initial server instance define

instance directories is now a hash, update example

Author: SimonHoenscheid

README.md

@@ -8,6 +8,7 @@
     * [Getting started with postgresql](#getting-started-with-postgresql)
 3. [Usage - Configuration options and additional functionality](#usage)
     * [Configure a server](#configure-a-server)
+    * [Configure an instance](#configure-an-instance)
     * [Create a database](#create-a-database)
     * [Manage users, roles, and permissions](#manage-users-roles-and-permissions)
     * [Manage ownership of DB objects](#manage-ownership-of-db-objects)
@@ -72,6 +73,184 @@ If you get an error message from these commands, your permission settings restri
 
 For more details about server configuration parameters, consult the [PostgreSQL Runtime Configuration documentation](http://www.postgresql.org/docs/current/static/runtime-config.html).
 
+### Configure an instance
+
+This module supports managing multiple instances (the default instance is referred to as 'main' and managed via including the server.pp class)
+
+**NOTE:** This feature is currently tested on Centos 8 Streams/RHEL8 with DNF Modules enabled. Different Linux plattforms and/or the Postgresql.org
+packages distribute different Systemd service files or use  wrapper scripts with Systemd to start Postgres. Additional adjustmentments are needed to get this working on these plattforms.
+
+#### Working Plattforms
+
+* Centos 8 Streams
+* RHEL 8
+
+#### Background and example
+
+creating a new instance has the following advantages:
+* files are owned by the postgres user
+* instance is running under a different user, if the instance is hacked, the hacker has no access to the file system
+* the instance user can be an LDAP user, higher security because of central login monitoring, password policies, password rotation policies
+* main instance can be disabled
+
+
+Here is a profile which can be used to create instaces
+
+```puppet
+class profiles::postgres (
+  Hash $instances = {},
+  String $postgresql_version = '13',
+) {
+  class { 'postgresql::globals':
+    encoding            => 'UTF-8',
+    locale              => 'en_US.UTF-8',
+    manage_package_repo => false,
+    manage_dnf_module   => true,
+    needs_initdb        => true,
+    version             => $postgresql_version,
+  }
+  include postgresql::server
+
+  $instances.each |String $instance, Hash $instance_settings| {
+    postgresql::server_instance { $instance:
+      *               => $instance_settings,
+    }
+  }
+}
+```
+
+And here is data to create an instance called test1:
+
+```yaml
+# stop default main instance
+postgresql::server::service_ensure: "stopped"
+postgresql::server::service_enable: false
+
+#define an instance
+profiles::postgres::instances:
+  test1:
+    instance_user: "ins_test1"
+    instance_group: "ins_test1"
+    instance_directories:
+      "/opt/pgsql":
+        ensure: directory
+      "/opt/pgsql/backup":
+        ensure: directory
+      "/opt/pgsql/data":
+        ensure: directory
+      "/opt/pgsql/data/13":
+        ensure: directory
+      "/opt/pgsql/data/home":
+        ensure: directory
+      "/opt/pgsql/wal":
+        ensure: directory
+      "/opt/pgsql/log":
+        ensure: directory
+      "/opt/pgsql/log/13":
+        ensure: directory
+      "/opt/pgsql/log/13/test1":
+        ensure: directory
+    config_settings:
+      pg_hba_conf_path: "/opt/pgsql/data/13/test1/pg_hba.conf"
+      postgresql_conf_path: "/opt/pgsql/data/13/test1/postgresql.conf"
+      pg_ident_conf_path: "/opt/pgsql/data/13/test1/pg_ident.conf"
+      datadir: "/opt/pgsql/data/13/test1"
+      service_name: "postgresql@13-test1"
+      port: 5433
+      pg_hba_conf_defaults: false
+    service_settings:
+      service_name: "postgresql@13-test1"
+      service_status: "systemctl status postgresql@13-test1.service"
+      service_ensure: "running"
+      service_enable: true
+    initdb_settings:
+      auth_local: "peer"
+      auth_host: "md5"
+      needs_initdb: true
+      datadir: "/opt/pgsql/data/13/test1"
+      encoding: "UTF-8"
+      lc_messages: "en_US.UTF8"
+      locale: "en_US.UTF8"
+      data_checksums: false
+      group: "postgres"
+      user: "postgres"
+      username: "ins_test1"
+    config_entries:
+      authentication_timeout:
+        value: "1min"
+        comment: "a test"
+      log_statement_stats:
+        value: "off"
+      autovacuum_vacuum_scale_factor:
+        value: 0.3
+    databases:
+      testdb1:
+        encoding: "UTF8"
+        locale: "en_US.UTF8"
+        owner: "dba_test1"
+      testdb2:
+        encoding: "UTF8"
+        locale: "en_US.UTF8"
+        owner: "dba_test1"
+    roles:
+      "ins_test1":
+        superuser: true
+        login: true
+      "dba_test1":
+        createdb: true
+        login: true
+      "app_test1":
+        login: true
+      "rep_test1":
+        replication: true
+        login: true
+      "rou_test1":
+        login: true
+    pg_hba_rules:
+      "local all INSTANCE user":
+        type: "local"
+        database: "all"
+        user: "ins_test1"
+        auth_method: "peer"
+        order: 1
+      "local all DB user":
+        type: "local"
+        database: "all"
+        user: "dba_test1"
+        auth_method: "peer"
+        order: 2
+      "local all APP user":
+        type: "local"
+        database: "all"
+        user: "app_test1"
+        auth_method: "peer"
+        order: 3
+      "local all READONLY user":
+        type: "local"
+        database: "all"
+        user: "rou_test1"
+        auth_method: "peer"
+        order: 4
+      "remote all INSTANCE user PGADMIN server":
+        type: "host"
+        database: "all"
+        user: "ins_test1"
+        address: "192.168.22.131/32"
+        auth_method: "md5"
+        order: 5
+      "local replication INSTANCE user":
+        type: "local"
+        database: "replication"
+        user: "ins_test1"
+        auth_method: "peer"
+        order: 6
+      "local replication REPLICATION user":
+        type: "local"
+        database: "replication"
+        user: "rep_test1"
+        auth_method: "peer"
+        order: 7
+```
 ### Create a database
 
