Update the version of the PostGIS image for Azure mock DB: 12 -> 15

.github/renovate.json5

@@ -1,7 +1,7 @@
 {
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
   extends: [
-    "github>HSLdevcom/jore4-tools//renovatebot/jore4-default-preset.json5",
+    "github>HSLdevcom/jore4-tools/renovatebot/jore4-default-preset.json5",
   ],
 
   // repository-specific additional rules about grouping, exclusions and inclusions

azuredbmock/Dockerfile

@@ -1,25 +1,22 @@
-# Builder docker image.
-FROM postgis/postgis:12-3.1
+# As of 2025-02, in Azure PostgreSQL Flexible Server v15, the most recent
+# available version of the PostGIS extension is 3.3.1.
+FROM postgis/postgis:15-3.3
 
 # fix collations to use fi_FI
 RUN localedef -i fi_FI -c -f UTF-8 -A /usr/share/locale/locale.alias fi_FI.UTF-8
 ENV LANG fi_FI.utf8
 
-# install curl
-RUN apt-get update && \
-  apt-get install curl -y
-
 # download script for reading docker secrets
-RUN curl -o /tmp/read-secrets.sh "https://raw.githubusercontent.com/HSLdevcom/jore4-tools/main/docker/read-secrets.sh"
+ADD https://raw.githubusercontent.com/HSLdevcom/jore4-tools/main/docker/read-secrets.sh /jore4/scripts/read-secrets.sh
 
-COPY 00-initialize.sql /migrations/00-initialize.sql
-COPY replace-placeholders-in-sql-schema-migrations.sh /scripts/replace-placeholders-in-sql-schema-migrations.sh
+COPY migrations/ /jore4/migrations/
+COPY replace-placeholders-in-sql-schema-migrations.sh /jore4/scripts/replace-placeholders-in-sql-schema-migrations.sh
 
-COPY entrypoint.sh /usr/local/bin/
+COPY docker-entrypoint.sh /jore4/scripts/
 
-ENTRYPOINT ["entrypoint.sh"]
+ENTRYPOINT ["/jore4/scripts/docker-entrypoint.sh"]
 CMD ["postgres"]
 
 # have to source the secrets here as well, otherwise the POSTGRES_USER and/or POSTGRES_DB variables might not exist
 HEALTHCHECK --interval=5s --timeout=5s --start-period=10s --retries=20 \
-  CMD bash -c "source /tmp/read-secrets.sh && pg_isready -h localhost -U \${POSTGRES_USER} -d \${POSTGRES_DB}"
+  CMD bash -c "source /jore4/scripts/read-secrets.sh && pg_isready -h localhost -U \${POSTGRES_USER} -d \${POSTGRES_DB}"

azuredbmock/entrypoint.sh → azuredbmock/docker-entrypoint.sh

@@ -3,16 +3,16 @@
 set -Eeuo pipefail
 
 # read the secrets to environment variables
-source /tmp/read-secrets.sh
+source /jore4/scripts/read-secrets.sh
 
 # copy the migrations scripts to the docker-entrypoint-initdb.d folder so that the postgres entrypoint
 # executes them (together with the other migrations that might have been mapped as a volume)
 mkdir -p /docker-entrypoint-initdb.d
-cp /migrations/* /docker-entrypoint-initdb.d/
+cp /jore4/migrations/* /docker-entrypoint-initdb.d/
 
 # replace placeholders with secrets within the all migration SQL scripts
 SECRET_STORE_BASE_PATH="${SECRET_STORE_BASE_PATH:-/run/secrets}"
-REPLACE_PLACEHOLDERS_SCRIPT='/scripts/replace-placeholders-in-sql-schema-migrations.sh'
+REPLACE_PLACEHOLDERS_SCRIPT='/jore4/scripts/replace-placeholders-in-sql-schema-migrations.sh'
 MIGRATIONS_DIR="/docker-entrypoint-initdb.d/"
 "${REPLACE_PLACEHOLDERS_SCRIPT}" "${SECRET_STORE_BASE_PATH}" "${MIGRATIONS_DIR}"
 

azuredbmock/migrations/01-create-roles.sql

@@ -0,0 +1,14 @@
+-- These database roles are also created in the azure-infra-jore4aks (Azure
+-- DevOps) repository.
+CREATE USER xxx_db_auth_username_xxx PASSWORD 'xxx_db_auth_password_xxx';
+CREATE USER xxx_db_jore3importer_username_xxx PASSWORD 'xxx_db_jore3importer_password_xxx';
+CREATE USER xxx_db_hasura_username_xxx PASSWORD 'xxx_db_hasura_password_xxx';
+CREATE USER xxx_db_tiamat_username_xxx PASSWORD 'xxx_db_tiamat_password_xxx';
+CREATE USER xxx_db_timetables_api_username_xxx PASSWORD 'xxx_db_timetables_api_password_xxx';
+
+-- Make the hasura role a member of jore3importer role because both roles must
+-- have ownership of tables and sequences in the default database (network and
+-- routes) since both are responsible for populating and truncating tables in
+-- the aforementioned database. In particular, sequence reset requires an
+-- ownership and cannot be granted as a privilege.
+GRANT xxx_db_jore3importer_username_xxx TO xxx_db_hasura_username_xxx;

