Add databases scenario

nephelaiio · Mar 6, 2024 · daf12eb · daf12eb
1 parent 9ca7af8
commit daf12eb
Show file tree

Hide file tree

Showing 8 changed files with 142 additions and 18 deletions.
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
@@ -18,7 +18,7 @@ jobs:
     strategy:
       matrix:
         scenario:
-          - name: install
+          - install
         image:
           - name: ubuntu2204
             command: /lib/systemd/systemd
@@ -30,6 +30,12 @@ jobs:
             command: /lib/systemd/systemd
           - name: rockylinux9
             command: /usr/lib/systemd/systemd
+        include:
+          - scenario: databases
+            image:
+              name: ubuntu2204
+              command: /lib/systemd/systemd
+
     steps:
       - name: Check out the codebase
         uses: actions/checkout@v4
@@ -60,4 +66,4 @@ jobs:
           ANSIBLE_FORCE_COLOR: '1'
           MOLECULE_DOCKER_IMAGE: ${{ matrix.image.name }}
           MOLECULE_DOCKER_COMMAND: ${{ matrix.image.command }}
-          MOLECULE_SCENARIO: ${{ matrix.scenario.name }}
+          MOLECULE_SCENARIO: ${{ matrix.scenario }}
diff --git a/.talismanrc b/.talismanrc
@@ -5,5 +5,7 @@ fileignoreconfig:
     ignore_detectors: [filecontent]
   - filename: templates/postgres.conf.j2
     ignore_detectors: [filecontent]
+  - filename: tasks/vars.yml
+    ignore_detectors: [filecontent]
   - filename: tasks/roles.yml
     ignore_detectors: [filecontent]
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -9,6 +9,7 @@ postgresql_user: postgres
 postgresql_group: postgres
 postgresql_datadir: "/var/lib/postgresql/data"
 postgresql_roles: []
+postgresql_auth_method: md5  # [ scram-sha-256 | md5 ]
 
 __postgresql_package_name:
   debian:

diff --git a/molecule/databases/molecule.yml b/molecule/databases/molecule.yml
@@ -0,0 +1,78 @@
+---
+dependency:
+  name: galaxy
+  options:
+    role-file: requirements.yml
+    requirements-file: requirements.yml
+driver:
+  name: docker
+platforms:
+  - name: postgresql-install-01
+    image: "geerlingguy/docker-${MOLECULE_DOCKER_IMAGE:-ubuntu2204}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    tmpfs:
+      - /tmp
+      - /opt
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../common/prepare.yml
+    converge: ../common/converge.yml
+    verify: ../common/verify.yml
+  config_options:
+    defaults:
+      callbacks_enabled: ansible.posix.profile_tasks
+  inventory:
+    hosts:
+      all:
+        vars:
+          postgresql_roles:
+            - name: admin
+              password: admin
+              groups:
+                - name: admins
+            - name: user
+              password: user
+              groups:
+                - name: read_only
+            - name: admins
+              role_attr_flags: "NOLOGIN"
+            - name: read_only
+              role_attr_flags: "NOLOGIN"
+          postgresql_databases:
+            - name: database
+              encoding: "UNICODE"
+              roles:
+                - name: admins
+                  privs: ALL
+                  type: database
+                  objs: database
+                - name: read_only
+                  privs: ALL
+                  type: database
+                  objs: database
+verifier:
+  name: ansible
+scenario:
+  prepare_sequence:
+    - prepare
+  create_sequence:
+    - create
+  converge_sequence:
+    - converge
+  destroy_sequence:
+    - destroy
+  cleanup_sequence:
+    - cleanup
+  test_sequence:
+    - dependency
+    - create
+    - prepare
+    - converge
+    - side_effect
+    - verify
diff --git a/tasks/databases.yml b/tasks/databases.yml
@@ -0,0 +1,44 @@
+---
+- name: Manage PostgreSQL databases
+  community.postgresql.postgresql_db:
+    name: "{{ item.name }}"
+    lc_collate: "{{ item.lc_collate | default('en_US.UTF-8') }}"
+    lc_ctype: "{{ item.lc_ctype | default('en_US.UTF-8') }}"
+    encoding: "{{ item.encoding | default('UTF-8') }}"
+    template: "{{ item.template | default('template0') }}"
+    login_host: "{{ item.login_host | default('localhost') }}"
+    port: "{{ item.port | default(omit) }}"
+    owner: "{{ item.owner | default(postgresql_user) }}"
+    state: "{{ item.state | default('present') }}"
+  loop_control:
+    label: "{{ item.name }}"
+  loop: "{{ postgresql_databases }}"
+  become: true
+  become_user: "{{ postgresql_user }}"
+  no_log: "{{ postgresql_nolog }}"
+
+- name: Manage PostgreSQL database privileges
+  community.postgresql.postgresql_privs:
+    db: "{{ _database.db_connect | default(postgresql_default_database) }}"
+    role: "{{ _role.name }}"
+    privs: "{{ _role.privs | default(omit) }}"
+    objs: "{{ _role.objs | default(omit) }}"
+    schema: "{{ _role.schema | default(omit) }}"
+    type: "{{ _role.type | default(omit) }}"
+    grant_option: "{{ _role.grant_option | default(omit) }}"
+    login_host: "{{ _database.login_host | default('localhost') }}"
+    port: "{{ _database.port | default(postgresql_port) }}"
+    session_role: "{{ _database.session_role | default(omit) }}"
+    ssl_mode: "{{ _database.ssl_mode | default(omit) }}"
+    state: "{{ _role.state | default('present') }}"
+  vars:
+    ansible_ssh_pipelining: true
+    _database: "{{ item.0 }}"
+    _role: "{{ item.1 }}"
+  loop_control:
+    label: "{{ _database.name }}"
+  loop: "{{ postgresql_databases | subelements('roles', skip_missing='yes') }}"
+  become: true
+  become_user: "{{ postgresql_user }}"
+  environment:
+    PGOPTIONS: "{{ _postgresql_pgoptions }}"
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -13,3 +13,6 @@
 
