gitea-admin
/
hetzner-ansible
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

DEV-1007 FIX postgres update dataabse state

Browse Source
main
Michael Haehnel 2 years ago
parent 649eca156e
commit 7f2ff1c3bc
No known key found for this signature in database
GPG Key ID: D2FA233B52AEC75C
1 changed files with 84 additions and 44 deletions
Show Stats Download Patch File Download Diff File

128
roles/postgres/tasks/_update_database_state.yml
Unescape Escape View File

@ -5,19 +5,29 @@
### - password ### - password
### - trusted_cidr_entry [shared_service_network] ### - trusted_cidr_entry [shared_service_network]
- name: "Updating pg_hba.conf entries for users/nodes/schemas" - name: "Updating pg_hba.conf entries for postgres admin user"
blockinfile: lineinfile:
marker: "# {mark} managed by ansible (pg_hba.conf entries for users/nodes/schemas)"
path: "/etc/postgresql/{{ default_postgres_version }}/main/pg_hba.conf"
mode: "0640"
state: "{{ database_state }}" state: "{{ database_state }}"
create: true regex: "^hostssl[ ]+all[ ]+{{ postgres_admin_user }}"
block: |- line: |-
{% for item in postgres_acls %} hostssl all {{ postgres_admin_user }} {{ shared_service_network }} md5
path: /etc/postgresql/{{ default_postgres_version }}/main/pg_hba.conf
- name: "Updating pg_hba.conf entries for postgres readonly user"
lineinfile:
state: "{{ database_state }}"
regex: "^hostssl[ ]+all[ ]+{{ pgadmin4_oidc_dev_username }}"
line: |-
hostssl all {{ pgadmin4_oidc_dev_username }} {{ shared_service_network }} md5
path: /etc/postgresql/{{ default_postgres_version }}/main/pg_hba.conf
- name: "Updating dynamic pg_hba.conf entries for users/nodes/schemas"
lineinfile:
state: "{{ database_state }}"
regex: "^hostssl[ ]+{{ item.name }}[ ]+{{ item.name }}"
line: |-
hostssl {{ item.name }} {{ item.name }} {{ item.trusted_cidr_entry | default(shared_service_network) }} md5 hostssl {{ item.name }} {{ item.name }} {{ item.trusted_cidr_entry | default(shared_service_network) }} md5
{% endfor %} path: /etc/postgresql/{{ default_postgres_version }}/main/pg_hba.conf
hostssl all {{ postgres_admin_user }} {{ item.trusted_cidr_entry | default(shared_service_network) }} md5
hostssl all {{ pgadmin4_oidc_dev_username }} {{ item.trusted_cidr_entry | default(shared_service_network) }} md5
with_items: "{{ postgres_acls }}" with_items: "{{ postgres_acls }}"
- name: "Checking roles exist" # noqa command-instead-of-shell - name: "Checking roles exist" # noqa command-instead-of-shell
@ -25,7 +35,7 @@
with_items: "{{ postgres_acls }}" with_items: "{{ postgres_acls }}"
register: role_check register: role_check
changed_when: "role_check.stdout == '0'" changed_when: "role_check.stdout == '0'"
become_user: postgres become_user: "{{ postgres_admin_user }}"
become: true become: true
- name: "Checking roles exist" - name: "Checking roles exist"
@ -37,19 +47,35 @@
- name: "Creating roles if necessary" - name: "Creating roles if necessary"
shell: "/usr/bin/psql -c 'CREATE ROLE {{ item.item.name }} LOGIN;'" shell: "/usr/bin/psql -c 'CREATE ROLE {{ item.item.name }} LOGIN;'"
with_items: "{{ role_check.results }}" with_items: "{{ role_check.results }}"
become_user: postgres become_user: "{{ postgres_admin_user }}"
become: true become: true
when: when:
- database_state == 'present' - database_state == 'present'
- item.stdout == '0' - item.stdout == '0'
- server_type == 'master' - server_type == 'master'
- name: "Grant CREATE privilege on public schema for if necessary"
community.postgresql.postgresql_privs:
role: "{{ item.item.name }}"
type: schema
priv: ALL
objs: public
login_user: "{{ postgres_admin_user }}"
database: "{{ item.item.name }}"
state: present
loop: "{{ role_check.results }}"
become: true
become_user: "{{ postgres_admin_user }}"
when:
- database_state == 'present'
- server_type == 'master'