 You can set up a variety of PostgreSQL databases with the `postgresql::server::db` defined type. For instance, to set up a database for PuppetDB:
@@ -359,7 +538,7 @@ For information on the classes and types, see the [REFERENCE.md](https://github.
 
 ## Limitations
 
-Works with versions of PostgreSQL on supported OSes.  
+Works with versions of PostgreSQL on supported OSes.
 
 For an extensive list of supported operating systems, see [metadata.json](https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/metadata.json)
 

REFERENCE.md

@@ -63,6 +63,7 @@
 * [`postgresql::server::schema`](#postgresql--server--schema): Create a new schema.
 * [`postgresql::server::table_grant`](#postgresql--server--table_grant): This resource wraps the grant resource to manage table grants specifically.
 * [`postgresql::server::tablespace`](#postgresql--server--tablespace): This module creates tablespace.
+* [`postgresql::server_instance`](#postgresql--server_instance): define to install and manage additional postgresql instances
 
 #### Private Defined types
 
@@ -4038,6 +4039,168 @@ May need to specify if '/tmp' is on volume mounted with noexec option.
 
 Default value: `$postgresql::server::module_workdir`
 
+### <a name="postgresql--server_instance"></a>`postgresql::server_instance`
+
+define to install and manage additional postgresql instances
+
+#### Parameters
+
+The following parameters are available in the `postgresql::server_instance` defined type:
+
+* [`instance_name`](#-postgresql--server_instance--instance_name)
+* [`instance_user`](#-postgresql--server_instance--instance_user)
+* [`instance_group`](#-postgresql--server_instance--instance_group)
+* [`instance_user_homedirectory`](#-postgresql--server_instance--instance_user_homedirectory)
+* [`manage_instance_user_and_group`](#-postgresql--server_instance--manage_instance_user_and_group)
+* [`instance_directories`](#-postgresql--server_instance--instance_directories)
+* [`initdb_settings`](#-postgresql--server_instance--initdb_settings)
+* [`config_settings`](#-postgresql--server_instance--config_settings)
+* [`service_settings`](#-postgresql--server_instance--service_settings)
+* [`passwd_settings`](#-postgresql--server_instance--passwd_settings)
+* [`roles`](#-postgresql--server_instance--roles)
+* [`config_entries`](#-postgresql--server_instance--config_entries)
+* [`pg_hba_rules`](#-postgresql--server_instance--pg_hba_rules)
+* [`databases`](#-postgresql--server_instance--databases)
+* [`databases_and_users`](#-postgresql--server_instance--databases_and_users)
+* [`database_grants`](#-postgresql--server_instance--database_grants)
+* [`table_grants`](#-postgresql--server_instance--table_grants)
+
+##### <a name="-postgresql--server_instance--instance_name"></a>`instance_name`
+
+Data type: `String[1]`
+
+The name of the instance.
+
+Default value: `$name`
+
+##### <a name="-postgresql--server_instance--instance_user"></a>`instance_user`
+
+Data type: `String[1]`
+
+The user to run the instance as.
+
+Default value: `$instance_name`
+
+##### <a name="-postgresql--server_instance--instance_group"></a>`instance_group`
+
