/terraform-postgresql-db

Create a PostgreSQL database with basic roles

Primary LanguageHCLApache License 2.0Apache-2.0

terraform-postgresql-db

This module offers default conventions when creating a new PostgreSQL database.

In particular:

  • It creates a database 👋

  • It creates a "owner" role, that owns the database (in PostgreSQL parlance) and have all the permissions there.

  • It creates a set of default roles that can be assumed when working on the database:

    • A "read-only" role ${DBNAME}_ro, that is only able to read objects;
    • A "read-write" role ${DBNAME}_rw, that is only able to write into that database, but not create objects.

    These roles can be assumed by developers or operators, when they have been granted the right to do so. These persons then have automatically the associated rights on that database.

  • It creates a set of Vault policies (when vault_backend_path is provided).

    • ${vault_backend_path}/${DB_NAME}, that obtain credentials for the owner;
    • ${vault_backend_path}/${DB_NAME}_ro, that obtains credentials for the ${DB_NAME}_ro role;
    • ${vault_backend_path}/${DB_NAME}_rw, that obtains credentials for the ${DB_NAME}_rw role.

  • When the intent is to use Vault, it's recommended to NOT provide the owner_password. In this case, it's not possible to log directly with the owner username, but only with the credentials generated by Vault.

Usage

module "foo" {
  source = "git@github.com:edgelaboratories/terraform-postgresql-db?ref=v0.4.3"

  database       = "foo"
  owner          = "admin"  # Optional, default to database name
  owner_password = "admin"  # Optional when using Vault

  # Optional
  vault_backend_path       = "postgresql/elmer"
  vault_db_connection_name = "elmer"
}