{"id":50759311,"url":"https://github.com/datarocks-ag/postgres-provisioner","last_synced_at":"2026-06-11T08:30:34.866Z","repository":{"id":353813621,"uuid":"1152726890","full_name":"datarocks-ag/postgres-provisioner","owner":"datarocks-ag","description":"A Go CLI tool that idempotently provisions PostgreSQL resources (roles, databases, extensions, schemas, grants) from a YAML config file. Designed as a Docker Compose init container that runs before your application starts.","archived":false,"fork":false,"pushed_at":"2026-04-25T18:09:31.000Z","size":141,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"develop","last_synced_at":"2026-04-25T18:28:01.776Z","etag":null,"topics":["devops","docker","go","postgres","provisioner"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/datarocks-ag.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-08T10:37:09.000Z","updated_at":"2026-04-25T18:09:33.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/datarocks-ag/postgres-provisioner","commit_stats":null,"previous_names":["datarocks-ag/postgres-provisioner"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/datarocks-ag/postgres-provisioner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datarocks-ag%2Fpostgres-provisioner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datarocks-ag%2Fpostgres-provisioner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datarocks-ag%2Fpostgres-provisioner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datarocks-ag%2Fpostgres-provisioner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/datarocks-ag","download_url":"https://codeload.github.com/datarocks-ag/postgres-provisioner/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datarocks-ag%2Fpostgres-provisioner/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34190582,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-11T02:00:06.485Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devops","docker","go","postgres","provisioner"],"created_at":"2026-06-11T08:30:34.073Z","updated_at":"2026-06-11T08:30:34.860Z","avatar_url":"https://github.com/datarocks-ag.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# postgres-provisioner\n\n[![CI](https://github.com/datarocks-ag/postgres-provisioner/actions/workflows/ci.yaml/badge.svg)](https://github.com/datarocks-ag/postgres-provisioner/actions/workflows/ci.yaml)\n![coverage](https://raw.githubusercontent.com/datarocks-ag/postgres-provisioner/badges/.badges/develop/coverage.svg)\n\nA Go CLI tool that idempotently provisions PostgreSQL resources (roles, databases, extensions, schemas, grants, migrations) from a YAML config file. Designed as a Docker Compose init container that runs before your application starts.\n\n## Quick Start\n\n```yaml\n# docker-compose.yaml\nservices:\n  postgres-provisioner:\n    image: ghcr.io/datarocks-ag/postgres-provisioner:latest\n    environment:\n      POSTGRES_USER: admin\n      POSTGRES_PASSWORD: adminpass\n      POSTGRES_HOST: postgres\n      PGHELPER_CONFIG_PATH: /config.yaml\n    volumes:\n      - ./config.yaml:/config.yaml:ro\n```\n\n## Configuration\n\nCreate a `config.yaml` (see [config.example.yaml](config.example.yaml)):\n\n```yaml\nroles:\n  - name: \"app_user\"\n    password: \"${APP_DB_PASSWORD}\"    # env var interpolation\n    options:\n      login: true\n      superuser: false\n\ndatabases:\n  - name: \"myapp\"\n    owner: \"app_user\"\n    extensions: [\"uuid-ossp\", \"pgcrypto\"]\n    schemas:\n      - name: \"app\"\n        owner: \"app_user\"\n    grants:\n      - role: \"app_user\"\n        privileges: [\"ALL\"]\n        on_schema: \"app\"\n      - role: \"readonly_user\"\n        privileges: [\"CONNECT\"]\n        on_database: true\n      - role: \"readonly_user\"\n        privileges: [\"SELECT\"]\n        on_tables_in_schema: \"app\"\n    migrations:\n      directory: \"./migrations/myapp\"\n```\n\n## Environment Variables\n\n| Variable | Required | Default | Description |\n|---|---|---|---|\n| `POSTGRES_USER` | yes | - | Admin user |\n| `POSTGRES_PASSWORD` | yes | - | Admin password |\n| `POSTGRES_HOST` | no | `localhost` | PostgreSQL host |\n| `POSTGRES_PORT` | no | `5432` | PostgreSQL port |\n| `POSTGRES_DB` | no | `postgres` | Admin database |\n| `POSTGRES_SSLMODE` | no | `disable` | SSL mode |\n| `PGHELPER_CONFIG_PATH` | no | `./config.yaml` | Path to YAML config |\n| `MIGRATIONS_ENABLED` | no | `true` | Set to `false` to skip all migrations at runtime |\n| `DRY_RUN` | no | `false` | Set to `true` to log every mutation as a preview without applying it |\n| `LOG_LEVEL` | no | `info` | Log level (debug/info/warn/error) |\n\n## Strategy\n\nControl whether existing resources are updated or skipped using the `strategy` field:\n\n- `update` (default) — create resources if missing, update if they already exist\n- `create` — create resources if missing, skip if they already exist. For databases,\n  this also skips all sub-resources (extensions, schemas, grants) if the database\n  already exists.