bloom-housing
diff --git a/‎.dockerignore‎
Lines changed: 3 additions & 0 deletions b/‎.dockerignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/docker_compose_ci.yml‎
Lines changed: 89 additions & 0 deletions b/‎.github/workflows/docker_compose_ci.yml‎
Lines changed: 89 additions & 0 deletions
diff --git a/‎.github/workflows/docker_image_build.yml‎
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/docker_image_build.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎api/Dockerfile‎
Lines changed: 4 additions & 4 deletions b/‎api/Dockerfile‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎api/README.md‎
Lines changed: 1 addition & 0 deletions b/‎api/README.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎api/dbinit/Dockerfile‎
Lines changed: 9 additions & 0 deletions b/‎api/dbinit/Dockerfile‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎api/dbinit/README.md‎
Lines changed: 3 additions & 0 deletions b/‎api/dbinit/README.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎api/dbinit/docker-compose.check.sql‎
Lines changed: 17 additions & 0 deletions b/‎api/dbinit/docker-compose.check.sql‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎api/dbinit/docker-compose.init.sql‎
Lines changed: 47 additions & 0 deletions b/‎api/dbinit/docker-compose.init.sql‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎api/dbinit/rds.init.sql‎
Lines changed: 49 additions & 0 deletions b/‎api/dbinit/rds.init.sql‎
Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,3 @@
+Dockerfile
+.dockerignore
+**/node_modules
@@ -0,0 +1,89 @@
+name: Docker Compose CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  check-docker-compose:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out Git repository
+        uses: actions/checkout@v6
+
+      - name: build
+        shell: bash
+        run: |
+          if ! docker compose build; then
+            echo 'ERROR: docker compose build failed'
+          fi
+
+      - name: dbinitcheck
+        shell: bash
+        run: |
+          if ! docker compose up \
+               --exit-code-from dbinit \
+               db dbinit
+          then
+            echo 'ERROR: dbinit first execution did not exit with 0'
+            exit 1
+          fi
+
+          if ! docker compose up \
+               --exit-code-from dbinit \
+               db dbinit
+          then
+            echo 'ERROR: dbinit second execution did not exit with 0'
+            exit 1
+          fi
+
+          if ! docker compose down; then
+            echo 'ERROR: docker compose down failed'
+          fi
+
+      - name: dbreadonlycheck
+        shell: bash
+        run: |
+          if ! COMPOSE_PROFILES=ci docker compose up \
+               --exit-code-from dbreadonlycheck \
+               dbreadonlycheck
+          then
+            echo 'ERROR: dbreadonlycheck did not exit with 0'
+            exit 1
+          fi
+
+          if ! docker compose down; then
+            echo 'ERROR: docker compose down failed'
+          fi
+
+      - name: sites-smoke-test
+        shell: bash
+        run: |
+          if ! docker compose up --wait; then
+            echo 'ERROR: docker compose up --wait did not exit with 0'
+            exit 1
+          fi
+
+          if ! curl --fail http://127.0.0.1:3001; then
+            echo 'ERROR: partners site is not accessible. Logs:'
+            docker compose logs partners
+            exit 1
+          fi
+
+          if ! curl --fail http://127.0.0.1:3000; then
+            echo 'ERROR: public site is not accessible. Logs:'
+            docker compose logs public
+            exit 1
+          fi
+
+          if ! docker compose down; then
+            echo 'ERROR: docker compose down failed'
+            exit 1
+          fi
@@ -31,6 +31,10 @@ jobs:
             docker_context: "{{defaultContext}}:api"
             dockerfile: Dockerfile.dbseed
             platforms: linux/amd64
+          - container: dbinit
+            docker_context: "{{defaultContext}}:api/dbinit"
+            dockerfile: Dockerfile
+            platforms: linux/amd64
           - container: partners
             docker_context: "{{defaultContext}}"
             dockerfile: Dockerfile.sites.partners
 
@@ -33,7 +33,7 @@ RUN yarn build
 #
 # IMPORTANT: keep the 'build' layer above in sync.
 FROM node:22@sha256:23c24e85395992be118734a39903e08c8f7d1abc73978c46b6bda90060091a49 AS run
-WORKDIR /run
+WORKDIR /bloom_api
 
 # Copy over build artifacts.
 COPY --from=build /build/runtime_dependencies/ .
@@ -47,9 +47,9 @@ COPY --from=build /build/prisma/migrations ./prisma/migrations
 COPY --from=build /build/node_modules/.prisma ./node_modules/.prisma
 
 # Create a non-root user to run (principle of least privilege).
-WORKDIR /run
-RUN groupadd --gid 2002 run && useradd --gid 2002 --uid 2002 --home /run run
-RUN chown --recursive 2002:2002 /run
+WORKDIR /bloom_api
+RUN groupadd --gid 2002 bloom_api && useradd --gid 2002 --uid 2002 --home /bloom_api bloom_api
+RUN chown --recursive 2002:2002 /bloom_api
 USER 2002:2002
 
