chore: remove precreated storage objs from AMI build

Let services create these objects in their migrations.

Author: soedirgo

migrations/db/init-scripts/00000000000002-storage-schema.sql

@@ -2,119 +2,20 @@
 
 CREATE SCHEMA IF NOT EXISTS storage AUTHORIZATION supabase_admin;
 
-grant usage on schema storage to postgres, anon, authenticated, service_role;
-alter default privileges in schema storage grant all on tables to postgres, anon, authenticated, service_role;
-alter default privileges in schema storage grant all on functions to postgres, anon, authenticated, service_role;
-alter default privileges in schema storage grant all on sequences to postgres, anon, authenticated, service_role;
-
-CREATE TABLE "storage"."buckets" (
-    "id" text not NULL,
-    "name" text NOT NULL,
-    "owner" uuid,
-    "created_at" timestamptz DEFAULT now(),
-    "updated_at" timestamptz DEFAULT now(),
-    CONSTRAINT "buckets_owner_fkey" FOREIGN KEY ("owner") REFERENCES "auth"."users"("id"),
-    PRIMARY KEY ("id")
-);
-CREATE UNIQUE INDEX "bname" ON "storage"."buckets" USING BTREE ("name");
-
-CREATE TABLE "storage"."objects" (
-    "id" uuid NOT NULL DEFAULT extensions.uuid_generate_v4(),
-    "bucket_id" text,
-    "name" text,
-    "owner" uuid,
-    "created_at" timestamptz DEFAULT now(),
-    "updated_at" timestamptz DEFAULT now(),
-    "last_accessed_at" timestamptz DEFAULT now(),
-    "metadata" jsonb,
-    CONSTRAINT "objects_bucketId_fkey" FOREIGN KEY ("bucket_id") REFERENCES "storage"."buckets"("id"),
-    CONSTRAINT "objects_owner_fkey" FOREIGN KEY ("owner") REFERENCES "auth"."users"("id"),
-    PRIMARY KEY ("id")
-);
-CREATE UNIQUE INDEX "bucketid_objname" ON "storage"."objects" USING BTREE ("bucket_id","name");
-CREATE INDEX name_prefix_search ON storage.objects(name text_pattern_ops);
-
-ALTER TABLE storage.objects ENABLE ROW LEVEL SECURITY;
-
-CREATE FUNCTION storage.foldername(name text)
- RETURNS text[]
- LANGUAGE plpgsql
-AS $function$
-DECLARE
-_parts text[];
-BEGIN
-    select string_to_array(name, '/') into _parts;
-    return _parts[1:array_length(_parts,1)-1];
-END
-$function$;
-
-CREATE FUNCTION storage.filename(name text)
- RETURNS text
- LANGUAGE plpgsql
-AS $function$
-DECLARE
-_parts text[];
-BEGIN
-    select string_to_array(name, '/') into _parts;
-    return _parts[array_length(_parts,1)];
-END
-$function$;
-
-CREATE FUNCTION storage.extension(name text)
- RETURNS text
- LANGUAGE plpgsql
-AS $function$
-DECLARE
-_parts text[];
-_filename text;
-BEGIN
-    select string_to_array(name, '/') into _parts;
-    select _parts[array_length(_parts,1)] into _filename;
-    -- @todo return the last part instead of 2
-    return split_part(_filename, '.', 2);
-END
-$function$;
-
-CREATE FUNCTION storage.search(prefix text, bucketname text, limits int DEFAULT 100, levels int DEFAULT 1, offsets int DEFAULT 0)
- RETURNS TABLE (
-    name text,
-    id uuid,
-    updated_at TIMESTAMPTZ,
-    created_at TIMESTAMPTZ,
-    last_accessed_at TIMESTAMPTZ,
-    metadata jsonb
-  )
- LANGUAGE plpgsql
-AS $function$
-DECLARE
-_bucketId text;
-BEGIN
-    -- will be replaced by migrations when server starts
-    -- saving space for cloud-init
-END
-$function$;
-
--- create migrations table
--- https://github.com/ThomWright/postgres-migrations/blob/master/src/migrations/0_create-migrations-table.sql
--- we add this table here and not let it be auto-created so that the permissions are properly applied to it
-CREATE TABLE IF NOT EXISTS storage.migrations (
-  id integer PRIMARY KEY,
-  name varchar(100) UNIQUE NOT NULL,
-  hash varchar(40) NOT NULL, -- sha1 hex encoded hash of the file name and contents, to ensure it hasn't been altered since applying the migration
-  executed_at timestamp DEFAULT current_timestamp
-);
-
 CREATE USER supabase_storage_admin NOINHERIT CREATEROLE LOGIN NOREPLICATION;
-GRANT ALL PRIVILEGES ON SCHEMA storage TO supabase_storage_admin;
-GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA storage TO supabase_storage_admin;
-GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA storage TO supabase_storage_admin;
 ALTER USER supabase_storage_admin SET search_path = "storage";
-ALTER table "storage".objects owner to supabase_storage_admin;
-ALTER table "storage".buckets owner to supabase_storage_admin;
-ALTER table "storage".migrations OWNER TO supabase_storage_admin;
-ALTER function "storage".foldername(text) owner to supabase_storage_admin;
-ALTER function "storage".filename(text) owner to supabase_storage_admin;
-ALTER function "storage".extension(text) owner to supabase_storage_admin;
-ALTER function "storage".search(text,text,int,int,int) owner to supabase_storage_admin;
+GRANT CREATE ON DATABASE postgres TO supabase_storage_admin;
+
+do $$
+begin
+  if exists (select from pg_namespace where nspname = 'storage') then
+    grant usage on schema storage to postgres, anon, authenticated, service_role;
+    alter default privileges in schema storage grant all on tables to postgres, anon, authenticated, service_role;
+    alter default privileges in schema storage grant all on functions to postgres, anon, authenticated, service_role;
+    alter default privileges in schema storage grant all on sequences to postgres, anon, authenticated, service_role;
+
+    grant all on schema storage to supabase_storage_admin with grant option;
+  end if;
+end $$;
 
