This module offers default conventions when creating a new PostgreSQL database.
In particular:
-
It creates a database 👋
-
It creates a "owner" role, that owns the database (in PostgreSQL parlance) and have all the permissions there.
-
It creates a set of default roles that can be assumed when working on the database:
- A "read-only" role
${DBNAME}_ro
, that is only able to read objects; - A "read-write" role
${DBNAME}_rw
, that is only able to write into that database, but not create objects.
These roles can be assumed by developers or operators, when they have been granted the right to do so. These persons then have automatically the associated rights on that database.
- A "read-only" role
-
It creates a set of Vault policies (when
vault_backend_path
is provided).${vault_backend_path}/${DB_NAME}
, that obtain credentials for the owner;${vault_backend_path}/${DB_NAME}_ro
, that obtains credentials for the${DB_NAME}_ro
role;${vault_backend_path}/${DB_NAME}_rw
, that obtains credentials for the${DB_NAME}_rw
role.
-
When the intent is to use Vault, it's recommended to NOT provide the
owner_password
. In this case, it's not possible to log directly with the owner username, but only with the credentials generated by Vault.
module "foo" {
source = "git@github.com:edgelaboratories/terraform-postgresql-db?ref=v0.4.3"
database = "foo"
owner = "admin" # Optional, default to database name
owner_password = "admin" # Optional when using Vault
# Optional
vault_backend_path = "postgresql/elmer"
vault_db_connection_name = "elmer"
}