fix(database): escape DO block dollar-quote for HCL templating (#317) #318

Merged
forgejo_admin merged 1 commit from 317-fix-do-block-dollar-escape into main 2026-04-30 11:30:33 +00:00
Contributor

Summary

Fix the SQL anonymous DO block's dollar-quote so it survives HCL string templating. Replace DO $$ ... $$; with DO $body$ ... $body$;.

Why

HCL strings interpret $$ as a literal-$ escape (to prevent Terraform's ${expression} interpolation). The Job's SQL heredoc had DO $$ ... $$; which rendered as DO $ ... $; in the final Job spec. Postgres rejected with syntax error at or near "$" at character 4. Job hit BackoffLimitExceeded after 4 retries; apply errored.

Discovered when Ava ran make tofu-apply — postgres pod logs showed the rendered SQL with single dollars where doubles were intended.

Named dollar-quote ($body$) is the cleanest fix: postgres treats any matched $tag$ as a delimiter, and $body$ contains no $$ so HCL doesn't touch it. Self-documenting too.

Changes

  • terraform/modules/database/main.tf line 193: DO $$ → DO $body$
  • terraform/modules/database/main.tf line 201: $$; → $body$;
  • 2 lines changed, 0 added, 0 removed

Test Plan

  • Diff is exactly the 2 dollar-quote token changes (no other collateral)
  • After merge: tofu apply -target=module.database -lock=false runs without Job failure
  • Job pod completes with status Succeeded (vs current failure state)
  • Pod logs show ==> admin_app role provisioned successfully
  • Postgres \du admin_app shows the role exists with login + password

Review Checklist

  • Two-token fix, minimum diff
  • Postgres dollar-quote semantics preserved (any matched $tag$)
  • HCL escape collision avoided ($body$ has no $$)
  • No password/permissions/grant logic changed
  • Closes #317
  • Story+arch trace present (story:admin-row-crud, arch:postgres)

Related Notes

  • Caused by: PR #304 (Postgres provisioning Job, merged unblocked)
  • Sibling lessons: pal-e-platform#315 (label value /), salt master crash 12 days ago — third post-merge runtime gap during this bootstrap
  • Memory: feedback_tofu_validate_not_k8s_api, feedback_verification_before_completion

Closes #317

fix(database): escape DO block dollar-quote for HCL templating (#317)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful
84a88dbb53
HCL strings interpret $$ as a literal-$ escape (to prevent ${...}
interpolation). The SQL heredoc had `DO $$ ... $$;` which rendered
as `DO $ ... $;` — postgres rejected with syntax error at character 4.

Switch to named dollar-quote `DO $body$ ... $body$;`. Postgres treats
any matched $tag$ as a dollar-quote delimiter; $body$ contains no $$
so HCL doesn't touch it. Self-documenting and dodges the HCL escape
collision entirely.

Closes #317

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Author
Contributor

PR #318 Review

DOMAIN REVIEW

Stack: Terraform/HCL + k8s Job rendering inline SQL via heredoc.

Correctness:

  • HCL templating: $$ is the escape for literal $ (to dodge ${...} interpolation). The previous DO $$ ... $$; rendered as DO $ ... $; in the Job spec — confirmed root cause of the postgres syntax error at or near "$".
  • Fix uses named dollar-quote $body$. Postgres accepts any matched $tag$ as a delimiter (alphanumeric/underscore tag, must match on open/close) — $body$ is valid.
  • $body$ contains no $$ substring, so HCL leaves it untouched. Both ends symmetric.
  • Heredoc is single-quoted (<<'SQL') so shell doesn't expand inside, but HCL templating still applies at the Terraform layer — that's the layer being fixed here. Correct.
  • Surrounding logic intact: BEGIN/END, IF NOT EXISTS, format() with %L quoting, :'admin_pw' psql variable binding, GRANT statements all unchanged.
  • Diff is exactly +2/-2, single file, scoped to the two delimiter tokens.

BLOCKERS

None.

NITS

  • Test Plan post-merge boxes (tofu apply, Job Succeeded, pod logs, \du admin_app) are unchecked — expected, but should be ticked during validation column work, not silently skipped.

SOP COMPLIANCE

  • Branch 317-fix-do-block-dollar-escape follows {issue}-{kebab} convention
  • PR body has Summary / Why / Changes / Test Plan / Review Checklist / Related
  • Closes #317 present
  • Story+arch trace (story:admin-row-crud, arch:postgres) noted in body
  • No secrets, no scope creep
  • Minimum diff (2 tokens)

PROCESS OBSERVATIONS

Third post-merge runtime gap during bootstrap (alongside #315 label-value / and salt master crash) — pattern is tofu validate passes but k8s API rejects rendered output. Worth a convention note: HCL-templated inline scripts (SQL, shell, etc.) should prefer named delimiters over $$/%%-style doubles to dodge HCL escape rules. Add to validation pipeline: render Job spec and grep for \$\s / \$; before apply.

VERDICT: APPROVED

forgejo_admin deleted branch 317-fix-do-block-dollar-escape 2026-04-30 11:30:33 +00:00
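The pre-apply check proposed in the review's process observations, sketched as an added example (not code from this repository or its pipeline): it scans rendered SQL for `$` characters that are neither part of a matched `$tag$` delimiter nor a positional parameter, and reports 1-based character positions in the style of the Postgres error. The sample SQL is constructed and `check_dollar_quotes` is a hypothetical helper; SQL comments and `$` inside identifiers are not handled.

```python
import re

# $$ or $tag$ opens/closes a dollar-quoted string; $1, $2, ... are parameters.
DELIM = re.compile(r"\$(?:[A-Za-z_][A-Za-z0-9_]*)?\$")
PARAM = re.compile(r"\$\d+")
STRING = re.compile(r"'(?:[^']|'')*'")  # single-quoted literal, '' escapes '

def check_dollar_quotes(sql):
    """Hypothetical helper: return (kind, char) findings, char is 1-based."""
    findings = []
    i, open_tag, open_at = 0, None, 0
    while i < len(sql):
        if open_tag is not None:
            # Inside a dollar-quoted body only the matching tag is significant.
            if sql.startswith(open_tag, i):
                i += len(open_tag)
                open_tag = None
            else:
                i += 1
        elif sql[i] == "'":
            m = STRING.match(sql, i)
            i = m.end() if m else len(sql)
        elif sql[i] == "$":
            delim, param = DELIM.match(sql, i), PARAM.match(sql, i)
            if delim:
                open_tag, open_at = delim.group(0), i
                i = delim.end()
            elif param:
                i = param.end()
            else:
                findings.append(("stray-dollar", i + 1))
                i += 1
        else:
            i += 1
    if open_tag is not None:
        findings.append(("unterminated " + open_tag, open_at + 1))
    return findings

# Constructed sample modelled on the PR's DO block (not the project's SQL).
GOOD = """DO $body$
BEGIN
  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'admin_app') THEN
    CREATE ROLE admin_app LOGIN;
  END IF;
END
$body$;
"""
BAD = GOOD.replace("$body$", "$")  # delimiters as the PR says they rendered
if __name__ == "__main__":
    print(check_dollar_quotes(BAD))
```

Run against the SQL extracted from the rendered Job spec, a non-empty result is a reason to stop before apply.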