fix: run migrations via CodeBuild instead of non-existent ECS task

- Add VPC access and DATABASE_URL to migration CodeBuild project
- Modify buildspec-migration.yml to run migrations when RUN_MIGRATIONS=true
- Update deploy.sh to use CodeBuild for migrations instead of ECS tasks
- Update GitHub Actions workflow to use same CodeBuild approach
- Fixes 'Invalid revision number. Number: latest' error

Author: claudfuen

.github/workflows/deploy.yml

@@ -78,31 +78,24 @@ jobs:
           
       - name: Run database migrations
         run: |
-          # Get subnet and security group for migration task
-          PRIVATE_SUBNET=$(aws ec2 describe-subnets --filters "Name=tag:Type,Values=private" --query 'Subnets[0].SubnetId' --output text)
-          CODEBUILD_SG=$(aws ec2 describe-security-groups --filters "Name=tag:Name,Values=pathfinder-codebuild-sg" --query 'SecurityGroups[0].GroupId' --output text)
-          
-          echo "Using subnet: $PRIVATE_SUBNET"
-          echo "Using security group: $CODEBUILD_SG"
-          
-          TASK_ARN=$(aws ecs run-task \
-            --cluster pathfinder \
-            --task-definition pathfinder-migration:latest \
-            --launch-type FARGATE \
-            --network-configuration "awsvpcConfiguration={subnets=[$PRIVATE_SUBNET],securityGroups=[$CODEBUILD_SG],assignPublicIp=ENABLED}" \
-            --query 'tasks[0].taskArn' --output text)
+          # Run migrations via CodeBuild (which has VPC access to database)
+          MIGRATION_RUN_ID=$(aws codebuild start-build \
+            --project-name pathfinder-migration-build \
+            --environment-variables-override name=RUN_MIGRATIONS,value=true \
+            --query 'build.id' --output text)
           
-          echo "Migration task started: $TASK_ARN"
+          echo "Migration run started: $MIGRATION_RUN_ID"
           
-          # Wait for migration task to complete
-          aws ecs wait tasks-stopped --cluster pathfinder --tasks $TASK_ARN
+          # Wait for migration run to complete
+          while [ "$(aws codebuild batch-get-builds --ids $MIGRATION_RUN_ID --query 'builds[0].buildStatus' --output text)" = "IN_PROGRESS" ]; do
+            echo "Waiting for migrations to complete..."
+            sleep 30
+          done
           
           # Check if migration succeeded
-          EXIT_CODE=$(aws ecs describe-tasks --cluster pathfinder --tasks $TASK_ARN \
-            --query 'tasks[0].containers[0].exitCode' --output text)
-          
-          if [ "$EXIT_CODE" != "0" ]; then
-            echo "Migration failed with exit code: $EXIT_CODE"
+          STATUS=$(aws codebuild batch-get-builds --ids $MIGRATION_RUN_ID --query 'builds[0].buildStatus' --output text)
+          if [ "$STATUS" != "SUCCEEDED" ]; then
+            echo "Migration failed with status: $STATUS"
             exit 1
           fi
           echo "Migrations completed successfully"

apps/infra/modules/build.ts

@@ -165,10 +165,10 @@ export function createBuildSystem(config: CommonConfig, network: NetworkOutputs,
     },
   });
 
-  // CodeBuild project for building migration image (no database access needed)
+  // CodeBuild project for building migration image (with database access for running migrations)
   const migrationProject = new aws.codebuild.Project("pathfinder-migration-build", {
     name: "pathfinder-migration-build",
-    description: "Build migration Docker image (standalone)",
+    description: "Build migration Docker image and run migrations",
     serviceRole: codebuildRole.arn,
     artifacts: {
       type: "NO_ARTIFACTS",
@@ -189,14 +189,24 @@ export function createBuildSystem(config: CommonConfig, network: NetworkOutputs,
           value: "pathfinder",
           type: "PLAINTEXT",
         },
+        {
+          name: "DATABASE_URL",
+          value: database.connectionString,
+          type: "PLAINTEXT",
+        },
         {
           name: "AWS_DEFAULT_REGION",
           value: config.awsRegion,
           type: "PLAINTEXT",
         },
       ],
     },
-    // No VPC config - doesn't need database access
+    // Add VPC config for database access
+    vpcConfig: {
+      vpcId: network.vpcId,
+      subnets: network.privateSubnetIds,
+      securityGroupIds: [network.securityGroups.codeBuild],
+    },
     source: {
       type: "GITHUB",
       location: `https://github.com/${config.githubOrg}/${config.githubRepo}.git`,

