# Postgres DB and Users

This program provisions:

- Postgres DB (`pg:database`)
- Read-write non-login role for the DB (default name: `${DBNAME}-rw`)
- Login users which can assume the above role (`pg:users`)
- Random login password for each user
- Credentials exposed via Secrets Manager (`pg:exportAsSecret` needs to be true)
## How to deploy?

- Complete the pre-requisites.
- A sample stack config is provided in `Pulumi.dev.yaml`; update the DB host in it.
- The superuser password needs to be set as a secret:

  ```
  pulumi config -s dev set --secret provider:superuserPassword <value>
  ```

- To deploy, run:

  ```
  pulumi up -s dev
  ```

- If `pg:exportAsSecret` is true, the credentials are exposed as an AWS Secret. Refer to the secret IDs in the output of the program.
- If that variable is false, the credentials are exposed as regular Pulumi outputs. To print them (including the secret password):

  ```
  pulumi stack output -s dev -j --show-secrets
  ```
## Rotate passwords without downtime

The idea is not to update an existing user's password, since that would cause downtime. Instead, first create a new login user and update the secret reference in the application, then delete the current user.

Simple steps to achieve this:

- Assume you currently have one user named `tom` in your stack config:

  ```yaml
  pg:users:
    - username: tom
      login: true
  ```

  The app references the secret ID for the `tom` user in its environment variables.
- To create a new user `jerry`, append it to the list:

  ```yaml
  pg:users:
    - username: tom
      login: true
    - username: jerry
      login: true
  ```

  Now there will be 2 login users, and consequently 2 AWS Secret IDs in the output.
- Update the app env to point to the new secret.
- Delete the `tom` user from the config: this removes the user from the Postgres DB and deletes its secret.
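The role layout from the "provisions" list and the rotation sequence above, written out as plain SQL so the DB-side effect is visible. This is an added example, not the Pulumi program's own code; the database name `appdb`, the role name `appdb-rw` (following the default `${DBNAME}-rw` pattern), the `public` schema grants and the placeholder passwords are constructed.

```sql
-- Constructed example: database appdb, NOLOGIN role appdb-rw, login users tom and jerry.
-- Run while connected to appdb as the superuser configured in provider:superuserPassword.

-- 1. Database and a NOLOGIN read-write role. The role holds the privileges;
--    it has no password, so there is nothing to rotate on it.
CREATE DATABASE appdb;
CREATE ROLE "appdb-rw" NOLOGIN;
GRANT CONNECT ON DATABASE appdb TO "appdb-rw";
GRANT USAGE ON SCHEMA public TO "appdb-rw";
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO "appdb-rw";
-- Applies to tables later created by the role running this statement (the superuser).
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO "appdb-rw";

-- 2. Login user tom assumes the role. The password is a placeholder for the
--    random value the program generates and stores in the secret.
CREATE ROLE tom LOGIN PASSWORD '<random-password-for-tom>';
GRANT "appdb-rw" TO tom;

-- 3. Rotation: add jerry alongside tom, so both credentials stay valid while
--    the application is switched to the new secret.
CREATE ROLE jerry LOGIN PASSWORD '<random-password-for-jerry>';
GRANT "appdb-rw" TO jerry;

-- 4. After the app points at jerry's secret, remove tom. DROP ROLE fails if
--    tom still owns objects, so hand any it created to the shared role first.
REASSIGN OWNED BY tom TO "appdb-rw";
REVOKE "appdb-rw" FROM tom;
DROP ROLE tom;

-- Check: only jerry should be a member of appdb-rw now.
SELECT r.rolname AS member
  FROM pg_auth_members m
  JOIN pg_roles r ON r.oid = m.member
  JOIN pg_roles g ON g.oid = m.roleid
 WHERE g.rolname = 'appdb-rw';
```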