feature: deploy database and user for service ampere, gitea, nextcloud, keycloak and cfssl

.gitignore

@@ -0,0 +1,37 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+.idea/
+*.iml

.terraform.lock.hcl

@@ -0,0 +1,43 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/cyrilgdn/postgresql" {
+  version     = "1.21.0"
+  constraints = ">= 1.21.0"
+  hashes = [
+    "h1:6aDLfQNJxcpUdoQwa8k00VaNUCy8qQn1J8UsjuKY5Eo=",
+    "zh:17e3d204dabc116276c763bb0cd159aa315789d3b0bcd3b8aede935509960ab6",
+    "zh:1a7e5ac1921afdb3b12a49714c5f446a7604bfa1eb7bd9c123d607f8cbda45e4",
+    "zh:24a880623e30928ee866c84016b1db4e0458764c7a547b808e2d398e90456d42",
+    "zh:255c6162d35ace6a313a50c4ceb5452bd5582d7bb097a44e75ac4901e635ca13",
+    "zh:281ab48b69d0852b5138fe5ea2301ff7fdff30748f1f7878ac837c71622d3f7b",
+    "zh:3d4e0ae2809e743272e5d2640b64354c48140e225c2ba6f1a211700ea70e0754",
+    "zh:4f4df290e3ff626d8b274c624852d21d194a397a7f580ebe0cbf0ff64dd8fa31",
+    "zh:5997ce8f7cbcd7ff5a443d037b83857b17b64be928e9d9338dd494466733df60",
+    "zh:a05f0b65b0abf4488cdaf7b239206940940be77fd51f458f2a0986c6a17436aa",
+    "zh:aeb6c6da639abb6126f38be90a7bc428f925461bf599388ff092e059e0bb1a94",
+    "zh:d30bb053b6000c32cc8d03da231c30eaecddd926200adf2e9ad9c0186c2ad1ad",
+    "zh:d978827683b324c75141fa80ebc28dcaf181acd0be0a47b1e5f9579a72a08151",
+    "zh:f51fae9206361cbe865e30b06d106270d6acf7ece0550953b0d6b55afe6be9ba",
+    "zh:fa49a2702c529865c20f57185d6dd41072fdd9a13ac1a49e30eb88605c31af7a",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.5.1"
+  hashes = [
+    "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=",
+    "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+    "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+    "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+    "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+    "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+    "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+    "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+    "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+    "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+    "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
+  ]
+}

generic-database/configure.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    postgresql = {
+      source  = "cyrilgdn/postgresql"
+      version = ">= 1.21.0"
+    }
+  }
+}

generic-database/database.tf

@@ -0,0 +1,30 @@
+resource "random_password" "password" {
+  length           = 16
+  special          = true
+  override_special = "$*()=+[]{}<>?"
+}
+
+resource "postgresql_role" "user" {
+  name     = var.username
+  password = random_password.password.result
+  login    = true
+}
+
+resource "postgresql_database" "database" {
+  name             = var.database_name
+  template         = "template0"
+  encoding         = "UTF8"
+  lc_collate       = var.collate
+  lc_ctype         = var.ctype
+  connection_limit = -1
+
+  allow_connections = true
+}
+
+resource "postgresql_grant" "readonly_tables" {
+  database    = postgresql_database.database.name
+  role        = postgresql_role.user.name
+  schema      = var.schema
+  object_type = "database"
+  privileges  = var.privileges
+}

generic-database/input.tf

@@ -0,0 +1,27 @@
+variable "database_name" {
+  type        = string
+  description = "database name to create"
+}
+
+variable "schema" {
+  type        = string
+  default     = "public"
+  description = "database schema to create"
+}
+
+variable "username" {
+  type        = string
+  description = "user name owner of the new database"
+}
+
+variable "collate" {
+  default = "C"
+}
+
+variable "ctype" {
+  default = "fr_FR.utf8"
+}
+
+variable "privileges" {
+  default = ["CREATE", "CONNECT"]
+}

generic-database/output.tf

@@ -0,0 +1,8 @@
+output "account" {
+  value = {
+    database = var.database_name
+    username = var.username
+    password = random_password.password.result
+  }
+  sensitive = true
+}

main.tf

@@ -0,0 +1,94 @@
+terraform {
+  required_version = ">= 1.0.4, < 2.0.0"
+
+  required_providers {
+    postgresql = {
+      source  = "cyrilgdn/postgresql"
+      version = ">= 1.21.0"
+    }
+  }
+
+  backend "s3" {
+    endpoint                    = "http://s3.localdomain"
+    key                         = "postgres.tfstate"
+    bucket                      = "terraform"
+    region                      = "FR"
+    skip_credentials_validation = true
+    skip_region_validation      = true
+    skip_metadata_api_check     = true
+    shared_credentials_file     = "~/.aws/credentials"
+    profile                     = "minio"
+    force_path_style            = true
+  }
+}
+
+provider "postgresql" {
+  host            = "database.localdomain"
+  port            = 5432
+  database        = var.postgres.db
+  username        = var.postgres.user
+  password        = var.postgres.secret
+  sslmode         = "disable"
+  connect_timeout = 15
+}
+
+module "ampere" {
+  source        = "./generic-database"
+  database_name = "ampere"
+  username      = "ampere_user"
+}
+
+module "cfssl" {
+  source        = "./generic-database"
+  database_name = "cfssl"
+  username      = "cfssl"
+  collate       = "en_US.utf8"
+  ctype         = "en_US.utf8"
+}
+
+module "gitea" {
+  source        = "./generic-database"
+  database_name = "gitea_db"
+  username      = "gitea"
+  collate       = "fr_FR.UTF-8"
+  ctype         = "fr_FR.UTF-8"
+  privileges    = ["CREATE", "CONNECT", "TEMPORARY"]
+}
+
+module "keycloak" {
+  source        = "./generic-database"
+  database_name = "keycloak"
+  username      = "keycloak"
+  collate       = "fr_FR.utf8"
+  ctype         = "fr_FR.utf8"
+  privileges    = ["CREATE", "CONNECT", "TEMPORARY"]
+}
+
+module "nextcloud" {
+  source        = "./generic-database"
+  database_name = "nextcloud"
+  username      = "nextcloud"
+  collate       = "fr_FR.UTF-8"
+  ctype         = "fr_FR.UTF-8"
+}
+
+output "ampere_account" {
+  value     = jsonencode(module.ampere.account)
+  sensitive = true
+}
+output "cfssl_account" {
+  value     = jsonencode(module.cfssl.account)
+  sensitive = true
+}
+output "gitea_account" {
+  value     = jsonencode(module.gitea.account)
+  sensitive = true
+}
+output "keycloak_account" {
+  value     = jsonencode(module.keycloak.account)
+  sensitive = true
+}
+output "nextcloud_account" {
+  value     = jsonencode(module.nextcloud.account)
+  sensitive = true
+}

variables.tf

@@ -0,0 +1,9 @@
+variable "postgres" {
+  description = "postgres configuration"
+  sensitive   = true
+  type        = object({
+    user   = optional(string, "postgres")
+    secret = string
+    db     = optional(string, "postgres")
+  })
+}