fix(infra): fail loud when archiv-app is missing the readwrite policy

The previous `mc admin policy attach … || true` swallowed every failure mode: a renamed policy, an mc CLI signature change, or a transient MinIO error would leave the bootstrap container exiting zero with the service account possessing no permissions, and the backend would then fail every S3 call after a "successful" deploy. Replace the silent fallback with verify-after: keep the attach (idempotent in current mc, redundant in older versions), then assert via `mc admin user info` that `readwrite` ends up on archiv-app. A genuine attach failure now exits 1 and blocks the stack from starting. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-11 12:00:34 +02:00
parent a36f25cfc3
commit 47c5f77c81
1 changed files with 2 additions and 2 deletions
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -94,8 +94,8 @@ services:
      /usr/bin/mc mb myminio/familienarchiv --ignore-existing;
      /usr/bin/mc anonymous set private myminio/familienarchiv;
      /usr/bin/mc admin user add myminio archiv-app $$MINIO_APP_PASSWORD || /usr/bin/mc admin user enable myminio archiv-app;
-      /usr/bin/mc admin policy attach myminio readwrite --user archiv-app || true;
-      exit 0;
+      /usr/bin/mc admin policy attach myminio readwrite --user archiv-app 2>/dev/null || true;
+      /usr/bin/mc admin user info myminio archiv-app | grep -q readwrite || { echo 'FATAL: archiv-app is missing the readwrite policy'; exit 1; };
      "

  # Dev-only mail catcher; gated behind the staging profile so production