feat: define module (#1)

Author: vthiery

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: daily

.github/workflows/lint.yml

@@ -0,0 +1,23 @@
+name: Lint
+
+on: [push, pull_request]
+jobs:
+  lint:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
+        terraform-versions: [0.15.x]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2.3.4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1.3.2
+        with:
+          terraform_version: ${{ matrix['terraform-versions'] }}
+          terraform_wrapper: false
+
+      - name: Terraform fmt
+        id: fmt
+        run: terraform fmt -check

.gitignore

@@ -0,0 +1,9 @@
+# Terraform
+*.auto.tfvars*
+.terraform/
+*.tfstate*
+terraform.tfstate.d
+.terraform.lock.hcl
+
+# Terratest
+.test-data/

README.md

@@ -17,7 +17,7 @@ In particular:
 
 ```hcl
 module "foo" {
-  source = "git@github.com:edgelaboratories/terraform-modules//postgresql/db?ref=v0.1.0"
+  source = "git@github.com:edgelaboratories/terraform-postgresql-db?ref=v0.1.0"
 
   database       = "foo"
   owner          = "admin"

database.tf

@@ -0,0 +1,50 @@
+resource "postgresql_role" "owner" {
+  name     = var.owner
+  login    = true
+  password = var.owner_password
+  roles    = var.roles
+
+  connection_limit = var.connection_limit
+
+  # We don't want to reassign objects especially because it's executed
+  # in the current database (so 'postgres') so it makes no sense.
+  skip_reassign_owned = true
+}
+
+resource "postgresql_database" "this" {
+  name  = var.database
+  owner = postgresql_role.owner.name
+
+  # CREATE DATABASE uses template1 by default, but the Terraform provider uses template0.
+  # In RDS, the owner of the schema 'public' is 'postgres' in template1, so we can manage owner of tables
+  # but 'rdsadmin' in template0 so we don't have all the permissions.
+  template = "template1"
+
+  lc_collate = var.lc_collate
+  lc_ctype   = coalesce(var.lc_ctype, var.lc_collate)
+}
+
+resource "postgresql_extension" "this" {
+  count = length(var.extensions)
+
+  name     = element(var.extensions, count.index)
+  database = postgresql_database.this.name
+
+  # On destroy, force the deletion of the extension even if things not managed by Terraform depend on it.
+  # This can happen if a database and/or a schema has been created using
+  # Terraform, but tables depending on features of an extension were created
+  # outside of Terraform.
+  # In that case, it's not possible to drop the extension on the first try.
+  drop_cascade = true
+}
+
+## Schemas
+resource "postgresql_schema" "this" {
+  count = length(var.schemas)
+
+  name          = element(var.schemas, count.index)
+  owner         = var.schemas[count.index] == "public" ? null : postgresql_role.owner.name
+  database      = postgresql_database.this.name
+  if_not_exists = true
+  drop_cascade  = true
+}

outputs.tf

@@ -0,0 +1,15 @@
+output "database" {
+  value = postgresql_database.this.name
+}
+
+output "owner" {
+  value = postgresql_role.owner.name
+}
+
+output "role_ro" {
+  value = postgresql_role.read_only.name
+}
+
+output "role_rw" {
+  value = postgresql_role.read_write.name
+}

provider.tf

@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    postgresql = {
+      source = "cyrilgdn/postgresql"
+    }
+  }
+}

read-only.tf

@@ -0,0 +1,52 @@
+resource "postgresql_role" "read_only" {
+  name                = "${var.database}_ro"
+  skip_reassign_owned = true
+}
+
+## Tables
+resource "postgresql_grant" "read_only_tables" {
+  count = length(postgresql_schema.this)
+
+  role     = postgresql_role.read_only.name
+  database = postgresql_database.this.name
+  schema   = postgresql_schema.this[count.index].name
+
+  object_type = "table"
+  privileges  = ["SELECT"]
+}
+
+resource "postgresql_default_privileges" "read_only_tables" {
+  count = length(postgresql_schema.this)
+
+  role     = postgresql_role.read_only.name
+  database = postgresql_database.this.name
+  schema   = postgresql_schema.this[count.index].name
+
+  owner       = postgresql_role.owner.name
+  object_type = "table"
+  privileges  = ["SELECT"]
+}
+
+## Sequences
+resource "postgresql_grant" "read_only_sequences" {
+  count = length(postgresql_schema.this)
+
+  role     = postgresql_role.read_only.name
+  database = postgresql_database.this.name
+  schema   = postgresql_schema.this[count.index].name
+
+  object_type = "sequence"
+  privileges  = ["SELECT"]
+}
+
+resource "postgresql_default_privileges" "read_only_sequences" {
+  count = length(postgresql_schema.this)
+
+  role     = postgresql_role.read_only.name
+  database = postgresql_database.this.name
+  schema   = postgresql_schema.this[count.index].name
+
+  owner       = postgresql_role.owner.name
+  object_type = "sequence"
+  privileges  = ["SELECT"]
+}

read-write.tf

@@ -0,0 +1,52 @@
+resource "postgresql_role" "read_write" {
+  name                = "${var.database}_rw"
+  skip_reassign_owned = true
+}
+
+## Tables
+resource "postgresql_grant" "read_write_tables" {
+  count = length(postgresql_schema.this)
+
+  role     = postgresql_role.read_write.name
+  database = postgresql_database.this.name
+  schema   = postgresql_schema.this[count.index].name
+
+  object_type = "table"
+  privileges  = ["SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE"]
+}
+
+resource "postgresql_default_privileges" "read_write_tables" {
+  count = length(postgresql_schema.this)
+
+  role     = postgresql_role.read_write.name
+  database = postgresql_database.this.name
+  schema   = postgresql_schema.this[count.index].name
+
+  owner       = postgresql_role.owner.name
+  object_type = "table"
+  privileges  = ["SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE"]
+}
+
+## Sequences
+resource "postgresql_grant" "read_write_sequences" {
+  count = length(postgresql_schema.this)
+
+  role     = postgresql_role.read_write.name
+  database = postgresql_database.this.name
+  schema   = postgresql_schema.this[count.index].name
+
+  object_type = "sequence"
+  privileges  = ["SELECT", "UPDATE"]
+}
+
+resource "postgresql_default_privileges" "read_write_sequences" {
+  count = length(postgresql_schema.this)
+
+  role     = postgresql_role.read_write.name
+  database = postgresql_database.this.name
+  schema   = postgresql_schema.this[count.index].name
+
+  owner       = postgresql_role.owner.name
+  object_type = "sequence"
+  privileges  = ["SELECT", "UPDATE"]
+}

variables.tf

@@ -0,0 +1,43 @@
+variable "database" {
+  description = "The name of the database"
+}
+
+variable "schemas" {
+  description = "The schemas to create"
+  default     = ["public"]
+}
+
+variable "owner" {
+  description = "The name of the owner of the database"
+}
+
+variable "owner_password" {
+  description = "The password for the owner of the database"
+}
+
+variable "roles" {
+  type        = list(string)
+  description = "A list of roles to grant to the owner of the database"
+  default     = []
+}
+
+variable "extensions" {
+  type        = list(string)
+  description = "A list of PostgreSQL extensions to install in the database"
+  default     = []
+}
+
+variable "connection_limit" {
+  default     = -1
+  description = "Maximum number of connections for the owner role"
+}
+
+variable "lc_collate" {
+  default     = "en_US.UTF-8"
+  description = "Controls the sort order"
+}
+
+variable "lc_ctype" {
+  default = null
+  type    = string
+}