update example with app and ro users

Author: westonplatter

README.md

@@ -1,4 +1,4 @@
-[![Banner][banner-image]](https://masterpoint.io/)
+![Banner][banner-image]](https://masterpoint.io/)
 
 # terraform-postgres-logical-dbs
 

examples/complete/README.md

@@ -0,0 +1,34 @@
+# Example: Complete Setup for PostgreSQL Logical Databases
+
+This example demonstrates how to set up PostgreSQL logical databases using Terraform. It includes configurations for both an application user and a read-only user.
+
+## Prerequisites
+
+- Terraform installed on your local machine.
+- Access to a PostgreSQL instance where you can apply these configurations.
+
+## Usage
+
+1. Clone the repository and navigate to the `examples/complete` directory.
+2. Review and update the `fixtures.tfvars` file with your specific configuration details.
+3. Run the following Terraform commands to apply the configuration:
+
+   ```bash
+   terraform init
+   terraform plan -var-file="fixtures.tfvars"
+   terraform apply -var-file="fixtures.tfvars"
+   ```
+
+## Roles and Permissions
+
+The `fixtures.tfvars` file defines two roles:
+
+- **app1_app_user**: This role is intended for application use with the following permissions:
+
+  - Can log in and is not a superuser.
+  - Has all privileges on tables and sequences in the `app1_db` database.
+  - Can use and create within the `public` schema.
+
+- **app1_readonly_user**: This role is intended for read-only access with the following permissions:
+  - Can log in and is not a superuser.
+  - Has `SELECT` privileges on tables and `USAGE`, `SELECT` on sequences in the `app1_db` database.

examples/complete/fixtures.tfvars

@@ -8,20 +8,106 @@ db_password  = "insecure-pass-for-demo"
 db_scheme    = "postgres"
 db_hostname  = "localhost"
 db_port      = 5432
-db_superuser = true
+db_superuser = false
 db_sslmode   = "disable"
 
 databases = [
   {
     name             = "app1_db"
     connection_limit = 10
-  },
+  }
+]
+
+roles = [
   {
-    name             = "app2_db"
-    connection_limit = 20
+    role = {
+      name      = "app1_app_user"
+      login     = true
+      superuser = false
+      password  = "securepassword1"
+    }
+
+    table_grants = {
+      role        = "app1_app_user"
+      database    = "app1_db"
+      schema      = "public"
+      object_type = "table"
+      objects     = [] # empty list to grant all tables
+      privileges  = ["ALL"]
+    }
+
+    schema_grants = {
+      role        = "app1_app_user"
+      database    = "app1_db"
+      schema      = "public"
+      object_type = "schema"
+      privileges  = ["USAGE", "CREATE"]
+    }
+
+    sequence_grants = {
+      role        = "app1_app_user"
+      database    = "app1_db"
+      schema      = "public"
+      object_type = "sequence"
+      objects     = [] # empty list to grant all sequences
+      privileges  = ["ALL"]
+    }
+
+    default_privileges = [{
+      role        = "app1_app_user"
+      database    = "app1_db"
+      schema      = "public"
+      owner       = "app1_app_user"
+      object_type = "table"
+      objects     = [] # empty list to grant all tables
+      privileges  = ["DELETE", "INSERT", "REFERENCES", "SELECT", "TRIGGER", "TRUNCATE", "UPDATE"]
+    }]
   },
   {
-    name             = "app3_db"
-    connection_limit = 30
+    role = {
+      name      = "app1_readonly_user"
+      login     = true
+      password  = "readonlypassword1"
+      superuser = false
+    }
+
+    table_grants = {
+      role        = "app1_readonly_user"
+      database    = "app1_db"
+      schema      = "public"
+      object_type = "table"
+      objects     = [] # empty list to grant all tables
+      privileges  = ["SELECT"]
+    }
+
+    sequence_grants = {
+      role        = "app1_readonly_user"
+      database    = "app1_db"
+      schema      = "public"
+      object_type = "sequence"
+      objects     = [] # empty list to grant all sequences
+      privileges  = ["USAGE", "SELECT"]
+    }
+
+    default_privileges = [
+      {
+        role        = "app1_readonly_user"
+        database    = "app1_db"
+        schema      = "public"
+        owner       = "app1_app_user"
+        object_type = "table"
+        objects     = [] # empty list to grant all tables
+        privileges  = ["SELECT"]
+      },
+      {
+        role        = "app1_readonly_user"
+        database    = "app1_db"
+        schema      = "public"
+        owner       = "app1_app_user"
+        object_type = "sequence"
+        objects     = [] # empty list to grant all sequences
+        privileges  = ["USAGE", "SELECT"]
+      },
+    ]
   }
 ]

