feat(INT-60): write up knowledge base example for standard DBs + Roles (#5)

## what

- providers an example that pairs with
https://www.notion.so/masterpoint/Databases-in-IaC-1c8859758a568015b3d6da59c1ce1685
- Example that creates admin, writer, and reader roles.

## why

## references
-
[INT-60](https://www.notion.so/masterpoint/Write-up-approach-in-Knowledge-Base-1d1859758a568067be11cbd552989384)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **Documentation**
- Corrected a Markdown syntax error in the main README to fix the banner
image link.
- Added a comprehensive README for the web app example, detailing
PostgreSQL setup using Terraform, role descriptions, and authentication
notes.
- **New Features**
- Introduced a complete example for a production-ready PostgreSQL setup
using Terraform, including configuration files for variables, providers,
outputs, and version constraints.
- Added sample Terraform configuration and variable files to define
database roles, privileges, and connection settings for a web
application environment.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: 3 people

README.md

@@ -1,4 +1,4 @@
-![Banner][banner-image]](https://masterpoint.io/)
+[![Banner][banner-image]](https://masterpoint.io/)
 
 # terraform-postgres-automation
 

examples/web_app/README.md

@@ -0,0 +1,99 @@
+# Example: Web (FastAPI) App setup
+
+This example shows how to create roles for a FastAPI web application with thoughtful permission boundaries intended for a production setup.
+
+## Prerequisites
+
+- Terraform installed on your local machine.
+- Access to a PostgreSQL instance where you can apply these configurations.
+
+## Usage
+
+1. Clone the repository and navigate to the `examples/web_app` directory.
+2. Review and update the `fixtures.tfvars` file with your specific configuration details.
+3. Run the following Terraform commands to apply the configuration:
+
+```bash
+terraform init
+
+# cat out the databases and roles
+cat fixtures.auto.vars
+
+terraform plan
+terraform apply
+```
+
+## Roles and Permissions
+
+There are 3 roles in this example,
+
+- **fastapi_app_owner**: owner of the `web_app` database.
+
+  - This DB role is only used and accessed in the CI/CD
+  - This role applies migrations (makes changes to the DB structure) prior to the application booting up
+
+- **fastapi_app_writer**: writer role for the `web_app` database
+
+  - This DB role is the primary role for the FastAPI application
+  - This role has full Create, Read, Update, Delete abilities
+
+- **fastapi_app_reader**: reader role for the `web_app` database.
+  - This DB role is a secondary role for the FastAPI application
+  - This role can only Read from the DB. For example, we'd use this role for `GET` http endpoints.
+  - For production setups, we'd have this role connect to a Postgres Read-Replica Server to minimize the amount of DB traffic on Postgres Write-DB instance.
+
+## NOTE about authentication on Mac with default settings
+
+Some default `pg_hba.conf` Postgres settings will allow you to log into the
+Postgres server without ensuring a valid password. We ran into this when
+we installed `postgresql@17` via [Homebrew](https://brew.sh/)
+
+Example `pg_hba.conf` settings that don't check for a valid password
+
+```bash
+$ PG_PASSWORD=doesNotMatter psql web_app -U fastapi_app_owner
+psql (17.4 (Homebrew), server 17.2 (Homebrew))
+Type "help" for help.
+web_app=>
+```
+
+```bash
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+
+# "local" is for Unix domain socket connections only
+local   all             all                                     trust
+# IPv4 local connections:
+host    all             all             127.0.0.1/32            trust
+# IPv6 local connections:
+host    all             all             ::1/128                 trust
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local   replication     all                                     trust
+host    replication     all             127.0.0.1/32            trust
+host    replication     all             ::1/128                 trust
+```
+
+If you want Postgres to check the password values, swap in these `pg_hba.conf` changes,
+
+Example `pg_hba.conf` settings that require valid password values,
+
+```bash
+# Allow only "my_user" to connect without a password (local + IPv4 localhost)
+local   all             my_user                                  trust
+host    all             my_user          127.0.0.1/32            trust
+# All other users must use a password (local + IPv4 localhost + IPv6 localhost + other hosts)
+local   all             all                                     md5
+host    all             all             127.0.0.1/32            md5
+host    all             all             ::1/128                 md5
+# Replication rules (if needed, otherwise you can remove them or secure similarly)
+local   replication     all                                     md5
+host    replication     all             127.0.0.1/32            md5
+host    replication     all             ::1/128                 md5
+```
+
+```bash
+$ PG_PASSWORD=insecure-pass-for-demo-fastapi-app-owner psql web_app -U fastapi_app_owner
+psql (17.4 (Homebrew), server 17.2 (Homebrew))
+Type "help" for help.
+web_app=>
+```

