Run migrations on PR environments (#1440)

* Create separate tables for PR envs
* Use commit hash for checkout / teardown
* Loud error

Author: bencalegari

.github/workflows/ci-app-pr-environment-destroy.yml

@@ -6,6 +6,10 @@ on:
         description: "Pull request number"
         required: true
         type: string
+      commit_hash:
+        description: "Commit hash whose scripts to use for teardown"
+        required: true
+        type: string
   # !! Uncomment the following lines once you've set up the dev environment and are ready to enable PR environments
   pull_request:
     types: [closed]
@@ -24,3 +28,4 @@ jobs:
       app_name: "app"
       environment: "dev"
       pr_number: ${{ inputs.pr_number || github.event.number }}
+      commit_hash: ${{ inputs.commit_hash || github.event.pull_request.head.sha }}

.github/workflows/pr-environment-checks.yml

@@ -42,6 +42,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.commit_hash }}
 
       - name: Set up Terraform
         uses: ./.github/actions/setup-terraform

.github/workflows/pr-environment-destroy.yml

@@ -12,6 +12,9 @@ on:
       pr_number:
         required: true
         type: string
+      commit_hash:
+        required: true
+        type: string
 jobs:
   destroy:
     name: Destroy environment
@@ -27,6 +30,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.commit_hash }}
 
       - name: Set up Terraform
         uses: ./.github/actions/setup-terraform

app/bin/db-drop-schema

@@ -0,0 +1,5 @@
+#!/bin/sh
+echo "Dropping schema..."
+echo "  DB_SCHEMA=$DB_SCHEMA"
+
+./bin/rake db:drop_schema

app/bin/db-migrate

@@ -6,4 +6,9 @@ echo "  DB_USER=$DB_USER"
 echo "  DB_NAME=$DB_NAME"
 echo "  DB_SCHEMA=$DB_SCHEMA"
 
+if [ -n "$DB_SCHEMA" ] && [ "$DB_SCHEMA" != "public" ] && [ "$DB_SCHEMA" != "app" ]; then
+  echo "Creating schema $DB_SCHEMA if it doesn't exist..."
+  ./bin/rake db:create_schema
+fi
+
 ./bin/rake --trace db:migrate

app/config/database.yml

@@ -131,6 +131,7 @@ queue:
   password: <%= ENV.fetch("DB_PASS") { nil } %>
   port: <%= ENV.fetch("DB_PORT") { 5432 } %>
   host: <%= ENV.fetch("DB_HOST") { "localhost" } %>
+  schema_search_path: <%= ENV.fetch("DB_SCHEMA", "app") %>
   aws_rds_iam_auth_token_generator: default
 
 production:
@@ -140,6 +141,7 @@ production:
   password: <%= ENV.fetch("DB_PASS") { nil } %>
   port: <%= ENV.fetch("DB_PORT") { 5432 } %>
   host: <%= ENV.fetch("DB_HOST") { "localhost" } %>
+  schema_search_path: <%= ENV.fetch("DB_SCHEMA", "app") %>
   aws_rds_iam_auth_token_generator: default
 ci:
   <<: *default

app/lib/tasks/schema.rake

@@ -0,0 +1,23 @@
+namespace :db do
+  desc "Create the PostgreSQL schema specified by DB_SCHEMA"
+  task create_schema: :environment do
+    schema = ENV["DB_SCHEMA"]
+    abort("DB_SCHEMA must be set to a non-'public' value (got: #{schema.inspect})") if schema.blank? || schema == "public"
+
+    ActiveRecord::Base.connection.execute(
+      "CREATE SCHEMA IF NOT EXISTS #{ActiveRecord::Base.connection.quote_column_name(schema)}"
+    )
+    Rails.logger.info("Schema '#{schema}' created or already exists.")
+  end
+
+  desc "Drop the PostgreSQL schema specified by DB_SCHEMA"
+  task drop_schema: :environment do
+    schema = ENV["DB_SCHEMA"]
+    abort("DB_SCHEMA must be set to a non-'public' value (got: #{schema.inspect})") if schema.blank? || schema == "public"
+
+    ActiveRecord::Base.connection.execute(
+      "DROP SCHEMA IF EXISTS #{ActiveRecord::Base.connection.quote_column_name(schema)} CASCADE"
+    )
+    Rails.logger.info("Schema '#{schema}' dropped.")
+  end
+end

bin/destroy-pr-environment

@@ -27,6 +27,25 @@ if ! terraform -chdir="infra/${app_name}/service" workspace select "${workspace}
   exit 0
 fi
 
