puppet-openvoxdb/manifests/database/postgresql.pp at 642423a7a8fe22efc9c85ff44a2ff673980cb5a9 · d1nuc0m/puppet-openvoxdb · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
# @summary create the PuppetDB postgresql database
#
# @param listen_addresses
#   The `listen_address` is a comma-separated list of hostnames or IP addresses on
#   which the postgres server should listen for incoming connections. This defaults
#   to `localhost`. This parameter maps directly to PostgreSQL's `listen_addresses`
#   config option. Use a `*` to allow connections on any accessible address.
#
# @param puppetdb_server
#   Hostname or IP address to configure for SSL rules.
#
# @param database_name
#   Sets the name of the database. Defaults to `puppetdb`.
#
# @param database_locale
#   Sets the locale of the database. Defaults to `C.UTF-8`.
#
# @param database_username
#   Creates a user for access the database. Defaults to `puppetdb`.
#
# @param database_password
#   Sets the password for the database user above. Defaults to `puppetdb`.
#
# @param database_port
#   The port that the database server listens on. Defaults to `5432`.
#
# @param manage_database
#   If true, the PostgreSQL database will be managed by this module. Defaults to `true`.
#
# @param manage_server
#   Conditionally manages the PostgreSQL server via `postgresql::server`. Defaults
#   to `true`. If set to `false`, this class will create the database and user via
#   `postgresql::server::db` but not attempt to install or manage the server itself.
#
# @param manage_package_repo
#   If `true`, the official postgresql.org repo will be added and postgres won't
#   be installed from the regular repository. Defaults to `true`.
#
# @param postgres_version
#   If the postgresql.org repo is installed, you can install several versions of
#   postgres. Defaults to `11` with PuppetDB version 7.0.0 or newer, and `9.6` in older versions.
#
# @param postgresql_ssl_on
#   If `true`, it configures SSL connections between PuppetDB and the PostgreSQL database.
#   Defaults to `false`.
#
# @param postgresql_ssl_cert_path
#   Path to the Postgresql SSL certificate.
#
# @param postgresql_ssl_key_path
#   Path to the Postgresql SSL key.
#
# @param postgresql_ssl_ca_cert_path
#   Path to the Postgresql SSL CA.
#
# @param read_database_username
#   The name of the read database user to connect as. Defaults to `puppetdb-read`. This
#   option is supported in PuppetDB >= 1.6.
#
# @param read_database_password
#   The password for the read database user. Defaults to `puppetdb-read`. This option is
#   supported in PuppetDB >= 1.6.
#
# @param read_database_host
#   *This parameter must be set to use another PuppetDB instance for queries.*
#
#   The hostname or IP address of the read database server. If set to `undef`, and
#   `manage_database` is set to `true`, it will use the value of the `database_host`
#   parameter. This option is supported in PuppetDB >= 1.6.
#
# @param password_sensitive
#   Whether password should be of Datatype Sensitive[String]
# @param password_encryption
#   PostgreSQL password authentication method, either `md5` or `scram-sha-256`
#
class openvoxdb::database::postgresql (
  $listen_addresses            = $openvoxdb::params::database_host,
  $puppetdb_server             = $openvoxdb::params::puppetdb_server,
  $database_name               = $openvoxdb::params::database_name,
  $database_locale = $openvoxdb::params::database_locale,
  $database_username           = $openvoxdb::params::database_username,
  Variant[String[1], Sensitive[String[1]]] $database_password = $openvoxdb::params::database_password,
  $database_port               = $openvoxdb::params::database_port,
  $manage_database             = $openvoxdb::params::manage_database,
  $manage_server               = $openvoxdb::params::manage_dbserver,
  $manage_package_repo         = $openvoxdb::params::manage_pg_repo,
  $postgres_version            = $openvoxdb::params::postgres_version,
  $postgresql_ssl_on           = $openvoxdb::params::postgresql_ssl_on,
  $postgresql_ssl_key_path     = $openvoxdb::params::postgresql_ssl_key_path,
  $postgresql_ssl_cert_path    = $openvoxdb::params::postgresql_ssl_cert_path,
  $postgresql_ssl_ca_cert_path = $openvoxdb::params::postgresql_ssl_ca_cert_path,
  $read_database_username      = $openvoxdb::params::read_database_username,
  Variant[String[1], Sensitive[String[1]]] $read_database_password = $openvoxdb::params::read_database_password,
  $read_database_host          = $openvoxdb::params::read_database_host,
  Boolean $password_sensitive  = false,
  Postgresql::Pg_password_encryption $password_encryption = $openvoxdb::params::password_encryption,
) inherits openvoxdb::params {
  if $manage_server {
    class { 'postgresql::globals':
      manage_dnf_module   => false, # disable DNF module on EL8, EL9 and EL10
      manage_package_repo => $manage_package_repo,
      version             => $postgres_version,
    }