 # Run any DB migrations then start the server.
 
@@ -187,6 +187,7 @@ The tests require the TIME_ZONE environment variable to be set. Create a `.env`
 
 ```bash
 echo 'TIME_ZONE=America/Los_Angeles' > .env
+echo 'CLOUDINARY_CLOUD_NAME=exygy' >> .env
 ```
 
 Running the following will run all unit tests: `yarn test`
 
@@ -0,0 +1,9 @@
+# To update, find the latest stable version from:
+# https://hub.docker.com/_/postgres/tags
+#
+# Explicitly pin the version tag and image sha.
+FROM docker.io/postgres:18.1@sha256:5773fe724c49c42a7a9ca70202e11e1dff21fb7235b335a73f39297d200b73a2
+
+COPY --chown=postgres:postgres *.sql .
+
+USER postgres:postgres
@@ -0,0 +1,3 @@
+# dbinit
+
+Creates a docker container that is used to initialize the Bloom postgres database.
@@ -0,0 +1,17 @@
+-- Test the bloom_readonly expected permissions.
+\set ON_ERROR_STOP on
+
+DO $$
+BEGIN
+  -- Should succeed (PERFORM is like a SELECT but the results are discarded).
+  PERFORM id FROM jurisdictions;
+  RAISE NOTICE 'SELECT: OK';
+
+  -- Should fail
+  BEGIN
+    INSERT INTO applicant DEFAULT VALUES;
+    RAISE EXCEPTION 'INSERT unexpectedly succeeded';
+  EXCEPTION WHEN insufficient_privilege THEN
+      RAISE NOTICE 'INSERT: correctly denied';
+  END;
+END $$;
@@ -0,0 +1,47 @@
+-- Creates the bloom_prisma database and database users.
+-- Follows examples from https://aws.amazon.com/blogs/database/managing-postgresql-users-and-roles/.
+
+\set ON_ERROR_STOP on
+
+-- Database
+SELECT 'CREATE DATABASE bloom_prisma'
+WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'bloom_prisma')\gexec
+\c bloom_prisma
+
+-- Revoke public privleges
+REVOKE CREATE ON SCHEMA public FROM PUBLIC;
+REVOKE ALL ON DATABASE bloom_prisma FROM PUBLIC;
+
+-- Roles
+-- bloom_api
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'bloom_api') THEN
+        CREATE USER bloom_api PASSWORD 'bloom_api_pw';
+        GRANT CONNECT ON DATABASE bloom_prisma TO bloom_api;
+        GRANT ALL PRIVILEGES ON DATABASE bloom_prisma TO bloom_api;
+        GRANT ALL PRIVILEGES ON SCHEMA public TO bloom_api;
+    END IF;
+END
+$$;
+
+
+-- bloom_readonly
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'bloom_readonly') THEN
+        CREATE USER bloom_readonly PASSWORD 'bloom_readonly_pw';
+        GRANT CONNECT ON DATABASE bloom_prisma TO bloom_readonly;
+        GRANT USAGE ON SCHEMA public TO bloom_readonly;
+        GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO bloom_readonly;
+    END IF;
+END
+$$;
+
+-- Set local role within transation.
+BEGIN;
+SET LOCAL ROLE bloom_api;
+
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO bloom_readonly;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO bloom_readonly;
+COMMIT;
@@ -0,0 +1,49 @@
+-- Creates the bloom_prisma database and database users.
+-- Follows examples from https://aws.amazon.com/blogs/database/managing-postgresql-users-and-roles/.
+
+\set ON_ERROR_STOP on
+
+-- Database
+SELECT 'CREATE DATABASE bloom_prisma'
+WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'bloom_prisma')\gexec
+\c bloom_prisma
+
+-- Revoke public privleges
+REVOKE CREATE ON SCHEMA public FROM PUBLIC;
+REVOKE ALL ON DATABASE bloom_prisma FROM PUBLIC;
+
+-- Roles
+-- bloom_api
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'bloom_api') THEN
+        CREATE USER bloom_api;
+        GRANT rds_iam TO bloom_api;
+        GRANT CONNECT ON DATABASE bloom_prisma TO bloom_api;
+        GRANT ALL PRIVILEGES ON DATABASE bloom_prisma TO bloom_api;
+        GRANT ALL PRIVILEGES ON SCHEMA public TO bloom_api;
+    END IF;
+END
+$$;
+
+
+-- bloom_readonly
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'bloom_readonly') THEN
+        CREATE USER bloom_readonly;
+        GRANT rds_iam TO bloom_readonly;
+        GRANT CONNECT ON DATABASE bloom_prisma TO bloom_readonly;
+        GRANT USAGE ON SCHEMA public TO bloom_readonly;
+        GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO bloom_readonly;
+    END IF;
+END
+$$;
+
+-- Set local role within transation.
+BEGIN;
+SET LOCAL ROLE bloom_api;
+
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO bloom_readonly;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO bloom_readonly;
+COMMIT;
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Dockerfile`
	`2`	`+.dockerignore`
	`3`	`+**/node_modules`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# dbinit`
	`2`	`+`
	`3`	`+Creates a docker container that is used to initialize the Bloom postgres database.`