 -- migrate:down

migrations/db/init-scripts/00000000000003-post-setup.sql

@@ -105,15 +105,20 @@ CREATE ROLE dashboard_user NOSUPERUSER CREATEDB CREATEROLE REPLICATION;
 GRANT ALL ON DATABASE postgres TO dashboard_user;
 GRANT ALL ON SCHEMA auth TO dashboard_user;
 GRANT ALL ON SCHEMA extensions TO dashboard_user;
-GRANT ALL ON SCHEMA storage TO dashboard_user;
 GRANT ALL ON ALL TABLES IN SCHEMA auth TO dashboard_user;
 GRANT ALL ON ALL TABLES IN SCHEMA extensions TO dashboard_user;
 -- GRANT ALL ON ALL TABLES IN SCHEMA storage TO dashboard_user;
 GRANT ALL ON ALL SEQUENCES IN SCHEMA auth TO dashboard_user;
-GRANT ALL ON ALL SEQUENCES IN SCHEMA storage TO dashboard_user;
 GRANT ALL ON ALL SEQUENCES IN SCHEMA extensions TO dashboard_user;
 GRANT ALL ON ALL ROUTINES IN SCHEMA auth TO dashboard_user;
-GRANT ALL ON ALL ROUTINES IN SCHEMA storage TO dashboard_user;
 GRANT ALL ON ALL ROUTINES IN SCHEMA extensions TO dashboard_user;
+do $$
+begin
+  if exists (select from pg_namespace where nspname = 'storage') then
+    GRANT ALL ON SCHEMA storage TO dashboard_user;
+    GRANT ALL ON ALL SEQUENCES IN SCHEMA storage TO dashboard_user;
+    GRANT ALL ON ALL ROUTINES IN SCHEMA storage TO dashboard_user;
+  end if;
+end $$;
 
