 'LambdaPowertools', `arn:aws:lambda:${cdk.Aws.REGION}:094274105915:layer:AWSLambdaPowertoolsTypeScript:25`),
       ],
     };
 

package.json

@@ -0,0 +1,3 @@
+# init-for-rds
+
+https://github.com/supabase/supabase/tree/master/docker/volumes/db

src/supabase-cdn/index.ts

@@ -5,15 +5,13 @@
 create publication supabase_realtime;
 
 -- Supabase super admin
--- create user supabase_admin;
--- alter user  supabase_admin with superuser createdb createrole replication bypassrls;
+-- create user supabase_admin; -- supabase_admin is rds_superuser.
 alter user supabase_admin with createdb createrole bypassrls;
-grant rds_replication to supabase_admin; -- for Aurora
+grant rds_replication to supabase_admin; -- for RDS
 
 -- Supabase replication user
--- create user supabase_replication_admin with login replication;
 create user supabase_replication_admin with login;
-grant rds_replication to supabase_replication_admin; -- for Aurora
+grant rds_replication to supabase_replication_admin; -- for RDS
 
 -- Supabase read-only user
 create role supabase_read_only_user with login bypassrls;

src/supabase-db/sql/init-for-rds/README.md

@@ -0,0 +1,3 @@
+# init-scripts
+
+https://github.com/supabase/postgres/tree/develop/migrations/db/init-scripts

src/supabase-db/sql/init-scripts/00000000000000-initial-schema.sql

@@ -0,0 +1,9 @@
+-- migrate:up
+
+ALTER ROLE authenticated inherit;
+ALTER ROLE anon inherit;
+ALTER ROLE service_role inherit;
+
+GRANT pgsodium_keyholder to service_role;
+
+-- migrate:down

src/supabase-db/sql/init-scripts/README.md

@@ -0,0 +1,5 @@
+-- migrate:up
+grant authenticator to supabase_storage_admin;
+revoke anon, authenticated, service_role from supabase_storage_admin;
+
+-- migrate:down

src/supabase-db/sql/migrations/20230529180330_alter_api_roles_for_inherit.sql

@@ -0,0 +1,78 @@
+-- migrate:up
+
+create or replace function extensions.grant_pg_graphql_access()
+    returns event_trigger
+    language plpgsql
+AS $func$
+DECLARE
+    func_is_graphql_resolve bool;
+BEGIN
+    func_is_graphql_resolve = (
+        SELECT n.proname = 'resolve'
+        FROM pg_event_trigger_ddl_commands() AS ev
+        LEFT JOIN pg_catalog.pg_proc AS n
+        ON ev.objid = n.oid
+    );
+
+    IF func_is_graphql_resolve
+    THEN
+        -- Update public wrapper to pass all arguments through to the pg_graphql resolve func
+        DROP FUNCTION IF EXISTS graphql_public.graphql;
+        create or replace function graphql_public.graphql(
+            "operationName" text default null,
+            query text default null,
+            variables jsonb default null,
+            extensions jsonb default null
+        )
+            returns jsonb
+            language sql
+        as $$
+            select graphql.resolve(
+                query := query,
+                variables := coalesce(variables, '{}'),
+                "operationName" := "operationName",
+                extensions := extensions
+            );
+        $$;
+
+        -- This hook executes when `graphql.resolve` is created. That is not necessarily the last
+        -- function in the extension so we need to grant permissions on existing entities AND
+        -- update default permissions to any others that are created after `graphql.resolve`
+        grant usage on schema graphql to postgres, anon, authenticated, service_role;
+        grant select on all tables in schema graphql to postgres, anon, authenticated, service_role;
+        grant execute on all functions in schema graphql to postgres, anon, authenticated, service_role;
+        grant all on all sequences in schema graphql to postgres, anon, authenticated, service_role;
+        alter default privileges in schema graphql grant all on tables to postgres, anon, authenticated, service_role;
+        alter default privileges in schema graphql grant all on functions to postgres, anon, authenticated, service_role;
+        alter default privileges in schema graphql grant all on sequences to postgres, anon, authenticated, service_role;
+
+        -- Allow postgres role to allow granting usage on graphql and graphql_public schemas to custom roles
+        grant usage on schema graphql_public to postgres with grant option;
+        grant usage on schema graphql to postgres with grant option;
+    END IF;
+
+END;
+$func$;
+
+-- Cycle the extension off and back on to apply the permissions update.
+
+drop extension if exists pg_graphql;
+-- Avoids limitation of only being able to load the extension via dashboard
+-- Only install as well if the extension is actually installed
+DO $$
+DECLARE
+  graphql_exists boolean;
+BEGIN
+  graphql_exists = (
+      select count(*) = 1 
+      from pg_available_extensions 
+      where name = 'pg_graphql'
+  );
+
+  IF graphql_exists 
+  THEN
+  create extension if not exists pg_graphql;
+  END IF;
+END $$;
+
+-- migrate:down