# Derive everything the SQL script needs from the module inputs
locals {
  # The admin user is granted the owner role only when it is not already the
  # owner and the caller asked for it; rendered as a string for the template
  make_admin_own = (
    var.make_admin_own && var.host.username != var.database.owner
  ) ? "true" : "false"

  # Revoking grants renders the destroy template, otherwise the grant template
  template_to_render = var.revoke_grants ? "destroy-script.sql.tpl" : "script.sql.tpl"

  # Variables injected into the selected template
  template_variables = {
    admin_user        = var.host.username
    affected_database = var.database.name
    db_owner          = var.database.owner
    group_role        = var.group_role
    make_admin_own    = local.make_admin_own
  }

  # Rendered SQL script text; templates live next to this module
  sql_script = templatefile("${path.module}/${local.template_to_render}", local.template_variables)
}
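# Persist the rendered script so psql can execute it from disk
resource "local_file" "rendered_script" {
  content  = local.sql_script
  filename = "${path.module}/script-${var.database.name}.sql"
  # Owner-only permissions: this file is executed with the admin database
  # credentials in run_script, so it must not be writable (or readable) by
  # other users on the host between rendering and execution
  file_permission = "0600"
}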
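# Execute the rendered SQL script against the target database
resource "null_resource" "run_script" {
  # timestamp() changes on every plan, so the script is re-run on each apply
  triggers = {
    to_always_run_this = timestamp()
  }

  provisioner "local-exec" {
    # ON_ERROR_STOP makes psql exit non-zero on the first failing statement;
    # without it a partially failed script is reported as success and the
    # apply continues. The path is quoted so a module path or database name
    # containing spaces still resolves.
    command = "psql -v ON_ERROR_STOP=1 -f \"${local_file.rendered_script.filename}\""

    # Connection details go through the environment rather than the command
    # line, keeping the password out of the command string
    environment = {
      PGHOST     = var.host.host
      PGPORT     = var.host.port
      PGDATABASE = var.database.name
      PGUSER     = var.host.username
      PGPASSWORD = var.host.password
    }
  }
}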
# Drop the group role once its grants have been revoked; DROP ROLE fails
# (and the failure is tolerated below) while any object still depends on it
resource "null_resource" "drop_role" {
# Only created on the revoke path
count = var.revoke_grants ? 1 : 0
# timestamp() changes on every plan, so this runs on each apply
triggers = {
to_always_run_this = timestamp()
}
provisioner "local-exec" {
# NOTE(review): var.group_role is interpolated unquoted both into a shell
# string and into the SQL identifier; a value containing quotes or shell
# metacharacters would break the command or change the statement executed.
# Constraining the variable (e.g. a validation block on var.group_role)
# would bound this — confirm where the value originates.
command = "psql -c 'DROP ROLE ${var.group_role}'"
# A failing DROP ROLE (role still owns objects or holds grants) is not fatal
on_failure = continue
# Connection details go through the environment, not the command string
environment = {
PGHOST = var.host.host
PGPORT = var.host.port
PGDATABASE = var.database.name
PGUSER = var.host.username
PGPASSWORD = var.host.password
}
}
# To prevent role removal before revoking granted privileges
depends_on = [null_resource.run_script]
}