Replies: 1 comment 1 reply
-
|
I found a way to do it, even if it is not perfect. The drawback is that it leads to a big state... resource "postgresql_database" "db" {
for_each = var.enabled ? toset([for db in var.db_names : db if db != var.master_db]) : []
name = each.key
template = "template1"
}
resource "postgresql_role" "role" {
for_each = local.credentials
name = each.value["username"]
password = each.value["password"]
login = true
lifecycle {
ignore_changes = [
password
]
}
depends_on = [
postgresql_grant.revoke_connect_to_all_db,
postgresql_grant.revoke_all_to_all_db
]
}
# Shared Database Hosting https://wiki.postgresql.org/wiki/Shared_Database_Hosting
# REVOKE DB CONNEXION FROM ALL NEW USERS
resource "postgresql_grant" "revoke_connect_to_all_db" {
for_each = var.enabled ? toset(var.db_names) : []
database = each.value
role = "public"
object_type = "database"
privileges = []
depends_on = [
postgresql_database.db
]
}
# REVOKE ALL FROM ALL NEW USERS
resource "postgresql_grant" "revoke_all_to_all_db" {
for_each = var.enabled ? toset(var.db_names) : []
database = each.value
role = "public"
schema = "public"
object_type = "table"
privileges = []
depends_on = [
postgresql_database.db
]
}
# GRANT DB CONNEXION ONLY TO THE USER DB
resource "postgresql_grant" "connect_to_db" {
for_each = local.credentials
database = each.value["dbname"]
role = each.value["username"]
object_type = "database"
privileges = ["CONNECT", "TEMPORARY"]
depends_on = [
postgresql_database.db,
postgresql_role.role
]
}
# GRANT ALL WITHOUT TRUNCATE IN SCHEMA public ON ALL TABLES
resource "postgresql_grant" "all_on_public" {
for_each = local.credentials
database = each.value["dbname"]
role = each.value["username"]
schema = "public"
object_type = "table"
privileges = ["SELECT", "INSERT", "UPDATE", "DELETE", "REFERENCES", "TRIGGER"]
depends_on = [
postgresql_database.db,
postgresql_role.role
]
}
# ALTER DEFAULT PRIVILEGES ALL WITHOUT TRUNCATE IN SCHEMA public ON ALL TABLES
resource "postgresql_default_privileges" "default_all_on_public" {
for_each = local.credentials
database = each.value["dbname"]
role = each.value["username"]
schema = "public"
owner = var.master_username
object_type = "table"
privileges = ["SELECT", "INSERT", "UPDATE", "DELETE", "REFERENCES", "TRIGGER"]
depends_on = [
postgresql_database.db,
postgresql_role.role
]
}
# GRANT USAGE ON SCHEMA pg_catalog
resource "postgresql_grant" "usage_on_pg_catalog" {
for_each = local.credentials
database = each.value["dbname"]
role = each.value["username"]
schema = "public"
object_type = "schema"
privileges = ["USAGE"]
depends_on = [
postgresql_database.db,
postgresql_role.role
]
} |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
If you have another way to do it, you're welcome because it is not scalable at all. |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Hello community,
I tried lot of things with that provider but impossible to achieve what I want. I have an AWS RDS shared database between several applications. I created 1 user per database and I want to restrict access to only one database for each user.
I tried to :
allow_connections = falseduring base creation and after add CONNECT grant per user per database but it doesn't work. AWS give a normal user (not superuser) to manage the database so I cannot connect to the DB and change grantsThanks for your help
Beta Was this translation helpful? Give feedback.
All reactions