Merge pull request #8 from bcgov/SD-128488-BCTS-ODS-GRANT-MANAGEMENT
SD-128488: BCTS ODS grant management
Showing
36 changed files
with
1,685 additions
and
511 deletions.
@@ -0,0 +1,64 @@ | ||
name: Push to GHCR | ||
|
||
on: | ||
push: | ||
branches: ["main"] | ||
|
||
env: | ||
REGISTRY: ghcr.io | ||
DOCKERFILE_PATH: shared/bcts_adhoc_sql | ||
IMAGE_NAME: ${{ github.repository }}-bctsAdhocSql | ||
|
||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
packages: write | ||
id-token: write | ||
|
||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v3 | ||
|
||
- name: Install cosign | ||
if: github.event_name != 'pull_request' | ||
uses: sigstore/cosign-installer@v3.3.0 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | ||
|
||
- name: Log into registry ${{ env.REGISTRY }} | ||
if: github.event_name != 'pull_request' | ||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | ||
with: | ||
registry: ${{ env.REGISTRY }} | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Extract Docker metadata | ||
id: meta | ||
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 | ||
with: | ||
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | ||
|
||
- name: Build and push Docker image | ||
id: build-and-push | ||
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 | ||
with: | ||
# DF-NOTE: to help the action find the Dockerfile to build from | ||
context: ${{ env.DOCKERFILE_PATH }}/ | ||
push: ${{ github.event_name != 'pull_request' }} | ||
tags: ${{ steps.meta.outputs.tags }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
cache-from: type=gha | ||
cache-to: type=gha,mode=max | ||
|
||
- name: Sign the published Docker image | ||
if: ${{ github.event_name != 'pull_request' }} | ||
env: | ||
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable | ||
TAGS: ${{ steps.meta.outputs.tags }} | ||
DIGEST: ${{ steps.build-and-push.outputs.digest }} | ||
|
||
run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} |
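Review bot: `actions/checkout@v3` and `sigstore/cosign-installer@v3.3.0` are pinned to mutable tags, while every `docker/*` action in the same job is pinned to a full commit SHA with a version comment; a moved or compromised tag would run arbitrary code in a job that holds `packages: write` and `id-token: write` and emits signed images. Pin both to their commit SHAs in the same `uses: owner/action@<sha> # vX.Y.Z` form used for `docker/setup-buildx-action`, and add `with: persist-credentials: false` to the checkout since no later step needs the token left in `.git/config`. The three `if: github.event_name != 'pull_request'` guards are dead code with only `on: push` to `main` as trigger; either drop them or add a `pull_request:` trigger so PRs get a build-without-push, which `push: ${{ github.event_name != 'pull_request' }}` already supports. A `paths:` filter on the push trigger (e.g. the `shared/bcts_adhoc_sql/**` context) would also stop unrelated commits from rebuilding and re-signing this image.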
@@ -0,0 +1,64 @@ | ||
name: Push to GHCR | ||
|
||
on: | ||
push: | ||
branches: ["main"] | ||
|
||
env: | ||
REGISTRY: ghcr.io | ||
DOCKERFILE_PATH: shared/bcts_access_management | ||
IMAGE_NAME: ${{ github.repository }}-bctsGrantMngmt | ||
|
||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
packages: write | ||
id-token: write | ||
|
||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v3 | ||
|
||
- name: Install cosign | ||
if: github.event_name != 'pull_request' | ||
uses: sigstore/cosign-installer@v3.3.0 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | ||
|
||
- name: Log into registry ${{ env.REGISTRY }} | ||
if: github.event_name != 'pull_request' | ||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | ||
with: | ||
registry: ${{ env.REGISTRY }} | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Extract Docker metadata | ||
id: meta | ||
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 | ||
with: | ||
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | ||
|
||
- name: Build and push Docker image | ||
id: build-and-push | ||
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 | ||
with: | ||
# DF-NOTE: to help the action find the Dockerfile to build from | ||
context: ${{ env.DOCKERFILE_PATH }}/ | ||
push: ${{ github.event_name != 'pull_request' }} | ||
tags: ${{ steps.meta.outputs.tags }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
cache-from: type=gha | ||
cache-to: type=gha,mode=max | ||
|
||
- name: Sign the published Docker image | ||
if: ${{ github.event_name != 'pull_request' }} | ||
env: | ||
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable | ||
TAGS: ${{ steps.meta.outputs.tags }} | ||
DIGEST: ${{ steps.build-and-push.outputs.digest }} | ||
|
||
run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} |
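Review bot: This workflow is a line-for-line copy of the `bctsAdhocSql` one with only `DOCKERFILE_PATH` and `IMAGE_NAME` changed (and the same `name: Push to GHCR`, so the three runs are indistinguishable in the Actions UI); every hardening change to the login, build or signing steps now has to be made three times and will drift. One workflow with a `strategy.matrix` over the three visible `(context, image)` pairs, or a `workflow_call` reusable workflow taking those two inputs, keeps a single copy of the security-relevant steps. `IMAGE_NAME` also contains upper-case characters (`bctsGrantMngmt`) and `github.repository` may too; ghcr.io rejects upper-case repository paths, and although `docker/metadata-action` is believed to lower-case its `images` input, a lower-case literal such as `bcts-grant-mngmt` removes the dependency on that behaviour. If you go the matrix route, give each entry its own cache scope (`cache-from: type=gha,scope=${{ matrix.image }}` and likewise for `cache-to`) so the three builds do not overwrite one shared GHA cache.
```yaml
env:
  REGISTRY: ghcr.io

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - context: shared/bcts_adhoc_sql
            image: bcts-adhoc-sql
          - context: shared/bcts_access_management
            image: bcts-grant-mngmt
          - context: shared/bcts_reports_etl
            image: bcts-transformations
    # … unchanged: permissions, checkout, cosign install, buildx, registry login …
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
        with:
          images: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.image }}

      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
        with:
          context: ${{ matrix.context }}/
          # … unchanged: push, tags, labels …
          cache-from: type=gha,scope=${{ matrix.image }}
          cache-to: type=gha,mode=max,scope=${{ matrix.image }}
```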
@@ -0,0 +1,64 @@ | ||
name: Push to GHCR | ||
|
||
on: | ||
push: | ||
branches: ["main"] | ||
|
||
env: | ||
REGISTRY: ghcr.io | ||
DOCKERFILE_PATH: shared/bcts_reports_etl | ||
IMAGE_NAME: ${{ github.repository }}-bctsTransformations | ||
|
||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
packages: write | ||
id-token: write | ||
|
||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v3 | ||
|
||
- name: Install cosign | ||
if: github.event_name != 'pull_request' | ||
uses: sigstore/cosign-installer@v3.3.0 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | ||
|
||
- name: Log into registry ${{ env.REGISTRY }} | ||
if: github.event_name != 'pull_request' | ||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | ||
with: | ||
registry: ${{ env.REGISTRY }} | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Extract Docker metadata | ||
id: meta | ||
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 | ||
with: | ||
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | ||
|
||
- name: Build and push Docker image | ||
id: build-and-push | ||
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 | ||
with: | ||
# DF-NOTE: to help the action find the Dockerfile to build from | ||
context: ${{ env.DOCKERFILE_PATH }}/ | ||
push: ${{ github.event_name != 'pull_request' }} | ||
tags: ${{ steps.meta.outputs.tags }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
cache-from: type=gha | ||
cache-to: type=gha,mode=max | ||
|
||
- name: Sign the published Docker image | ||
if: ${{ github.event_name != 'pull_request' }} | ||
env: | ||
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable | ||
TAGS: ${{ steps.meta.outputs.tags }} | ||
DIGEST: ${{ steps.build-and-push.outputs.digest }} | ||
|
||
run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} |
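Review bot: The sign step appears to use keyless Sigstore signing — no key is passed to `cosign sign` and the job requests `id-token: write` — but nothing in the file records the certificate identity that consumers must check, so anyone verifying these images has to reverse-engineer the issuer and workflow identity from the job. Add a comment above the step along the lines of `# Keyless signing with the job's OIDC token; verify with: cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/<owner>/<repo>/.github/workflows/<this-file>@refs/heads/main$' <image>@<digest>`, filling in the real path. The same comment should state that `--yes` only skips the interactive Rekor-upload confirmation and is expected in CI, since a reader may otherwise take it for a verification bypass. Note also that the image is signed by digest but every tag in `TAGS` is looped over; that is fine while `metadata-action` emits only a few tags, but the identity to verify against is the digest, so documenting `<image>@<digest>` rather than a tag is the point to make.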
@@ -0,0 +1,49 @@ | ||
-- Create BCTS ETL executor role. Password should be available only to the DBA | ||
-- 1. Create the etl superuser | ||
CREATE USER bcts_etl_user WITH PASSWORD '<place_holder>'; | ||
|
||
CREATE SCHEMA lrm_replication; | ||
CREATE SCHEMA bcts_staging; | ||
CREATE SCHEMA bcts_reporting; | ||
|
||
-- Create roles for ETL and data consumption | ||
CREATE ROLE BCTS_ETL_ROLE; | ||
CREATE ROLE BCTS_DEV_ROLE; | ||
CREATE ROLE BCTS_STAGE_ANALYST_ROLE; | ||
CREATE ROLE BCTS_STAGE_ANALYST_PI_ROLE; | ||
CREATE ROLE BCTS_ANALYST_ROLE; | ||
CREATE ROLE BCTS_ANALYST_PI_ROLE; | ||
|
||
-- 2. Grant access to schemas lrm_replication, bcts_staging, and bcts_reporting | ||
GRANT USAGE ON SCHEMA lrm_replication TO bcts_etl_user WITH GRANT OPTION; | ||
GRANT USAGE ON SCHEMA bcts_staging TO bcts_etl_user WITH GRANT OPTION; | ||
GRANT USAGE ON SCHEMA bcts_reporting TO bcts_etl_user WITH GRANT OPTION; | ||
|
||
-- 3. Grant read and write access to existing tables in schemas lrm_replication, bcts_staging, and bcts_reporting | ||
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA lrm_replication TO bcts_etl_user WITH GRANT OPTION; | ||
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA bcts_staging TO bcts_etl_user WITH GRANT OPTION; | ||
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA bcts_reporting TO bcts_etl_user WITH GRANT OPTION; | ||
|
||
GRANT USAGE ON SCHEMA ods_data_management TO bcts_etl_user; | ||
GRANT SELECT, INSERT, UPDATE, DELETE ON ods_data_management.cdc_master_table_list TO bcts_etl_user; | ||
GRANT SELECT, INSERT, UPDATE, DELETE ON ods_data_management.audit_batch_status TO bcts_etl_user; | ||
|
||
-- 4. Grant permission to create new tables, functions, etc., in schemas lrm_replication, bcts_staging, and bcts_reporting | ||
GRANT CREATE ON SCHEMA lrm_replication TO bcts_etl_user; | ||
GRANT CREATE ON SCHEMA bcts_staging TO bcts_etl_user; | ||
GRANT CREATE ON SCHEMA bcts_reporting TO bcts_etl_user; | ||
|
||
-- 5. Grant privileges to automatically apply on any new tables created in schemas lrm_replication, bcts_staging, and bcts_reporting | ||
ALTER DEFAULT PRIVILEGES IN SCHEMA lrm_replication GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO bcts_etl_user; | ||
ALTER DEFAULT PRIVILEGES IN SCHEMA bcts_staging GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO bcts_etl_user; | ||
ALTER DEFAULT PRIVILEGES IN SCHEMA bcts_reporting GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO bcts_etl_user; | ||
|
||
-- Grant usage on sequences if needed for ID generation or other purposes | ||
GRANT USAGE ON ALL SEQUENCES IN SCHEMA lrm_replication TO bcts_etl_user; | ||
GRANT USAGE ON ALL SEQUENCES IN SCHEMA bcts_staging TO bcts_etl_user; | ||
GRANT USAGE ON ALL SEQUENCES IN SCHEMA bcts_reporting TO bcts_etl_user; | ||
|
||
-- Set default privileges for sequences | ||
ALTER DEFAULT PRIVILEGES IN SCHEMA lrm_replication GRANT USAGE ON SEQUENCES TO bcts_etl_user; | ||
ALTER DEFAULT PRIVILEGES IN SCHEMA bcts_staging GRANT USAGE ON SEQUENCES TO bcts_etl_user; | ||
ALTER DEFAULT PRIVILEGES IN SCHEMA bcts_reporting GRANT USAGE ON SEQUENCES TO bcts_etl_user; |
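Review bot: `WITH GRANT OPTION` on the six schema-USAGE and table-DML grants to `bcts_etl_user` lets the ETL account hand its privileges to any other role, which contradicts the header comment that access is DBA-managed; the ETL user needs to read and write, not to administer access, so drop `WITH GRANT OPTION` from those statements. The six `CREATE ROLE` statements create roles that receive no privileges and are never granted to `bcts_etl_user` in this script — if `bcts_etl_role` is meant to be the unit of grant management, the grants above should target it and the user should be made a member with `GRANT bcts_etl_role TO bcts_etl_user`; if they are populated elsewhere, a comment pointing there would help. The `-- 1. Create the etl superuser` comment is wrong: `CREATE USER ... WITH PASSWORD` creates an ordinary login role, which is the right choice here, so say `-- 1. Create the ETL login role (not a superuser; privileges are granted below)`. `ALTER DEFAULT PRIVILEGES IN SCHEMA ...` without `FOR ROLE` only covers objects created by whoever runs this script, so tables created in those schemas by other owners will not pick up these grants automatically. Finally, an inline password literal ends up in `psql` history and server logs if the placeholder is replaced in place; setting it afterwards with `\password bcts_etl_user` avoids that.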