feat: use a randomly generated password for the owner when empty (#5)

greut · Cyril Gaudin · vthiery · web-flow · commit 078c52c11ecb · 2021-10-12T08:35:05.000+02:00
Signed-off-by: Yoan Blanc &lt;yblanc@edgelab.ch&gt;
Co-authored-by: Cyril Gaudin &lt;cgaudin@edgelab.ch&gt;
Co-authored-by: Vincent Thiery &lt;vjmthiery@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -19,17 +19,20 @@ In particular:
   - `${vault_backend_path}/${DB_NAME}_ro`, that obtains credentials for the `${DB_NAME}_ro` role;
   - `${vault_backend_path}/${DB_NAME}_rw`, that obtains credentials for the `${DB_NAME}_rw` role.
 
+- When the intent is to use Vault, it's recommended to **NOT** provide the `owner_password`. In this case, it's not possible to log directly with the owner username, but only with the credentials generated by Vault.
+
 
 ## Usage
 
 ```hcl
 module "foo" {
-  source = "git@github.com:edgelaboratories/terraform-postgresql-db?ref=v0.3.1"
+  source = "git@github.com:edgelaboratories/terraform-postgresql-db?ref=v0.4.0"
 
   database       = "foo"
-  owner          = "admin"
-  owner_password = "admin"
+  owner          = "admin"  # Optional, default to database name
+  owner_password = "admin"  # Optional when using Vault
 
+  # Optional
   vault_backend_path       = "postgresql/elmer"
   vault_db_connection_name = "elmer"
 }
diff --git a/database.tf b/database.tf
@@ -1,6 +1,6 @@
 resource "postgresql_role" "owner" {
-  name     = var.owner
-  login    = true
+  name     = coalesce(var.owner, var.database)
+  login    = var.owner_password != null ? true : false
   password = var.owner_password
   roles    = var.roles
 
diff --git a/variables.tf b/variables.tf
@@ -15,11 +15,14 @@ variable "schemas" {
 }
 
 variable "owner" {
-  description = "The name of the owner of the database"
+  description = "The name of the owner of the database, defaults to database name"
+  default     = ""
 }
 
 variable "owner_password" {
   description = "The password for the owner of the database"
+  type        = string
+  default     = null
 }
 
 variable "roles" {
diff --git a/vault.tf b/vault.tf
@@ -1,6 +1,6 @@
 locals {
   vault_roles = var.vault_backend_path == "" ? {} : {
-    "${postgresql_database.this.name}"    = postgresql_role.owner.name
+    "${postgresql_role.owner.name}"       = postgresql_role.owner.name
     "${postgresql_database.this.name}-ro" = postgresql_role.read_only.name
     "${postgresql_database.this.name}-rw" = postgresql_role.read_write.name
   }

Original file line number	Diff line number	Diff line change
`@@ -15,11 +15,14 @@ variable "schemas" {`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`variable "owner" {`
`18`		`- description = "The name of the owner of the database"`
	`18`	`+ description = "The name of the owner of the database, defaults to database name"`
	`19`	`+ default = ""`
`19`	`20`	`}`
`20`	`21`
`21`	`22`	`variable "owner_password" {`
`22`	`23`	`description = "The password for the owner of the database"`
	`24`	`+ type = string`
	`25`	`+ default = null`
`23`	`26`	`}`
`24`	`27`
`25`	`28`	`variable "roles" {`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`locals {`
`2`	`2`	`vault_roles = var.vault_backend_path == "" ? {} : {`
`3`		`- "${postgresql_database.this.name}" = postgresql_role.owner.name`
	`3`	`+ "${postgresql_role.owner.name}" = postgresql_role.owner.name`
`4`	`4`	`"${postgresql_database.this.name}-ro" = postgresql_role.read_only.name`
`5`	`5`	`"${postgresql_database.this.name}-rw" = postgresql_role.read_write.name`
`6`	`6`	`}`