    # get the pg server up and running
    class { 'postgresql::server':
      ip_mask_allow_all_users => '0.0.0.0/0',
      listen_addresses        => $listen_addresses,
      port                    => $database_port,
      password_encryption     => $password_encryption,
    }

    # We need to create the ssl connection for the read user, when
    # manage_database is set to true, or when read_database_host is defined.
    # Otherwise we don't create it.
    if $manage_database or $read_database_host != undef {
      $create_read_user_rule = true
    } else {
      $create_read_user_rule = false
    }

    # configure PostgreSQL communication with Puppet Agent SSL certificates if
    # postgresql_ssl_on is set to true
    if $postgresql_ssl_on {
      class { 'openvoxdb::database::ssl_configuration':
        database_name               => $database_name,
        database_username           => $database_username,
        read_database_username      => $read_database_username,
        puppetdb_server             => $puppetdb_server,
        postgresql_ssl_key_path     => $postgresql_ssl_key_path,
        postgresql_ssl_cert_path    => $postgresql_ssl_cert_path,
        postgresql_ssl_ca_cert_path => $postgresql_ssl_ca_cert_path,
        postgres_version            => $postgres_version,
        create_read_user_rule       => $create_read_user_rule,
      }
    }

    # Only install pg_trgm extension, if database it is actually managed by the module
    if $manage_database {
      # get the pg contrib to use pg_trgm extension
      class { 'postgresql::server::contrib': }

      postgresql::server::extension { 'pg_trgm':
        database => $database_name,
        require  => Postgresql::Server::Db[$database_name],
        port     => $database_port,
      }
    }
  }

  if $manage_database {
    # create the puppetdb database
    postgresql::server::db { $database_name:
      user     => $database_username,
      password => $database_password,
      encoding => 'UTF8',
      locale   => $database_locale,
      grant    => 'all',
      port     => $database_port,
    }

    -> postgresql_psql { 'revoke all access on public schema':
      db      => $database_name,
      port    => $database_port,
      command => 'REVOKE CREATE ON SCHEMA public FROM public',
      unless  => "SELECT * FROM
                  (SELECT has_schema_privilege('public', 'public', 'create') can_create) privs
                WHERE privs.can_create=false",
    }

    -> postgresql_psql { "grant all permissions to ${database_username}":
      db      => $database_name,
      port    => $database_port,
      command => "GRANT CREATE ON SCHEMA public TO \"${database_username}\"",
      unless  => "SELECT * FROM
                  (SELECT has_schema_privilege('${database_username}', 'public', 'create') can_create) privs
                WHERE privs.can_create=true",
    }

    -> openvoxdb::database::read_only_user { $read_database_username:
      read_database_username => $read_database_username,
      database_name          => $database_name,
      password_hash          => postgresql::postgresql_password(
      $read_database_username, $read_database_password, $password_sensitive, $password_encryption),
      database_owner         => $database_username,
      database_port          => $database_port,
      password_encryption    => $password_encryption,
    }

    -> postgresql_psql { "grant ${read_database_username} role to ${database_username}":
      db      => $database_name,
      port    => $database_port,
      command => "GRANT \"${read_database_username}\" TO \"${database_username}\"",
      unless  => "SELECT oid, rolname FROM pg_roles WHERE
                   pg_has_role( '${database_username}', oid, 'member') and rolname = '${read_database_username}'";
    }
  }
}