neoloc/droneci #148
@ -84,6 +84,16 @@ class profiles::sql::patroni (
|
||||
],
|
||||
}
|
||||
|
||||
$connect_settings = {
|
||||
|
||||
}
|
||||
|
||||
# collect exported resources
|
||||
$tag = "${facts['country']}-${facts['region']}-${facts['environment']}"
|
||||
Profiles::Sql::Postgres::Db <<| tag == $tag |>> {}
|
||||
Profiles::Sql::Postgres::User <<| tag == $tag |>> {}
|
||||
Profiles::Sql::Postgres::Grant <<| tag == $tag |>> {}
|
||||
|
||||
if $postgres_exporter_enabled {
|
||||
class { 'prometheus::postgres_exporter':
|
||||
postgres_user => $postgres_exporter_user,
|
||||
|
||||
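--- /dev/null
+++ b/site/profiles/manifests/sql/postgres/db.pp
@@ -0,0 +1,9 @@
+define profiles::sql::postgres::db (
+String $dbname,
+) {
+postgresql_psql { "create_database_${dbname}":
+command => "CREATE DATABASE \"${dbname}\"",
+unless => "SELECT 1 FROM pg_database WHERE datname = '${dbname}'",
+}
+}
+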
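Review bot: `$dbname` is spliced unescaped into both a double-quoted identifier (`CREATE DATABASE \"${dbname}\"`) and a single-quoted literal in the `unless` query, so a name containing a quote breaks or alters the statement, and the `String` type accepts any value. Constraining the parameter to a plain identifier, `Pattern[/\A[a-z_][a-z0-9_]*\z/] $dbname,`, rejects such values at catalog compile time and also makes the exact `datname =` comparison in the check agree with the case-preserving quoted identifier in the command. The value comes from class parameters rather than from an untrusted caller, so this is a data-quality guard, but it costs one line.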
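--- /dev/null
+++ b/site/profiles/manifests/sql/postgres/grant.pp
@@ -0,0 +1,38 @@
+define profiles::sql::postgres::grant (
+String $username,
+Enum['SCHEMA', 'DATABASE'] $type = 'DATABASE',
+Optional[String] $dbname = undef,
+Optional[String] $schema = undef,
+String $privilege = 'ALL PRIVILEGES',
+) {
+# Validate parameters based on type
+if $type == 'DATABASE' and $dbname == undef {
+fail('The dbname parameter must be provided when type is DATABASE')
+}
+
+if $type == 'SCHEMA' and ($dbname == undef or $schema == undef) {
+fail('Both dbname and schema parameters must be provided when type is SCHEMA')
+}
+
+# Determine the appropriate SQL command and unless condition
+$command = $type ? {
+'DATABASE' => "GRANT ${privilege} ON DATABASE ${dbname} TO ${username}",
+'SCHEMA' => "GRANT ${privilege} ON SCHEMA ${schema} TO ${username}",
+}
+
+$unless = $type ? {
+'DATABASE' => "SELECT 1 FROM pg_roles r WHERE r.rolname='${username}' AND has_database_privilege('${username}', '${dbname}', 'CONNECT')", # lint:ignore:140chars
+'SCHEMA' => "SELECT 1 FROM pg_namespace n JOIN pg_roles r ON r.oid = n.nspowner WHERE nspname = '${schema}' AND r.rolname = '${username}'", # lint:ignore:140chars
+}
+# Ensure the db parameter is set correctly when type is SCHEMA
+$effective_dbname = $type ? {
+'SCHEMA' => $dbname,
+'DATABASE' => $dbname,
+}
+
+postgresql_psql { "grant_${privilege}_on_${type}_${effective_dbname}_${schema}_to_${username}":
+command => $command,
+unless => $unless,
+db => $effective_dbname,
+}
+}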
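Review bot: The SCHEMA branch of `$unless` tests whether `$username` owns the schema (`pg_roles r ON r.oid = n.nspowner`), not whether it holds the privilege, so for a schema owned by another role — the `public` schema in the default case — the GRANT is re-executed on every run and the resource never converges. Mirroring the DATABASE branch, `"SELECT 1 FROM pg_roles r WHERE r.rolname='${username}' AND has_schema_privilege('${username}', '${schema}', 'USAGE')"` checks the same thing the command grants (as approximately as the CONNECT test does for databases). The identifiers in `$command` are also interpolated unquoted (`ON DATABASE ${dbname} TO ${username}`) while `db.pp` and `user.pp` create them as quoted identifiers, so a mixed-case name would be created case-preserved there and folded to lowercase here; quoting them the same way, or typing `$username`, `$dbname` and `$schema` with a `Pattern[...]` limited to plain identifiers, keeps the three defines consistent and closes the unescaped interpolation. Separately, `$effective_dbname` yields `$dbname` in both branches and the comment above it describes a check that does not happen; `db => $dbname,` says the same thing without the selector.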
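--- /dev/null
+++ b/site/profiles/manifests/sql/postgres/user.pp
@@ -0,0 +1,9 @@
+define profiles::sql::postgres::user (
+String $username,
+String $password,
+) {
+postgresql_psql { "create_user_${username}":
+command => "CREATE USER \"${username}\" WITH ENCRYPTED PASSWORD '${password}'",
+unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}'",
+}
+}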
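Review bot: `$password` is interpolated into the SQL as `PASSWORD '${password}'` with no escaping, so a password containing `'` breaks the statement, and as a plain `String` the full value is printed whenever `postgresql_psql` fails and reports its command. Declaring it `Sensitive[String] $password,` and building the command from `$password.unwrap` lets Puppet redact it in reports and catalog diffs; if the postgresql module version in use supports it, `sensitive => true,` on the `postgresql_psql` resource hides the command text as well. Restricting `$username` to a plain identifier pattern, as the same interpolation in `db.pp` would benefit from, removes the quoting concern for that value. The `unless` only checks that the role exists, so a password change is never applied by this resource; that is a reasonable choice but is worth a one-line comment on the define.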
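--- /dev/null
+++ b/site/profiles/manifests/sql/postgresdb.pp
@@ -0,0 +1,61 @@
+class profiles::sql::postgresdb (
+String $dbname,
+String $dbuser,
+String $dbpass,
+Boolean $create_host_users = false,
+Boolean $members_lookup = false,
+String $members_role = undef,
+Array $servers = [],
+){
+
+# if lookup is enabled
+if $members_lookup {
+
+# check that the role is also set
+unless !($members_role == undef) {
+fail("members_role must be provided for ${title} when members_lookup is True")
+}
+
+# if it is, find hosts, sort them so they dont cause changes every run
+$servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
+
+# else use provided array from params
+}else{
+$servers_array = $servers
+}
+
+$tag = "${facts['country']}-${facts['region']}-${facts['environment']}"
+
+# only export from the first server in a cluster
+if $servers_array[0] == $facts['networking']['fqdn'] {
+
+# manage the postgres db
+@@profiles::sql::postgres::db { "${facts['networking']['fqdn']}_db_${dbname}":
+dbname => $dbname,
+tag => $tag,
+}
+
+@@profiles::sql::postgres::user { "${facts['networking']['fqdn']}_role_${dbuser}":
+username => $dbuser,
+password => $dbpass,
+tag => $tag,
+}
+
+@@profiles::sql::postgres::grant { "${facts['networking']['fqdn']}_grant_db_${dbuser}_${dbuser}}":
+dbname => $dbname,
+username => $dbuser,
+type => 'DATABASE',
+privilege => 'ALL PRIVILEGES',
+tag => $tag,
+}
+
+@@profiles::sql::postgres::grant { "${facts['networking']['fqdn']}_grant_schema_${dbuser}_${dbuser}}":
+dbname => $dbname,
+username => $dbuser,
+type => 'SCHEMA',
+schema => 'public',
+privilege => 'ALL PRIVILEGES',
+tag => $tag,
+}
+}
+}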
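Review bot: `@@profiles::sql::postgres::user { ... password => $dbpass, }` exports the database password as a plain resource parameter, so it is stored in PuppetDB's catalog data and readable by any node or tool with PuppetDB query access, not just the collecting patroni nodes; exporting a pre-hashed credential (the module's `postgresql::postgresql_password` helper, or a SCRAM hash) or creating the role locally instead of via an exported resource would keep the secret out of PuppetDB. `String $members_role = undef` fails the parameter type check when the value is omitted — the default path, since `$members_lookup` is false — so it should read `Optional[String] $members_role = undef,`, and the guard below it is clearer as `if $members_role == undef {`. Both grant titles end in `_${dbuser}}"` with a stray `}` and interpolate `${dbuser}` twice where `${dbname}_${dbuser}` appears intended. When `$servers_array` is empty, `$servers_array[0]` is undef and the whole export block is silently skipped; a `fail()` or at least a `warning()` in that case would make a misconfigured `$servers` or an empty lookup visible.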