dfe-analytical-services
diff --git a/‎data/public-api-db/00-init.sh
+16-4 b/‎data/public-api-db/00-init.sh
+16-4
diff --git a/‎infrastructure/templates/public-api/main.bicep
-21 b/‎infrastructure/templates/public-api/main.bicep
-21
diff --git a/‎src/GovUk.Education.ExploreEducationStatistics.Common/Extensions/MigrationBuilderExtensions.cs
+10-2 b/‎src/GovUk.Education.ExploreEducationStatistics.Common/Extensions/MigrationBuilderExtensions.cs
+10-2
diff --git a/‎src/GovUk.Education.ExploreEducationStatistics.Public.Data.Model/Database/PublicDataDbContext.cs
+1 b/‎src/GovUk.Education.ExploreEducationStatistics.Public.Data.Model/Database/PublicDataDbContext.cs
+1
diff --git a/‎src/GovUk.Education.ExploreEducationStatistics.Public.Data.Model/Migrations/20240501113006_InitialMigration.cs
+13-62 b/‎src/GovUk.Education.ExploreEducationStatistics.Public.Data.Model/Migrations/20240501113006_InitialMigration.cs
+13-62
@@ -17,15 +17,27 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-E
 
     /*
      * Grant the other application user roles privileges to look up objects on the public schema.
-     * Additional privileges are granted to these application user roles by the initial migration.
      */
     GRANT USAGE ON SCHEMA public TO app_public_data_processor;
     GRANT USAGE ON SCHEMA public TO app_admin;
     GRANT USAGE ON SCHEMA public TO app_publisher;
 
     /*
-     * Create an admin group role which can be granted to user roles requiring privileges on public schema objects.
-     * Privileges are granted to this admin group role by the initial migration.
+     * Create a public_data_read_write group role which can be granted to user roles requiring read and write privileges on public schema objects.
      */
-    CREATE ROLE public_data_admin WITH NOLOGIN;
+    CREATE ROLE public_data_read_write WITH NOLOGIN;
+
+    /*
+     * Grant privileges to the public_data_read_write group role for all tables and sequences in the public schema subsequently created by app_public_data_api.
+     */
+    ALTER DEFAULT PRIVILEGES FOR ROLE app_public_data_api IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES ON TABLES TO public_data_read_write;
+    ALTER DEFAULT PRIVILEGES FOR ROLE app_public_data_api IN SCHEMA public GRANT SELECT, UPDATE ON SEQUENCES TO public_data_read_write;
+
+    /*
+     * Grant membership of the public_data_read_write group role to the application user roles.
+     */
+    GRANT public_data_read_write TO app_public_data_api;
+    GRANT public_data_read_write TO app_public_data_processor;
+    GRANT public_data_read_write TO app_admin;
+    GRANT public_data_read_write TO app_publisher;
 EOSQL
@@ -309,27 +309,6 @@ module apiContainerAppModule 'components/containerApp.bicep' = if (deployContain
         name: 'DataFiles__BasePath'
         value: dataFilesFileShareMountPath
       }
-      {
-        // This property informs the Container App of the name of the Admin's system-assigned identity.
-        // It uses this to grant permissions to the Admin user in order for it to be able to access
-        // tables in the "public_data" database successfully.
-        name: 'AdminAppServiceIdentityName'
-        value: adminAppServiceFullName
-      }
-      {
-        // This property informs the Container App of the name of the Data Processor's system-assigned identity.
-        // It uses this to grant permissions to the Data Processor user in order for it to be able to access
-        // tables in the "public_data" database successfully.
-        name: 'DataProcessorFunctionAppIdentityName'
-        value: dataProcessorFunctionAppManagedIdentity.name
-      }
-      {
-        // This property informs the Container App of the name of the Publisher's system-assigned identity.
-        // It uses this to grant permissions to the Publisher user in order for it to be able to access
-        // tables in the "public_data" database successfully.
-        name: 'PublisherFunctionAppIdentityName'
-        value: publisherFunctionAppFullName
-      }
     ]
     tagValues: tagValues
   }
 
@@ -1,4 +1,5 @@
 #nullable enable
+using System;
 using System.IO;
 using System.Reflection;
 using Microsoft.EntityFrameworkCore.Migrations;
@@ -7,7 +8,13 @@ namespace GovUk.Education.ExploreEducationStatistics.Common.Extensions
 {
     public static class MigrationBuilderExtensions
     {
-        public static void SqlFromFile(this MigrationBuilder migrationBuilder,
+        public static bool IsEnvironment(
+            this MigrationBuilder _,
+            string environmentName) =>
+            Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") == environmentName;
+
+        public static void SqlFromFile(
+            this MigrationBuilder migrationBuilder,
             string migrationsPath,
             string filename,
             bool suppressTransaction = false)
@@ -19,7 +26,8 @@ public static void SqlFromFile(this MigrationBuilder migrationBuilder,
             migrationBuilder.Sql(File.ReadAllText(file), suppressTransaction);
         }
 
-        public static void SqlFromFileByLine(this MigrationBuilder migrationBuilder,
+        public static void SqlFromFileByLine(
+            this MigrationBuilder migrationBuilder,
             string migrationsPath,
             string filename)
         {
 
