feat(infra): allow runner egress to PostgreSQL 5432 for DB migrations#82
Merged
Conversation
The self-hosted runner security group only allowed egress on 443/80/53, so deploy-dev/prd's pre-deploy 'apply DB migrations' step could not reach the Supabase Postgres: the direct host is IPv6-only (no IPv6 egress -> network unreachable) and the session pooler on tcp/5432 had its SYN silently dropped (no egress rule -> connection hang).

Add a tcp/5432 egress rule to the runner security group in both the CloudFormation template and the Terraform module, so runners can reach the Supabase session pooler (aws-1-<region>.pooler.supabase.com:5432, IPv4, advisory-lock-capable). Updates the stale '443/80/53' references in docs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>
OpenSSF Scorecard — 8.3/10 ✅
Walkthrough (CodeRabbit): Self-hosted runner egress rules now allow outbound TCP port 5432 for PostgreSQL session pooler access, and the matching workflow documentation is updated to list the expanded allowlist. Change group: Self-hosted Runner PostgreSQL Access.
…stgres-5432 Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com> # Conflicts: # CLAUDE.md
Problem

vulcan-saas PR #151 added a pre-deploy `apply DB migrations` step to `deploy-dev.yml`/`deploy-prd.yml`. It fails because the self-hosted runner can't reach the Supabase Postgres:

- `db.<ref>.supabase.co:5432` is IPv6-only → `dial tcp [2600:...]:5432: connect: network is unreachable` (runner SG has no IPv6 egress / subnet likely no IPv6).
- `aws-1-<region>.pooler.supabase.com:5432` (IPv4) → the migrate step hangs ~8 min: the runner SG egress allows only 443/80/53, so the tcp/5432 SYN is silently dropped.

Verified against the live SG `sg-0b7b1cd1a8e9c77ca` (us-east-2): egress = tcp/80, tcp/443, udp/53 only.

Change

Add a tcp/5432 egress rule to the runner security group in both IaC paths (CloudFormation template — the deployed stack — and the Terraform module for parity), so runners can reach the Supabase session pooler (IPv4, port 5432, advisory-lock-capable; the transaction pooler on 6543 is intentionally not used as it breaks golang-migrate's advisory lock). Updates the now-stale `443/80/53` references in CLAUDE.md / AGENTS.md / docs. `cfn-lint` clean; `tofu validate` passes. Egress-only change on ephemeral runners.

Deploy

After merge, redeploy the CloudFormation stack (`aws cloudformation deploy … --template-file infra/cloudformation/template.yaml`) to apply the new egress rule. Then vulcan-saas `deploy-dev` will connect to the session pooler and apply migrations.

🤖 Generated with Claude Code
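An added preflight check that is not part of this PR or the vulcan-saas repo: it reproduces the two failure modes diagnosed above (IPv6 "network is unreachable" vs. a silently dropped SYN) with a short connect timeout, so a missing egress rule fails the job quickly with a label instead of hanging ~8 minutes. The hostname in TARGETS is the placeholder from the description, not a real endpoint.

```python
import errno
import socket

# Constructed target list mirroring the PR description; the hostname is a
# placeholder, not a real Supabase endpoint.
TARGETS = [("aws-1-<region>.pooler.supabase.com", 5432)]

# errno -> label; a timeout is handled separately (no errno on settimeout failures).
OUTCOMES = {
    errno.ENETUNREACH: "network_unreachable",  # e.g. IPv6-only host, runner has no IPv6 egress
    errno.EHOSTUNREACH: "host_unreachable",
    errno.ECONNREFUSED: "refused",             # SYN got through, nothing listening (egress is open)
}


def classify_error(exc: OSError) -> str:
    """Map a connect() failure to a label; a timeout means the SYN was dropped (no SG egress rule)."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout_syn_dropped"
    return OUTCOMES.get(exc.errno, f"error:{exc.errno}")


def check_tcp_egress(host: str, port: int, timeout: float = 5.0) -> str:
    """Attempt a TCP connect to each resolved address with a short timeout and report the outcome."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"
    result = "no_addresses"
    for family, socktype, proto, _, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
            return "open"  # any reachable address is enough for the migrate step
        except OSError as exc:
            result = classify_error(exc)  # keep trying other addresses (IPv6 then IPv4)
    return result


def closed_local_port() -> int:
    """Bind an ephemeral port and release it; nothing listens there afterwards (constructed test target)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    results = {f"{h}:{p}": check_tcp_egress(h, p) for h, p in TARGETS}
    print(results)
    sys.exit(0 if all(v == "open" for v in results.values()) else 1)
```

Run it as a step before `apply DB migrations`: a `timeout_syn_dropped` result points at the security group egress allowlist, while `network_unreachable` on an IPv6 address points at missing IPv6 egress.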