role management for postgres synergy with vault dynamic credentials

ansible/arcodange/factory/inventory/group_vars/hard_disk/_hard_disk.yml

@@ -12,6 +12,8 @@ hard_disk__applications:
 
 hard_disk__postgres_databases:
     gitea: "{{ gitea_database }}"
+    webapp:
+      db_name: webapp
 
 hard_disk__nfs:
   server_ip: "{{ ansible_host }}"

ansible/arcodange/factory/playbooks/setup/postgres.yml

@@ -7,6 +7,7 @@
   vars:
     applications: "{{ hard_disk__applications }}"
     applications_databases: "{{ hard_disk__postgres_databases }}"
+    postgres_container_name: "{{ applications.postgres.dockercompose.services.postgres.container_name }}"
 
   tasks:
     - name: Deploy postgres Docker Compose configuration
@@ -30,14 +31,12 @@
       vars:
         app_name: postgres
         partition: "{{ applications.postgres.partition }}"
-        postgres_container_name: "{{ applications.postgres.dockercompose.services.postgres.container_name }}"
         # applications_databases: "{{ applications_databases }}" # kept for documentation purposes
     
     - name: Create auth_user for pgbouncer (connection pool component)
       ansible.builtin.shell: |
         docker exec -it {{ postgres_container_name }} psql -U postgres -d {{ database }} -tc "{{ pg_instruction.replace('$','\$') }}"
       vars:
-        postgres_container_name: "{{ applications.postgres.dockercompose.services.postgres.container_name }}"
         pg_instructions:
           - >-
             DO $$

ansible/arcodange/factory/playbooks/setup/roles/deploy_postgresql/tasks/create_db_and_user.yml

@@ -12,6 +12,7 @@
   changed_when: true
 
 - name: Check if user {{ db_config.db_user }} exists
+  when: db_config.db_user is defined
   shell: |
     docker exec -it {{ postgres_container_name }} psql -U postgres -tc "SELECT 1 FROM pg_roles WHERE rolname='{{ db_config.db_user }}';"
   register: user_check
@@ -20,9 +21,10 @@
 - name: Create user {{ db_config.db_user }} if it does not exist
   shell: |
     docker exec -it {{ postgres_container_name }} psql -U postgres -c "CREATE USER {{ db_config.db_user }} WITH PASSWORD '{{ db_config.db_password }}';"
-  when: user_check.stdout.find('1') == -1
+  when:  db_config.db_user is defined and user_check.stdout.find('1') == -1
   changed_when: true
 
 - name: Grant ownership of database {{ db_config.db_name }} to user {{ db_config.db_user }}
+  when: db_config.db_user is defined
   shell: |
     docker exec -i {{ postgres_container_name }} psql -U postgres -c "ALTER DATABASE {{ db_config.db_name }} OWNER TO {{ db_config.db_user }};"

ansible/arcodange/factory/playbooks/tools/hashicorp_vault.yml

@@ -17,6 +17,12 @@
   - name: Setup Hashicorp Vault
     include_role:
       name: hashicorp_vault
+    vars:
+      pg_conf: >-
+        {{ hostvars[groups.hard_disk[0]].postgres.dockercompose.services.postgres.environment }}
+      postgres_admin_credentials:
+        username: '{{ pg_conf.POSTGRES_USER }}'
+        password: '{{ pg_conf.POSTGRES_PASSWORD }}'
   
   - name: share VAULT CA
     block:

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/defaults/main.yml

@@ -7,4 +7,10 @@ vault_address: https://vault.arcodange.duckdns.org
 vault_oidc_gitea_setupGiteaAppJS: '{{ role_path }}/files/playwright_setupGiteaApp.js'
 
 gitea_admin_user: arcodange@gmail.com
-gitea_admin_password: "{{ undef(hint='You must specify the gitea user admin password') }}"
+gitea_admin_password: "{{ undef(hint='You must specify the gitea user admin password') }}"
+
+# kvv1 secrets for later admin operations
+
+postgres_admin_credentials:
+  username: postgres
+  password: postgres

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf

@@ -11,6 +11,7 @@ variable "vault_address" {
 }
 variable "vault_token" {
   type = string
+  sensitive = true
 }
 variable "admin_email" {
   type = string
@@ -23,6 +24,14 @@ variable "gitea_app" {
     secret = string
     description = optional(string, "Arcodange Gitea Auth")
   })
+  sensitive = true
+}
+variable "postgres_admin_credentials" {
+  type = object({
+    username = optional(string, "postgres")
+    password = string
+  })
+  sensitive = true
 }
 
 # kubectl -n kube-system exec $(kubectl -n kube-system get pod -l app.kubernetes.io/name=traefik -o jsonpath="{.items[0]['.metadata.name']}") -- cat /data/acme.json | jq '(.letsencrypt.Certificates | map(select(.domain.main=="arcodange.duckdns.org")))[0]' | jq '.certificate' -r | base64 -d | openssl x509
@@ -148,11 +157,36 @@ resource "vault_mount" "kvv1" {
   description = "KV Version 1 secret engine mount"
 }
 
-resource "vault_kv_secret" "google_credential" {
+resource "vault_kv_secret" "google_credentials" {
   path = "${vault_mount.kvv1.path}/google/credentials"
   data_json = jsonencode(
   {
     credentials = file("~/.config/gcloud/application_default_credentials.json")
   }
   )
+}
+
+resource "vault_kv_secret" "gitea_app_id" {
+  path = "${vault_mount.kvv1.path}/gitea/app"
+  data_json = jsonencode(
+  {
+    id = var.gitea_app.id
+  }
+  )
+}
+
+resource "vault_kv_secret" "postgres_admin_credentials" {
+  path = "${vault_mount.kvv1.path}/postgres/credentials"
+  data_json = jsonencode(var.postgres_admin_credentials)
+}
+
+resource "vault_audit" "stdout" {
+  type  = "file"
+  local = true
+
+  options = {
+    file_path = "stdout"
+    hmac_accessor = false
+    log_raw = true
+  }
 }

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml

@@ -37,16 +37,12 @@
     register: last_tofu_command
     loop:
       - tofu init -no-color
-      # - >-
-      #   tofu destroy -auto-approve -no-color
-      #   -var='gitea_app={{ gitea_app | to_json }}'
-      #   -var='vault_address={{ vault_address }}'
-      #   -var='vault_token={{ vault_root_token }}'
       - >-
         tofu apply -auto-approve -no-color
         -var='gitea_app={{ gitea_app | to_json }}'
         -var='vault_address={{ vault_address }}'
         -var='vault_token={{ vault_root_token }}'
+        -var='postgres_admin_credentials={{ postgres_admin_credentials | to_json }}'
     loop_control:
       loop_var: command
       extended: true