examples/complete/main.tf

@@ -4,4 +4,6 @@ module "app_dbs" {
   source = "../../"
 
   databases = var.databases
+
+  roles = var.roles
 }

examples/complete/outputs.tf

@@ -0,0 +1,15 @@
+output "database_access" {
+  value = module.app_dbs.database_access
+}
+
+output "default_privileges" {
+  value = module.app_dbs.default_privileges
+}
+
+output "schema_access" {
+  value = module.app_dbs.schema_access
+}
+
+output "table_access" {
+  value = module.app_dbs.table_access
+}

examples/complete/variables.tf

@@ -41,3 +41,68 @@ variable "databases" {
     connection_limit = number
   }))
 }
+
+
+variable "roles" {
+  type = list(object({
+    role = object({
+      # See defaults: https://registry.terraform.io/providers/cyrilgdn/postgresql/latest/docs/resources/postgresql_role
+      name                      = string
+      superuser                 = optional(bool)
+      create_database           = optional(bool)
+      create_role               = optional(bool)
+      inherit                   = optional(bool)
+      login                     = optional(bool)
+      replication               = optional(bool)
+      bypass_row_level_security = optional(bool)
+      connection_limit          = optional(number)
+      encrypted_password        = optional(bool)
+      password                  = optional(string)
+      roles                     = optional(list(string))
+      search_path               = optional(list(string))
+      valid_until               = optional(string)
+      skip_drop_role            = optional(bool)
+      skip_reassign_owned       = optional(bool)
+      statement_timeout         = optional(number)
+      assume_role               = optional(string)
+    })
+    default_privileges = optional(list(object({
+      role        = string
+      database    = string
+      schema      = string
+      owner       = string
+      object_type = string
+      privileges  = list(string)
+    })))
+    database_grants = optional(object({
+      role        = string
+      database    = string
+      object_type = string
+      privileges  = list(string)
+    }))
+    schema_grants = optional(object({
+      role        = string
+      database    = string
+      schema      = string
+      object_type = string
+      privileges  = list(string)
+    }))
+    table_grants = optional(object({
+      role        = string
+      database    = string
+      schema      = string
+      object_type = string
+      objects     = list(string)
+      privileges  = list(string)
+    }))
+    sequence_grants = optional(object({
+      role        = string
+      database    = string
+      schema      = string
+      object_type = string
+      objects     = list(string)
+      privileges  = list(string)
+    }))
+  }))
+  description = "List of static postgres roles to create and related permissions. These are for applications that use static credentials and don't use IAM DB Auth. See defaults: https://registry.terraform.io/providers/cyrilgdn/postgresql/latest/docs/resources/postgresql_role"
+}