- name: "Checking database exist" - name: "Checking database exist"
shell: '/usr/bin/psql -Atc "SELECT count(*) FROM pg_database WHERE datname = ''{{ item.name }}''"' shell: '/usr/bin/psql -Atc "SELECT count(*) FROM pg_database WHERE datname = ''{{ item.name }}''"'
with_items: "{{ postgres_acls }}" with_items: "{{ postgres_acls }}"
register: database_check register: database_check
changed_when: "database_check.stdout == '0'" changed_when: "database_check.stdout == '0'"
become_user: postgres become_user: "{{ postgres_admin_user }}"
become: true become: true
- name: "Check databases exist result" - name: "Check databases exist result"
@ -61,7 +87,7 @@
- name: "Creating Databases if necessary" - name: "Creating Databases if necessary"
shell: '/usr/bin/psql -c "CREATE DATABASE {{ item.item.name }};"' shell: '/usr/bin/psql -c "CREATE DATABASE {{ item.item.name }};"'
with_items: "{{ database_check.results }}" with_items: "{{ database_check.results }}"
become_user: postgres become_user: "{{ postgres_admin_user }}"
become: true become: true
when: when:
- database_state == 'present' - database_state == 'present'
@ -71,7 +97,7 @@
- name: "Deleting Databases if necessary" - name: "Deleting Databases if necessary"
shell: '/usr/bin/psql -c "DROP DATABASE {{ item.item.name }} WITH (FORCE);"' shell: '/usr/bin/psql -c "DROP DATABASE {{ item.item.name }} WITH (FORCE);"'
with_items: "{{ database_check.results }}" with_items: "{{ database_check.results }}"
become_user: postgres become_user: "{{ postgres_admin_user }}"
become: true become: true
when: when:
- database_state == 'absent' - database_state == 'absent'
@ -81,7 +107,7 @@
- name: "Deleting roles if necessary" - name: "Deleting roles if necessary"
shell: '/usr/bin/psql -c "DROP ROLE {{ item.item.name }};"' shell: '/usr/bin/psql -c "DROP ROLE {{ item.item.name }};"'
with_items: "{{ role_check.results }}" with_items: "{{ role_check.results }}"
become_user: postgres become_user: "{{ postgres_admin_user }}"
become: true become: true
when: when:
- database_state == 'absent' - database_state == 'absent'
@ -91,7 +117,7 @@
- name: "Changing password with scram-sha-256! for users and set password" - name: "Changing password with scram-sha-256! for users and set password"
shell: '/usr/bin/psql -c "set password_encryption = ''scram-sha-256'';ALTER ROLE {{ item.name }} WITH PASSWORD ''{{ item.password }}'';"' shell: '/usr/bin/psql -c "set password_encryption = ''scram-sha-256'';ALTER ROLE {{ item.name }} WITH PASSWORD ''{{ item.password }}'';"'
with_items: "{{ postgres_acls }}" with_items: "{{ postgres_acls }}"
become_user: postgres become_user: "{{ postgres_admin_user }}"
become: true become: true
when: when:
- database_state == 'present' - database_state == 'present'
@ -100,72 +126,74 @@
- name: "Changing owners for databases" - name: "Changing owners for databases"
shell: '/usr/bin/psql -c "ALTER DATABASE {{ item.name }} OWNER TO {{ item.name }};"' shell: '/usr/bin/psql -c "ALTER DATABASE {{ item.name }} OWNER TO {{ item.name }};"'
with_items: "{{ postgres_acls }}" with_items: "{{ postgres_acls }}"
become_user: postgres become_user: "{{ postgres_admin_user }}"
become: true become: true
when: when:
- database_state == 'present' - database_state == 'present'
- server_type == 'master' - server_type == 'master'
- name: "Create PostgreSQL readaccess group" - name: "Create PostgreSQL readonly group"
community.postgresql.postgresql_user: community.postgresql.postgresql_user:
name: "{{ pgadmin4_oidc_dev_username }}" name: "postgres_readonly"
role_attr_flags: NOSUPERUSER,NOCREATEROLE,NOCREATEDB,NOLOGIN role_attr_flags: NOLOGIN,NOSUPERUSER,NOINHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION
login_user: "postgres" login_user: "{{ postgres_admin_user }}"
state: present state: present
become: true become: true
become_user: postgres become_user: "{{ postgres_admin_user }}"
