feat: add AWS SSL profiles and migration log retrieval script

claudfuen · claudfuen · commit 9ba32a3e628b · 2025-07-15T16:28:27.000Z
- Introduced `aws-ssl-profiles` dependency for improved SSL verification with AWS RDS.
- Added a new script `get-migration-logs.sh` to fetch recent migration logs from AWS CloudWatch.
- Updated Dockerfile to enhance logging and error reporting during migration execution.
- Refactored database connection to utilize AWS CA bundle for SSL in production environments.
diff --git a/apps/infra/index.ts b/apps/infra/index.ts
@@ -147,7 +147,10 @@ const db = new aws.rds.Instance("pathfinder-db", {
   password: dbPassword.result, // Use the generated secure password
   vpcSecurityGroupIds: [dbSecurityGroup.id],
   dbSubnetGroupName: dbSubnetGroup.name,
-
+  
+  // Use default parameter group (requires SSL - AWS best practice)
+  applyImmediately: true, // Apply parameter changes immediately (requires restart)
+  
   skipFinalSnapshot: true, // For dev - set to false in production
   deletionProtection: false, // For dev - set to true in production
   backupRetentionPeriod: 7, // Keep backups for 7 days
@@ -461,10 +464,10 @@ const service = new awsx.ecs.FargateService("pathfinder-service", {
             name: "PORT",
             value: "3000",
           },
-          {
-            name: "DATABASE_URL",
-            value: pulumi.interpolate`postgresql://${db.username}:${db.password}@${db.endpoint}/${db.dbName}`,
-          },
+                  {
+          name: "DATABASE_URL",
+          value: pulumi.interpolate`postgresql://${db.username}:${db.password}@${db.endpoint}/${db.dbName}`,
+        },
           {
             name: "ENABLE_DEBUG_ENDPOINTS",
             value: "true", // Temporary: for debugging environment variables
diff --git a/apps/web/Dockerfile.migration b/apps/web/Dockerfile.migration
@@ -3,15 +3,27 @@ FROM oven/bun:1.2.18-alpine
 
 WORKDIR /app
 
-# Copy only what's needed for migrations
+# Copy package files first for better caching
 COPY package.json bun.lock* ./
-COPY src/db ./src/db
-COPY src/env.ts ./src/env.ts
-COPY scripts ./scripts
+
+# Install all dependencies (including dev deps like tsx if needed)
+RUN bun install --frozen-lockfile
+
+# Copy the entire src directory to avoid import path issues
+COPY src/ ./src/
+COPY scripts/ ./scripts/
 COPY drizzle.config.ts ./
 
-# Install only production dependencies
-RUN bun install --frozen-lockfile --production
+# Verify migration files exist and show structure
+RUN echo "=== Directory structure ===" && \
+    find . -type f -name "*.ts" -o -name "*.sql" | head -20 && \
+    echo "=== Migration files ===" && \
+    ls -la src/db/migrations/ && \
+    echo "=== Environment check ===" && \
+    printenv | grep -E "(DATABASE_URL|NODE_ENV)" || echo "No DB env vars yet"
+
+# Set environment for better error reporting
+ENV NODE_ENV=production
 
-# Default command runs migrations
-CMD ["bun", "run", "scripts/run-migrations.ts"] 
+# Default command runs migrations with verbose output
+CMD ["sh", "-c", "echo 'Starting migration container...' && bun run scripts/run-migrations.ts"] 
diff --git a/apps/web/package.json b/apps/web/package.json
@@ -20,6 +20,7 @@
   },
   "dependencies": {
     "@t3-oss/env-nextjs": "^0.13.8",
+    "aws-ssl-profiles": "^1.1.2",
     "axios": "^1.10.0",
     "dotenv": "^17.1.0",
     "drizzle-orm": "^0.44.2",
diff --git a/apps/web/src/db/index.ts b/apps/web/src/db/index.ts
@@ -1,3 +1,4 @@
+import awsCaBundle from "aws-ssl-profiles";
 import { drizzle } from "drizzle-orm/node-postgres";
 import { Pool } from "pg";
 import { env } from "../env";
@@ -6,7 +7,8 @@ import * as schema from "./schema";
 // Create a connection pool using validated environment variables
 const pool = new Pool({
   connectionString: env.DATABASE_URL,
-  // ssl: env.NODE_ENV === "production" ? { rejectUnauthorized: false } : false,
+  // Use AWS RDS CA bundle for proper SSL verification
+  ssl: env.DATABASE_URL.includes("localhost") ? false : awsCaBundle,
 });
 
 // Create the database instance
diff --git a/bun.lock b/bun.lock
diff --git a/get-migration-logs.sh b/get-migration-logs.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+LOG_GROUP="pathfinder-logs-a5c296d"
+REGION="us-east-1"
+
+echo "Getting recent log streams for migration..."
+aws logs describe-log-streams \
+  --log-group-name "$LOG_GROUP" \
+  --order-by LastEventTime \
+  --descending \
+  --region "$REGION" \
+  --max-items 10 \
+  --output table \
+  --query 'logStreams[].{StreamName:logStreamName,LastEvent:lastEventTime}'
+
+echo ""
+echo "Getting recent migration task logs..."
+MIGRATION_STREAM=$(aws logs describe-log-streams \
+  --log-group-name "$LOG_GROUP" \
+  --order-by LastEventTime \
+  --descending \
+  --region "$REGION" \
+  --max-items 10 \
+  --query 'logStreams[?contains(logStreamName, `migration-task`)].logStreamName' \
+  --output text | head -1)
+
+if [ -n "$MIGRATION_STREAM" ]; then
+  echo "Found migration stream: $MIGRATION_STREAM"
+  echo "Migration logs:"
+  echo "=================================="
+  aws logs get-log-events \
+    --log-group-name "$LOG_GROUP" \
+    --log-stream-name "$MIGRATION_STREAM" \
+    --region "$REGION" \
+    --query 'events[].message' \
+    --output text
+else
+  echo "No migration log stream found"
+fi 