 - name: Manage PostgreSQL roles
   ansible.builtin.include_tasks: roles.yml
+
+- name: Manage PostgreSQL databases
+  ansible.builtin.include_tasks: databases.yml
diff --git a/tasks/roles.yml b/tasks/roles.yml
@@ -1,20 +1,9 @@
 ---
-- name: Set environment facts
-  ansible.builtin.set_fact:
-    _pgoptions: "{{ (_method == _scram_sha256) | ternary(_scram_option, '') }}"
-  vars:
-    _scram_sha256: "scram-sha-256"
-    _scram_option: '-c password_encryption={{ _scram_sha256 }}'
-    _method: "{{ postgresql_auth_method }}"
-
 - name: Manage PostgreSQL roles
   community.postgresql.postgresql_user:
     name: "{{ item.name }}"
     password: "{{ item.password | default(omit) }}"
     login_host: "{{ item.login_host | default('localhost') }}"
-    login_password: "{{ item.login_password | default(omit) }}"
-    login_user: "{{ item.login_user }}"
-    login_unix_socket: "{{ item.login_unix_socket | default(postgresql_unix_socket_directories | first) }}"
     no_password_changes: "{{ item.no_password_changes | default(omit) }}"
     expires: "{{ item.expires | default(omit) }}"
     port: "{{ item.port | default(postgresql_port) }}"
@@ -25,16 +14,13 @@
   become: true
   become_user: "{{ postgresql_user }}"
   environment:
-    PGOPTIONS: "{{ _pgoptions }}"
+    PGOPTIONS: "{{ _postgresql_pgoptions }}"
   no_log: "{{ postgresql_nolog }}"
 
 - name: Manage PostgreSQL role group memberships
   community.postgresql.postgresql_membership:
     db: "{{ _role.database | default(postgresql_default_database) }}"
     login_host: "{{ _role.login_host | default('localhost') }}"
-    login_password: "{{ _role.login_password | default(omit) }}"
-    login_user: "{{ _role.login_user }}"
-    login_unix_socket: "{{ _role.login_unix_socket | default(postgresql_unix_socket_directories | first) }}"
     port: "{{ _role.port | default(postgresql_port) }}"
     state: "{{ _group_state | default('present') }}"
     group: "{{ _group_name }}"
@@ -49,5 +35,5 @@
   become: true
   become_user: "{{ postgresql_user }}"
   environment:
-    PGOPTIONS: "{{ _pgoptions }}"
+    PGOPTIONS: "{{ _postgresql_pgoptions }}"
   no_log: "{{ postgresql_nolog }}"
diff --git a/tasks/vars.yml b/tasks/vars.yml
@@ -10,9 +10,13 @@
     _postgresql_datadir: "{{ postgresql_datadir }}"
     _postgresql_hba: "{{ postgresql_datadir }}/pg_hba.conf"
     _postgresql_ident: "{{ postgresql_datadir }}/pg_ident.conf"
+    _postgresql_pgoptions: "{{ (_auth_method == _auth_scram_sha256) | ternary(_auth_scram_option, '') }}"
   vars:
     _default_search: "{{ __postgresql_os_search }}"
     _default_package: "{{ __postgresql_package_name | nephelaiio.plugins.sorted_get(_default_search) }}"
     _default_service: "{{ __postgresql_service_name | nephelaiio.plugins.sorted_get(_default_search) }}"
     _default_configfile: "{{ __postgresql_configfile | nephelaiio.plugins.sorted_get(_default_search) }}"
     _includedir: "{{ postgresql_datadir }}/conf.d"
+    _auth_scram_sha256: "scram-sha-256"
+    _auth_scram_option: '-c password_encryption={{ _auth_scram_sha256 }}'
+    _auth_method: "{{ postgresql_auth_method }}"