+Data type: `String[1]`
+
+The group to run the instance as.
+
+Default value: `$instance_name`
+
+##### <a name="-postgresql--server_instance--instance_user_homedirectory"></a>`instance_user_homedirectory`
+
+Data type: `Stdlib::Absolutepath`
+
+The home directory of the instance user.
+
+Default value: `"/opt/pgsql/data/home/${instance_user}"`
+
+##### <a name="-postgresql--server_instance--manage_instance_user_and_group"></a>`manage_instance_user_and_group`
+
+Data type: `Boolean`
+
+Should Puppet manage the instance user and it's primary group?.
+
+Default value: `true`
+
+##### <a name="-postgresql--server_instance--instance_directories"></a>`instance_directories`
+
+Data type: `Hash`
+
+directories needed for the instance. Option to manage the directory properties for each directory.
+
+Default value: `{}`
+
+##### <a name="-postgresql--server_instance--initdb_settings"></a>`initdb_settings`
+
+Data type: `Hash`
+
+Specifies a hash witn parameters for postgresql::server::instance::initdb
+
+Default value: `{}`
+
+##### <a name="-postgresql--server_instance--config_settings"></a>`config_settings`
+
+Data type: `Hash`
+
+Specifies a hash with parameters for postgresql::server::instance::config
+
+Default value: `{}`
+
+##### <a name="-postgresql--server_instance--service_settings"></a>`service_settings`
+
+Data type: `Hash`
+
+Specifies a hash with parameters for postgresql::server:::instance::service
+
+Default value: `{}`
+
+##### <a name="-postgresql--server_instance--passwd_settings"></a>`passwd_settings`
+
+Data type: `Hash`
+
+Specifies a hash with parameters for postgresql::server::instance::passwd
+
+Default value: `{}`
+
+##### <a name="-postgresql--server_instance--roles"></a>`roles`
+
+Data type: `Hash`
+
+Specifies a hash from which to generate postgresql::server::role resources.
+
+Default value: `{}`
+
+##### <a name="-postgresql--server_instance--config_entries"></a>`config_entries`
+
+Data type: `Hash`
+
+Specifies a hash from which to generate postgresql::server::config_entry resources.
+
+Default value: `{}`
+
+##### <a name="-postgresql--server_instance--pg_hba_rules"></a>`pg_hba_rules`
+
+Data type: `Hash`
+
+Specifies a hash from which to generate postgresql::server::pg_hba_rule resources.
+
+Default value: `{}`
+
+##### <a name="-postgresql--server_instance--databases"></a>`databases`
+
+Data type: `Hash`
+
+Specifies a hash from which to generate postgresql::server::database resources.
+
+Default value: `{}`
+
+##### <a name="-postgresql--server_instance--databases_and_users"></a>`databases_and_users`
+
+Data type: `Hash`
+
+Specifies a hash from which to generate postgresql::server::db resources.
+
+Default value: `{}`
+
+##### <a name="-postgresql--server_instance--database_grants"></a>`database_grants`
+
+Data type: `Hash`
+
+Specifies a hash from which to generate postgresql::server::database_grant resources.
+
+Default value: `{}`
+
+##### <a name="-postgresql--server_instance--table_grants"></a>`table_grants`
+
+Data type: `Hash`
+
+Specifies a hash from which to generate postgresql::server::table_grant resources.
+
+Default value: `{}`
+
 ## Resource types
 
