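# One generated password per user that needs one. Entries that bring their own
# `password`, Cloud IAM users (no database password) and `dont_create_user`
# entries are left out, so the `try(random_password...)` fallbacks elsewhere
# resolve to "" for them.
resource "random_password" "password" {
  for_each = {
    for k, v in var.users : k => v
    if (
      lookup(v, "password", "") == "" &&
      lookup(v, "type", "BUILT_IN") != "CLOUD_IAM_USER" &&
      lookup(v, "dont_create_user", false) != true
    )
  }

  # Optional per-user override; absent, the previous fixed length of 16 applies.
  length = lookup(each.value, "length", 16)

  # Alphanumeric only unless the entry opts in to special characters; the
  # allowed set can be narrowed per entry with `override_special`.
  special          = lookup(each.value, "special", false)
  override_special = lookup(each.value, "override_special", null)
}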
# One Cloud SQL user per entry in var.users. Entries with `dont_create_user`
# are assumed to exist already and only receive grants further down.
resource "google_sql_user" "user" {
  for_each = {
    for k, v in var.users : k => v
    if lookup(v, "dont_create_user", false) != true
  }

  instance = var.postgres_instance_name
  name     = each.key
  type     = lookup(each.value, "type", "BUILT_IN")

  # An explicit `password` in the entry takes precedence over the generated one.
  # Entries with no random_password instance (e.g. Cloud IAM users) end up with "".
  # NOTE(review): a password supplied through var.users is handled like any other
  # input value in plan/state — confirm var.users is declared sensitive.
  password = lookup(
    each.value,
    "password",
    try(random_password.password[each.key].result, "")
  )
}
# Table privileges in schema `public` for every entry in var.users, including
# pre-existing roles (`dont_create_user`) and Cloud IAM users.
resource "postgresql_grant" "permissions" {
  for_each = var.users

  role        = lookup(each.value, "role", each.key)
  database    = var.database
  schema      = "public"
  object_type = "table"

  # Presumably an empty `objects` list means every table of the type in the
  # schema (provider default) — verify against the provider version in use.
  objects = lookup(each.value, "objects", [])

  # NOTE(review): entries without a `permissions` key still receive SELECT
  # here, whereas the default-privileges resource below skips them — confirm
  # that a read-everything default is the intended least privilege.
  privileges = lookup(each.value, "permissions", ["SELECT"])

  # `role` is a plain string, so ordering after user creation must be explicit.
  depends_on = [google_sql_user.user]
}
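# Sequence privileges in schema `public`, only for entries that list
# `seq_permissions`; `seq_objects` narrows the grant to named sequences.
resource "postgresql_grant" "seq_permissions" {
  for_each = {
    for k, v in var.users : k => v
    if lookup(v, "seq_permissions", []) != []
  }

  role        = lookup(each.value, "role", each.key)
  database    = var.database
  schema      = "public"
  object_type = "sequence"
  objects     = lookup(each.value, "seq_objects", [])
  # The for_each filter already guarantees a non-empty list; the default only
  # keeps the expression total.
  privileges = lookup(each.value, "seq_permissions", ["SELECT"])

  # `role` is a plain string and carries no implicit dependency on the user
  # resource, so without this the grant can be attempted before the role exists
  # on a fresh apply; matches the table grant above.
  depends_on = [google_sql_user.user]
}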
# Default table privileges on objects the `owner` role creates later in
# schema `public`. Only entries that spell out `permissions` get them, and
# nothing is created when no owner is configured.
resource "postgresql_default_privileges" "permissions" {
  for_each = {
    for k, v in var.users : k => v
    if (
      lookup(v, "permissions", []) != [] &&
      var.owner != ""
    )
  }

  role        = lookup(each.value, "role", each.key)
  owner       = var.owner
  database    = var.database
  schema      = "public"
  object_type = "table"
  # Non-empty by construction of the for_each filter.
  privileges = lookup(each.value, "permissions", ["SELECT"])

  # Role name is a plain string, so the user must exist first.
  depends_on = [google_sql_user.user]
}
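# Default sequence privileges on objects the `owner` role creates later in
# schema `public`, for entries that list `seq_permissions`.
resource "postgresql_default_privileges" "seq_permissions" {
  for_each = {
    for k, v in var.users : k => v
    if (
      lookup(v, "seq_permissions", []) != [] &&
      var.owner != ""
    )
  }

  role        = lookup(each.value, "role", each.key)
  owner       = var.owner
  database    = var.database
  schema      = "public"
  object_type = "sequence"
  # Non-empty by construction of the for_each filter.
  privileges = lookup(each.value, "seq_permissions", ["SELECT"])

  # `role` is a plain string with no implicit dependency on the user resource;
  # without this the default privileges can be applied before the role exists
  # on a fresh apply. Mirrors the table variant above.
  depends_on = [google_sql_user.user]
}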
# Secret Manager container for each user's credentials, created only when
# `save_credentials` is on and the user is not a Cloud IAM user.
# NOTE(review): this filter does not exclude `dont_create_user` entries while
# the version resource does, so such entries end up with a secret that has no
# version — confirm that is intended.
resource "google_secret_manager_secret" "database_credentials" {
  for_each = {
    for k, v in var.users : k => v
    # Missing `type` evaluates the same as BUILT_IN here: only IAM users are excluded.
    if var.save_credentials && lookup(v, "type", "BUILT_IN") != "CLOUD_IAM_USER"
  }

  # Secret ids allow letters, digits, `_` and `-`; dots in user names are folded to `_`.
  secret_id = "${var.database}_user_${replace(each.key, ".", "_")}"

  labels = {
    terraform = "created"
  }

  replication {
    auto {}
  }
}
# Secret payload per user: user name, the effective password and, when the
# entry asked for a service account, that account's private key. Skipped for
# Cloud IAM users and for `dont_create_user` entries (no password is generated
# for them, so the payload would be empty).
resource "google_secret_manager_secret_version" "database_credentials" {
  for_each = {
    for k, v in var.users : k => v
    if (
      var.save_credentials &&
      lookup(v, "type", "BUILT_IN") != "CLOUD_IAM_USER" &&
      lookup(v, "dont_create_user", false) != true
    )
  }

  secret = google_secret_manager_secret.database_credentials[each.key].id

  # Same precedence as google_sql_user: explicit password, else generated one.
  # `google_service_account_key.sa_key` is defined outside this file; its
  # private key is only embedded when the entry sets `create_sa`, otherwise "".
  secret_data = jsonencode({
    "database_user"     = each.key
    "database_password" = lookup(
      each.value,
      "password",
      try(random_password.password[each.key].result, "")
    )
    "credentials.json" = (
      lookup(each.value, "create_sa", false)
      ? google_service_account_key.sa_key[each.key].private_key
      : ""
    )
  })
}