
feat(infra): allow runner egress to PostgreSQL 5432 for DB migrations#82

Merged
kaio6fellipe merged 3 commits into
mainfrom
feat/runner-egress-postgres-5432
Jul 2, 2026
Conversation

@kaio6fellipe

@kaio6fellipe kaio6fellipe commented Jun 4, 2026

Contributor

Problem

vulcan-saas PR #151 added a pre-deploy apply DB migrations step to deploy-dev.yml/deploy-prd.yml. It fails because the self-hosted runner can't reach the Supabase Postgres:

  • Direct host db.<ref>.supabase.co:5432 is IPv6-only → dial tcp [2600:...]:5432: connect: network is unreachable (runner SG has no IPv6 egress / subnet likely no IPv6).
  • Session pooler aws-1-<region>.pooler.supabase.com:5432 (IPv4) → the migrate step hangs ~8 min: the runner SG egress allows only 443/80/53, so the tcp/5432 SYN is silently dropped.

Verified against the live SG sg-0b7b1cd1a8e9c77ca (us-east-2): egress = tcp/80, tcp/443, udp/53 only.

Change

Add a tcp/5432 egress rule to the runner security group in both IaC paths (CloudFormation template — the deployed stack — and the Terraform module for parity), so runners can reach the Supabase session pooler (IPv4, port 5432, advisory-lock-capable; the transaction pooler on 6543 is intentionally not used as it breaks golang-migrate's advisory lock). Updates the now-stale 443/80/53 references in CLAUDE.md / AGENTS.md / docs.

cfn-lint clean; tofu validate passes. Egress-only change on ephemeral runners.

Deploy

After merge, redeploy the CloudFormation stack (aws cloudformation deploy … --template-file infra/cloudformation/template.yaml) to apply the new egress rule. Then vulcan-saas deploy-dev will connect to the session pooler and apply migrations.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation
    • Updated CI workflow guidance (AGENTS/CLAUDE and ami-prebaked) to reflect expanded self-hosted runner network egress rules, now including outbound port 5432.
  • Chores
    • Extended the EC2 runner security group egress configuration (Terraform and CloudFormation) to allow outbound TCP traffic on 5432 to 0.0.0.0/0 for PostgreSQL-related migration access.

The self-hosted runner security group only allowed egress on 443/80/53, so
deploy-dev/prd's pre-deploy 'apply DB migrations' step could not reach the
Supabase Postgres: the direct host is IPv6-only (no IPv6 egress -> network
unreachable) and the session pooler on tcp/5432 had its SYN silently dropped
(no egress rule -> connection hang).

Add a tcp/5432 egress rule to the runner security group in both the
CloudFormation template and the Terraform module, so runners can reach the
Supabase session pooler (aws-1-<region>.pooler.supabase.com:5432, IPv4,
advisory-lock-capable). Updates the stale '443/80/53' references in docs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>
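The PR body above verifies the live security group by hand (egress = tcp/80, tcp/443, udp/53 only) and describes a migrate step that hangs for ~8 minutes when the 5432 SYN is dropped. The script below is an added example, not code from PR #82 or the project it belongs to: it audits a security group's egress rules against the expected allowlist, models the new tcp/5432 rule in the same dict shape the AWS SDK returns, and offers a fail-fast TCP probe a pre-migration step could run so a dropped SYN surfaces in seconds. The sample security group, its placeholder group id, and the function names are all constructed for this example; with boto3 the real dict would come from `ec2.describe_security_groups(GroupIds=[...])["SecurityGroups"][0]`.

```python
"""Egress allowlist audit and fail-fast port probe for a self-hosted runner SG.

Added example; not code from PR #82 or the runner/vulcan-saas projects. It
works on the dict shape returned by `aws ec2 describe-security-groups` (one
entry of "SecurityGroups", with its "IpPermissionsEgress" list), so it runs
offline against the constructed sample below.
"""
import copy
import socket
from typing import Iterable

# Expected runner egress after the PR: (protocol, port) pairs.
EXPECTED_EGRESS = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 5432)}

# Constructed sample mirroring the pre-PR state the PR body describes
# (egress = tcp/80, tcp/443, udp/53 only). The group id is a placeholder.
SAMPLE_SG_BEFORE = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def allows(sg: dict, proto: str, port: int) -> bool:
    """True if any egress permission covers proto/port.

    IpProtocol "-1" means all traffic and carries no port range.
    """
    for perm in sg.get("IpPermissionsEgress", []):
        ip_proto = perm["IpProtocol"]
        if ip_proto == "-1":
            return True
        if ip_proto != proto:
            continue
        if perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            return True
    return False


def audit_egress(sg: dict, expected: Iterable[tuple[str, int]]) -> dict:
    """Report expected (proto, port) pairs with no matching rule, plus any rule
    wider than a single port (an all-traffic rule or a port range), which is
    broader than the allowlist the docs describe."""
    missing = sorted(pair for pair in expected if not allows(sg, *pair))
    overly_broad = [
        perm for perm in sg.get("IpPermissionsEgress", [])
        if perm["IpProtocol"] == "-1"
        or perm.get("FromPort") != perm.get("ToPort")
    ]
    return {"missing": missing, "overly_broad": overly_broad}


def add_egress_rule(sg: dict, proto: str, port: int, cidr: str, description: str) -> dict:
    """Return a copy of sg with one single-port egress rule appended, in the
    same shape the SDK returns. The real change lives in the CloudFormation
    template and Terraform module; this only models it for the audit."""
    updated = copy.deepcopy(sg)
    updated.setdefault("IpPermissionsEgress", []).append({
        "IpProtocol": proto, "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": cidr, "Description": description}],
    })
    return updated


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """Fail-fast reachability probe for a pre-migration step.

    A silently dropped SYN (no egress rule) shows up as a timeout after
    `timeout` seconds instead of a multi-minute hang. Every resolved address
    (A and AAAA) is tried, so an IPv6-only host with no IPv6 egress returns
    False rather than raising.
    """
    try:
        candidates = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except OSError:
        return False
    for family, socktype, proto, _, sockaddr in candidates:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
                return True
        except OSError:
            continue
    return False


if __name__ == "__main__":
    print("before:", audit_egress(SAMPLE_SG_BEFORE, EXPECTED_EGRESS))
    after = add_egress_rule(SAMPLE_SG_BEFORE, "tcp", 5432, "0.0.0.0/0",
                            "PostgreSQL session pooler (migrations)")
    print("after: ", audit_egress(after, EXPECTED_EGRESS))
    # Replace with the real pooler host; loopback is used here so it runs offline.
    print("5432 reachable:", tcp_reachable("127.0.0.1", 5432, timeout=2.0))
```

The audit reports the pre-PR group as missing `("tcp", 5432)` and the modelled post-PR group as complete with no over-broad rules. The 0.0.0.0/0 destination matches what the PR adds; if the pooler's addresses are stable, the same audit can be tightened to compare `CidrIp` values against a narrower range or a managed prefix list.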
@github-actions github-actions Bot added the documentation (Improvements or additions to documentation), jit-runners and feature labels Jun 4, 2026
@github-actions

github-actions Bot commented Jun 4, 2026


OpenSSF Scorecard — 8.3/10 ✅

| Check | Score | Details |
|---|---|---|
| Binary-Artifacts | 10/10 | no binaries found in the repo |
| CI-Tests | 10/10 | 22 out of 22 merged PRs checked by a CI test -- score normalized to 10 |
| Code-Review | 0/10 | Found 0/30 approved changesets -- score normalized to 0 |
| Dangerous-Workflow | 10/10 | no dangerous workflow patterns detected |
| License | 10/10 | license file detected |
| Pinned-Dependencies | 6/10 | dependency not pinned by hash detected -- score normalized to 6 |
| Security-Policy | 10/10 | security policy file detected |
| Token-Permissions | 10/10 | GitHub workflow tokens follow principle of least privilege |
| Vulnerabilities | 10/10 | 0 existing vulnerabilities detected |

Threshold: 7 | Full report

@coderabbitai

coderabbitai Bot commented Jun 4, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7f134128-bff2-479f-857c-a3d82d2dadeb

📥 Commits

Reviewing files that changed from the base of the PR and between 3156fa9 and 3853223.

📒 Files selected for processing (2)
  • CLAUDE.md
  • docs/ami-prebaked.md
✅ Files skipped from review due to trivial changes (2)
  • docs/ami-prebaked.md
  • CLAUDE.md

📝 Walkthrough

Self-hosted runner egress rules now allow outbound TCP port 5432 for PostgreSQL session pooler access, and the matching workflow documentation is updated to list the expanded allowlist.

Changes

Self-hosted Runner PostgreSQL Access

| Layer | File(s) | Summary |
|---|---|---|
| Infrastructure egress rule updates | infra/cloudformation/template.yaml, infra/terraform/ec2.tf | CloudFormation and Terraform security group definitions each add an outbound rule permitting TCP port 5432 to 0.0.0.0/0 for PostgreSQL session pooler access. |
| Documentation port allowlist sync | AGENTS.md, CLAUDE.md, docs/ami-prebaked.md | The documented self-hosted runner egress allowlist is expanded to include port 5432 while retaining the SSH-blocked Packer timeout explanation. |

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks: ✅ 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main change: adding runner egress for PostgreSQL 5432 migrations. |
| Description check | ✅ Passed | The description covers the problem, fix, validation, and deploy steps; only template sections like related issues and checklist formatting are missing. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
…stgres-5432

Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>

# Conflicts:
#	CLAUDE.md
…stgres-5432

Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>

# Conflicts:
#	CLAUDE.md
@kaio6fellipe kaio6fellipe merged commit 7be033c into main Jul 2, 2026
10 checks passed
@kaio6fellipe kaio6fellipe deleted the feat/runner-egress-postgres-5432 branch July 2, 2026 02:35