@@ -7,6 +7,7 @@ namespace GovUk.Education.ExploreEducationStatistics.Public.Data.Model.Database;
 
 public class PublicDataDbContext : DbContext
 {
+    public const string PublicDataReadWriteRole = "public_data_read_write";
     public const string FilterOptionMetaLinkSequence = "FilterOptionMetaLink_seq";
     public const string LocationOptionMetasIdSequence = "LocationOptionMetas_Id_seq";
 
 
@@ -1,5 +1,7 @@
 using System;
 using System.Collections.Generic;
+using GovUk.Education.ExploreEducationStatistics.Common.Extensions;
+using GovUk.Education.ExploreEducationStatistics.Public.Data.Model.Database;
 using Microsoft.EntityFrameworkCore.Migrations;
 using Microsoft.Extensions.Hosting;
 using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
@@ -14,6 +16,17 @@ public partial class InitialMigration : Migration
         /// <inheritdoc />
         protected override void Up(MigrationBuilder migrationBuilder)
         {
+            if (migrationBuilder.IsEnvironment(Environments.Production))
+            {
+                // Grant privileges to the 'public_data_read_write' group role for objects in the public schema
+                // subsequently created by this applications user role. Membership of the role will be granted to other
+                // application and indvidual user roles who require read and write privileges on public schema objects.
+                migrationBuilder.Sql(
+                    $"ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES ON TABLES TO {PublicDataDbContext.PublicDataReadWriteRole}");
+                migrationBuilder.Sql(
+                    $"ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, UPDATE ON SEQUENCES TO {PublicDataDbContext.PublicDataReadWriteRole}");
+            }
+
             migrationBuilder.CreateTable(
                 name: "FilterOptionMetas",
                 columns: table => new
@@ -579,68 +592,6 @@ protected override void Up(MigrationBuilder migrationBuilder)
                 column: "LatestLiveVersionId",
                 principalTable: "DataSetVersions",
                 principalColumn: "Id");
-
-            var isLocalEnvironment = 
-                Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") == Environments.Development;
-
-            // Grant privileges on objects created by this resource's database user to the Admin App Service user.
-            var adminAppServiceRoleName = isLocalEnvironment
-                ? "app_admin" 
-                : Environment.GetEnvironmentVariable("AdminAppServiceIdentityName");
-            if (adminAppServiceRoleName != null)
-            {
-                migrationBuilder.Sql(
-                    $"""GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO {adminAppServiceRoleName}""");
-                migrationBuilder.Sql(
-                    $"""ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO {adminAppServiceRoleName}""");
-            }
-
-            // Grant privileges on objects created by this resource's database user to the Public API Data Processor Function App user.
-            var dataProcessorFunctionAppRoleName = isLocalEnvironment
-                ? "app_public_data_processor" 
-                : Environment.GetEnvironmentVariable("DataProcessorFunctionAppIdentityName");
-            if (dataProcessorFunctionAppRoleName != null)
-            {
-                migrationBuilder.Sql(
-                    $"""GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO {dataProcessorFunctionAppRoleName}""");
-                migrationBuilder.Sql(
-                    $"""ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO {dataProcessorFunctionAppRoleName}""");
-
-                migrationBuilder.Sql(
-                    $"""GRANT SELECT, UPDATE ON ALL SEQUENCES IN SCHEMA public TO {dataProcessorFunctionAppRoleName}""");
-                migrationBuilder.Sql(
-                    $"""ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, UPDATE ON SEQUENCES TO {dataProcessorFunctionAppRoleName}""");
-            }
-
-            // Grant privileges on objects created by this resource's database user to the Publisher Function App user.
-            var publisherFunctionAppRoleName = isLocalEnvironment
-                ? "app_publisher" 
-                : Environment.GetEnvironmentVariable("PublisherFunctionAppIdentityName");
-            if (publisherFunctionAppRoleName != null)
-            {
-                migrationBuilder.Sql(
-                    $"""GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO {publisherFunctionAppRoleName}""");
-                migrationBuilder.Sql(
-                    $"""ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO {publisherFunctionAppRoleName}""");
-            }
-
-            // Grant privileges on objects created by this resource's database user to the 'public_data_admin' role.
-            // The 'public_data_admin' role represents a group of admin users. Membership of it will be granted to
-            // indvidual user roles who require write privileges on public schema objects.
-            // Locally this is created in the initialisation script run by the Docker entrypoint.
-            // In Azure this role needs to be created manually after the database is created.
-            migrationBuilder.Sql(
-                """
-                DO $$
-                BEGIN
-                    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'public_data_admin') THEN
-                        GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES ON ALL TABLES IN SCHEMA public TO public_data_admin;
-                        GRANT SELECT, UPDATE ON ALL SEQUENCES IN SCHEMA public TO public_data_admin;
-                        ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES ON TABLES TO public_data_admin;
-                        ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, UPDATE ON SEQUENCES TO public_data_admin;
-                    END IF;
-                END $$;
-                """);
         }
 
         /// <inheritdoc />
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ namespace GovUk.Education.ExploreEducationStatistics.Public.Data.Model.Database;`
`7`	`7`
`8`	`8`	`public class PublicDataDbContext : DbContext`
`9`	`9`	`{`
	`10`	`+ public const string PublicDataReadWriteRole = "public_data_read_write";`
`10`	`11`	`public const string FilterOptionMetaLinkSequence = "FilterOptionMetaLink_seq";`
`11`	`12`	`public const string LocationOptionMetasIdSequence = "LocationOptionMetas_Id_seq";`
`12`	`13`