main.tf

@@ -3,3 +3,120 @@ resource "postgresql_database" "logical_db" {
   name             = each.key
   connection_limit = each.value.connection_limit
 }
+
+
+locals {
+  roles_with_passwords = [for idx, role_data in var.roles : merge(role_data,
+    {
+      role : merge(role_data["role"],
+        lookup(role_data["role"], "password", null) != null ? # Or if it's empty string?
+        {
+          password : role_data["role"]["password"]
+        } :
+        {
+          password : random_password.user_password[idx].result
+        }
+      )
+    }
+  )]
+
+  _database_grants    = [for role in local.roles_with_passwords : role.database_grants if try(role.database_grants, null) != null]
+  _default_privileges = flatten([for role in local.roles_with_passwords : role.default_privileges if try(role.default_privileges, null) != null])
+  _schema_grants      = [for role in local.roles_with_passwords : role.schema_grants if try(role.schema_grants, null) != null]
+  _sequence_grants    = [for role in local.roles_with_passwords : role.sequence_grants if try(role.sequence_grants, null) != null]
+  _table_grants       = [for role in local.roles_with_passwords : role.table_grants if try(role.table_grants, null) != null]
+}
+
+# If no password passed in, then use this to generate one
+resource "random_password" "user_password" {
+  count = length(var.roles)
+
+  length = 33
+  # Leave special characters out to avoid quoting and other issues.
+  # Special characters have no additional security compared to increasing length.
+  special          = false
+  override_special = "!#$%^&*()<>-_"
+}
+
+# In Postgres 15, now new users cannot create tables or write data to Postgres public schema by default. You have to grant create privilege to the new user manually.
+# https://www.postgresql.org/docs/current/ddl-priv.html#DDL-PRIV-CREATE
+resource "postgresql_role" "role" {
+  depends_on = [postgresql_database.logical_db]
+
+  for_each = { for role in local.roles_with_passwords : role.role.name => role }
+
+  name                      = each.value.role.name
+  superuser                 = each.value.role.superuser
+  create_database           = each.value.role.create_database
+  create_role               = each.value.role.create_role
+  inherit                   = each.value.role.inherit
+  login                     = each.value.role.login
+  replication               = each.value.role.replication
+  bypass_row_level_security = each.value.role.bypass_row_level_security
+  connection_limit          = each.value.role.connection_limit
+  encrypted_password        = each.value.role.encrypted_password
+  password                  = each.value.role.password
+  roles                     = each.value.role.roles
+  search_path               = each.value.role.search_path
+  valid_until               = each.value.role.valid_until
+  skip_drop_role            = each.value.role.skip_drop_role
+  skip_reassign_owned       = each.value.role.skip_reassign_owned
+  statement_timeout         = each.value.role.statement_timeout
+  assume_role               = each.value.role.assume_role
+}
+
+resource "postgresql_grant" "database_access" {
+
+  for_each = { for grant in local._database_grants : format("%s-%s", grant.role, grant.database) => grant }
+
+  role        = each.value.role
+  database    = each.value.database
+  object_type = each.value.object_type
+  privileges  = each.value.privileges
+}
+
+resource "postgresql_grant" "schema_access" {
+
+  for_each = { for grant in local._schema_grants : format("%s-%s-%s", grant.role, grant.schema, grant.database) => grant }
+
+  role        = each.value.role
+  database    = each.value.database
+  schema      = each.value.schema
+  object_type = each.value.object_type
+  privileges  = each.value.privileges
+}
+
+resource "postgresql_grant" "table_access" {
+
+  for_each = { for grant in local._table_grants : format("%s-%s-%s", grant.role, grant.schema, grant.database) => grant }
+
+  role        = each.value.role
+  database    = each.value.database
+  schema      = each.value.schema
+  object_type = each.value.object_type
+  privileges  = each.value.privileges
+  objects     = each.value.objects
+}
+
+resource "postgresql_grant" "sequence_access" {
+
+  for_each = { for grant in local._sequence_grants : format("%s-%s-%s", grant.role, grant.schema, grant.database) => grant }
+
+  role        = each.value.role
+  database    = each.value.database
+  schema      = each.value.schema
+  object_type = each.value.object_type
+  privileges  = each.value.privileges
+}
+
+resource "postgresql_default_privileges" "privileges" {
+
+  for_each = { for grant in local._default_privileges : format("%s-%s-%s-%s", grant.role, grant.database, grant.schema, grant.object_type) => grant }
+
+  role        = each.value.role
+  database    = each.value.database
+  schema      = each.value.schema
+  owner       = each.value.owner
+  object_type = each.value.object_type
+  privileges  = each.value.privileges
+}

outputs.tf

@@ -0,0 +1,19 @@
+output "database_access" {
+  value = postgresql_grant.database_access
+}
+
+output "schema_access" {
+  value = postgresql_grant.schema_access
+}
+
+output "table_access" {
+  value = postgresql_grant.table_access
+}
+
+output "sequence_access" {
+  value = postgresql_grant.sequence_access
+}
+
+output "default_privileges" {
+  value = postgresql_default_privileges.privileges
+}