Database migration architecture

Status: proposed
Deciders: @lorenyu, @daphnegold, @chouinar, @Nava-JoshLong, @addywolf-nava, @sawyerh, @acouch, @SammySteiner
Date: 2023-06-05

Context and Problem Statement

What is the most optimal setup for database migrations infrastructure and deployment? This will break down the different options for how the migration is run, but not the tools or languages the migration will be run with, that will be dependent on the framework the application is using.

Questions that need to be addressed:

How will the method get the latest migration code to run?
What infrastructure is required to use this method?
How is the migration deployment re-run in case of errors?

Decision Drivers

Security
Simplicity
Flexibility

Considered Options

Run migrations from GitHub Actions
Run migrations from a Lambda function
Run migrations from an ECS task
Run migrations from self-hosted GitHub Actions runners

Decision Outcome

Run migrations from an ECS task using the same container image that is used for running the web service. Require a db-migrate script in the application container image that performs the migration. When running the migration task using AWS CLI's run-task command, use the --overrides option to override the command to the db-migrate command.

Default to rolling forward instead of rolling back when issues arise (See Pitfalls with SQL rollbacks and automated database deployments). Do not support rolling back out of the box, but still project teams to easily implement database rollbacks through the mechanism of running an application-specific database rollback script through a general purpose run-command.sh script.

Pros

No changes to the database network configuration are needed. The database can remain inaccessible from the public internet.
Database migrations are agnostic to the migration framework that the application uses as long as the application is able to provide a db-migrate script that is accessible from the container's PATH and is able to use IAM authentication for connecting to the database. Applications can use alembic, flyway, prisma, another migration framework, or custom built migrations.
Database migrations use the same application image and task definition as the base application.

Cons

Running migrations require doing a targeted terraform apply to update the task definition without updating the service. Terraform recommends against targeting individual resources as part of a normal workflow. However, this is done to ensure migrations are run before the service is updated.

Other options considered

Run migrations from GitHub Actions using a direct database connection

Temporarily update the database to be accessible from the internet and allow incoming network traffic from the GitHub Action runner's IP address. Then run the migrations directly from the GitHub Action runner. At the end, revert the database configuration changes.

Pros:

Simple. Requires no additional infrastructure

Cons:

This method requires temporarily exposing the database to incoming connections from the internet, which may not comply with agency security policies.

Run migrations from a Lambda function

Run migrations from an AWS Lambda function that uses the application's container image. The application container image needs to implement the lambda runtime api either by using an AWS base image for Lambda or by implementing the Lambda runtime (see Working with Lambda container images).