azuredbmock/migrations/02-create-network-database.sql

@@ -0,0 +1,33 @@
+-- Make the JORE4 admin role the owner of the public schema.
+ALTER SCHEMA public OWNER TO CURRENT_USER;
+
+-- Create the extensions used, see https://hasura.io/docs/latest/graphql/core/deployment/postgres-requirements.html
+-- Create the extensions in the public schema, since we'd need to give additional privileges ("use schema") to any
+-- user who wishes to use these in the future. Also, Hasura would require additional setup to be able to use the
+-- extensions from another schema.
+CREATE EXTENSION IF NOT EXISTS btree_gist WITH SCHEMA public;
+CREATE EXTENSION IF NOT EXISTS pgcrypto WITH SCHEMA public;
+CREATE EXTENSION IF NOT EXISTS postgis WITH SCHEMA public;
+
+-- Allow Hasura to connect and create new schemas.
+GRANT CONNECT, CREATE ON DATABASE xxx_db_hasura_name_xxx TO xxx_db_hasura_username_xxx;
+
+-- Grant required privileges in the public schema to the Hasura user.
+GRANT ALL ON SCHEMA public TO xxx_db_hasura_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx_db_hasura_username_xxx;
+GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO xxx_db_hasura_username_xxx;
+
+-- Grant select permissions on information_schema and pg_catalog to the Hasura
+-- user.
+GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO xxx_db_hasura_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO xxx_db_hasura_username_xxx;
+
+-- Allow the JORE3-Importer role to connect to the network database.
+GRANT CONNECT ON DATABASE xxx_db_hasura_name_xxx TO xxx_db_jore3importer_username_xxx;
+
+-- Grant the JORE3-Importer role to access the public schema and the objects and
+-- functions created by extensions. Other schema-specific privileges are granted
+-- in Hasura migrations.
+GRANT USAGE ON SCHEMA public TO xxx_db_jore3importer_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx_db_jore3importer_username_xxx;
+GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO xxx_db_jore3importer_username_xxx;

azuredbmock/migrations/03-create-auth-database.sql

@@ -0,0 +1,12 @@
+CREATE DATABASE xxx_db_auth_name_xxx;
+
+-- Allow the auth role to connect and create new schemas.
+GRANT CONNECT, CREATE ON DATABASE xxx_db_auth_name_xxx TO xxx_db_auth_username_xxx;
+
+\connect xxx_db_auth_name_xxx;
+
+-- Make the JORE4 admin role the owner of the public schema.
+ALTER SCHEMA public OWNER TO CURRENT_USER;
+
+-- Grant full schema access to the public schema to the auth role.
+GRANT ALL ON SCHEMA public TO xxx_db_auth_username_xxx;

azuredbmock/migrations/04-create-jore3importer-database.sql

@@ -0,0 +1,25 @@
+CREATE DATABASE xxx_db_jore3importer_name_xxx;
+
+-- Allow the jore3importer role to connect and create new schemas.
+GRANT CONNECT, CREATE ON DATABASE xxx_db_jore3importer_name_xxx TO xxx_db_jore3importer_username_xxx;
+
+\connect xxx_db_jore3importer_name_xxx;
+
+-- Make the JORE4 admin role the owner of the public schema.
+ALTER SCHEMA public OWNER TO CURRENT_USER;
+
+-- Create the extensions that JORE3-Importer needs. In PostgreSQL v15 server,
+-- an ordinary user (without admin roles) may not be able to create extensions.
+CREATE EXTENSION IF NOT EXISTS btree_gist WITH SCHEMA public;
+CREATE EXTENSION IF NOT EXISTS pgcrypto WITH SCHEMA public;
+
+-- Grant privileges in the public schema to the jore3importer role.
+GRANT USAGE ON SCHEMA public TO xxx_db_jore3importer_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx_db_jore3importer_username_xxx;
+GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO xxx_db_jore3importer_username_xxx;
+
+-- Grant permission on the pg_catalog schema to conditionally create an
+-- extension if the extension is not already created. This must be granted so
+-- that the JORE3-Importer role can conditionally create the extension depending
+-- on which database is involved (there are several in the importer's test setup).
+GRANT SELECT ON TABLE pg_catalog.pg_extension TO xxx_db_jore3importer_username_xxx;

