add cert step

2025-09-20 16:34:28 -06:00 · 2025-09-20 16:34:28 -06:00 · cf7725fd53
parent 0e2ac5c9d1
commit cf7725fd53
2 changed files with 44 additions and 4 deletions
--- a/.github/workflows/database-migrations.yml
+++ b/.github/workflows/database-migrations.yml
@ -59,8 +59,26 @@ jobs:
      - name: Install dependencies
        run: pnpm install --frozen-lockfile --prefer-offline
      
+      - name: Download SSL Certificate from S3
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          CERT_S3_URL: ${{ secrets.CERT_S3_URL }}
+        run: |
+          # Create certs directory
+          mkdir -p /tmp/certs
+          
+          # Download the certificate from S3
+          aws s3 cp "$CERT_S3_URL" /tmp/certs/db-cert.pem
+          
+          # Set proper permissions
+          chmod 600 /tmp/certs/db-cert.pem
+          
+          echo "Certificate downloaded successfully"
+      
      - name: Run migrations
        run: pnpm run db:migrate
        env:
          DATABASE_URL: ${{ secrets.DB_URL }}
-          NODE_TLS_REJECT_UNAUTHORIZED: '0'
+          DATABASE_SSL_CERT: /tmp/certs/db-cert.pem
--- a/packages/database/drizzle.config.ts
+++ b/packages/database/drizzle.config.ts
@ -1,5 +1,6 @@
 import { config } from 'dotenv';
 import { defineConfig } from 'drizzle-kit';
+import * as fs from 'fs';

 // Load specific .env file
 config({ path: '../../.env' }); // or '.env.development', '.env.production', etc.
@ -10,15 +11,36 @@ if (!connectionString) {
  throw new Error('DATABASE_URL environment variable is not defined');
 }

+// Check if we have a certificate file specified
+const certPath = process.env.DATABASE_SSL_CERT;
+const isLocalhost = connectionString.includes('localhost') || connectionString.includes('127.0.0.1');
+
+// Configure SSL based on environment
+let sslConfig: any = undefined;
+if (!isLocalhost) {
+  if (certPath && fs.existsSync(certPath)) {
+    // Use the certificate if available
+    sslConfig = {
+      ca: fs.readFileSync(certPath),
+      rejectUnauthorized: true, // With a proper cert, we can validate
+    };
+    console.log('Using SSL certificate from:', certPath);
+  } else {
+    // Fallback to allowing self-signed certificates
+    sslConfig = {
+      rejectUnauthorized: false,
+    };
+    console.log('SSL certificate not found, allowing self-signed certificates');
+  }
+}
+
 export default defineConfig({
  schema: './src/schema.ts',
  out: './drizzle',
  dialect: 'postgresql',
  dbCredentials: {
    url: connectionString || '',
-    ssl: {
-      rejectUnauthorized: false, // Allow self-signed certificates
-    },
+    ...(sslConfig && { ssl: sslConfig }),
  },
  verbose: true,
  strict: true,