add validation for postgres, db name requirements and catch reserved 'admin' user

2025-07-15 16:13:14 +02:00 · 2025-07-15 16:13:14 +02:00 · 370b15a328
commit 370b15a328
parent 7345619f23
5 changed files with 115 additions and 71 deletions
--- a/example/main.tf
+++ b/example/main.tf
@ -57,22 +57,22 @@ module "net" {
  security_group_ids_by_name = local.security_group_ids_by_name
 }
-# module "postgres" {
+module "postgres" {
-#   source = "../postgres"
+  source = "../postgres"
-#   for_each = var.postgres_instances
+  for_each = var.postgres_instances
-#   project_id      = module.project.project_id
+  project_id      = module.project.project_id
-#   name            = each.value.name
+  name            = each.value.name
-#   ver             = each.value.version
+  ver             = each.value.version
-#   flavor          = each.value.flavor
+  flavor          = each.value.flavor
-#   storage         = each.value.storage
+  storage         = each.value.storage
-#   replicas        = each.value.replicas
+  replicas        = each.value.replicas
-#   acl             = each.value.acl
+  acl             = each.value.acl
-#   backup_schedule = each.value.backup_schedule
+  backup_schedule = each.value.backup_schedule
-#   users           = each.value.users
+  users           = each.value.users
-#   databases       = each.value.databases
+  databases       = each.value.databases
-# }
+}
 # module "ske" {
 #   source = "../ske"
@ -86,10 +86,24 @@ module "net" {
 # }
 # module "observability" {
-#   source = "../observability"
+#   source     = "../observability"   # path to the new module
 #   for_each   = var.observability_instances
 #   project_id = module.project.project_id
 #   # required
 #   name      = each.value.name
 #   plan_name = each.value.plan_name
 #   # optionals
 #   acl                                    = each.value.acl
 #   metrics_retention_days                 = each.value.metrics_retention_days
 #   metrics_retention_days_5m_downsampling = each.value.metrics_retention_days_5m_downsampling
 #   metrics_retention_days_1h_downsampling = each.value.metrics_retention_days_1h_downsampling
 #   alert_config                           = each.value.alert_config
 #   parameters                             = each.value.parameters
 #   # credentials
 #   create_credentials = each.value.create_credentials
 #   credentials_count  = each.value.credentials_count
 # }
--- a/example/terraform.tfvars
+++ b/example/terraform.tfvars
@ -56,39 +56,39 @@ security_groups = {
  # },
 }
-# postgres_instances = {
+postgres_instances = {
-#   dev = {
+  dev = {
-#     name    = "pg-test-instance"
+    name    = "pg-test-instance"
-#     version = 17
+    version = 17
-#     flavor = {
+    flavor = {
-#       cpu = 2,
+      cpu = 2,
-#       ram = 4
+      ram = 4
-#     }
+    }
-#     storage = {
+    storage = {
-#       class = "premium-perf6-stackit",
+      class = "premium-perf6-stackit",
-#       size  = 20
+      size  = 20
-#     }
+    }
-#     replicas        = 1
+    replicas        = 1
-#     acl             = ["0.0.0.0/0"]
+    acl             = ["0.0.0.0/0"]
-#     backup_schedule = "00 00 * * *"
+    backup_schedule = "00 00 * * *"
-#     users = [
+    users = [
-#       { username = "admin",
+      { username = "adminusr",
-#         roles    = ["login", "createdb"]
+        roles    = ["login", "createdb"]
-#       },
+      },
-#       { username = "testusr",
+      { username = "testusr",
-#         roles    = ["login"]
+        roles    = ["login"]
-#       }
+      }
-#     ]
+    ]
-#     databases = [
+    databases = [
-#       {
+      {
-#         name  = "test_db",
+        name  = "testdb",
-#         owner = "admin"
+        owner = "admin"
-#       }
+      }
-#     ]
+    ]
-#   }
+  }
-# }
+}
 networks = {
  wan_network = {
--- a/example/variables.tf
+++ b/example/variables.tf
@ -57,25 +57,25 @@ variable "security_groups" {
  }))
 }
-# variable "postgres_instances" {
+variable "postgres_instances" {
-#   type = map(object({
+  type = map(object({
-#     name            = string
+    name            = string
-#     version         = number
+    version         = number
-#     flavor          = object({ cpu = number, ram = number })
+    flavor          = object({ cpu = number, ram = number })
-#     storage         = object({ class = string, size = number })
+    storage         = object({ class = string, size = number })
-#     replicas        = number
+    replicas        = number
-#     acl             = list(string)
+    acl             = list(string)
-#     backup_schedule = string
+    backup_schedule = string
-#     users = list(object({
+    users = list(object({
-#       username = string
+      username = string
-#       roles    = set(string)
+      roles    = set(string)
-#     }))
+    }))
-#     databases = list(object({
+    databases = list(object({
-#       name  = string
+      name  = string
-#       owner = string
+      owner = string
-#     }))
+    }))
-#   }))
+  }))
-# }
+}
 # Network definition map
 variable "networks" {
--- a/postgres/providers.tf
+++ b/postgres/providers.tf
@ -3,7 +3,7 @@ terraform {
  required_providers {
    stackit = {
      source  = "stackitcloud/stackit"
-      version = "0.56.0"
+      version = "0.54.0"
    }
  }
 }
--- a/postgres/variables.tf
+++ b/postgres/variables.tf
@ -4,6 +4,21 @@ variable "project_id" {
 variable "name" {
  type = string
  validation {
    condition     = length(regexall("^[a-z]([-a-z0-9]*[a-z0-9])?$", var.name)) > 0
    error_message = <<EOT
      The name must be a valid DNS-1035 label:
      - only lower-case letters, digits or '-'
      - must start with a letter
      - must end with a letter or digit
      EOT
  }
 }
 variable "instance_id" {
  type    = string
  default = ""
 }
 variable "ver" {
@ -38,19 +53,34 @@ variable "backup_schedule" {
 }
 variable "users" {
  description = "List of users"
  type = list(object({
    username = string
    roles    = set(string)
  }))
  default = []
  validation {
    condition     = alltrue([
      for user in var.users : user.username != "admin"
    ])
    error_message = "The username 'admin' is reserved and cannot be used."
  }
 }
 variable "databases" {
  description = "List of databases"
  type = list(object({
    name  = string
    owner = string
  }))
  default = []
    validation {
    condition = alltrue([
      for db in var.databases : length(regexall("^[a-z]([-a-z0-9]*[a-z0-9])?$", db.name)) > 0
    ])
    error_message = <<EOT
      The name must be a valid DNS-1035 label:
      - only lower-case letters, digits or '-'
      - must start with a letter
      - must end with a letter or digit
      EOT
  }
 }