infra: scope shared-cluster postgres resources by lane

Use lane-specific Postgres role and database names for non-prod stacks so dev deploys can share the managed cluster without colliding with prod objects or failing on reruns.

Made-with: Cursor

Author: gankoji

infra/README.md

@@ -123,6 +123,8 @@ Hostnames are derived in `infra/platform` from `platform:hostname` and `platform
 
 `layer_1` and `layer_2` stack names are environment-specific when a lane has its own substrate (for example `dev` on the dedicated `dev-staging` node) and remain `layer_1` / `layer_2` on the production manager; confirm with `pulumi stack ls` per project before apply.
 
+When multiple lanes share the same DigitalOcean Postgres cluster, non-prod stacks scope service roles and service databases by stack name (for example `grafana-dev` and `replicated-telegraf-telegraf-dev`) so reruns do not collide with prod. The bootstrap connection DB defaults to `sprocket_main` and can be overridden per stack with `postgres-management-database`.
+
 ## GitHub Actions
 
 ### Container image tags (CI)

infra/global/helpers/datastore/PostgresUser.ts

@@ -1,6 +1,7 @@
 import * as pulumi from "@pulumi/pulumi";
 import * as postgres from "@pulumi/postgresql";
 import {ServiceCredentials} from "../ServiceCredentials";
+import { EnsureSharedClusterRole, laneScopedPostgresName, usesLegacySharedClusterNames } from "./SharedClusterPostgres";
 
 
 export interface PostgresUserArgs {
@@ -17,23 +18,34 @@ export class PostgresUser extends pulumi.ComponentResource {
     readonly password: pulumi.Output<string>;
 
     private readonly credentials: ServiceCredentials;
-    private readonly role: postgres.Role;
+    private readonly role: EnsureSharedClusterRole | postgres.Role;
 
     constructor(name: string, args: PostgresUserArgs, opts?: pulumi.ComponentResourceOptions) {
         super("sprocket:PostgresUser", name, {}, opts)
 
+        const scopedUsername = laneScopedPostgresName(args.username);
+
         this.credentials = new ServiceCredentials(`${name}-pw`, {
-            username: args.username,
+            username: scopedUsername,
         }, {parent: this});
 
         this.username = this.credentials.username;
         this.password = this.credentials.password;
 
-        this.role = new postgres.Role(`${name}-role`, {
-            name: this.credentials.username,
-            login: true,
-            password: this.credentials.password,
+        if (usesLegacySharedClusterNames()) {
+            this.role = new postgres.Role(`${name}-role`, {
+                name: this.credentials.username,
+                login: true,
+                password: this.credentials.password,
+                replication: args.replication ?? false,
+            }, {provider: args.providers.postgres, parent: this, import: args.importId});
+            return;
+        }
+
+        this.role = new EnsureSharedClusterRole(`${name}-role`, {
+            roleName: this.credentials.username,
+            rolePassword: this.credentials.password,
             replication: args.replication ?? false,
-        }, {provider: args.providers.postgres, parent: this, import: args.importId});
+        }, { parent: this });
     }
 }

