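# Provision an application database on an existing, RDS-managed PostgreSQL
# instance: create the database and schema, an admin role and a public
# (application) role with database grants, set default privileges so that
# objects the admin role creates become usable by the public role, install the
# sensu wrapper script and add read-only monitoring grants per application
# database.
#
# The server package itself is not managed (package_ensure => false) because
# the server lives in RDS; only the client and the remote resources are.
#
# @param rds_host                 hostname of the RDS instance
# @param rds_password             password of the RDS master 'postgres' user
# @param rds_database             name of the application database to create
# @param rds_privilege            privilege granted on the database to BOTH the
#                                 admin and the public role (defaults to ALL
#                                 PRIVILEGES; narrow it for the public role if
#                                 least privilege is required)
# @param rds_role_admin           name of the owner/admin role
# @param rds_role_public          name of the application (public) role
# @param rds_role_admin_password  clear-text admin password; only its hash is
#                                 sent to the server, except in the exec below
#                                 where it is passed via PGPASSWORD
# @param rds_role_public_password clear-text public-role password (hashed)
# @param monitoring_user          role name used by the sensu checks
# @param monitoring_password      not used by this class; kept so existing
#                                 declarations that pass it still compile
#
# NOTE(review): the "sensu"/"sensu" defaults are literal credentials in code;
# they should be overridden from hiera like the other secrets.
class roles::postgres_rds_basic (
  $rds_host                 = hiera('rds_host'),
  $rds_password             = hiera('rds_password'),
  $rds_database             = hiera('rds_database'),
  $rds_privilege            = 'ALL PRIVILEGES',
  $rds_role_admin           = hiera('rds_role_admin'),
  $rds_role_public          = hiera('rds_role_public'),
  $rds_role_admin_password  = hiera('rds_role_admin_password'),
  $rds_role_public_password = hiera('rds_role_public_password'),
  $monitoring_user          = 'sensu',
  $monitoring_password      = 'sensu',
) {

  # Client tooling only; the server package is never installed locally.
  class { 'postgresql::globals':
    manage_package_repo => false,
  } ->
  class { 'roles::pgsql_client':
    postgres_client_version => '9.6',
  } ->
  class { 'postgresql::server':
    package_ensure => false,
  }

  # Connection used for every remote resource below: the RDS master user
  # against the maintenance database.
  $connection_settings = {
    'PGUSER'     => 'postgres',
    'PGPASSWORD' => $rds_password,
    'PGHOST'     => $rds_host,
    'PGPORT'     => '5432',
    'PGDATABASE' => 'postgres',
  }

  # Database and schema.
  postgresql::server::database { $rds_database:
    connect_settings => $connection_settings,
  }
  # NOTE(review): no `db` is given, so this creates a schema named
  # $rds_database in the module's default database, not inside the database
  # created above — confirm that is the intent.
  postgresql::server::schema { $rds_database:
    connect_settings => $connection_settings,
  }

  # Admin role: owns the application objects.
  postgresql::server::role { $rds_role_admin:
    password_hash    => postgresql_password($rds_role_admin, $rds_role_admin_password),
    update_password  => false,
    connect_settings => $connection_settings,
  }
  postgresql::server::database_grant { $rds_role_admin:
    connect_settings => $connection_settings,
    privilege        => $rds_privilege,
    db               => $rds_database,
    role             => $rds_role_admin,
  }

  # Public (application) role. It receives the same $rds_privilege as the
  # admin role on the database.
  postgresql::server::role { $rds_role_public:
    password_hash    => postgresql_password($rds_role_public, $rds_role_public_password),
    update_password  => false,
    connect_settings => $connection_settings,
  }
  postgresql::server::database_grant { $rds_role_public:
    connect_settings => $connection_settings,
    privilege        => $rds_privilege,
    db               => $rds_database,
    role             => $rds_role_public,
  } ->

  # Default privileges: objects the admin role creates in schema 'public' are
  # usable by the public role. The `unless` of each exec inspects the `\ddp`
  # row for its own object type (table vs sequence). A check on the role name
  # alone would be satisfied as soon as the TABLES exec has run, so the
  # SEQUENCES exec would be skipped forever on a fresh instance.
  # `-At` gives unaligned, header-less `owner|schema|type|privileges` rows;
  # `grep -F` treats the role name as a fixed string. The admin password is
  # passed through the environment rather than the command line so that it
  # does not appear in Puppet's logged command on failure.
  $psql_admin = "psql -h ${rds_host} -U ${rds_role_admin} -d ${rds_database}"
  $ddp_rows   = "${psql_admin} -At -c '\\ddp'"

  exec { 'Set default privileges fot TABLES':
    path        => ['/usr/bin', '/bin'],
    environment => ["PGPASSWORD=${rds_role_admin_password}"],
    command     => "${psql_admin} -c 'ALTER DEFAULT PRIVILEGES FOR ROLE ${rds_role_admin} IN SCHEMA public GRANT ALL PRIVILEGES ON TABLES to ${rds_role_public};'",
    unless      => "${ddp_rows} | grep -F '|table|' | grep -F '${rds_role_public}='",
  } ->
  exec { 'Set default privileges fot SEQUENCES':
    path        => ['/usr/bin', '/bin'],
    environment => ["PGPASSWORD=${rds_role_admin_password}"],
    command     => "${psql_admin} -c 'ALTER DEFAULT PRIVILEGES FOR ROLE ${rds_role_admin} IN SCHEMA public GRANT ALL PRIVILEGES ON SEQUENCES to ${rds_role_public};'",
    unless      => "${ddp_rows} | grep -F '|sequence|' | grep -F '${rds_role_public}='",
  }

  # Monitoring: wrapper script readable only by the sensu user.
  file { '/etc/sensu/plugins/hmpo/sensu_postgres_wrapper.sh':
    owner   => 'sensu',
    group   => 'sensu',
    mode    => '0700',
    content => template('roles/postgres_rds/sensu_postgres_wrapper.sh.erb'),
  }

  # One monitor_grant per application user, for every database listed in
  # hiera (db name => list of tables the monitoring role may SELECT from).
  # NOTE(review): $postgres_app_users is neither a parameter nor declared in
  # this class; it is resolved from an outer scope — confirm where it is set.
  $dbs_to_monitor = hiera_hash('roles::postgres_rds::dbs_to_monitor', {})
  $dbs_to_monitor.each |$db_name, $table_list| {
    create_resources('roles::postgres_rds::monitor_grant', $postgres_app_users, {
      db_name         => $db_name,
      table_list      => $table_list,
      monitoring_user => $monitoring_user,
      rds_host        => $rds_host,
    })
  }
}

# Grant the monitoring role CONNECT on an application database and SELECT on
# the listed tables, connecting as the application user that owns that
# database. Declared at file scope rather than nested inside the class above:
# nested definitions are deprecated and the fully qualified name is the same.
#
# The resource title ($name) is the application user name (the key of the
# $postgres_app_users hash).
#
# @param postgres_password password of the application user ($name)
# @param postgres_dbs      database owned by $name; grants are only applied
#                          when it equals $db_name
# @param db_name           database to monitor
# @param table_list        tables the monitoring role may SELECT from
# @param monitoring_user   the monitoring role
# @param rds_host          hostname of the RDS instance
#
# NOTE(review): the grant titles are built from monitoring_user/db_name/table
# only, so two application users owning the same database would produce
# duplicate declarations — verify the hiera data keeps them unique.
define roles::postgres_rds::monitor_grant (
  $postgres_password,
  $postgres_dbs,
  $db_name,
  $table_list,
  $monitoring_user,
  $rds_host,
) {
  if $postgres_dbs == $db_name {
    $connection_settings_usr = {
      'PGUSER'     => $name,
      'PGPASSWORD' => $postgres_password,
      'PGHOST'     => $rds_host,
      'PGPORT'     => '5432',
      'PGDATABASE' => $postgres_dbs,
    }

    postgresql::server::database_grant { "${monitoring_user}_${db_name}":
      privilege        => 'CONNECT',
      db               => $db_name,
      role             => $monitoring_user,
      connect_settings => $connection_settings_usr,
    }

    # Read-only access, one grant per table.
    $table_list.each |$table| {
      postgresql::server::table_grant { "${monitoring_user}_${db_name}_${table}":
        privilege        => 'SELECT',
        db               => $db_name,
        table            => $table,
        role             => $monitoring_user,
        connect_settings => $connection_settings_usr,
      }
    }
  }
}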