From 370b15a3286318d1f2399041fe78edc333ab0d50 Mon Sep 17 00:00:00 2001
From: Maximilian Schlenz
Date: Tue, 15 Jul 2025 16:13:14 +0200
Subject: [PATCH] add validation for postgres, db name requirements and catch reserved 'admin' user
---
 example/main.tf | 50 ++++++++++++++++++++------------
 example/terraform.tfvars | 62 ++++++++++++++++++++--------------------
 example/variables.tf | 38 ++++++++++++------------
 postgres/providers.tf | 2 +-
 postgres/variables.tf | 34 ++++++++++++++++++++--
 5 files changed, 115 insertions(+), 71 deletions(-)
diff --git a/example/main.tf b/example/main.tf
index d185416..f5c620a 100644
--- a/example/main.tf
+++ b/example/main.tf
@@ -57,22 +57,22 @@ module "net" {
 security_group_ids_by_name = local.security_group_ids_by_name
 }
-# module "postgres" {
-# source = "../postgres"
+module "postgres" {
+ source = "../postgres"
-# for_each = var.postgres_instances
+ for_each = var.postgres_instances
-# project_id = module.project.project_id
-# name = each.value.name
-# ver = each.value.version
-# flavor = each.value.flavor
-# storage = each.value.storage
-# replicas = each.value.replicas
-# acl = each.value.acl
-# backup_schedule = each.value.backup_schedule
-# users = each.value.users
-# databases = each.value.databases
-# }
+ project_id = module.project.project_id
+ name = each.value.name
+ ver = each.value.version
+ flavor = each.value.flavor
+ storage = each.value.storage
+ replicas = each.value.replicas
+ acl = each.value.acl
+ backup_schedule = each.value.backup_schedule
+ users = each.value.users
+ databases = each.value.databases
+}
 # module "ske" {
 # source = "../ske"
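Review bot: The now-active `module "postgres"` call hands `acl = each.value.acl` to the instance with no comment, and the tfvars in this same commit seed that value with `0.0.0.0/0`, so a reader copying the example gets a world-reachable database by default; a one-line comment would make the sensitivity visible, e.g. `acl = each.value.acl # CIDRs allowed to reach the instance; narrow before use`. The `ver = each.value.version` line also hides a deliberate naming mismatch between the example object key `version` and the module input `ver` (`version` is a reserved meta-argument on module blocks), which deserves a short comment so nobody "fixes" it back.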
@@ -86,10 +86,24 @@ module "net" {
 # }
 # module "observability" {
-# source = "../observability"
-
+# source = "../observability" # path to the new module
 # for_each = var.observability_instances
+
 # project_id = module.project.project_id
-# name = each.value.name
-# plan_name = each.value.plan_name
+
+# # required
+# name = each.value.name
+# plan_name = each.value.plan_name
+
+# # optionals
+# acl = each.value.acl
+# metrics_retention_days = each.value.metrics_retention_days
+# metrics_retention_days_5m_downsampling = each.value.metrics_retention_days_5m_downsampling
+# metrics_retention_days_1h_downsampling = each.value.metrics_retention_days_1h_downsampling
+# alert_config = each.value.alert_config
+# parameters = each.value.parameters
+
+# # credentials
+# create_credentials = each.value.create_credentials
+# credentials_count = each.value.credentials_count
 # }
diff --git a/example/terraform.tfvars b/example/terraform.tfvars
index d8c6bc8..d4e2d8f 100644
--- a/example/terraform.tfvars
+++ b/example/terraform.tfvars
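Review bot: The whole `module "observability"` block stays commented out, so none of the added arguments (`acl` through `credentials_count`) is ever checked by `terraform validate`, and the commit message does not mention this block at all; either enable it the same way `postgres` is enabled in the previous hunk, or leave the dead block untouched so it cannot silently drift from the inputs `../observability` actually declares. The trailing `# path to the new module` comment on the `source` line adds nothing the value does not already say and can be dropped.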
@@ -56,39 +56,39 @@ security_groups = {
 # },
 }
-# postgres_instances = {
-# dev = {
-# name = "pg-test-instance"
-# version = 17
-# flavor = {
-# cpu = 2,
-# ram = 4
-# }
-# storage = {
-# class = "premium-perf6-stackit",
-# size = 20
-# }
-# replicas = 1
-# acl = ["0.0.0.0/0"]
-# backup_schedule = "00 00 * * *"
+postgres_instances = {
+ dev = {
+ name = "pg-test-instance"
+ version = 17
+ flavor = {
+ cpu = 2,
+ ram = 4
+ }
+ storage = {
+ class = "premium-perf6-stackit",
+ size = 20
+ }
+ replicas = 1
+ acl = ["0.0.0.0/0"]
+ backup_schedule = "00 00 * * *"
-# users = [
-# { username = "admin",
-# roles = ["login", "createdb"]
-# },
-# { username = "testusr",
-# roles = ["login"]
-# }
-# ]
+ users = [
+ { username = "adminusr",
+ roles = ["login", "createdb"]
+ },
+ { username = "testusr",
+ roles = ["login"]
+ }
+ ]
-# databases = [
-# {
-# name = "test_db",
-# owner = "admin"
-# }
-# ]
-# }
-# }
+ databases = [
+ {
+ name = "testdb",
+ owner = "admin"
+ }
+ ]
+ }
+}
 networks = {
 wan_network = {
diff --git a/example/variables.tf b/example/variables.tf
index 496493e..d17e836 100644
--- a/example/variables.tf
+++ b/example/variables.tf
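Review bot: `owner = "admin"` in the `databases` list names a user that this same hunk removes from `users` (renamed to `adminusr`), and since the commit's stated purpose is to reject the reserved `admin` username, the example as committed would either trip the new module validation or create a database owned by a user it never defines; the line should read `owner = "adminusr"`. `acl = ["0.0.0.0/0"]` is also live now instead of commented out, which grants every address network access to the example instance, and nothing visible in this patch validates `acl` entries the way `name` and usernames are validated; a placeholder such as `acl = ["<your-cidr>/32"] # replace with the networks that need access` keeps the example safe to copy.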
@@ -57,25 +57,25 @@ variable "security_groups" { })) } -# variable "postgres_instances" { -# type = map(object({ -# name = string -# version = number -# flavor = object({ cpu = number, ram = number }) -# storage = object({ class = string, size = number }) -# replicas = number -# acl = list(string) -# backup_schedule = string -# users = list(object({ -# username = string -# roles = set(string) -# })) -# databases = list(object({ -# name = string -# owner = string -# })) -# })) -# } +variable "postgres_instances" { + type = map(object({ + name = string + version = number + flavor = object({ cpu = number, ram = number }) + storage = object({ class = string, size = number }) + replicas = number + acl = list(string) + backup_schedule = string + users = list(object({ + username = string + roles = set(string) + })) + databases = list(object({ + name = string + owner = string + })) + })) +} # Network definition map variable "networks" { diff --git a/postgres/providers.tf b/postgres/providers.tf index 6e038c3..532c77d 100644 --- a/postgres/providers.tf +++ b/postgres/providers.tf @@ -3,7 +3,7 @@ terraform { required_providers { stackit = { source = "stackitcloud/stackit" - version = "0.56.0" + version = "0.54.0" } } } diff --git a/postgres/variables.tf b/postgres/variables.tf index dbe1920..061dd3f 100644 --- a/postgres/variables.tf +++ b/postgres/variables.tf @@ -4,6 +4,21 @@ variable "project_id" { variable "name" { type = string + + validation { + condition = length(regexall("^[a-z]([-a-z0-9]*[a-z0-9])?$", var.name)) > 0 + error_message = < 0 + ]) + error_message = <
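Review bot: `variable "postgres_instances"` in example/variables.tf is re-enabled without a `description` or any `validation`, so the constraints this commit introduces in postgres/variables.tf (the `^[a-z]([-a-z0-9]*[a-z0-9])?$` instance-name pattern and, per the subject line, the reserved `admin` username; that hunk is cut off in this view) only surface once the module is evaluated. A `description` naming those rules and a comment on `acl = list(string)` stating that entries are CIDR blocks granted network access would let users of the example get it right before the first plan. The object type also allows `databases[*].owner` to name a user absent from `users`, which is exactly what example/terraform.tfvars now does; a `validation` with `condition = alltrue([for i in var.postgres_instances : alltrue([for d in i.databases : contains([for u in i.users : u.username], d.owner)])])` would catch that at plan time.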