when: when:
- server_type == 'master' - server_type == 'master'
- name: "Get list of all databases" - name: "Get list of all databases"
community.postgresql.postgresql_query: community.postgresql.postgresql_query:
query: "SELECT datname FROM pg_database WHERE datistemplate = false" query: "SELECT datname FROM pg_database WHERE datistemplate = false"
login_user: "postgres" login_user: "{{ postgres_admin_user }}"
db: "postgres" db: "{{ postgres_admin_user }}"
register: database_list register: database_list
become: true become: true
become_user: postgres become_user: "{{ postgres_admin_user }}"
- name: "Revoke CREATE privilege from public role" - name: Revoke CREATE privilege on public schema from postgres_readonly group
community.postgresql.postgresql_privs: community.postgresql.postgresql_privs:
role: "public" role: "public"
type: schema type: schema
privs: CREATE priv: CREATE
objs: public objs: public
login_user: "postgres" login_user: "{{ postgres_admin_user }}"
state: absent
database: "{{ item.datname }}" database: "{{ item.datname }}"
state: absent
loop: "{{ database_list.query_result }}" loop: "{{ database_list.query_result }}"
become: true become: true
become_user: postgres become_user: "{{ postgres_admin_user }}"
when: when:
- server_type == 'master' - server_type == 'master'
- name: "Grant USAGE privilege to readaccess group" - name: "Grant USAGE privilege to postgres readonly group"
community.postgresql.postgresql_privs: community.postgresql.postgresql_privs:
role: "{{ pgadmin4_oidc_dev_username }}" role: "postgres_readonly"
type: schema type: schema
priv: USAGE priv: USAGE
objs: public objs: public
login_user: "postgres" login_user: "{{ postgres_admin_user }}"
database: "" database: "{{ item.datname }}"
loop: "{{ database_list.query_result }}"
become: true become: true
become_user: postgres become_user: "{{ postgres_admin_user }}"
when: when:
- server_type == 'master' - server_type == 'master'
- name: "Grant SELECT on all tables in all databases to readaccess group" - name: "Grant SELECT on all tables in all databases to postgres readonly group"
community.postgresql.postgresql_privs: community.postgresql.postgresql_privs:
role: "{{ pgadmin4_oidc_dev_username }}" role: "postgres_readonly"
type: table type: table
priv: SELECT priv: SELECT
schema: public schema: public
objs: ALL_IN_SCHEMA objs: ALL_IN_SCHEMA
login_user: "postgres" login_user: "{{ postgres_admin_user }}"
database: "{{ item.datname }}" database: "{{ item.datname }}"
state: present
loop: "{{ database_list.query_result }}" loop: "{{ database_list.query_result }}"
become: true become: true
become_user: postgres become_user: "{{ postgres_admin_user }}"
when: when:
- server_type == 'master' - server_type == 'master'
@ -173,11 +201,23 @@
community.postgresql.postgresql_user: community.postgresql.postgresql_user:
name: "{{ pgadmin4_oidc_dev_username }}" name: "{{ pgadmin4_oidc_dev_username }}"
password: "{{ pgadmin4_oidc_dev_password }}" password: "{{ pgadmin4_oidc_dev_password }}"
role_attr_flags: LOGIN role_attr_flags: LOGIN,NOSUPERUSER,NOINHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION
login_user: "postgres" login_user: "{{ postgres_admin_user }}"
state: present state: present
become: true become: true
become_user: postgres become_user: "{{ postgres_admin_user }}"
when:
- server_type == 'master'
- name: "Add {{ pgadmin4_oidc_dev_username }} to group 'postgres_readonly'"
community.postgresql.postgresql_user:
name: "{{ pgadmin4_oidc_dev_username }}"
role_attr_flags: "NOSUPERUSER,NOINHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION"
groups: "postgres_readonly"
login_user: "{{ postgres_admin_user }}"
state: present
become: true
become_user: "{{ postgres_admin_user }}"
when: when:
- server_type == 'master' - server_type == 'master'

Write Preview
Loading…
Cancel
Save