role management for postgres synergy with vault dynamic credentials

.gitea/workflows/postgres.yaml

@@ -0,0 +1,59 @@
+---
+# template source: https://github.com/bretfisher/docker-build-workflow/blob/main/templates/call-docker-build.yaml
+name: Postgres
+
+on: #[push,pull_request]
+  push: &postgresTofuPaths
+    paths:
+      - 'postgres/**/*.tf'
+      - 'postgres/**/*.tfvars'
+  pull_request: *postgresTofuPaths
+
+# cancel any previously-started, yet still active runs of this workflow on the same branch
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+.vault_step: &vault_step
+  name: read vault secret
+  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
+  id: vault-secrets
+  with:
+    url: https://vault.arcodange.duckdns.org
+    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+    role: gitea_cicd
+    method: jwt
+    path: gitea_jwt
+    secrets: |
+        kvv1/google/credentials credentials | GOOGLE_BACKEND_CREDENTIALS ;
+        kvv1/postgres/credentials * | TF_VAR_postgres_
+
+jobs:
+  gitea_vault_auth:
+    name: Auth with gitea for vault
+    runs-on: ubuntu-latest
+    outputs:
+      gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
+    steps:
+
+      - name: Auth with gitea for vault
+        id: gitea_vault_jwt
+        run: |
+          echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash
+
+  tofu:
+    name: Tofu - Postgres
+    needs:
+      - gitea_vault_auth
+    runs-on: ubuntu-latest
+    env:
+      OPENTOFU_VERSION: 1.8.2
+      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+    steps:
+      - *vault_step
+      - uses: actions/checkout@v4
+      - name: terraform apply
+        uses: dflook/terraform-apply@v1
+        with:
+          path: postgres/iac
+          auto_approve: true

ansible/arcodange/factory/inventory/group_vars/hard_disk/_hard_disk.yml

@@ -12,6 +12,8 @@ hard_disk__applications:
 
 hard_disk__postgres_databases:
     gitea: "{{ gitea_database }}"
+    webapp:
+      db_name: webapp
 
 hard_disk__nfs:
   server_ip: "{{ ansible_host }}"

ansible/arcodange/factory/playbooks/setup/postgres.yml

@@ -7,6 +7,7 @@
   vars:
     applications: "{{ hard_disk__applications }}"
     applications_databases: "{{ hard_disk__postgres_databases }}"
+    postgres_container_name: "{{ applications.postgres.dockercompose.services.postgres.container_name }}"
 
   tasks:
     - name: Deploy postgres Docker Compose configuration
@@ -30,14 +31,12 @@
       vars:
         app_name: postgres
         partition: "{{ applications.postgres.partition }}"
-        postgres_container_name: "{{ applications.postgres.dockercompose.services.postgres.container_name }}"
         # applications_databases: "{{ applications_databases }}" # kept for documentation purposes
     
     - name: Create auth_user for pgbouncer (connection pool component)
       ansible.builtin.shell: |
         docker exec -it {{ postgres_container_name }} psql -U postgres -d {{ database }} -tc "{{ pg_instruction.replace('$','\$') }}"
       vars:
-        postgres_container_name: "{{ applications.postgres.dockercompose.services.postgres.container_name }}"
         pg_instructions:
           - >-
             DO $$

ansible/arcodange/factory/playbooks/setup/roles/deploy_postgresql/tasks/create_db_and_user.yml

@@ -12,6 +12,7 @@
   changed_when: true
 
 - name: Check if user {{ db_config.db_user }} exists
+  when: db_config.db_user is defined
   shell: |
     docker exec -it {{ postgres_container_name }} psql -U postgres -tc "SELECT 1 FROM pg_roles WHERE rolname='{{ db_config.db_user }}';"
   register: user_check
@@ -20,9 +21,10 @@
 - name: Create user {{ db_config.db_user }} if it does not exist
   shell: |
     docker exec -it {{ postgres_container_name }} psql -U postgres -c "CREATE USER {{ db_config.db_user }} WITH PASSWORD '{{ db_config.db_password }}';"
-  when: user_check.stdout.find('1') == -1
+  when:  db_config.db_user is defined and user_check.stdout.find('1') == -1
   changed_when: true
 
