buster/api/migrations/2025-04-23-133127_migrate_s.../up.sql

-- Your SQL goes here

-- Migrate existing secrets linked to data_sources to use the vault functions.
-- This assumes the previous link was via data_sources.id = vault.secrets.id
-- and that data_sources has a nullable UUID column named 'secret_id' to store the new link.

-- Create a temporary table to store the mapping between old IDs and new IDs generated by vault.create_secret
CREATE TEMP TABLE temp_secret_migration (
    old_secret_id UUID PRIMARY KEY,
    data_source_id UUID NOT NULL UNIQUE, -- The data_source.id used as the 'name'
    new_secret_id UUID NOT NULL,         -- The new UUID returned by vault.create_secret
    secret_value TEXT NOT NULL           -- Store the value in case it's needed (e.g., for complex down migration)
);

-- Populate the temporary table by iterating over existing data_sources that have a corresponding secret
-- Assuming the old link was data_sources.id = vault.secrets.id
-- Read the decrypted secret value to pass to the new function
INSERT INTO temp_secret_migration (old_secret_id, data_source_id, new_secret_id, secret_value)
SELECT
    ds.id AS old_secret_id,
    ds.id AS data_source_id,
    -- Call vault.create_secret: Use decrypted value, data_source.id as name, and a description
    vault.create_secret(
        sec.decrypted_secret,
        ds.id::text, -- Use data_source.id as the 'name'
        'Migrated secret for data source ' || ds.id::text -- Add a helpful description
    ) AS new_secret_id,
    sec.decrypted_secret AS secret_value
FROM
    data_sources ds
JOIN
    -- Read the decrypted value using the ID that matches the data_source id
    -- If the join was different (e.g., on data_sources.secret_id), adjust here.
    vault.decrypted_secrets sec ON ds.id = sec.id;

-- Update the data_sources table to point to the newly created secret ID
-- This assumes data_sources has a 'secret_id' column to store the new reference
UPDATE data_sources ds
SET secret_id = tsm.new_secret_id
FROM temp_secret_migration tsm
WHERE ds.id = tsm.data_source_id; -- Match based on the data_source_id

-- Drop the temporary table
DROP TABLE temp_secret_migration;
stored values sync on background job 2025-04-24 01:46:56 +08:00			`-- Your SQL goes here`

			`-- Migrate existing secrets linked to data_sources to use the vault functions.`
			`-- This assumes the previous link was via data_sources.id = vault.secrets.id`
			`-- and that data_sources has a nullable UUID column named 'secret_id' to store the new link.`

			`-- Create a temporary table to store the mapping between old IDs and new IDs generated by vault.create_secret`
			`CREATE TEMP TABLE temp_secret_migration (`
			`old_secret_id UUID PRIMARY KEY,`
			`data_source_id UUID NOT NULL UNIQUE, -- The data_source.id used as the 'name'`
			`new_secret_id UUID NOT NULL, -- The new UUID returned by vault.create_secret`
			`secret_value TEXT NOT NULL -- Store the value in case it's needed (e.g., for complex down migration)`
			`);`

			`-- Populate the temporary table by iterating over existing data_sources that have a corresponding secret`
			`-- Assuming the old link was data_sources.id = vault.secrets.id`
			`-- Read the decrypted secret value to pass to the new function`
			`INSERT INTO temp_secret_migration (old_secret_id, data_source_id, new_secret_id, secret_value)`
			`SELECT`
			`ds.id AS old_secret_id,`
			`ds.id AS data_source_id,`
			`-- Call vault.create_secret: Use decrypted value, data_source.id as name, and a description`
			`vault.create_secret(`
			`sec.decrypted_secret,`
			`ds.id::text, -- Use data_source.id as the 'name'`
			`'Migrated secret for data source ' \|\| ds.id::text -- Add a helpful description`
			`) AS new_secret_id,`
			`sec.decrypted_secret AS secret_value`
			`FROM`
			`data_sources ds`
			`JOIN`
			`-- Read the decrypted value using the ID that matches the data_source id`
			`-- If the join was different (e.g., on data_sources.secret_id), adjust here.`
			`vault.decrypted_secrets sec ON ds.id = sec.id;`

			`-- Update the data_sources table to point to the newly created secret ID`
			`-- This assumes data_sources has a 'secret_id' column to store the new reference`
			`UPDATE data_sources ds`
			`SET secret_id = tsm.new_secret_id`
			`FROM temp_secret_migration tsm`
			`WHERE ds.id = tsm.data_source_id; -- Match based on the data_source_id`

			`-- Drop the temporary table`
			`DROP TABLE temp_secret_migration;`