infra/global/helpers/datastore/SharedClusterPostgres.ts

@@ -0,0 +1,262 @@
+import * as pulumi from "@pulumi/pulumi";
+import { Client } from "pg";
+
+const LEGACY_SHARED_CLUSTER_STACKS = new Set(["layer_1", "layer_2", "prod"]);
+
+type SharedClusterConnection = {
+    host: string;
+    port: number;
+    username: string;
+    password: string;
+    database: string;
+};
+
+type SharedClusterRoleInputs = SharedClusterConnection & {
+    roleName: string;
+    rolePassword: string;
+    replication: boolean;
+};
+
+type SharedClusterDatabaseInputs = SharedClusterConnection & {
+    databaseName: string;
+    ownerRole: string;
+};
+
+export function usesLegacySharedClusterNames(stack = pulumi.getStack()): boolean {
+    return LEGACY_SHARED_CLUSTER_STACKS.has(stack);
+}
+
+export function laneScopedPostgresName(baseName: string, stack = pulumi.getStack()): string {
+    if (usesLegacySharedClusterNames(stack)) {
+        return baseName;
+    }
+
+    return `${baseName}-${normalizeStackName(stack)}`;
+}
+
+export function getPostgresManagementDatabaseName(config = new pulumi.Config()): string {
+    return config.get("postgres-management-database")?.trim() || "sprocket_main";
+}
+
+function normalizeStackName(stack: string): string {
+    const normalized = stack
+        .trim()
+        .toLowerCase()
+        .replace(/[^a-z0-9_-]+/g, "-")
+        .replace(/^-+|-+$/g, "");
+
+    return normalized || "stack";
+}
+
+function getSharedClusterConnectionInputs(config = new pulumi.Config()) {
+    return {
+        host: config.require("postgres-host"),
+        port: config.requireNumber("postgres-port"),
+        username: config.require("postgres-username"),
+        password: config.requireSecret("postgres-password"),
+        database: getPostgresManagementDatabaseName(config),
+    };
+}
+
+function quoteIdentifier(value: string): string {
+    return `"${value.replace(/"/g, "\"\"")}"`;
+}
+
+function quoteLiteral(value: string): string {
+    return `'${value.replace(/'/g, "''")}'`;
+}
+
+async function withClient<T>(connection: SharedClusterConnection, callback: (client: Client) => Promise<T>): Promise<T> {
+    const client = new Client({
+        host: connection.host,
+        port: connection.port,
+        user: connection.username,
+        password: connection.password,
+        database: connection.database,
+        ssl: {
+            rejectUnauthorized: false,
+        },
+    });
+
+    await client.connect();
+
+    try {
+        return await callback(client);
+    } finally {
+        await client.end();
+    }
+}
+
+async function ensureRole(inputs: SharedClusterRoleInputs): Promise<void> {
+    await withClient(inputs, async (client) => {
+        const existingRole = await client.query("select 1 from pg_roles where rolname = $1", [inputs.roleName]);
+        const replicationClause = inputs.replication ? "REPLICATION" : "NOREPLICATION";
+
+        if (existingRole.rowCount && existingRole.rowCount > 0) {
+            await client.query(
+                `ALTER ROLE ${quoteIdentifier(inputs.roleName)} WITH LOGIN ${replicationClause} PASSWORD ${quoteLiteral(inputs.rolePassword)}`,
+            );
+            return;
+        }
+
+        await client.query(
+            `CREATE ROLE ${quoteIdentifier(inputs.roleName)} WITH LOGIN ${replicationClause} PASSWORD ${quoteLiteral(inputs.rolePassword)}`,
+        );
+    });
+}
+
+async function ensureDatabase(inputs: SharedClusterDatabaseInputs): Promise<void> {
+    await withClient(inputs, async (client) => {
+        const existingDatabase = await client.query("select 1 from pg_database where datname = $1", [inputs.databaseName]);
+
+        if (existingDatabase.rowCount && existingDatabase.rowCount > 0) {
+            await client.query(
+                `ALTER DATABASE ${quoteIdentifier(inputs.databaseName)} OWNER TO ${quoteIdentifier(inputs.ownerRole)}`,
+            );
+            return;
+        }
+
+        await client.query(
+            `CREATE DATABASE ${quoteIdentifier(inputs.databaseName)} OWNER ${quoteIdentifier(inputs.ownerRole)}`,
+        );
+    });
+}
+
+class SharedClusterRoleProvider implements pulumi.dynamic.ResourceProvider {
+    async create(inputs: SharedClusterRoleInputs) {
+        await ensureRole(inputs);
+
+        return {
+            id: inputs.roleName,
+            outs: {
+                ...inputs,
+                roleName: inputs.roleName,
+            },
+        };
+    }
+
+    async diff(id: string, olds: SharedClusterRoleInputs, news: SharedClusterRoleInputs) {
+        const replaces = olds.roleName !== news.roleName ? ["roleName"] : [];
+        const changes = replaces.length > 0
+            || olds.rolePassword !== news.rolePassword
+            || olds.replication !== news.replication
+            || olds.host !== news.host
+            || olds.port !== news.port
+            || olds.username !== news.username
+            || olds.password !== news.password
+            || olds.database !== news.database;
+
+        return { changes, replaces };
+    }
+
+    async update(id: string, olds: SharedClusterRoleInputs, news: SharedClusterRoleInputs) {
+        await ensureRole(news);
+
+        return {
+            outs: {
+                ...news,
+                roleName: news.roleName,
+            },
+        };
+    }
+
+    async delete(id: string, props: SharedClusterRoleInputs) {
+        return;
+    }
+}
+
+class SharedClusterDatabaseProvider implements pulumi.dynamic.ResourceProvider {
+    async create(inputs: SharedClusterDatabaseInputs) {
+        await ensureDatabase(inputs);
+
+        return {
+            id: inputs.databaseName,
+            outs: {
+                ...inputs,
+                databaseName: inputs.databaseName,
+            },
+        };
+    }
+
+    async diff(id: string, olds: SharedClusterDatabaseInputs, news: SharedClusterDatabaseInputs) {
+        const replaces = olds.databaseName !== news.databaseName ? ["databaseName"] : [];
+        const changes = replaces.length > 0
+            || olds.ownerRole !== news.ownerRole
+            || olds.host !== news.host
+            || olds.port !== news.port
+            || olds.username !== news.username
+            || olds.password !== news.password
+            || olds.database !== news.database;
+
+        return { changes, replaces };
+    }
+
+    async update(id: string, olds: SharedClusterDatabaseInputs, news: SharedClusterDatabaseInputs) {
+        await ensureDatabase(news);
+
+        return {
+            outs: {
+                ...news,
+                databaseName: news.databaseName,
+            },
+        };
+    }
+
+    async delete(id: string, props: SharedClusterDatabaseInputs) {
+        return;
+    }
+}
+
+export interface EnsureSharedClusterRoleArgs {
+    roleName: pulumi.Input<string>;
+    rolePassword: pulumi.Input<string>;
+    replication?: pulumi.Input<boolean>;
+}
+
+export class EnsureSharedClusterRole extends pulumi.dynamic.Resource {
+    readonly roleName!: pulumi.Output<string>;
+
+    constructor(name: string, args: EnsureSharedClusterRoleArgs, opts?: pulumi.CustomResourceOptions) {
+        const connection = getSharedClusterConnectionInputs();
+
+        super(new SharedClusterRoleProvider(), name, {
+            host: connection.host,
+            port: connection.port,
+            username: connection.username,
+            password: connection.password,
+            database: connection.database,
+            roleName: args.roleName,
+            rolePassword: args.rolePassword,
+            replication: args.replication ?? false,
+        }, {
+            ...opts,
+            additionalSecretOutputs: ["password", "rolePassword"],
+        });
+    }
+}
+
+export interface EnsureSharedClusterDatabaseArgs {
+    databaseName: pulumi.Input<string>;
+    ownerRole: pulumi.Input<string>;
+}
+
+export class EnsureSharedClusterDatabase extends pulumi.dynamic.Resource {
+    readonly databaseName!: pulumi.Output<string>;
+
+    constructor(name: string, args: EnsureSharedClusterDatabaseArgs, opts?: pulumi.CustomResourceOptions) {
+        const connection = getSharedClusterConnectionInputs();
+
+        super(new SharedClusterDatabaseProvider(), name, {
+            host: connection.host,
+            port: connection.port,
+            username: connection.username,
+            password: connection.password,
+            database: connection.database,
+            databaseName: args.databaseName,
+            ownerRole: args.ownerRole,
+        }, {
+            ...opts,
+            additionalSecretOutputs: ["password"],
+        });
+    }
+}

