Address pgweb feedback (#331)

pantherman594 · web-flow · commit 958d8bc8f7bf · 2026-03-03T09:49:24.000-05:00
Addresses feedback left on #329 Also downgrades to pgweb user and shows a disabled prompt when attempting to access an aurora database in another region <img width="1856" height="1681" alt="image" src="https://github.com/user-attachments/assets/41b15d55-d570-45a6-89e0-e2cb3b5dbfea" />
diff --git a/src/pgweb/.devcontainer.json b/src/pgweb/.devcontainer.json
@@ -13,15 +13,10 @@
   ],
   "postStartCommand": "/workspace/start-bookmark-refresh.sh",
   "features": {
-    "ghcr.io/devcontainers/features/common-utils:2": {
-      "installZsh": false,
-      "installOhMyZsh": false,
-      "upgradePackages": false
-    },
-    "ghcr.io/devcontainers/features/java:1": {
+    "ghcr.io/devcontainers/features/java@sha256:e75d274ac969b29a59ba6f34c2d098f6a52144d0ec027ef326b724ea4b8b7b4e": {
       "version": "17"
     },
-    "ghcr.io/devcontainers/features/aws-cli:1": {}
+    "ghcr.io/devcontainers/features/aws-cli@sha256:bbc9fd513c22e331953126c75ad7b2ed1f9044f1cd5890b7073b634810459b18": {}
   },
   "remoteUser": "root"
 }
diff --git a/src/pgweb/Dockerfile b/src/pgweb/Dockerfile
@@ -0,0 +1,12 @@
+FROM sosedoff/pgweb
+
+USER root
+
+RUN apt-get update && \
+    apt-get -y install sudo && \
+    apt-get -y clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    mkdir -p /pgweb && \
+    chown pgweb:pgweb /pgweb
+
+USER pgweb
diff --git a/src/pgweb/README.md b/src/pgweb/README.md
@@ -18,6 +18,9 @@ Once deployed in Workbench, access the pgweb UI at the app URL (port 8081).
 
 The app automatically discovers all Aurora databases in your Workbench workspace and creates pre-configured connection bookmarks with fresh IAM authentication tokens.
 
+For more information on how pgweb bookmarks work, see [Server Connection
+Bookmarks](https://github.com/sosedoff/pgweb/wiki/Server-Connection-Bookmarks).
+
 ### How It Works
 
 1. **Auto-Discovery**: Every 10 minutes, the app queries `wb resource list` to find all Aurora databases
diff --git a/src/pgweb/docker-compose.yaml b/src/pgweb/docker-compose.yaml
@@ -3,13 +3,9 @@ services:
     # The container name must be "application-server"
     container_name: "application-server"
     # This can be either a pre-existing image or built from a Dockerfile
-    image: "sosedoff/pgweb"
-    # build:
-    #   context: .
-    # Override the default entrypoint to use our custom script
-    entrypoint: []
-    command: ["pgweb", "--sessions", "--bind=0.0.0.0", "--listen=8081", "--bookmarks-dir=/root/.pgweb/bookmarks"]
-    user: "root"
+    build:
+      context: .
+    command: ["--sessions", "--bookmarks-dir=/pgweb/bookmarks"]
     restart: always
     volumes:
       - .:/workspace:cached
diff --git a/src/pgweb/refresh-bookmarks.sh b/src/pgweb/refresh-bookmarks.sh
@@ -5,12 +5,22 @@ set -o nounset
 
 # Allow overriding via environment for local testing
 readonly WB_EXE="${WB_EXE:-/usr/bin/wb}"
-readonly PGWEB_BASE="${PGWEB_BASE:-/root/.pgweb}"
+readonly PGWEB_BASE="${PGWEB_BASE:-/pgweb}"
 readonly BOOKMARK_DIR="${PGWEB_BASE}/bookmarks"
 
 # Create base directory if it doesn't exist
 mkdir -p "${PGWEB_BASE}"
 
+# Helper function to get AWS region
+get_region() {
+  local imds_token
+  imds_token="$(wget --method=PUT --header "X-aws-ec2-metadata-token-ttl-seconds:600" -q -O - http://169.254.169.254/latest/api/token)"
+  local region
+  region="$(wget --header "X-aws-ec2-metadata-token: ${imds_token}" -q -O - http://169.254.169.254/latest/meta-data/placement/region)"
+
+  echo "${region}"
+}
+
 # Helper function to get credentials and generate IAM auth token
 generate_iam_token() {
   local resource_id="${1}"
@@ -76,6 +86,10 @@ refresh_bookmarks() {
   RESOURCES=$(${WB_EXE} resource list --format json)
   readonly RESOURCES
 
+  local VM_REGION
+  VM_REGION=$(get_region)
+  readonly VM_REGION
+
   # Process each resource
   echo "${RESOURCES}" | jq -c '.[]' | while read -r resource; do
     local RESOURCE_TYPE
@@ -119,6 +133,12 @@ refresh_bookmarks() {
       continue
     fi
 
+    if [[ "${REGION}" != "${VM_REGION}" ]]; then
+      echo "    Resource region (${REGION}) does not match VM region (${VM_REGION}), skipping"
+      touch "${TEMP_DIR}/${RESOURCE_ID} (Disabled - Cross Region).toml"
+      continue
+    fi
+
     # Try to create READ_ONLY bookmark
     echo "    Checking read access..."
     local RO_TOKEN
diff --git a/src/pgweb/start-bookmark-refresh.sh b/src/pgweb/start-bookmark-refresh.sh
@@ -3,10 +3,12 @@ set -o errexit
 set -o pipefail
 set -o nounset
 
+readonly PGWEB_BASE="${PGWEB_BASE:-/pgweb}"
+
 echo "Starting bookmark refresh for pgweb..."
 
 # Create base directory (but not bookmarks subdirectory - that will be a symlink)
-mkdir -p /root/.pgweb
+mkdir -p "${PGWEB_BASE}"
 
 # Make sure refresh script is executable
 chmod +x /workspace/refresh-bookmarks.sh
@@ -24,7 +26,7 @@ nohup bash -c '
     sleep 600  # 10 minutes
     /workspace/refresh-bookmarks.sh || echo "$(date): WARNING: Bookmark refresh failed"
   done
-' >> /root/.pgweb/refresh.log 2>&1 &
+' >> "${PGWEB_BASE}/refresh.log" 2>&1 &
 
 REFRESH_PID=$!
 echo "Bookmark refresh service configured (background PID: ${REFRESH_PID})"