+echo "::group::Drop PR database schema"
+terraform -chdir="infra/${app_name}/app-config" init > /dev/null
+terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null
+has_database=$(terraform -chdir="infra/${app_name}/app-config" output -raw has_database)
+
+if [ "${has_database}" = "true" ]; then
+  migrator_role_arn=$(terraform -chdir="infra/${app_name}/service" output -raw migrator_role_arn)
+  ./bin/run-command \
+    --workspace "${workspace}" \
+    --task-role-arn "${migrator_role_arn}" \
+    "${app_name}" "${environment}" '["db-drop-schema"]'
+else
+  echo "Application does not have a database, skipping schema cleanup"
+fi
+echo "::endgroup::"
+
+# Re-select workspace after run-command reinitializes terraform
+terraform -chdir="infra/${app_name}/service" workspace select "${workspace}"
+
 echo "::group::Destroy resources"
 terraform -chdir="infra/${app_name}/service" destroy -var="environment_name=${environment}" -input=false -auto-approve
 echo "::endgroup::"

bin/run-command

@@ -87,6 +87,11 @@ if [ -n "${workspace}" ]; then
   terraform -chdir="infra/${app_name}/service" workspace select "${workspace}"
 fi
 
+if [ -n "${workspace}" ]; then
+  echo "Selecting Terraform workspace: ${workspace}"
+  terraform -chdir="infra/${app_name}/service" workspace select "${workspace}"
+fi
+
 # Use the same cluster, task definition, and network configuration that the application service uses
 cluster_name=$(terraform -chdir="infra/${app_name}/service" output -raw service_cluster_name)
 service_name=$(terraform -chdir="infra/${app_name}/service" output -raw service_name)

bin/run-database-migrations

@@ -5,6 +5,9 @@
 #    do not update the service
 # 2. Run the "db-migrate" command in the container as a new task
 #
+# Optional parameters:
+#   --workspace <name> – Terraform workspace to select (for PR environments)
+#
 # Positional parameters:
 #   app_name (required) – the name of subdirectory of /infra that holds the
 #     application's infrastructure code.
@@ -15,6 +18,19 @@
 
 set -euo pipefail
 
+workspace=""
+while :; do
+  case "${1:-}" in
+    --workspace)
+      workspace="$2"
+      shift 2
+      ;;
+    *)
+      break
+      ;;
+  esac
+done
+
 app_name="$1"
 image_tag="$2"
 environment="$3"
@@ -40,17 +56,32 @@ fi
 db_migrator_user=$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.database_config.migrator_username")
 
 ./bin/terraform-init "infra/${app_name}/service" "${environment}"
+
+if [ -n "${workspace}" ]; then
+  echo "Selecting Terraform workspace: ${workspace}"
+  terraform -chdir="infra/${app_name}/service" workspace select "${workspace}"
+fi
+
 migrator_role_arn=$(terraform -chdir="infra/${app_name}/service" output -raw migrator_role_arn)
 
 echo
-echo "::group::Step 1. Update task definition without updating service"
 
-TF_CLI_ARGS_apply="-input=false -auto-approve -var=image_tag=${image_tag}
-  -target=module.service.aws_ecs_task_definition.app
-  -target=module.service.aws_iam_role_policy.task_executor" \
-  make infra-update-app-service APP_NAME="${app_name}" ENVIRONMENT="${environment}"
+if [ -n "${workspace}" ]; then
+  # For PR environments, the task definition was already updated by the caller's
+  # terraform apply, so skip the targeted apply (which would reinitialize terraform
+  # and reset the workspace).
+  echo "Skipping task definition update (already applied in workspace ${workspace})"
+else
+  echo "::group::Step 1. Update task definition without updating service"
+
+  TF_CLI_ARGS_apply="-input=false -auto-approve -var=image_tag=${image_tag}
+    -target=module.service.aws_ecs_task_definition.app
+    -target=module.service.aws_iam_role_policy.task_executor" \
+    make infra-update-app-service APP_NAME="${app_name}" ENVIRONMENT="${environment}"
+
+  echo "::endgroup::"
+fi
 
-echo "::endgroup::"
 echo
 echo 'Step 2. Run "db-migrate" command'
 
@@ -64,4 +95,4 @@ environment_variables=$(cat << EOF
 EOF
 )
 
-./bin/run-command --task-role-arn "${migrator_role_arn}" --environment-variables "${environment_variables}" "${app_name}" "${environment}" "${command}"
+./bin/run-command ${workspace:+--workspace "${workspace}"} --task-role-arn "${migrator_role_arn}" --environment-variables "${environment_variables}" "${app_name}" "${environment}" "${command}"