You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
188 lines
5.5 KiB
YAML
188 lines
5.5 KiB
YAML
---
|
|
### properties:
|
|
### postgres_acls:
|
|
### - name
|
|
### - password
|
|
### - trusted_cidr_entry [shared_service_network]
|
|
|
|
- name: "Updating pg_hba.conf entries for users/nodes/schemas"
|
|
blockinfile:
|
|
marker: "# {mark} managed by ansible (pg_hba.conf entries for users/nodes/schemas)"
|
|
path: "/etc/postgresql/{{ default_postgres_version }}/main/pg_hba.conf"
|
|
mode: "0640"
|
|
state: "{{ database_state }}"
|
|
create: true
|
|
block: |-
|
|
{% for item in postgres_acls %}
|
|
hostssl {{ item.name }} {{ item.name }} {{ item.trusted_cidr_entry | default(shared_service_network) }} md5
|
|
{% endfor %}
|
|
hostssl all {{ postgres_admin_user }} {{ item.trusted_cidr_entry | default(shared_service_network) }} md5
|
|
hostssl all {{ pgadmin4_oidc_dev_username }} {{ item.trusted_cidr_entry | default(shared_service_network) }} md5
|
|
with_items: "{{ postgres_acls }}"
|
|
|
|
- name: "Checking roles exist" # noqa command-instead-of-shell
|
|
shell: '/usr/bin/psql -Atc "SELECT count(rolname) FROM pg_roles where rolname=''{{ item.name }}''"'
|
|
with_items: "{{ postgres_acls }}"
|
|
register: role_check
|
|
changed_when: "role_check.stdout == '0'"
|
|
become_user: postgres
|
|
become: true
|
|
|
|
- name: "Checking roles exist"
|
|
debug:
|
|
msg: "{{ role_check }}"
|
|
when:
|
|
- debug
|
|
|
|
- name: "Creating roles if necessary"
|
|
shell: "/usr/bin/psql -c 'CREATE ROLE {{ item.item.name }} LOGIN;'"
|
|
with_items: "{{ role_check.results }}"
|
|
become_user: postgres
|
|
become: true
|
|
when:
|
|
- database_state == 'present'
|
|
- item.stdout == '0'
|
|
- server_type == 'master'
|
|
|
|
- name: "Checking database exist"
|
|
shell: '/usr/bin/psql -Atc "SELECT count(*) FROM pg_database WHERE datname = ''{{ item.name }}''"'
|
|
with_items: "{{ postgres_acls }}"
|
|
register: database_check
|
|
changed_when: "database_check.stdout == '0'"
|
|
become_user: postgres
|
|
become: true
|
|
|
|
- name: "Check databases exist result"
|
|
debug:
|
|
msg: "{{ database_check }}"
|
|
when:
|
|
- debug
|
|
|
|
- name: "Creating Databases if necessary"
|
|
shell: '/usr/bin/psql -c "CREATE DATABASE {{ item.item.name }};"'
|
|
with_items: "{{ database_check.results }}"
|
|
become_user: postgres
|
|
become: true
|
|
when:
|
|
- database_state == 'present'
|
|
- item.stdout == '0'
|
|
- server_type == 'master'
|
|
|
|
- name: "Deleting Databases if necessary"
|
|
shell: '/usr/bin/psql -c "DROP DATABASE {{ item.item.name }} WITH (FORCE);"'
|
|
with_items: "{{ database_check.results }}"
|
|
become_user: postgres
|
|
become: true
|
|
when:
|
|
- database_state == 'absent'
|
|
- item.stdout == '1'
|
|
- server_type == 'master'
|
|
|
|
- name: "Deleting roles if necessary"
|
|
shell: '/usr/bin/psql -c "DROP ROLE {{ item.item.name }};"'
|
|
with_items: "{{ role_check.results }}"
|
|
become_user: postgres
|
|
become: true
|
|
when:
|
|
- database_state == 'absent'