\n\nStrategy can be set globally or per resource. Per-resource strategy overrides the global setting.\n\n```yaml\nstrategy: \"create\"           # global default: skip existing resources\n\nroles:\n  - name: \"app_user\"\n    strategy: \"update\"       # override: always reconcile this role\n    password: \"${APP_DB_PASSWORD}\"\n```\n\n## Environment Variable Expansion\n\nString values support `${VAR}` syntax. If the variable is set in the environment, it is replaced; if unset, the placeholder is preserved as-is (useful for detecting misconfigurations).\n\n```yaml\npassword: \"${APP_DB_PASSWORD}\"    # replaced with env var value at load time\n```\n\n## Provisioning Order\n\n1. **Roles** — created or updated idempotently\n2. **Databases** — created idempotently, owner set\n3. **Extensions** — `CREATE EXTENSION IF NOT EXISTS` (per-database)\n4. **Schemas** — `CREATE SCHEMA IF NOT EXISTS` with owner (per-database). Owner defaults to database owner if not specified.\n5. **Grants** — `GRANT` statements are inherently idempotent (per-database). `on_tables_in_schema` also sets `ALTER DEFAULT PRIVILEGES` for future tables.\n6. **Migrations** — Flyway-style SQL files executed per-database (if configured and enabled).\n\n## Grant Types\n\n- `on_database: true` — grants privileges on the database itself (e.g., `CONNECT`)\n- `on_schema: \"name\"` — grants privileges on a schema (e.g., `ALL`, `USAGE`)\n- `on_tables_in_schema: \"name\"` — grants on all existing tables + sets `ALTER DEFAULT PRIVILEGES` for future tables\n\n## Migrations\n\nFlyway-style SQL migrations can be configured per database. Migration files are discovered from a directory and executed in order.\n\n```yaml\ndatabases:\n  - name: \"myapp\"\n    owner: \"app_user\"\n    migrations:\n      directory: \"./migrations/myapp\"   # supports ${VAR} expansion\n```\n\n**File naming:**\n\n- `V0001__create_users.sql` — **Versioned**: run once, immutable. Checksum is verified on subsequent runs; a mismatch causes an error.\n- `R0001__seed_data.sql` — **Repeatable**: re-run whenever the file content changes.\n\nMigrations are tracked in a `_schema_migrations` table (created automatically) with SHA-256 checksums. Versioned migrations run first (sorted by version), then repeatable migrations.\n\n**Disabling migrations at runtime:**\n\nMigrations can be disabled without changing the config file using the `--migrations=false` CLI flag or `MIGRATIONS_ENABLED=false` environment variable. The CLI flag takes precedence over the env var.\n\n## CLI Flags\n\n| Flag | Default | Description |\n|---|---|---|\n| `--migrations` | `true` (or `MIGRATIONS_ENABLED` env var) | Enable/disable migrations |\n| `--dry-run` | `false` (or `DRY_RUN` env var) | Log mutations as a preview without executing them. Read-only queries (existence checks, applied-migration lookups) still run so the preview reflects live state. The CLI flag takes precedence over the env var. |\n| `--version` | — | Print version and exit |\n\n## SSL Mode\n\nSet `POSTGRES_SSLMODE` to control connection encryption. Defaults to `disable` for local development. For production, use `require`, `verify-ca`, or `verify-full`. See [PostgreSQL SSL documentation](https://www.postgresql.org/docs/current/libpq-ssl.html).\n\n## Connection Retry\n\nOn startup, the tool retries connecting to PostgreSQL with exponential backoff (1s initial, 30s cap, 15 retries, 5min total timeout). This handles Docker Compose startup ordering without requiring `wait-for-it` scripts.\n\n## Development\n\n```bash\nmake build            # Build binary\nmake test             # Run unit tests\nmake test-integration # Run integration tests (requires Docker)\nmake lint             # Run golangci-lint\nmake vet              # Run go vet\nmake docker           # Build Docker image\n```\n\n## Docker Compose Usage\n\n```yaml\nservices:\n  postgres:\n    image: postgres:16-alpine\n    environment:\n      POSTGRES_USER: admin\n      POSTGRES_PASSWORD: adminpass\n    healthcheck:\n      test: [\"CMD-SHELL\", \"pg_isready -U admin\"]\n      interval: 2s\n      timeout: 5s\n      retries: 10\n\n  postgres-provisioner:\n    image: ghcr.io/datarocks-ag/postgres-provisioner:latest\n    depends_on:\n      postgres:\n        condition: service_healthy\n    environment:\n      POSTGRES_USER: admin\n      POSTGRES_PASSWORD: adminpass\n      POSTGRES_HOST: postgres\n      PGHELPER_CONFIG_PATH: /config.yaml\n      APP_DB_PASSWORD: appsecret\n    volumes:\n      - ./config.yaml:/config.yaml:ro\n      - ./migrations:/migrations:ro\n\n  app:\n    image: your-app\n    depends_on:\n      postgres-provisioner:\n        condition: service_completed_successfully\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatarocks-ag%2Fpostgres-provisioner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdatarocks-ag%2Fpostgres-provisioner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatarocks-ag%2Fpostgres-provisioner/lists"}