58 lines
2.0 KiB
HCL
58 lines
2.0 KiB
HCL
locals {
|
|
roles = concat(var.roles, var.extentions.postgrest.enable?[{
|
|
"name" = "anonymous"
|
|
}]:[])
|
|
sorted-roles-name = reverse(distinct(sort([for r in local.roles: r.name])))
|
|
sorted-roles = flatten([
|
|
for name in local.sorted-roles-name: [
|
|
for r in local.roles:
|
|
r if r.name == name
|
|
]
|
|
])
|
|
}
|
|
|
|
resource "kubectl_manifest" "db_secret_role" {
|
|
depends_on = [ data.kubernetes_secret_v1.postgresql_password ]
|
|
ignore_fields = ["metadata.annotations"]
|
|
count = length(local.sorted-roles)
|
|
yaml_body = <<-EOF
|
|
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
|
|
kind: "StringSecret"
|
|
metadata:
|
|
name: "${var.instance}-${var.component}-role-${local.sorted-roles[count.index].name}"
|
|
namespace: "${var.namespace}"
|
|
labels: ${jsonencode(merge(local.common_labels, {"app.kubernetes.io/component" = local.sorted-roles[count.index].name}))}
|
|
spec:
|
|
forceRegenerate: false
|
|
data:
|
|
POSGRESQL_USERNAME: "${local.sorted-roles[count.index].name}"
|
|
fields:
|
|
- fieldName: "POSGRESQL_PASSWORD"
|
|
length: "32"
|
|
EOF
|
|
}
|
|
|
|
data "kubernetes_secret_v1" "password_role_get" {
|
|
depends_on = [ kubectl_manifest.db_secret_role ]
|
|
count = length(local.sorted-roles)
|
|
metadata {
|
|
name = "${var.instance}-${var.component}-role-${local.sorted-roles[count.index].name}"
|
|
namespace = "${var.namespace}"
|
|
}
|
|
}
|
|
|
|
resource "postgresql_role" "role" {
|
|
depends_on = [ time_sleep.wait_pg_ready, kubectl_manifest.prj_pg, data.kubernetes_secret_v1.postgresql_password ]
|
|
count = length(local.sorted-roles)
|
|
name = "${local.sorted-roles[count.index].name}"
|
|
login = true
|
|
password = data.kubernetes_secret_v1.password_role_get[count.index].data["POSGRESQL_PASSWORD"]
|
|
}
|
|
|
|
resource "postgresql_grant_role" "anomynous" {
|
|
depends_on = [ postgresql_role.role ]
|
|
count = var.extentions.postgrest.enable?1:0
|
|
role = "${var.instance}"
|
|
grant_role = "anonymous"
|
|
}
|