Support connection limti configuration for roles

init.sls

@@ -134,6 +134,15 @@ createuser-{{ index }}:
     {% endif %}
     - user: postgres
 
+{% set connection_limit = config.get('connection_limit') %}
+{% if connection_limit %}
+set_user_{{ config['username'] }}_connection_limit:
+  cmd.run:
+    - name: psql -U postgres -c "ALTER ROLE {{ config['username'] }} CONNECTION LIMIT {{ connection_limit }};"
+    - unless: psql -U postgres -t -c "SELECT rolconnlimit FROM pg_roles WHERE rolname = '{{ config['username'] }}';" | grep -wq {{ connection_limit }}
+    - runas: postgres
+{% endif %}
+
 # The "replication" and "all" keywords are not real databases but special keywords used for permissions in pg_hba.conf
 {% if config['database'] != "replication" and config['database'] != 'all' %}
 

pillar.example

@@ -138,6 +138,7 @@ postgresql:
       address: 10.1.2.0/24
       method: trust
       login: false
+      connection_limit: 100
 
     - username: example_user_with_role
       type: host

tests/integration/postgresql/postgresql_spec.rb

@@ -138,6 +138,16 @@
     its('output') { should match /example_role/ }
   end
 
+  # Assert that connection limit is reflected correctly
+  describe sql.query("SELECT rolconnlimit FROM pg_roles WHERE rolname='example_role'") do
+    its('output') { should eq('100') }
+  end
+
+  # Assert that connection limit for other users is the default
+  describe sql.query("SELECT rolconnlimit FROM pg_roles WHERE rolname='deploy'") do
+    its('output') { should eq('-1') }
+  end
+
   # Assert extensions
   describe sql.query("SELECT extname FROM pg_extension;", ['db_with_extension']) do
     its('output') { should match /pgcrypto/ }