SQL service registry templates
This page is the literate source for the sql_service facet of the
codegen template library. Each section documents one template and
holds its source in a mustache block tangled to the sibling
.mustache file consumed by generator.py. The .mustache files are
generated artefacts — edit this document, then run the tangle
(compass build --direct tangle_codegen_templates or
projects/ores.lisp/src/ores-build-codegen-templates.el directly).
Output paths and profile membership come from
facet_catalogue.org.
Summary
Four templates project the service registry onto IAM SQL: one
PostgreSQL login role per service, the DML grants those roles need,
and the matching IAM application accounts with their role
assignments. All four belong to the service-registry profile, with
outputs under projects/ores.sql/create/iam/ and populate/iam/.
The sql_service facet
The facet is driven by the service registry model — a services list carrying
name, description, env_key, iam_role and psql_var per
service — rather than by entities. Together the four artefacts give
every backend service a database identity (users + grants) and an
application identity (accounts + roles); shell_service_vars in the
assets facet is the shell projection of the same registry.
Mustache incantations
Passwords are never inlined: {{psql_var}} emits a psql :variable
reference resolved at execution time from the environment
({{env_key}}). dml_prefixes uses the {{^last}} comma idiom for
the grant lists: an inverted section that emits the separator after
every item except the last. Everything else uses the group's standard
constructs.
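The two idioms above, shown as an added example that is not the project's template source or generator.py: a minimal mustache-subset renderer applied to a hypothetical template and a constructed registry entry, plus a check that no rendered PASSWORD clause carries a quoted literal. The `:'var'` quoting form, the `dml_prefixes` item shape, the `last` flag being set by the renderer, and every value and function name here are assumptions.

```python
import re

# Constructed registry entry: field names follow the page, values are made up,
# and the dml_prefixes item shape ({"prefix": ...}) is an assumption.
SERVICES = [{
    "name": "ores_example_service",
    "psql_var": "example_service_password",
    "dml_prefixes": [{"prefix": "iam_"}, {"prefix": "audit_"}],
}]

# Hypothetical template, not the project's sql_service_* source.
TEMPLATE = (
    "{{#services}}"
    "create role {{name}} login password :'{{psql_var}}';\n"
    "-- dml prefixes: {{#dml_prefixes}}{{prefix}}{{^last}}, {{/last}}{{/dml_prefixes}}\n"
    "{{/services}}"
)

SECTION = re.compile(r"\{\{([#^])(\w+)\}\}(.*?)\{\{/\2\}\}", re.S)
VAR = re.compile(r"\{\{(\w+)\}\}")

def mark_last(items):
    """Copy list items, adding the 'last' flag the {{^last}} idiom relies on."""
    return [dict(it, last=(i == len(items) - 1)) for i, it in enumerate(items)]

def render(template, ctx):
    """Minimal mustache subset: {{var}}, {{#list}} sections, {{^flag}} inverted sections."""
    def section(m):
        kind, key, body = m.groups()
        value = ctx.get(key)
        if kind == "^":  # inverted section: emit only when the value is falsy
            return render(body, ctx) if not value else ""
        if isinstance(value, list):
            return "".join(render(body, {**ctx, **it}) for it in mark_last(value))
        return render(body, ctx) if value else ""
    out = SECTION.sub(section, template)
    return VAR.sub(lambda m: str(ctx.get(m.group(1), "")), out)

def inline_password_literals(sql):
    """Return PASSWORD clauses whose value is a quoted literal, not a psql variable."""
    return re.findall(r"password\s+'[^']*'", sql, re.I)

def rendered_sql():
    """Render the hypothetical template over the constructed registry."""
    return render(TEMPLATE, {"services": SERVICES})

if __name__ == "__main__":
    print(rendered_sql(), end="")
```

A check like `inline_password_literals` can run over the generated .sql files in CI, so a template edit that inlines a secret fails the build instead of reaching the repository.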
Archetypes
| Archetype | Description |
|---|---|
| sql_service_users_create.mustache | One CREATE ROLE … LOGIN per registry service, password supplied via the service's psql variable. Output projects/ores.sql/create/iam/service_users_create.sql. |
| sql_service_db_grants.mustache | Grants each service role its DML surface: per-service dml_prefixes list the table-name prefixes the service may touch. Output projects/ores.sql/create/iam/iam_service_db_grants_create.sql. |
| sql_service_accounts_populate.mustache | IAM application accounts for the services (email, description, password via psql variable). Output projects/ores.sql/populate/iam/iam_service_accounts_populate.sql. |
| sql_service_account_roles_populate.mustache | Assigns each service account its {{iam_role}}. Output projects/ores.sql/populate/iam/iam_service_account_roles_populate.sql. |
See also
- (Parent template group doc: <group>_group.org.)
- Codegen template library — the groups overview.
- Facet — the MASD concept these templates project.
- SQL facet — the facet's modeling reference.
- Applied MASD — the facet catalogue and codegen routes.
- facet_catalogue.org — profile → template/output mapping.