From 7f2ff1c3bc688695964817189a64061c113f5485 Mon Sep 17 00:00:00 2001
From: Michael Haehnel
Date: Wed, 19 Jul 2023 09:48:34 +0200
Subject: [PATCH] DEV-1007 FIX postgres update dataabse state
---
 .../postgres/tasks/_update_database_state.yml | 128 ++++++++++++------
 1 file changed, 84 insertions(+), 44 deletions(-)
diff --git a/roles/postgres/tasks/_update_database_state.yml b/roles/postgres/tasks/_update_database_state.yml
index f0a5729..5948662 100644
--- a/roles/postgres/tasks/_update_database_state.yml
+++ b/roles/postgres/tasks/_update_database_state.yml
@@ -5,19 +5,29 @@ ### - password ### - trusted_cidr_entry [shared_service_network] -- name: "Updating pg_hba.conf entries for users/nodes/schemas" - blockinfile: - marker: "# {mark} managed by ansible (pg_hba.conf entries for users/nodes/schemas)" - path: "/etc/postgresql/{{ default_postgres_version }}/main/pg_hba.conf" - mode: "0640" +- name: "Updating pg_hba.conf entries for postgres admin user" + lineinfile: state: "{{ database_state }}" - create: true - block: |- - {% for item in postgres_acls %} + regex: "^hostssl[ ]+all[ ]+{{ postgres_admin_user }}" + line: |- + hostssl all {{ postgres_admin_user }} {{ shared_service_network }} md5 + path: /etc/postgresql/{{ default_postgres_version }}/main/pg_hba.conf + +- name: "Updating pg_hba.conf entries for postgres readonly user" + lineinfile: + state: "{{ database_state }}" + regex: "^hostssl[ ]+all[ ]+{{ pgadmin4_oidc_dev_username }}" + line: |- + hostssl all {{ pgadmin4_oidc_dev_username }} {{ shared_service_network }} md5 + path: /etc/postgresql/{{ default_postgres_version }}/main/pg_hba.conf + +- name: "Updating dynamic pg_hba.conf entries for users/nodes/schemas" + lineinfile: + state: "{{ database_state }}" + regex: "^hostssl[ ]+{{ item.name }}[ ]+{{ item.name }}" + line: |- hostssl {{ item.name }} {{ item.name }} {{ item.trusted_cidr_entry | default(shared_service_network) }} md5 - {% endfor %} - hostssl all {{ postgres_admin_user }} {{ item.trusted_cidr_entry | default(shared_service_network) }} md5 - hostssl all {{ pgadmin4_oidc_dev_username }} {{ item.trusted_cidr_entry | default(shared_service_network) }} md5 + path: /etc/postgresql/{{ default_postgres_version }}/main/pg_hba.conf with_items: "{{ postgres_acls }}" - name: "Checking roles exist" # noqa command-instead-of-shell @@ -25,7 +35,7 @@ with_items: "{{ postgres_acls }}" register: role_check changed_when: "role_check.stdout == '0'" - become_user: postgres + become_user: "{{ postgres_admin_user }}" become: true - name: "Checking roles exist" 
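Review bot: The three new `regex` patterns end right after the role name and interpolate it unescaped, so `^hostssl[ ]+all[ ]+{{ postgres_admin_user }}` also matches any longer name sharing that prefix (constructed example: an acl named `app` in the dynamic task would match the `app2` line) and a regex metacharacter in the name changes the pattern; anchor with a trailing separator and escape the value, `regex: "^hostssl[ ]+all[ ]+{{ postgres_admin_user | regex_escape }}[ ]+"`, and likewise for the readonly and dynamic tasks. Hosts provisioned with the previous version still carry the old blockinfile block between the `# BEGIN/END managed by ansible (pg_hba.conf entries for users/nodes/schemas)` markers and nothing here removes it, so the hostssl rules inside that block remain in force next to the new lines; a one-off cleanup task such as the one below closes that gap. The old blockinfile also enforced `mode: "0640"` on pg_hba.conf, which the lineinfile tasks no longer do. I cannot see from this hunk whether a reload handler is notified for pg_hba.conf changes; if none exists, the rewritten rules only take effect at the next reload.
```yaml
- name: "Removing legacy pg_hba.conf block written by blockinfile"
  blockinfile:
    marker: "# {mark} managed by ansible (pg_hba.conf entries for users/nodes/schemas)"
    path: /etc/postgresql/{{ default_postgres_version }}/main/pg_hba.conf
    state: absent

# … unchanged: the three lineinfile tasks …
```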
@@ -37,19 +47,35 @@ - name: "Creating roles if necessary" shell: "/usr/bin/psql -c 'CREATE ROLE {{ item.item.name }} LOGIN;'" with_items: "{{ role_check.results }}" - become_user: postgres + become_user: "{{ postgres_admin_user }}" become: true when: - database_state == 'present' - item.stdout == '0' - server_type == 'master' +- name: "Grant CREATE privilege on public schema for if necessary" + community.postgresql.postgresql_privs: + role: "{{ item.item.name }}" + type: schema + priv: ALL + objs: public + login_user: "{{ postgres_admin_user }}" + database: "{{ item.item.name }}" + state: present + loop: "{{ role_check.results }}" + become: true + become_user: "{{ postgres_admin_user }}" + when: + - database_state == 'present' + - server_type == 'master' + - name: "Checking database exist" shell: '/usr/bin/psql -Atc "SELECT count(*) FROM pg_database WHERE datname = ''{{ item.name }}''"' with_items: "{{ postgres_acls }}" register: database_check changed_when: "database_check.stdout == '0'" - become_user: postgres + become_user: "{{ postgres_admin_user }}" become: true - name: "Check databases exist result" @@ -61,7 +87,7 @@ - name: "Creating Databases if necessary" shell: '/usr/bin/psql -c "CREATE DATABASE {{ item.item.name }};"' with_items: "{{ database_check.results }}" - become_user: postgres + become_user: "{{ postgres_admin_user }}" become: true when: - database_state == 'present' @@ -71,7 +97,7 @@ - name: "Deleting Databases if necessary" shell: '/usr/bin/psql -c "DROP DATABASE {{ item.item.name }} WITH (FORCE);"' with_items: "{{ database_check.results }}" - become_user: postgres + become_user: "{{ postgres_admin_user }}" become: true when: - database_state == 'absent' @@ -81,7 +107,7 @@ - name: "Deleting roles if necessary" shell: '/usr/bin/psql -c "DROP ROLE {{ item.item.name }};"' with_items: "{{ role_check.results }}" - become_user: postgres + become_user: "{{ postgres_admin_user }}" become: true when: - database_state == 'absent' 
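Review bot: The new "Grant CREATE privilege on public schema for if necessary" task connects with `database: "{{ item.item.name }}"`, but that database is only created by "Creating Databases if necessary" further down in this hunk, so on a fresh host the grant runs against a database that does not exist yet and the play fails before it reaches the create step; move the task below "Creating Databases if necessary" (or after "Changing owners for databases"). The task name says CREATE while `priv: ALL` grants every schema privilege, i.e. CREATE and USAGE; either narrow it to `priv: CREATE` or rename the task to say ALL, and drop the stray "for" in "for if necessary". Since it runs as `login_user: "{{ postgres_admin_user }}"` against a database owned by the acl role, a short comment stating why the owner needs an explicit grant (the later task revokes CREATE on `public` from PUBLIC in every database) would help the next reader, e.g. `# PUBLIC loses CREATE on schema public below; the owning role needs it back explicitly`.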
@@ -91,7 +117,7 @@ - name: "Changing password with scram-sha-256! for users and set password" shell: '/usr/bin/psql -c "set password_encryption = ''scram-sha-256'';ALTER ROLE {{ item.name }} WITH PASSWORD ''{{ item.password }}'';"' with_items: "{{ postgres_acls }}" - become_user: postgres + become_user: "{{ postgres_admin_user }}" become: true when: - database_state == 'present' 
@@ -100,72 +126,74 @@ - name: "Changing owners for databases" shell: '/usr/bin/psql -c "ALTER DATABASE {{ item.name }} OWNER TO {{ item.name }};"' with_items: "{{ postgres_acls }}" - become_user: postgres + become_user: "{{ postgres_admin_user }}" become: true when: - database_state == 'present' - server_type == 'master' -- name: "Create PostgreSQL readaccess group" +- name: "Create PostgreSQL readonly group" community.postgresql.postgresql_user: - name: "{{ pgadmin4_oidc_dev_username }}" - role_attr_flags: NOSUPERUSER,NOCREATEROLE,NOCREATEDB,NOLOGIN - login_user: "postgres" + name: "postgres_readonly" + role_attr_flags: NOLOGIN,NOSUPERUSER,NOINHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION + login_user: "{{ postgres_admin_user }}" state: present become: true - become_user: postgres + become_user: "{{ postgres_admin_user }}" when: - server_type == 'master' - name: "Get list of all databases" community.postgresql.postgresql_query: query: "SELECT datname FROM pg_database WHERE datistemplate = false" - login_user: "postgres" - db: "postgres" + login_user: "{{ postgres_admin_user }}" + db: "{{ postgres_admin_user }}" register: database_list become: true - become_user: postgres + become_user: "{{ postgres_admin_user }}" -- name: "Revoke CREATE privilege from public role" +- name: Revoke CREATE privilege on public schema from postgres_readonly group community.postgresql.postgresql_privs: role: "public" type: schema - privs: CREATE + priv: CREATE objs: public - login_user: "postgres" - state: absent + login_user: "{{ postgres_admin_user }}" database: "{{ item.datname }}" + state: absent loop: "{{ database_list.query_result }}" become: true - become_user: postgres + become_user: "{{ postgres_admin_user }}" when: - server_type == 'master' -- name: "Grant USAGE privilege to readaccess group" +- name: "Grant USAGE privilege to postgres readonly group" community.postgresql.postgresql_privs: - role: "{{ pgadmin4_oidc_dev_username }}" + role: "postgres_readonly" type: schema priv: 
USAGE objs: public - login_user: "postgres" - database: "" + login_user: "{{ postgres_admin_user }}" + database: "{{ item.datname }}" + loop: "{{ database_list.query_result }}" become: true - become_user: postgres + become_user: "{{ postgres_admin_user }}" when: - server_type == 'master' -- name: "Grant SELECT on all tables in all databases to readaccess group" +- name: "Grant SELECT on all tables in all databases to postgres readonly group" community.postgresql.postgresql_privs: - role: "{{ pgadmin4_oidc_dev_username }}" + role: "postgres_readonly" type: table priv: SELECT schema: public objs: ALL_IN_SCHEMA - login_user: "postgres" + login_user: "{{ postgres_admin_user }}" database: "{{ item.datname }}" + state: present loop: "{{ database_list.query_result }}" become: true - become_user: postgres + become_user: "{{ postgres_admin_user }}" when: - server_type == 'master' @@ -173,11 +201,23 @@ community.postgresql.postgresql_user: name: "{{ pgadmin4_oidc_dev_username }}" password: "{{ pgadmin4_oidc_dev_password }}" - role_attr_flags: LOGIN - login_user: "postgres" + role_attr_flags: LOGIN,NOSUPERUSER,NOINHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION + login_user: "{{ postgres_admin_user }}" state: present become: true - become_user: postgres + become_user: "{{ postgres_admin_user }}" + when: + - server_type == 'master' + +- name: "Add {{ pgadmin4_oidc_dev_username }} to group 'postgres_readonly'" + community.postgresql.postgresql_user: + name: "{{ pgadmin4_oidc_dev_username }}" + role_attr_flags: "NOSUPERUSER,NOINHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION" + groups: "postgres_readonly" + login_user: "{{ postgres_admin_user }}" + state: present + become: true + become_user: "{{ postgres_admin_user }}" when: - server_type == 'master'
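Review bot: `db: "{{ postgres_admin_user }}"` in "Get list of all databases" turns the admin role name into a database name; the query only needs a maintenance database to connect to, and unless a database literally named after the admin role exists the connection fails and every loop fed by `database_list.query_result` below is skipped or errors, so keep the previous `db: "postgres"` or introduce a separate variable for the maintenance database. The task renamed to "Revoke CREATE privilege on public schema from postgres_readonly group" still revokes from `role: "public"`, i.e. the PUBLIC pseudo-role, which is the right target but the name now misstates it; suggest `- name: "Revoke CREATE privilege on public schema from PUBLIC"`, quoted like the neighbouring task names. The SELECT grant with `objs: ALL_IN_SCHEMA` covers only tables that exist at run time, so tables created later are unreadable by postgres_readonly unless default privileges are set per database (a `type: default_privs` task), which I cannot see in this hunk. The USAGE grant is the only privilege task here without an explicit `state: present`; adding it matches the SELECT task that follows.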
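Review bot: `role_attr_flags: LOGIN,NOSUPERUSER,NOINHERIT,...` on `{{ pgadmin4_oidc_dev_username }}` together with `groups: "postgres_readonly"` in the following task means the login role does not automatically receive the group's privileges: with NOINHERIT a member has to `SET ROLE postgres_readonly` first, so the USAGE/SELECT grants made to the group earlier in this file are not usable by this user in an ordinary session. If transparent read access is intended, drop NOINHERIT from the login role's flags (the group keeping NOINHERIT is unaffected); if deliberate privilege switching is intended, say so above the task, e.g. `# NOINHERIT: member must SET ROLE postgres_readonly before reading`. The second task repeats the same `role_attr_flags` for the same role; the membership could be declared once by adding `groups:` to the first task, or through `community.postgresql.postgresql_membership`, so the role's attributes have a single source of truth. The task containing the first change begins before this hunk.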