 ### <a name="postgresql_conf"></a>`postgresql_conf`

manifests/server_instance.pp

@@ -0,0 +1,132 @@
+# @summary define to install and manage additional postgresql instances
+# @param instance_name The name of the instance.
+# @param instance_user The user to run the instance as.
+# @param instance_group The group to run the instance as.
+# @param instance_user_homedirectory The home directory of the instance user.
+# @param manage_instance_user_and_group Should Puppet manage the instance user and it's primary group?.
+# @param instance_directories directories needed for the instance. Option to manage the directory properties for each directory.
+# @param initdb_settings Specifies a hash witn parameters for postgresql::server::instance::initdb
+# @param config_settings Specifies a hash with parameters for postgresql::server::instance::config
+# @param service_settings Specifies a hash with parameters for postgresql::server:::instance::service
+# @param passwd_settings Specifies a hash with parameters for postgresql::server::instance::passwd
+# @param roles Specifies a hash from which to generate postgresql::server::role resources.
+# @param config_entries Specifies a hash from which to generate postgresql::server::config_entry resources.
+# @param pg_hba_rules Specifies a hash from which to generate postgresql::server::pg_hba_rule resources.
+# @param databases Specifies a hash from which to generate postgresql::server::database resources.
+# @param databases_and_users Specifies a hash from which to generate postgresql::server::db resources.
+# @param database_grants Specifies a hash from which to generate postgresql::server::database_grant resources.
+# @param table_grants Specifies a hash from which to generate postgresql::server::table_grant resources.
+define postgresql::server_instance (
+  String[1] $instance_name                          = $name,
+  Boolean $manage_instance_user_and_group           = true,
+  Hash $instance_directories                        = {},
+  String[1] $instance_user                          = $instance_name,
+  String[1] $instance_group                         = $instance_name,
+  Stdlib::Absolutepath $instance_user_homedirectory = "/opt/pgsql/data/home/${instance_user}",
+  Hash $initdb_settings                             = {},
+  Hash $config_settings                             = {},
+  Hash $service_settings                            = {},
+  Hash $passwd_settings                             = {},
+  Hash $roles                                       = {},
+  Hash $config_entries                              = {},
+  Hash $pg_hba_rules                                = {},
+  Hash $databases_and_users                         = {},
+  Hash $databases                                   = {},
+  Hash $database_grants                             = {},
+  Hash $table_grants                                = {},
+) {
+  unless($facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '8') {
+    warning('This define postgresql::server_instance is only tested on RHEL8')
+  }
+  $instance_directories.each |Stdlib::Absolutepath $directory, Hash $directory_settings| {
+    file { $directory:
+      * => $directory_settings,
+    }
+  }
+
+  if $manage_instance_user_and_group {
+    user { $instance_user:
+      managehome => true,
+      system     => true,
+      home       => $instance_user_homedirectory,
+      gid        => $instance_group,
+    }
+    group { $instance_group:
+      system => true,
+    }
+  }
+  postgresql::server::instance::initdb { $instance_name:
+    * => $initdb_settings,
+  }
+  postgresql::server::instance::config { $instance_name:
+    * => $config_settings,
+  }
+  postgresql::server::instance::service { $instance_name:
+    *    => $service_settings,
+    port => $config_settings['port'],
+    user => $instance_user,
+  }
+  postgresql::server::instance::passwd { $instance_name:
+    * => $passwd_settings,
+  }
+
+  $roles.each |$rolename, $role| {
+    postgresql::server::role { $rolename:
+      *          => $role,
+      psql_user  => $instance_user,
+      psql_group => $instance_group,
+      port       => $config_settings['port'],
+      instance   => $instance_name,
+    }
+  }
+
+  $config_entries.each |$entry, $settings| {
+    $value   = $settings['value']
+    $comment = $settings['comment']
+    postgresql::server::config_entry { "${entry}_${$instance_name}":
+      ensure  => bool2str($value =~ Undef, 'absent', 'present'),
+      key     => $entry,
+      value   => $value,
+      comment => $comment,
+      path    => $config_settings['postgresql_conf_path'],
+    }
+  }
+  $pg_hba_rules.each |String[1] $rule_name, Postgresql::Pg_hba_rule $rule| {
+    $rule_title = "${rule_name} for instance ${name}"
+    postgresql::server::pg_hba_rule { $rule_title:
+      *      => $rule,
+      target => $config_settings['pg_hba_conf_path'], # TODO: breaks if removed
+    }
+  }
+  $databases_and_users.each |$database, $database_details| {
+    postgresql::server::db { $database:
+      *          => $database_details,
+      psql_user  => $instance_user,
+      psql_group => $instance_group,
+      port       => $config_settings['port'],
+    }
+  }
+  $databases.each |$database, $database_details| {
+    postgresql::server::database { $database:
+      *     => $database_details,
+      user  => $instance_user,
+      group => $instance_group,
+      port  => $config_settings['port'],
+    }
+  }
+  $database_grants.each |$db_grant_title, $dbgrants| {
+    postgresql::server::database_grant { $db_grant_title:
+      *          => $dbgrants,
+      psql_user  => $instance_user,
+      psql_group => $instance_group,
+      port       => $config_settings['port'],
+    }
+  }
+  $table_grants.each |$table_grant_title, $tgrants| {
+    postgresql::server::table_grant { $table_grant_title:
+      *         => $tgrants,
+      psql_user => $instance_user,
+      port      => $config_settings['port'],
+    }
+  }
+}