infra/global/package.json

@@ -22,7 +22,11 @@
     "@types/axios": "^0.14.0",
     "@types/yaml": "^1.9.7",
     "axios": "^0.27.1",
+    "pg": "^8.20.0",
     "remove": "^0.1.5",
     "yaml": "^2.0.1"
+  },
+  "devDependencies": {
+    "@types/pg": "^8.20.0"
   }
 }

infra/global/providers/SprocketPostgresProvider.ts

@@ -1,5 +1,6 @@
 import * as pulumi from "@pulumi/pulumi"
 import * as postgres from "@pulumi/postgresql";
+import { getPostgresManagementDatabaseName } from "../helpers/datastore/SharedClusterPostgres";
 
 export interface SprocketPostgresProviderArgs extends Omit<postgres.ProviderArgs, "username" | "password" | "host" | "sslmode" | "port"> {
 }
@@ -18,6 +19,7 @@ export class SprocketPostgresProvider extends postgres.Provider {
         const password = config.require('postgres-password');
         const host = config.require('postgres-host');
         const port = config.requireNumber('postgres-port');
+        const database = getPostgresManagementDatabaseName(config);
 
         super("SprocketPostgresProvider", {
             ...args,
@@ -26,7 +28,7 @@ export class SprocketPostgresProvider extends postgres.Provider {
             host: host,
             sslmode: 'require',
             port: port,
-            database: 'sprocket_main',
+            database: database,
             superuser: false
         }, opts);