 - name: Grant ownership of database {{ db_config.db_name }} to user {{ db_config.db_user }}
+  when: db_config.db_user is defined
   shell: |
     docker exec -i {{ postgres_container_name }} psql -U postgres -c "ALTER DATABASE {{ db_config.db_name }} OWNER TO {{ db_config.db_user }};"

ansible/arcodange/factory/playbooks/tools/hashicorp_vault.yml

@@ -17,6 +17,12 @@
   - name: Setup Hashicorp Vault
     include_role:
       name: hashicorp_vault
+    vars:
+      pg_conf: >-
+        {{ hostvars[groups.hard_disk[0]].postgres.dockercompose.services.postgres.environment }}
+      postgres_admin_credentials:
+        username: '{{ pg_conf.POSTGRES_USER }}'
+        password: '{{ pg_conf.POSTGRES_PASSWORD }}'
   
   - name: share VAULT CA
     block:

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/defaults/main.yml

@@ -7,4 +7,10 @@ vault_address: https://vault.arcodange.duckdns.org
 vault_oidc_gitea_setupGiteaAppJS: '{{ role_path }}/files/playwright_setupGiteaApp.js'
 
 gitea_admin_user: arcodange@gmail.com
-gitea_admin_password: "{{ undef(hint='You must specify the gitea user admin password') }}"
+gitea_admin_password: "{{ undef(hint='You must specify the gitea user admin password') }}"
+
+# kvv1 secrets for later admin operations
+
+postgres_admin_credentials:
+  username: postgres
+  password: postgres

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf

@@ -11,6 +11,7 @@ variable "vault_address" {
 }
 variable "vault_token" {
   type = string
+  sensitive = true
 }
 variable "admin_email" {
   type = string
@@ -23,6 +24,14 @@ variable "gitea_app" {
     secret = string
     description = optional(string, "Arcodange Gitea Auth")
   })
+  sensitive = true
+}
+variable "postgres_admin_credentials" {
+  type = object({
+    username = optional(string, "postgres")
+    password = string
+  })
+  sensitive = true
 }
 
 # kubectl -n kube-system exec $(kubectl -n kube-system get pod -l app.kubernetes.io/name=traefik -o jsonpath="{.items[0]['.metadata.name']}") -- cat /data/acme.json | jq '(.letsencrypt.Certificates | map(select(.domain.main=="arcodange.duckdns.org")))[0]' | jq '.certificate' -r | base64 -d | openssl x509
@@ -148,11 +157,36 @@ resource "vault_mount" "kvv1" {
   description = "KV Version 1 secret engine mount"
 }
 
-resource "vault_kv_secret" "google_credential" {
+resource "vault_kv_secret" "google_credentials" {
   path = "${vault_mount.kvv1.path}/google/credentials"
   data_json = jsonencode(
   {
     credentials = file("~/.config/gcloud/application_default_credentials.json")
   }
   )
+}
+
+resource "vault_kv_secret" "gitea_app_id" {
+  path = "${vault_mount.kvv1.path}/gitea/app"
+  data_json = jsonencode(
+  {
+    id = var.gitea_app.id
+  }
+  )
+}
+
+resource "vault_kv_secret" "postgres_admin_credentials" {
+  path = "${vault_mount.kvv1.path}/postgres/credentials"
+  data_json = jsonencode(var.postgres_admin_credentials)
+}
+
+resource "vault_audit" "stdout" {
+  type  = "file"
+  local = true
+
+  options = {
+    file_path = "stdout"
+    hmac_accessor = false
+    log_raw = true
+  }
 }

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml

@@ -37,16 +37,12 @@
     register: last_tofu_command
     loop:
       - tofu init -no-color
-      # - >-
-      #   tofu destroy -auto-approve -no-color
-      #   -var='gitea_app={{ gitea_app | to_json }}'
-      #   -var='vault_address={{ vault_address }}'
-      #   -var='vault_token={{ vault_root_token }}'
       - >-
         tofu apply -auto-approve -no-color
         -var='gitea_app={{ gitea_app | to_json }}'
         -var='vault_address={{ vault_address }}'
         -var='vault_token={{ vault_root_token }}'
+        -var='postgres_admin_credentials={{ postgres_admin_credentials | to_json }}'
     loop_control:
       loop_var: command
       extended: true

postgres/iac/backend.tf

@@ -0,0 +1,6 @@
+terraform {
+  backend "gcs" {
+    bucket  = "arcodange-tf"
+    prefix  = "factory/postgres"
+  }
+}