azuredbmock/migrations/05-create-timetables-database.sql

@@ -0,0 +1,36 @@
+CREATE DATABASE xxx_db_timetables_name_xxx;
+
+-- Allow Hasura to connect and create new schemas.
+GRANT CONNECT, CREATE ON DATABASE xxx_db_timetables_name_xxx TO xxx_db_hasura_username_xxx;
+
+-- Interval outputs by default are using the sql format ('3 4:05:06'). Here we
+-- are switching to ISO 8601 format ('P3DT4H5M6S').
+ALTER DATABASE xxx_db_timetables_name_xxx SET intervalstyle = 'iso_8601';
+
+-- Switch database context to be able to add extensions there.
+\connect xxx_db_timetables_name_xxx;
+
+-- Make the JORE4 admin role the owner of the public schema.
+ALTER SCHEMA public OWNER TO CURRENT_USER;
+
+CREATE EXTENSION IF NOT EXISTS btree_gist WITH SCHEMA public;
+CREATE EXTENSION IF NOT EXISTS pgcrypto WITH SCHEMA public;
+
+-- Grant required privileges in the public schema to Hasura.
+GRANT ALL ON SCHEMA public TO xxx_db_hasura_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx_db_hasura_username_xxx;
+GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO xxx_db_hasura_username_xxx;
+
+-- Grant select permissions on information_schema and pg_catalog to Hasura.
+GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO xxx_db_hasura_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO xxx_db_hasura_username_xxx;
+
+-- Allow the timetables-api role to connect to the timetables database.
+GRANT CONNECT ON DATABASE xxx_db_timetables_name_xxx TO xxx_db_timetables_api_username_xxx;
+
+-- Grant the timetables-api role to access the public schema and the objects and
+-- functions created by extensions. Other schema-specific privileges are granted
+-- in Hasura migrations.
+GRANT USAGE ON SCHEMA public TO xxx_db_timetables_api_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx_db_timetables_api_username_xxx;
+GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO xxx_db_timetables_api_username_xxx;

azuredbmock/migrations/06-create-stopregistry-database.sql

@@ -0,0 +1,39 @@
+CREATE DATABASE xxx_db_tiamat_name_xxx;
+
+-- Allow Tiamat to connect and create new schemas.
+GRANT CONNECT, CREATE ON DATABASE xxx_db_tiamat_name_xxx TO xxx_db_tiamat_username_xxx;
+
+-- Switch database context to initialise it to the state where Tiamat can use
+-- it.
+\connect xxx_db_tiamat_name_xxx;
+
+-- Make the JORE4 admin role the owner of the public schema.
+ALTER SCHEMA public OWNER TO CURRENT_USER;
+
+CREATE EXTENSION IF NOT EXISTS pg_trgm WITH SCHEMA public;
+CREATE EXTENSION IF NOT EXISTS postgis WITH SCHEMA public;
+
+-- Grant required privileges in the public schema to Tiamat.
+GRANT ALL ON SCHEMA public TO xxx_db_tiamat_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx_db_tiamat_username_xxx;
+GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO xxx_db_tiamat_username_xxx;
+
+-- Create "topology" schema and install the "postgis_topology" extension to it.
+-- The Tiamat role needs ownership to the schema and its tables.
+CREATE SCHEMA IF NOT EXISTS topology;
+CREATE EXTENSION IF NOT EXISTS postgis_topology WITH SCHEMA topology;
+ALTER SCHEMA topology OWNER TO xxx_db_tiamat_username_xxx;
+-- The "postgis_topology" extension creates two tables.
+ALTER TABLE topology.layer OWNER TO xxx_db_tiamat_username_xxx;
+ALTER TABLE topology.topology OWNER TO xxx_db_tiamat_username_xxx;
+
+-- Grant Hasura read permissions to the stop registry database.
+GRANT CONNECT ON DATABASE xxx_db_tiamat_name_xxx TO xxx_db_hasura_username_xxx;
+
+GRANT USAGE ON SCHEMA public TO xxx_db_hasura_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx_db_hasura_username_xxx;
+ALTER DEFAULT PRIVILEGES FOR USER xxx_db_tiamat_username_xxx IN SCHEMA public GRANT SELECT ON TABLES TO xxx_db_hasura_username_xxx;
+
+GRANT USAGE ON SCHEMA topology TO xxx_db_hasura_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA topology TO xxx_db_hasura_username_xxx;
+ALTER DEFAULT PRIVILEGES FOR USER xxx_db_tiamat_username_xxx IN SCHEMA topology GRANT SELECT ON TABLES TO xxx_db_hasura_username_xxx;