@acsrujanchecks…feat/iam-migration-fallback → production2 files · +61 −11review: @abir-taheerreview: @anshugarg15updated 2w agoWhen ADMIN_DATABASE_URL (Apollo) or THERMOS_ADMIN_DATABASE_URL / THERMOS_WORKER_ADMIN_DB (Thermos) are not present in Doppler, migration jobs now generate a short-lived RDS IAM auth token for the postgres master user instead of requiring a stored password.
Logic per migration step:
aws rds generate-db-auth-token → URL-encode token → build connection URL on the flyWhy IAM-only makes sense here:
self-hosted runner (EC2), which already has an instance profile — no credentials to store or rotatepostgres master user has rds_iam granted and its password has been rotated to an unknown valuedoppler run subshell and never written to disk or logsScope:
.github/workflows/apollo_migrations_and_deploy.yaml — wraps the make migrate call.github/workflows/thermos_prod_docker_and_deploy.yaml — wraps both registrydb and workerdb Atlas stepsStaging is unaffected: staging uses ubuntu-latest (no instance profile), so ADMIN_DATABASE_URL must still be set in Doppler for staging — the aws sts get-caller-identity check will fail and the step errors out clearly.
aws sts get-caller-identity guard correctly gates the IAM path🤖 Generated with Claude Code
Based on git blame analysis of 2 file(s):
| Contributor | Contribution | Files |
|---|---|---|
| anshugarg15 | 38% | 2 |
| Zen | 36% | 2 |
| lingalarahul7 | 12% | 2 |
| sarthak | 11% | 2 |
| devin-ai-integration[bot] | 2% | 1 |
Based on git history, anshugarg15 or Zen would be good reviewer(s) for this PR.
🤖 Based on git blame with recency weighting (recent edits count more).