postgres/iac/main.tf

@@ -0,0 +1,97 @@
+resource "random_password" "credentials_editor" {
+  length           = 24
+  override_special = "-:!+<>$"
+}
+
+resource "postgresql_role" "credentials_editor" {
+  name     = "credentials_editor"
+  login    = true
+  password = random_password.credentials_editor.result
+  create_role = true
+  lifecycle {
+    ignore_changes = [
+      roles,
+    ]
+  }
+}
+
+resource "vault_kv_secret" "postgres_admin_credentials" {
+  path = "kvv1/postgres/credentials_editor/credentials"
+  data_json = jsonencode({
+    username = postgresql_role.credentials_editor.name
+    password = postgresql_role.credentials_editor.password
+  })
+}
+
+resource "postgresql_role" "app_role" {
+  for_each = var.applications
+  name     = "${each.value}_role"
+  login    = false
+}
+resource "postgresql_grant_role" "credentials_editor_app_role" {
+  for_each = var.applications
+  role       = postgresql_role.credentials_editor.name
+  grant_role = postgresql_role.app_role[each.value].name
+  with_admin_option = true
+}
+resource "postgresql_database" "app_db" {
+  for_each = var.applications
+  name                   = each.value
+  owner                  = postgresql_role.app_role[each.value].name
+  template               = "template0"
+  alter_object_ownership = true
+}
+resource "postgresql_function" "pgbouncer_user_lookup" {
+    for_each = var.applications
+    name = "user_lookup"
+    database = postgresql_database.app_db[each.value].name
+    arg {
+        mode = "IN"
+        name = "i_username"
+        type = "text"
+    }
+    arg {
+        mode = "OUT"
+        name = "uname"
+        type = "text"
+    }
+    arg {
+        mode = "OUT"
+        name = "phash"
+        type = "text"
+    }
+    returns = "record"
+    language = "plpgsql"
+    body = <<-EOF
+        BEGIN
+            SELECT usename, passwd FROM pg_catalog.pg_shadow
+            WHERE usename = i_username INTO uname, phash;
+            RETURN;
+        END;
+    EOF
+    parallel = "SAFE"
+    security_definer = true
+}
+resource "postgresql_grant" "pgbouncer_user_lookup_public_revoke" {
+  for_each = var.applications
+  database    = postgresql_function.pgbouncer_user_lookup[each.value].database
+  role        = "public"
+  schema      = "public"
+  object_type = "function"
+  objects     = [
+    postgresql_function.pgbouncer_user_lookup[each.value].name,
+  ]
+  privileges  = []
+}
+resource "postgresql_grant" "pgbouncer_user_lookup" {
+  depends_on = [ postgresql_grant.pgbouncer_user_lookup_public_revoke ] # can't do both in parallel
+  for_each = var.applications
+  database    = postgresql_function.pgbouncer_user_lookup[each.value].database
+  role        = "pgbouncer_auth"
+  schema      = "public"
+  object_type = "function"
+  objects     = [
+    postgresql_function.pgbouncer_user_lookup[each.value].name,
+  ]
+  privileges  = ["EXECUTE"]
+}

postgres/iac/providers.tf

@@ -0,0 +1,37 @@
+terraform {
+  required_providers {
+    postgresql = {
+      source = "cyrilgdn/postgresql"
+      version = "1.24.0"
+    }
+    vault = {
+      source = "vault"
+      version = "4.4.0"
+    }
+  }
+}
+
+variable "POSTGRES_USERNAME" {
+  type = string
+  sensitive = true
+}
+variable "POSTGRES_PASSWORD" {
+  type = string
+  sensitive = true
+}
+
+provider "postgresql" {
+  host     = "192.168.1.202"
+  username = var.POSTGRES_USERNAME
+  password = var.POSTGRES_PASSWORD
+  sslmode  = "disable"
+  superuser = true
+}
+
+provider vault {
+  address = "https://vault.arcodange.duckdns.org"
+  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+    mount = "gitea_jwt"
+    role = "gitea_cicd"
+  }
+}

postgres/iac/terraform.tfvars

@@ -0,0 +1,3 @@
+applications = [
+    "webapp",
+]

postgres/iac/variables.tf

@@ -0,0 +1,3 @@
+variable "applications" {
+  type = set(string)
+}