veza/ansible/roles/postgres/tasks/users.yml
---
# file: roles/postgres/tasks/users.yml
# We replace '-' and '.' by '_' only in the Ansible fact name postgres_user_{{ user.name }}_password, not in the HashiCorp Vault key
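# Resolve the role password for users declared with password: auto.
# Normal path: read postgres_user_<name>_password from the host's Vault entry.
# Rescue path: the lookup raises on a missing key, a missing entry or an
# unreachable/misconfigured Vault; in all cases a random password is generated
# and written back so that the next run finds it. The rescue only assigns the
# generated password when Vault confirmed the write, otherwise the play aborts
# (a role whose password is not in Vault would be unrecoverable later).
- name: "handle secret {{ ansible_hostname }}/postgres_user_{{ user.name | replace('-', '_') | replace('.', '_') }}_password"
  block:
    - name: "get {{ ansible_hostname }}/postgres_user_{{ user.name | replace('-', '_') | replace('.', '_') }}_password from hashicorp vault"
      # The Vault key keeps the raw user name; only the Ansible fact name is sanitised.
      set_fact:
        "postgres_user_{{ user.name | replace('-', '_') | replace('.', '_') }}_password": "{{ lookup('hashi_vault', 'secret=talas-kv/data/' + host_vars_location + '/' + ansible_hostname)['postgres_user_' ~ user.name ~ '_password'] }}"
      # set_fact echoes the fact value in its result (-v); keep it out of the play output.
      no_log: true
  rescue:
    - name: "generate a random password for {{ ansible_hostname }}/postgres_user_{{ user.name | replace('-', '_') | replace('.', '_') }}_password"
      # '/dev/null' as the file argument means the generated value is not persisted on the controller.
      set_fact:
        password: "{{ lookup('password','/dev/null chars=ascii_letters,digits length=50') }}"
      no_log: true
    - name: "patching hashicorp vault with generated postgres_user_{{ user.name | replace('-', '_') | replace('.', '_') }}_password"
      delegate_to: localhost
      become: false
      # The password travels on the command line: it is visible in the controller's
      # process table while vault runs and is kept in the registered result.
      # no_log keeps it out of the play output; passing the value as 'key=-' through
      # the command module's stdin parameter would also remove the argv exposure.
      command: "vault kv patch talas-kv/{{ host_vars_location }}/{{ ansible_hostname }} postgres_user_{{ user.name }}_password={{ password }}"
      register: result
      ignore_errors: true
      no_log: true
    - name: "patch failed because the entry doesn't exist, creating it instead"
      delegate_to: localhost
      become: false
      # kv put replaces the whole entry, which is only acceptable when there is none yet.
      command: "vault kv put talas-kv/{{ host_vars_location }}/{{ ansible_hostname }} postgres_user_{{ user.name }}_password={{ password }}"
      when:
        - result.failed
        - '"No value found" in result.stderr'
      no_log: true
    - name: "abort when hashicorp vault could not be updated for another reason"
      # Without this guard a patch failure unrelated to a missing entry (auth, network,
      # wrong mount) would still assign the freshly generated password below, leaving
      # the database role with a password that exists nowhere in Vault.
      fail:
        msg: "vault kv patch failed for {{ ansible_hostname }}/postgres_user_{{ user.name }}_password: {{ result.stderr | default(result.msg | default('')) }}"
      when:
        - result.failed
        - '"No value found" not in (result.stderr | default(""))'
    - name: "assign password value to postgres_user_{{ user.name | replace('-', '_') | replace('.', '_') }}_password"
      set_fact:
        "postgres_user_{{ user.name | replace('-', '_') | replace('.', '_') }}_password": "{{ password }}"
      no_log: true
  when:
    - user.password is defined
    - user.password == "auto"
  tags: postgres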
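# Create or update the PostgreSQL role itself.
# password: for password == 'auto' the value is the fact populated from Vault
# (same '-'/'.' -> '_' sanitising of the user name as in the fact name);
# otherwise the literal inventory password, or omitted so that an existing
# password is left untouched when none is declared.
- name: "role {{ user.name }}"
  become: true
  become_user: postgres
  become_method: sudo
  postgresql_user:
    user: "{{ user.name }}"
    password: "{% if user.password is defined and user.password == 'auto' %}{{ vars['postgres_user_' + user.name | replace('-', '_') | replace('.', '_') + '_password'] }}{% else %}{{ user.password | default(omit) }}{% endif %}"
    role_attr_flags: "{{ user.attrib | default(omit) }}"
    conn_limit: "{{ user.conn_limit | default(omit) }}"
  environment:
    # NOTE(review): default(None) relies on the templating engine rendering None as an
    # empty string; an explicit default('') would state that intent — confirm.
    PGOPTIONS: "{{ pg_role_options | default(None) }}"
  tags: postgres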
# Grant the role its group memberships; skipped for users without a groups key.
- name: "role {{ user.name }} groups : {{ user.groups }}"
  when: user.groups is defined
  become: true
  become_user: postgres
  become_method: sudo
  postgresql_membership:
    user: '{{ user.name }}'
    groups: '{{ user.groups }}'
  tags: postgres