| field | value |
|---|---|
| author | 2024-06-01 01:23:56 +0200 |
| committer | 2024-06-01 01:23:56 +0200 |
| commit | df9708f142f2a5664d2e257ab1f7498d6d0058b6 (patch) |
| tree | 65b596dbedc4b373cc2ccfb3d1e7b75eef02e906 |
| parent | whitelist ips of netcup and linode servers (#326) (diff) |
Make issuing pg grants configurable (#327)
* add a task to issue pg grants for specific roles
* document the postgres role
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | ansible/roles/postgres/README.md | 36 |
| -rw-r--r-- | ansible/roles/postgres/tasks/main.yml | 17 |

2 files changed, 53 insertions, 0 deletions
| diff --git a/ansible/roles/postgres/README.md b/ansible/roles/postgres/README.md new file mode 100644 index 0000000..584e48c --- /dev/null +++ b/ansible/roles/postgres/README.md 
@@ -0,0 +1,36 @@ +# Role "postgres" + +Installs and configures the postgres cluster. + + +## Variables + +- `postgres_version` The postgres version to be installed. +- `postgres_user` The user that owns root access to the postgres cluster +- `postgres_users` The list of postgres users that have restricted access to the postgres cluster. Each user needs to have +  the following attributes defined: +  - `name`: The user's login name +  - `password`: The user's password +  - `roles`: A list of roles that will be assigned to the user. You can read more about them here https://www.postgresql.org/docs/current/user-manag.html + +- `postgres_hba_rules` The postgres cluster's host based authentication configuration. +   All the following attributes can be found in detail here https://www.postgresql.org/docs/current/auth-pg-hba-conf.html +  - `conn_type`: The connection type allowed to connect to the cluster. +  - `database`: The database that the user who's trying to connect is allowed to access. +  - `user`: The user's login name +  - `address`: The ip address or addresses to be allowed to connect from. +  - `method`: The login method. + +- `postgres_databases` The list of databases that will be created in the cluster +  - `name`: The database's name +    `owner`: The owner of the database, this is equivalent to the `postgres_users.name` + + +`postgres_grants` The list of access privileges that will be granted to specific roles/users. You can read more about these +  In the official docs https://www.postgresql.org/docs/current/sql-grant.html +  The specific values these variables can take can be found here https://docs.ansible.com/ansible/latest/collections/community/postgresql/postgresql_privs_module.html + - `roles`: Comma separated list of role (user/group) names to set permissions for. + - `database`: Name of database to connect to. + - `state`: The state of the privilege, `present` to grant them and `absent` to revoke them. 
+ - `privs`: Comma separated list of privileges to grant/revoke. + - `objs`: Comma separated list of database objects to set privileges on. diff --git a/ansible/roles/postgres/tasks/main.yml b/ansible/roles/postgres/tasks/main.yml index fb026c1..8a210be 100644 --- a/ansible/roles/postgres/tasks/main.yml +++ b/ansible/roles/postgres/tasks/main.yml @@ -72,6 +72,23 @@    tags:      - role::postgres +- name: Grant specified grants to particular roles +  community.postgresql.postgresql_privs: +    database: "{{ grant.database }}" +    state: "{{ grant.state }}" +    privs: "{{ grant.privs }}" +    objs: "{{ grant.objs }}" +    roles: "{{ grant.roles }}" +  when: postgres_grants is defined +  loop: "{{ postgres_grants }}" +  loop_control: +    loop_var: grant +    label: "{{ grant.privs }} --> {{ grant.roles }}" +  become: true +  become_user: "{{ postgres_user }}" +  tags: +    - role::postgres +  - name: Import postgresql.conf    copy:      src: postgresql.conf | 
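Review bot: In the README hunk, the new `postgres_grants` entry is the only top-level variable without a leading `- ` bullet, and the `owner` sub-item under `postgres_databases` is missing its bullet too, so both render as run-on paragraphs instead of continuing the list; add `- ` to both lines and lowercase "In the official docs" so it reads as one sentence. Since `postgres_users.password` and the `postgres_grants` entries are the security-sensitive inputs of this role, the README should also state that `password` must come from a vaulted variable rather than plain inventory, and that `privs`/`objs` are applied verbatim, so a reviewer of inventory changes should check for overly broad values such as `ALL` before they are merged.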
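Review bot: In the main.yml hunk, `when: postgres_grants is defined` does not protect the task, because Ansible expands `loop: "{{ postgres_grants }}"` before it evaluates `when` per item, so a host without `postgres_grants` fails with an undefined-variable error instead of skipping; use `loop: "{{ postgres_grants | default([]) }}"` and drop the `when`. The task also never passes `type` to `community.postgresql.postgresql_privs`, which defaults to `table`, so the README's promise of grants on arbitrary "database objects" (schemas, sequences, the database itself) will not hold until `type: "{{ grant.type | default('table') }}"` is added and documented; `state` should likewise get `| default('present')` so an entry that omits it does not abort the play.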