|
|
- item.stdout == '1'
|
|
- server_type == 'master'
|
|
|
|
- name: "Changing password with scram-sha-256! for users and set password"
|
|
shell: '/usr/bin/psql -c "set password_encryption = ''scram-sha-256'';ALTER ROLE {{ item.name }} WITH PASSWORD ''{{ item.password }}'';"'
|
|
with_items: "{{ postgres_acls }}"
|
|
become_user: postgres
|
|
become: true
|
|
when:
|
|
- database_state == 'present'
|
|
- server_type == 'master'
|
|
|
|
- name: "Changing owners for databases"
|
|
shell: '/usr/bin/psql -c "ALTER DATABASE {{ item.name }} OWNER TO {{ item.name }};"'
|
|
with_items: "{{ postgres_acls }}"
|
|
become_user: postgres
|
|
become: true
|
|
when:
|
|
- database_state == 'present'
|
|
- server_type == 'master'
|
|
|
|
- name: "Create PostgreSQL readaccess group"
|
|
community.postgresql.postgresql_user:
|
|
name: "{{ pgadmin4_oidc_dev_username }}"
|
|
role_attr_flags: NOSUPERUSER,NOCREATEROLE,NOCREATEDB,NOLOGIN
|
|
login_user: "postgres"
|
|
state: present
|
|
become: true
|
|
become_user: postgres
|
|
when:
|
|
- server_type == 'master'
|
|
|
|
- name: "Get list of all databases"
|
|
community.postgresql.postgresql_query:
|
|
query: "SELECT datname FROM pg_database WHERE datistemplate = false"
|
|
login_user: "postgres"
|
|
db: "postgres"
|
|
register: database_list
|
|
become: true
|
|
become_user: postgres
|
|
|
|
- name: "Revoke CREATE privilege from public role"
|
|
community.postgresql.postgresql_privs:
|
|
role: "public"
|
|
type: schema
|
|
privs: CREATE
|
|
objs: public
|
|
login_user: "postgres"
|
|
state: absent
|
|
database: "{{ item.datname }}"
|
|
loop: "{{ database_list.query_result }}"
|
|
become: true
|
|
become_user: postgres
|
|
when:
|
|
- server_type == 'master'
|
|
|
|
- name: "Grant USAGE privilege to readaccess group"
|
|
community.postgresql.postgresql_privs:
|
|
role: "{{ pgadmin4_oidc_dev_username }}"
|
|
type: schema
|
|
priv: USAGE
|
|
objs: public
|
|
login_user: "postgres"
|
|
database: ""
|
|
become: true
|
|
become_user: postgres
|
|
when:
|
|
- server_type == 'master'
|
|
|
|
- name: "Grant SELECT on all tables in all databases to readaccess group"
|
|
community.postgresql.postgresql_privs:
|
|
role: "{{ pgadmin4_oidc_dev_username }}"
|
|
type: table
|
|
priv: SELECT
|
|
schema: public
|
|
objs: ALL_IN_SCHEMA
|
|
login_user: "postgres"
|
|
database: "{{ item.datname }}"
|
|
loop: "{{ database_list.query_result }}"
|
|
become: true
|
|
become_user: postgres
|
|
when:
|
|
- server_type == 'master'
|
|
|
|
- name: "Create PostgreSQL user with password"
|
|
community.postgresql.postgresql_user:
|
|
name: "{{ pgadmin4_oidc_dev_username }}"
|
|
password: "{{ pgadmin4_oidc_dev_password }}"
|
|
role_attr_flags: LOGIN
|
|
login_user: "postgres"
|
|
state: present
|
|
become: true
|
|
become_user: postgres
|
|
when:
|
|
- server_type == 'master'
|
|
|
|
- name: "Reload Postgresql configuration" # noqa no-changed-when
|
|
become: true
|
|
become_user: postgres
|
|
shell: '/usr/bin/psql -c "SELECT pg_reload_conf();"'
|