Note: Routine migrations are now handled automatically during Helm deployments. See Database Migrations for details. This guide is for manual access when needed (debugging, emergency fixes, Prisma Studio).
This guide walks through connecting to the remote PostgreSQL RDS instance in the dev environment to run Prisma migrations and queries.
- AWS CLI v2 with SSO configured for the
lfx-dev-poweruserprofile - kubectl installed
- Kubeconfig for the dev EKS cluster saved at
~/.kube/dev-lfx-v2
If you don't have the kubeconfig file, ask the platform team for access to the lfx-v2 EKS cluster in us-west-2 (account 788942260905).
aws sso login --profile lfx-dev-poweruserThis opens your browser to complete the SSO flow. Once authenticated, your session is valid for the duration configured by your org (typically 8-12 hours).
Point kubectl to the dev cluster:
export KUBECONFIG=~/.kube/dev-lfx-v2Verify you can reach the cluster:
kubectl get namespacesYou should see namespaces like lfx, ui, argocd, etc.
The lfx namespace has an rds-proxy pod that bridges to the RDS instance. Forward its PostgreSQL port to your local machine:
kubectl port-forward -n lfx deployment/rds-proxy 5433:5432Note: We use port
5433locally to avoid conflicting with a local PostgreSQL on5432.
Leave this running in a dedicated terminal tab.
In apps/lfx-changelog/.env, swap the DATABASE_URL to point at the tunnel:
# Comment out the local DB
# DATABASE_URL="postgresql://changelog:changelog_dev@localhost:5432/lfx_changelog?schema=public"
# Use the remote RDS via tunnel
DATABASE_URL="postgresql://changelog:<PASSWORD>@localhost:5433/changelog?schema=public&sslmode=require"The RDS credentials are stored in AWS Secrets Manager:
aws secretsmanager get-secret-value \
--profile lfx-dev-poweruser \
--region us-west-2 \
--secret-id '/cloudops/rds-managed/lfx-v2/changelog' \
--query 'SecretString' \
--output textImportant: The password may contain special characters that must be percent-encoded for use in a URL connection string. Use a URL encoder or Node.js encodeURIComponent() to encode the password before placing it in the DATABASE_URL.
With the tunnel active and DATABASE_URL pointing at it, run Prisma from the app directory:
cd apps/lfx-changelog
# Check migration status
yarn prisma migrate status
# Apply pending migrations
yarn prisma migrate deploy
# Open Prisma Studio to browse data
yarn prisma studioWarning:
migrate deployapplies migrations to the remote database. Double-check you're targeting the correct environment before running.
When you're done:
- Restore your
.envback to the local database URL - Stop the port forward with
Ctrl+Cin the terminal running it
| Local (Docker) | Remote (RDS) | |
|---|---|---|
| Host | localhost:5432 |
localhost:5433 (via tunnel) |
| Database name | lfx_changelog |
changelog |
| SSL | Not required | Required (sslmode=require) |
| Credentials | changelog / changelog_dev |
From AWS Secrets Manager |
The RDS requires SSL. Add &sslmode=require to your DATABASE_URL.
The port forward likely dropped. Restart it with the kubectl port-forward command from step 3.
Re-run aws sso login --profile lfx-dev-poweruser.
Make sure KUBECONFIG is set: export KUBECONFIG=~/.kube/dev-lfx-v2