chore(postgresql): improve automation

2026-02-09 05:44:23 +00:00 · 2024-07-05 22:30:33 +02:00
parent 52320b5ab5
commit 20a8ea7f48
2 changed files with 54 additions and 0 deletions
--- a/base/postgresql.md
+++ b/base/postgresql.md
@@ -15,11 +15,23 @@ postgres.lan:5643:postgres:postgres:BananaORama
 *:*:sales:elaine:modestPassword
 ```

+The credential file's permissions must be `0600`, or it will be ignored.
+
 ```sh
 # Installation.
 brew install 'postgresql@14'
 sudo dnf install 'postgresql' 'postgresql-server'
 sudo zypper install 'postgresql15' 'postgresql15-server'
+
+# Set the password in environment variables.
+export PGPASSWORD='securePassword'
+
+# Set up the credentials file.
+cat <<EOF > ~/'.pgpass'
+postgres.lan:5643:postgres:postgres:BananaORama
+*:*:sales:elaine:modestPassword
+EOF
+chmod '600' ~/'.pgpass'
 ```

 ```sh
--- a/snippets/ansible/tasks.yml
+++ b/snippets/ansible/tasks.yml
@@ -103,6 +103,30 @@
      set_fact:
        vpc_security_group_ids: >-
          {{ instance_information.vpc_security_groups | map(attribute='vpc_security_group_id') }}
+    - name: Remove lines about RDS protected users and permissions from a dump file
+      # remove empty lines
+      # remove comments
+      # remove creation of the master user
+      # remove anything involving 'rdsadmin'
+      # remove changes to protected RDS users
+      # remove protected 'superuser' and 'replication' assignments
+      # add 'IF NOT EXISTS' to creation statements
+      vars:
+        # **Hack notice**: Ansible has issues with splitting on new lines if this template is quoted differently
+        permissions_dump_content_as_lines: "{{ dump_file.content | ansible.builtin.b64decode | split('\n') }}"
+        master_username: postgresql
+      ansible.builtin.set_fact:
+        permissions_commands: >-
+          {{
+            permissions_dump_content_as_lines
+            | reject('match', '^$')
+            | reject('match', '^--')
+            | reject('match', '^CREATE ROLE ' + master_username)
+            | reject('match', '.*rdsadmin.*')
+            | reject('match', '^(CREATE|ALTER) ROLE rds_')
+            | map('regex_replace', '(NO)(SUPERUSER|REPLICATION)\s?', '')
+            | map('regex_replace', '(CREATE \w+ \w+)(.*)', '\1 IF NOT EXISTS\2')
+          }}

 - name: Manipulate dictionaries
  block:
@@ -221,3 +245,21 @@
    - name: This always executes
      ansible.builtin.debug:
        msg: I always execute
+
+- name: Commands
+  block:
+    - name: Dump permissions from an RDS instance to file
+      environment:
+        PGPASSWORD: "someRandomString"
+      ansible.builtin.command: >-
+        pg_dumpall -h 'instance-id.c4v563ptr321.eu-west-1.rds.amazonaws.com' -p '5432' -U 'postgres' -l 'postgres'
+        -rf '/tmp/instance-id_roles.sql' --no-role-passwords
+      changed_when: false
+    - name: Dump permissions from an RDS instance and register the output for later use through 'execution.stdout_lines'
+      environment:
+        PGPASSWORD: "someRandomString"
+      ansible.builtin.command: >-
+        pg_dumpall -h 'instance-id.c4v563ptr321.eu-west-1.rds.amazonaws.com' -p '5432' -U 'postgres' -l 'postgres'
+        -r --no-role-passwords
+      changed_when: false
+      register: execution