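locals {
  # Every role from var.roles, with role.password resolved to an effective
  # value: the caller-supplied password when one is present, otherwise the
  # random_password generated at the same list index. Both the supplied and
  # the generated value are persisted in Terraform state, so the state
  # backend needs access control and encryption at rest.
  _roles_with_passwords = [for idx, role_data in var.roles : merge(role_data,
    {
      role : merge(role_data["role"],
        lookup(role_data["role"], "password", null) != null ?
        {
          password : role_data["role"]["password"]
        } :
        {
          password : random_password.user_password[idx].result
        }
      )
    }
  )]

  # Grant lists collected across roles. flatten() leaves a single grant object
  # untouched and unwraps a per-role list of grants, so every *_grants_map
  # below iterates over grant objects regardless of which shape the caller
  # passed (previously only the default-privileges list was flattened).
  _default_privileges = flatten([for role in local._roles_with_passwords : role.default_privileges if try(role.default_privileges, null) != null])
  _database_grants    = flatten([for role in local._roles_with_passwords : role.database_grants if try(role.database_grants, null) != null])
  _schema_grants      = flatten([for role in local._roles_with_passwords : role.schema_grants if try(role.schema_grants, null) != null])
  _sequence_grants    = flatten([for role in local._roles_with_passwords : role.sequence_grants if try(role.sequence_grants, null) != null])
  _table_grants       = flatten([for role in local._roles_with_passwords : role.table_grants if try(role.table_grants, null) != null])

  # for_each maps keyed by the fields that make a grant unique. The keys are
  # part of each resource's address in state, so the formats must stay stable
  # (changing them would destroy and recreate every grant). Two grants that
  # produce the same key silently collapse into one.
  default_privileges_map = { for grant in local._default_privileges : format("%s-%s-%s-%s", grant.role, grant.database, grant.schema, grant.object_type) => grant }
  database_grants_map    = { for grant in local._database_grants : format("%s-%s", grant.role, grant.database) => grant }
  schema_grants_map      = { for grant in local._schema_grants : format("%s-%s-%s", grant.role, grant.schema, grant.database) => grant }
  sequence_grants_map    = { for grant in local._sequence_grants : format("%s-%s-%s", grant.role, grant.schema, grant.database) => grant }
  table_grants_map       = { for grant in local._table_grants : format("%s-%s-%s", grant.role, grant.schema, grant.database) => grant }

  # Lookup maps keyed by name; role.name and database.name must therefore be
  # unique within their respective input lists.
  roles_map     = { for role in local._roles_with_passwords : role.role.name => role }
  databases_map = { for database in var.databases : database.name => database }
}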
resource "random_password" "user_password" {
  # One generated password per entry in var.roles. A value is produced for
  # every role; locals only use it for roles that did not supply their own
  # password. Because this is count-based, the index follows the position in
  # var.roles: removing or reordering an entry shifts later roles onto a
  # different generated password. A for_each keyed by role name would avoid
  # that, but moving the resource in state needs care (see note below).
  count = length(var.roles)
  length = 33
  # Leave special characters out to avoid quoting and other issues.
  # Special characters have no additional security compared to increasing length.
  special = false
  # Only consulted when special = true, so it is inert here. Left as-is on
  # purpose: changing arguments on random_password replaces the resource and
  # would rotate every generated password.
  override_special = "!#$%^&*()<>-_"
}
# One logical database per entry in var.databases, addressed by its name.
resource "postgresql_database" "logical_dbs" {
  for_each = local.databases_map
  name = each.value.name
  # Per-database cap on concurrent connections; passed through from the input.
  connection_limit = each.value.connection_limit
}
# Since PostgreSQL 15, new users can no longer create tables or write data in the public schema by default; the CREATE privilege on that schema has to be granted explicitly.
# https://www.postgresql.org/docs/current/ddl-priv.html#DDL-PRIV-CREATE
# One Postgres role per entry in var.roles, addressed by role name. Every
# attribute is passed straight through from the input; the password is the
# effective value resolved in locals (caller-supplied or generated).
resource "postgresql_role" "role" {
  for_each = local.roles_map

  # Identity and authentication
  name               = each.value.role.name
  login              = each.value.role.login
  password           = each.value.role.password
  encrypted_password = each.value.role.encrypted_password
  valid_until        = each.value.role.valid_until

  # Privilege flags -- superuser, create_database, create_role, replication and
  # bypass_row_level_security are all high-impact and come from the input as-is.
  superuser                 = each.value.role.superuser
  create_database           = each.value.role.create_database
  create_role               = each.value.role.create_role
  create_role               = each.value.role.create_role
  inherit                   = each.value.role.inherit
  replication               = each.value.role.replication
  bypass_row_level_security = each.value.role.bypass_row_level_security

  # Membership and session defaults
  roles             = each.value.role.roles
  search_path       = each.value.role.search_path
  connection_limit  = each.value.role.connection_limit
  statement_timeout = each.value.role.statement_timeout
  assume_role       = each.value.role.assume_role

  # Destroy-time behaviour
  skip_drop_role      = each.value.role.skip_drop_role
  skip_reassign_owned = each.value.role.skip_reassign_owned

  # Roles are created only after the logical databases exist.
  depends_on = [postgresql_database.logical_dbs]
}
# Default privileges a role receives on objects that `owner` creates in the
# future within the given database/schema. One resource per entry in
# local.default_privileges_map (keyed role-database-schema-object_type).
resource "postgresql_default_privileges" "privileges" {
  # Postgres documentation specific to default privileges
  # https://www.postgresql.org/docs/current/sql-alterdefaultprivileges.html
  for_each = local.default_privileges_map
  role = each.value.role
  database = each.value.database
  schema = each.value.schema
  # Role whose future objects the defaults apply to.
  owner = each.value.owner
  object_type = each.value.object_type
  privileges = each.value.privileges
  # The target role is referenced by name (a plain string from locals), so the
  # dependency on postgresql_role.role has to be stated explicitly.
  depends_on = [postgresql_database.logical_dbs, postgresql_role.role]
}
# Database-level grants, one per entry in local.database_grants_map
# (keyed role-database).
resource "postgresql_grant" "database_access" {
  for_each = local.database_grants_map
  role = each.value.role
  database = each.value.database
  object_type = each.value.object_type
  privileges = each.value.privileges
  # Role is referenced by name, so the ordering dependency must be explicit.
  depends_on = [postgresql_database.logical_dbs, postgresql_role.role]
}
# Schema-level grants, one per entry in local.schema_grants_map
# (keyed role-schema-database).
resource "postgresql_grant" "schema_access" {
  for_each = local.schema_grants_map
  role = each.value.role
  database = each.value.database
  schema = each.value.schema
  object_type = each.value.object_type
  privileges = each.value.privileges
  # Role is referenced by name, so the ordering dependency must be explicit.
  depends_on = [postgresql_database.logical_dbs, postgresql_role.role]
}
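# Table-level grants, one per entry in local.table_grants_map
# (keyed role-schema-database). `objects` lists the tables covered.
resource "postgresql_grant" "table_access" {
  for_each = local.table_grants_map
  role = each.value.role
  database = each.value.database
  schema = each.value.schema
  object_type = each.value.object_type
  privileges = each.value.privileges
  objects = each.value.objects
  # The role is referenced by name (a string from locals), which creates no
  # implicit dependency; without postgresql_role.role here a first apply can
  # try to grant to a role that does not exist yet. Matches the other grants.
  depends_on = [postgresql_database.logical_dbs, postgresql_role.role]
}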
# Sequence-level grants, one per entry in local.sequence_grants_map
# (keyed role-schema-database).
resource "postgresql_grant" "sequence_access" {
  for_each = local.sequence_grants_map
  role = each.value.role
  database = each.value.database
  schema = each.value.schema
  object_type = each.value.object_type
  privileges = each.value.privileges
  # Role is referenced by name, so the ordering dependency must be explicit.
  depends_on = [postgresql_database.logical_dbs, postgresql_role.role]
}