examples/web_app/fixtures.auto.tfvars

@@ -0,0 +1,157 @@
+# complete/fixtures.tfvars
+
+# postgres shell command to create this user:
+# CREATE ROLE admin_user LOGIN CREATEDB PASSWORD 'insecure-pass-for-demo-admin-user';
+db_username = "admin_user"
+
+db_password  = "insecure-pass-for-demo-admin-user"
+db_scheme    = "postgres"
+db_hostname  = "localhost"
+db_port      = 5432
+db_superuser = false
+db_sslmode   = "disable"
+
+databases = [
+  {
+    name             = "web_app"
+    connection_limit = 10
+  }
+]
+
+roles = [
+  {
+    role = {
+      name      = "fastapi_app_admin"
+      login     = true
+      superuser = false
+      password  = "insecure-pass-for-demo-fastapi-app-admin"
+    }
+    table_grants = {
+      role        = "fastapi_app_admin"
+      database    = "web_app"
+      schema      = "public"
+      object_type = "table"
+      objects     = [] # empty list to grant all tables
+      privileges  = ["ALL"]
+    }
+
+    schema_grants = {
+      role        = "fastapi_app_admin"
+      database    = "web_app"
+      schema      = "public"
+      object_type = "schema"
+      privileges  = ["USAGE", "CREATE"]
+    }
+
+    sequence_grants = {
+      role        = "fastapi_app_admin"
+      database    = "web_app"
+      schema      = "public"
+      object_type = "sequence"
+      objects     = [] # empty list to grant all sequences
+      privileges  = ["ALL"]
+    }
+  },
+  {
+    role = {
+      name      = "fastapi_app_writer"
+      login     = true
+      superuser = false
+      password  = "insecure-pass-for-demo-fastapi-app-writer"
+    }
+
+    table_grants = {
+      role        = "fastapi_app_writer"
+      database    = "web_app"
+      schema      = "public"
+      object_type = "table"
+      objects     = []      # empty list to grant all tables
+      privileges  = ["ALL"] # grant all privileges on tables to the writer role
+    }
+
+    schema_grants = {
+      role        = "fastapi_app_writer"
+      database    = "web_app"
+      schema      = "public"
+      object_type = "schema"
+      privileges  = ["USAGE"] # write does not have create privileges
+    }
+
+    sequence_grants = {
+      role        = "fastapi_app_writer"
+      database    = "web_app"
+      schema      = "public"
+      object_type = "sequence"
+      objects     = [] # empty list to grant all sequences
+      privileges  = ["ALL"]
+    }
+
+    default_privileges = [
+      {
+        role        = "fastapi_app_writer"
+        database    = "web_app"
+        schema      = "public"
+        owner       = "fastapi_app_admin"
+        object_type = "table"
+        objects     = [] # empty list to grant all tables
+        privileges  = ["ALL"]
+      },
+      {
+        role        = "fastapi_app_writer"
+        database    = "web_app"
+        schema      = "public"
+        owner       = "fastapi_app_admin"
+        object_type = "sequence"
+        objects     = [] # empty list to grant all sequences
+        privileges  = ["ALL"]
+      },
+    ]
+  },
+  {
+    role = {
+      name      = "fastapi_app_reader"
+      login     = true
+      password  = "insecure-pass-for-demo-fastapi-app-reader"
+      superuser = false
+    }
+
+    table_grants = {
+      role        = "fastapi_app_reader"
+      database    = "web_app"
+      schema      = "public"
+      object_type = "table"
+      objects     = [] # empty list to grant all tables
+      privileges  = ["SELECT"]
+    }
+
+    sequence_grants = {
+      role        = "fastapi_app_reader"
+      database    = "web_app"
+      schema      = "public"
+      object_type = "sequence"
+      objects     = [] # empty list to grant all sequences
+      privileges  = ["USAGE", "SELECT"]
+    }
+
+    default_privileges = [
+      {
+        role        = "fastapi_app_reader"
+        database    = "web_app"
+        schema      = "public"
+        owner       = "fastapi_app_admin"
+        object_type = "table"
+        objects     = [] # empty list to grant all tables
+        privileges  = ["SELECT"]
+      },
+      {
+        role        = "fastapi_app_reader"
+        database    = "web_app"
+        schema      = "public"
+        owner       = "fastapi_app_admin"
+        object_type = "sequence"
+        objects     = [] # empty list to grant all sequences
+        privileges  = ["USAGE", "SELECT"]
+      },
+    ]
+  }
+]

examples/web_app/main.tf

@@ -0,0 +1,8 @@
+# complete/main.tf
+
+module "postgres_automation" {
+  source = "../../"
+
+  databases = var.databases
+  roles     = var.roles
+}

examples/web_app/outputs.tf

@@ -0,0 +1,19 @@
+output "databases" {
+  value = module.postgres_automation.databases
+}
+
+output "database_access" {
+  value = module.postgres_automation.database_access
+}
+
+output "default_privileges" {
+  value = module.postgres_automation.default_privileges
+}
+
+output "schema_access" {
+  value = module.postgres_automation.schema_access
+}
+
+output "table_access" {
+  value = module.postgres_automation.table_access
+}

examples/web_app/providers.tf

@@ -0,0 +1,11 @@
+# complete/providers.tf
+
+provider "postgresql" {
+  scheme    = var.db_scheme
+  host      = var.db_hostname
+  username  = var.db_username
+  port      = var.db_port
+  password  = var.db_password
+  superuser = var.db_superuser
+  sslmode   = var.db_sslmode
+}