Read hasura username from secrets

profiles/dev/config.properties

@@ -49,4 +49,5 @@ db.port=6432
 db.name=authdb
 db.username=dbauth
 db.password=authpassword
+db.hasura.username=dbhasura
 db.session.schema=public

profiles/integration-test/config.properties

@@ -48,3 +48,4 @@ logoutpage.url=https://mylogout.myhost.mydomain:9012
 # Data source config (persistent sessions)
 ############################################
 session.enabled=false
+db.hasura.username=dbhasura

profiles/prod/config.properties

@@ -46,4 +46,5 @@ db.port=5432
 db.name=
 db.username=
 db.password=
+db.hasura.username=
 db.session.schema=

src/main/resources/application.properties

@@ -56,6 +56,7 @@ [email protected]@
 [email protected]@
 [email protected]@
 [email protected]@
+[email protected]@
 [email protected]@
 
 ############################################
@@ -65,3 +66,5 @@ spring.flyway.enabled=true
 spring.flyway.baseline-on-migrate=true
 [email protected]@
 spring.flyway.locations=classpath:db/migration
+spring.flyway.placeholders.dbUsername=${db.username}
+spring.flyway.placeholders.dbHasuraUsername=${db.hasura.username}

src/main/resources/db/migration/V2__usernames_from_secrets.sql

@@ -0,0 +1,12 @@
+-- Grant permissions to login_audit table using secrets
+DO $$
+BEGIN
+    IF EXISTS (SELECT FROM pg_roles WHERE rolname = '${dbUsername}') THEN
+        GRANT SELECT, INSERT ON login_audit TO ${dbUsername};
+        GRANT USAGE, SELECT ON SEQUENCE login_audit_id_seq TO ${dbUsername};
+    END IF;
+    IF EXISTS (SELECT FROM pg_roles WHERE rolname = '${dbHasuraUsername}') THEN
+        GRANT SELECT ON login_audit TO ${dbHasuraUsername};
+        GRANT USAGE, SELECT ON SEQUENCE login_audit_id_seq TO ${dbHasuraUsername};
+    END IF;
+END $$;