 -- migrate:down

migrations/db/migrations/10000000000000_demote-postgres.sql

@@ -4,16 +4,21 @@
 GRANT ALL ON DATABASE postgres TO postgres;
 GRANT ALL ON SCHEMA auth TO postgres;
 GRANT ALL ON SCHEMA extensions TO postgres;
-GRANT ALL ON SCHEMA storage TO postgres;
 GRANT ALL ON ALL TABLES IN SCHEMA auth TO postgres;
-GRANT ALL ON ALL TABLES IN SCHEMA storage TO postgres;
 GRANT ALL ON ALL TABLES IN SCHEMA extensions TO postgres;
 GRANT ALL ON ALL SEQUENCES IN SCHEMA auth TO postgres;
-GRANT ALL ON ALL SEQUENCES IN SCHEMA storage TO postgres;
 GRANT ALL ON ALL SEQUENCES IN SCHEMA extensions TO postgres;
 GRANT ALL ON ALL ROUTINES IN SCHEMA auth TO postgres;
-GRANT ALL ON ALL ROUTINES IN SCHEMA storage TO postgres;
 GRANT ALL ON ALL ROUTINES IN SCHEMA extensions TO postgres;
+do $$
+begin
+  if exists (select from pg_namespace where nspname = 'storage') then
+    GRANT ALL ON SCHEMA storage TO postgres;
+    GRANT ALL ON ALL TABLES IN SCHEMA storage TO postgres;
+    GRANT ALL ON ALL SEQUENCES IN SCHEMA storage TO postgres;
+    GRANT ALL ON ALL ROUTINES IN SCHEMA storage TO postgres;
+  end if;
+end $$;
 ALTER ROLE postgres NOSUPERUSER CREATEDB CREATEROLE LOGIN REPLICATION BYPASSRLS;
 
 -- migrate:down

migrations/db/migrations/20250421084701_revoke_admin_roles_from_postgres.sql

@@ -1,10 +1,25 @@
 -- migrate:up
 revoke supabase_storage_admin from postgres;
-revoke create on schema storage from postgres;
-revoke all on storage.migrations from anon, authenticated, service_role, postgres;
+do $$
+begin
+  if exists (select from pg_namespace where nspname = 'storage') then
+    revoke create on schema storage from postgres;
+  end if;
+end $$;
+do $$
+begin
+  if exists (select from pg_class where relnamespace = (select oid from pg_namespace where nspname = 'storage') and relname = 'migrations') then
+    revoke all on storage.migrations from anon, authenticated, service_role, postgres;
+  end if;
+end $$;
 
 revoke supabase_auth_admin from postgres;
 revoke create on schema auth from postgres;
-revoke all on auth.schema_migrations from dashboard_user, postgres;
+do $$
+begin
+  if exists (select from pg_class where relnamespace = 'auth'::regnamespace and relname = 'schema_migrations') then
+    revoke all on auth.schema_migrations from dashboard_user, postgres;
+  end if;
+end $$;
 
 -- migrate:down

migrations/db/migrations/20250623125453_tmp_grant_storage_tables_to_postgres_with_grant_option.sql

@@ -1,6 +1,14 @@
 -- migrate:up
 -- TODO: remove this migration once STORAGE-211 is completed
 -- DRI: bobbie
-grant all on storage.buckets, storage.objects to postgres with grant option;
+do $$
+begin
+  if exists (select from pg_class where relnamespace = (select oid from pg_namespace where nspname = 'storage') and relname = 'buckets') then
+    grant all on storage.buckets to postgres with grant option;
+  end if;
+  if exists (select from pg_class where relnamespace = (select oid from pg_namespace where nspname = 'storage') and relname = 'objects') then
+    grant all on storage.objects to postgres with grant option;
+  end if;
+end $$;
 
 -- migrate:down

migrations/db/migrations/20250709135250_grant_storage_schema_to_postgres_with_grant_option.sql

@@ -1,4 +1,9 @@
 -- migrate:up
-grant usage on schema storage to postgres with grant option;
+do $$
+begin
+  if exists (select from pg_namespace where nspname = 'storage') then
+    grant usage on schema storage to postgres with grant option;
+  end if;
+end $$;
 
 -- migrate:down