apps/web/buildspec-migration.yml

@@ -17,6 +17,15 @@ phases:
       - docker build -f Dockerfile.migration -t $IMAGE_REPO_NAME:migration-$IMAGE_TAG .
       - docker tag $IMAGE_REPO_NAME:migration-$IMAGE_TAG $REPOSITORY_URI:migration-$IMAGE_TAG
       - docker tag $IMAGE_REPO_NAME:migration-$IMAGE_TAG $REPOSITORY_URI:migration-latest
+      - |
+        if [ "$RUN_MIGRATIONS" = "true" ]; then
+          echo "Running database migrations..."
+          docker run --rm \
+            -e DATABASE_URL="$DATABASE_URL" \
+            -e NODE_ENV="production" \
+            $IMAGE_REPO_NAME:migration-$IMAGE_TAG
+          echo "Migrations completed successfully"
+        fi
 
   post_build:
     commands:

scripts/deploy.sh

@@ -67,46 +67,17 @@ migration_build_id=$(aws codebuild start-build \
 echo "Migration build ID: $migration_build_id"
 wait_for_build "$migration_build_id" "Migration"
 
-# Step 3: Run Database Migrations
-echo -e "${YELLOW}🗃️  Step 3: Running database migrations...${NC}"
+# Step 3: Run Database Migrations via CodeBuild
+echo -e "${YELLOW}🗃️  Step 3: Running database migrations via CodeBuild...${NC}"
 
-# Get subnet and security group for migration task
-private_subnet=$(aws ec2 describe-subnets \
-    --filters "Name=tag:Type,Values=private" \
-    --query 'Subnets[0].SubnetId' --output text)
-
-codebuild_sg=$(aws ec2 describe-security-groups \
-    --filters "Name=tag:Name,Values=pathfinder-codebuild-sg" \
-    --query 'SecurityGroups[0].GroupId' --output text)
-
-echo "Using subnet: $private_subnet"
-echo "Using security group: $codebuild_sg"
-
-# Run migration task with correct syntax
-migration_task_arn=$(aws ecs run-task \
-    --cluster "$CLUSTER_NAME" \
-    --task-definition pathfinder-migration:latest \
-    --launch-type FARGATE \
-    --network-configuration "awsvpcConfiguration={subnets=[$private_subnet],securityGroups=[$codebuild_sg],assignPublicIp=ENABLED}" \
-    --query 'tasks[0].taskArn' --output text)
-
-echo "Migration task ARN: $migration_task_arn"
-
-# Wait for migration to complete
-echo -e "${YELLOW}⏳ Waiting for migrations to complete...${NC}"
-aws ecs wait tasks-stopped --cluster "$CLUSTER_NAME" --tasks "$migration_task_arn"
-
-# Check migration exit code
-exit_code=$(aws ecs describe-tasks \
-    --cluster "$CLUSTER_NAME" \
-    --tasks "$migration_task_arn" \
-    --query 'tasks[0].containers[0].exitCode' --output text)
+# Run migration via CodeBuild (which has VPC access to database)
+migration_run_id=$(aws codebuild start-build \
+    --project-name pathfinder-migration-build \
+    --environment-variables-override name=RUN_MIGRATIONS,value=true \
+    --query 'build.id' --output text)
 
-if [ "$exit_code" != "0" ]; then
-    echo -e "${RED}❌ Migration failed with exit code: $exit_code${NC}"
-    exit 1
-fi
-echo -e "${GREEN}✅ Migrations completed successfully${NC}"
+echo "Migration run ID: $migration_run_id"
+wait_for_build "$migration_run_id" "Migration Run"
 
 # Step 4: Build Application Image
 echo -e "${YELLOW}🔨 Step 4: Building application image...${NC}"