revert permissions

Author: davidgamez

.github/workflows/db-update-dev.yml

@@ -34,7 +34,6 @@ jobs:
       USER_DB_ENVIRONMENT: ${{ vars.DEV_MOBILITY_FEEDS_ENVIRONMENT }}
       # DRY_RUN: use provided input if defined (workflow_dispatch/workflow_call); fallback to false on push events
       DRY_RUN: ${{ inputs.DRY_RUN || false }}
-      USERS_APP_ROLE_1PASSWORD: ${{ vars.DEV_POSTGRE_USER_APP_NAME_1PASSWORD }}
     secrets:
       DB_USER_PASSWORD: ${{ secrets.DEV_POSTGRE_USER_PASSWORD }}
       DB_USER_NAME: ${{ secrets.DEV_POSTGRE_USER_NAME }}

.github/workflows/db-update-prod.yml

@@ -26,7 +26,6 @@ jobs:
       DB_ENVIRONMENT: ${{ vars.PROD_MOBILITY_FEEDS_ENVIRONMENT }}
       # DRY_RUN is passed through directly from inputs
       DRY_RUN: ${{ inputs.DRY_RUN }}
-      USERS_APP_ROLE_1PASSWORD: ${{ vars.PROD_POSTGRE_USER_APP_NAME_1PASSWORD }}
     secrets:
       # DB auth and connectivity
       DB_USER_PASSWORD: ${{ secrets.PROD_POSTGRE_USER_PASSWORD }}

.github/workflows/db-update-qa.yml

@@ -26,7 +26,6 @@ jobs:
       DB_ENVIRONMENT: ${{ vars.QA_MOBILITY_FEEDS_ENVIRONMENT }}
       # DRY_RUN is passed through directly from inputs
       DRY_RUN: ${{ inputs.DRY_RUN }}
-      USERS_APP_ROLE_1PASSWORD: ${{ vars.QA_POSTGRE_USER_APP_NAME_1PASSWORD }}
     secrets:
       # DB auth and connectivity
       DB_USER_PASSWORD: ${{ secrets.QA_POSTGRE_USER_PASSWORD }}

.github/workflows/db-update.yml

@@ -29,11 +29,6 @@ on:
         required: false
         default: ''
         type: string
-      USERS_APP_ROLE_1PASSWORD:
-        description: 1Password reference for the PostgreSQL role used by the users-DB application (e.g. op://vault/item/field).
-        required: false
-        default: ''
-        type: string
     secrets:
       DB_USER_PASSWORD: #
         description: PostgreSQL User Password
@@ -81,7 +76,6 @@ jobs:
         GCP_FEED_SSH_USER: "op://rbiv7rvkkrsdlpcrz3bmv7nmcu/GCP_FEED_SSH_USER/username"
         GCP_FEED_BASTION_NAME: "op://rbiv7rvkkrsdlpcrz3bmv7nmcu/GCP_FEED_BASTION_NAME/username"
         GCP_FEED_BASTION_SSH_KEY: "op://rbiv7rvkkrsdlpcrz3bmv7nmcu/GCP_FEED_BASTION_SSH_KEY/private key"
-        USERS_APP_ROLE: ${{ inputs.USERS_APP_ROLE_1PASSWORD }}
 
     - name: Tunnel
       run: |
@@ -140,5 +134,5 @@ jobs:
         export LIQUIBASE_COMMAND_USERNAME=${{ secrets.DB_USER_NAME }}
         export LIQUIBASE_COMMAND_PASSWORD=${{ secrets.DB_USER_PASSWORD }}
         export LIQUIBASE_LOG_LEVEL=FINE
-        liquibase update -Dusers_app_role=${{ env.USERS_APP_ROLE }}
+        liquibase update
 

docker-compose.yaml

@@ -103,7 +103,6 @@ services:
       - --log-level=1
       - --classpath=postgresql-42.7.8.jar
       - update
-      - -Dusers_app_role=${POSTGRES_USER}
     depends_on:
       postgres:
         condition: service_healthy
@@ -123,7 +122,6 @@ services:
       - --log-level=1
       - --classpath=postgresql-42.7.8.jar
       - update
-      - -Dusers_app_role=${POSTGRES_USER}
     depends_on:
       postgres-test:
         condition: service_healthy

liquibase/changelog_user.xml

@@ -15,6 +15,4 @@
     <include file="changes_user/feat_1684.sql" relativeToChangelogFile="true"/>
     <!-- Add feature_flag and user_feature_flag tables -->
     <include file="changes_user/feat_1694.sql" relativeToChangelogFile="true"/>
-    <!-- Grant app role access to all users DB tables (covers future tables via ALTER DEFAULT PRIVILEGES) -->
-    <include file="changes_user/feat_1694_grants.sql" relativeToChangelogFile="true"/>
 </databaseChangeLog>