feat: version control branch configs with terraform (#23299)

.github/workflows/config-preview.yaml

@@ -0,0 +1,63 @@
+name: Config (Preview)
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+    branches:
+      - master
+    paths:
+      - "supabase/**"
+  workflow_dispatch:
+
+jobs:
+  wait:
+    runs-on: ubuntu-latest
+    outputs:
+      status: ${{ steps.check.outputs.conclusion }}
+    steps:
+      - uses: fountainhead/action-wait-for-check@v1.2.0
+        id: check
+        with:
+          checkName: Supabase
+          ref: ${{ github.event.pull_request.head.sha }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+  apply:
+    needs:
+      - wait
+    if: ${{ needs.wait.outputs.status == 'success' }}
+    runs-on: ubuntu-latest
+    env:
+      SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}
+      TF_VAR_linked_project: xguihxuzqibwxjnimxev
+      TF_VAR_git_branch: ${{ github.head_ref }}
+      TF_CLI_ARGS_apply: -target=supabase_settings.preview
+    defaults:
+      run:
+        working-directory: supabase/remotes
+    outputs:
+      db_user: ${{ steps.branch.outputs.user }}
+      db_pass: ${{ steps.branch.outputs.password }}
+      db_host: ${{ steps.branch.outputs.host }}
+      db_port: ${{ steps.branch.outputs.port }}
+      jwt_secret: ${{ steps.branch.outputs.jwt_secret }}
+      ref: ${{ steps.branch.outputs.id }}
+      status: ${{ steps.branch.outputs.status }}
+      version: ${{ steps.branch.outputs.version }}
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_wrapper: false
+
+      - run: terraform init
+      - run: terraform apply -auto-approve -no-color
+      - id: branch
+        run: |
+          terraform output -json branch_database \
+          | jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" \
+          >> "$GITHUB_OUTPUT"

.github/workflows/config-production.yaml

@@ -0,0 +1,28 @@
+name: Config (Production)
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - "supabase/remotes/**"
+  workflow_dispatch:
+
+jobs:
+  apply:
+    runs-on: ubuntu-latest
+    env:
+      SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}
+      TF_VAR_linked_project: xguihxuzqibwxjnimxev
+    defaults:
+      run:
+        working-directory: supabase/remotes
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_wrapper: false
+
+      - run: terraform init
+      - run: terraform apply -auto-approve -no-color

supabase/remotes/.gitignore

@@ -0,0 +1,34 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

supabase/remotes/preview.tf

@@ -0,0 +1,41 @@
+variable "git_branch" {
+  type    = string
+  default = null
+}
+
+# Fetch all branches of a linked project
+data "supabase_branch" "all" {
+  parent_project_ref = var.linked_project
+}
+
+# Import an existing branch database
+import {
+  for_each = {
+    for b in data.supabase_branch.all.branches :
+    b.git_branch => b
+    if b.git_branch == var.git_branch
+  }
+  to = supabase_branch.imported[0]
+  id = each.value.id
+}
+
+resource "supabase_branch" "imported" {
+  count              = length(var.git_branch[*])
+  parent_project_ref = var.linked_project
+  git_branch         = var.git_branch
+}
+
+# Override auth settings for the current branch
+resource "supabase_settings" "preview" {
+  count       = length(var.git_branch[*])
+  project_ref = supabase_branch.imported[0].database.id
+
+  auth = jsonencode({
+    site_url = "http://localhost:3001"
+  })
+}
+
+output "branch_database" {
+  value     = one(supabase_branch.imported[*].database)
+  sensitive = true
+}

supabase/remotes/production.tf

@@ -0,0 +1,17 @@
+# Define a linked project variable as user input
+variable "linked_project" {
+  type = string
+}
+
+# Configure api settings for the linked project
+resource "supabase_settings" "production" {
+  project_ref = var.linked_project
+
+  database = jsonencode({})
+
+  api = jsonencode({
+    db_schema            = "public, storage, graphql_public"
+    db_extra_search_path = "public, extensions"
+    max_rows             = 1000
+  })
+}

supabase/remotes/provider.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    supabase = {
+      source  = "supabase/supabase"
+      version = "~> 1.0"
+    }
+  }
+}
+
+provider "supabase" {}