mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-06-22 10:18:09 +02:00
Move telegraf role provisioning to external script with env vars
This commit is contained in:
Mike Reeves
@@ -94,6 +94,14 @@ postgres_app_secret:
|
|||||||
- require:
|
- require:
|
||||||
- file: postgressecretsdir
|
- file: postgressecretsdir
|
||||||
|
|
||||||
|
postgrestelegrafrole:
|
||||||
|
file.managed:
|
||||||
|
- name: /usr/local/bin/telegraf_role.sh
|
||||||
|
- source: salt://postgres/files/telegraf_role.sh
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- mode: 755
|
||||||
|
|
||||||
postgres_sbin:
|
postgres_sbin:
|
||||||
file.recurse:
|
file.recurse:
|
||||||
- name: /usr/sbin
|
- name: /usr/sbin
|
||||||
|
|||||||
@@ -0,0 +1,23 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# Provision or update a Telegraf postgres role.
|
||||||
|
# Expects ROLE_USER and ROLE_PASS environment variables.
|
||||||
|
|
||||||
|
docker exec -i so-postgres psql \
|
||||||
|
-v ON_ERROR_STOP=1 \
|
||||||
|
-v role_user="$ROLE_USER" \
|
||||||
|
-v role_pass="$ROLE_PASS" \
|
||||||
|
-U postgres -d so_telegraf <<'EOSQL'
|
||||||
|
DO $$
|
||||||
|
BEGIN
|
||||||
|
IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = :role_user) THEN
|
||||||
|
EXECUTE format('CREATE ROLE %I WITH LOGIN PASSWORD %L', :role_user, :role_pass);
|
||||||
|
ELSE
|
||||||
|
EXECUTE format('ALTER ROLE %I WITH LOGIN PASSWORD %L', :role_user, :role_pass);
|
||||||
|
END IF;
|
||||||
|
END
|
||||||
|
$$;
|
||||||
|
GRANT CONNECT ON DATABASE so_telegraf TO :"role_user";
|
||||||
|
GRANT so_telegraf TO :"role_user";
|
||||||
|
EOSQL
|
||||||
@@ -100,26 +100,17 @@ postgres_telegraf_group_role:
|
|||||||
{% for mid, entry in creds.items() %}
|
{% for mid, entry in creds.items() %}
|
||||||
{% if entry.get('user') and entry.get('pass') %}
|
{% if entry.get('user') and entry.get('pass') %}
|
||||||
{% set u = entry.user %}
|
{% set u = entry.user %}
|
||||||
{% set p = entry.pass | replace("'", "''") %}
|
{% set p = entry.pass %}
|
||||||
|
|
||||||
postgres_telegraf_role_{{ u }}:
|
postgres_telegraf_role_{{ u }}:
|
||||||
cmd.run:
|
cmd.run:
|
||||||
- name: |
|
- name: /usr/local/bin/telegraf_role.sh
|
||||||
docker exec -i so-postgres psql -v ON_ERROR_STOP=1 -U postgres -d so_telegraf <<'EOSQL'
|
- env:
|
||||||
DO $$
|
- ROLE_USER: {{ u }}
|
||||||
BEGIN
|
- ROLE_PASS: {{ p }}
|
||||||
IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ u }}') THEN
|
|
||||||
EXECUTE format('CREATE ROLE %I WITH LOGIN PASSWORD %L', '{{ u }}', '{{ p }}');
|
|
||||||
ELSE
|
|
||||||
EXECUTE format('ALTER ROLE %I WITH PASSWORD %L', '{{ u }}', '{{ p }}');
|
|
||||||
END IF;
|
|
||||||
END
|
|
||||||
$$;
|
|
||||||
GRANT CONNECT ON DATABASE so_telegraf TO "{{ u }}";
|
|
||||||
GRANT so_telegraf TO "{{ u }}";
|
|
||||||
EOSQL
|
|
||||||
- hide_output: True
|
- hide_output: True
|
||||||
- require:
|
- require:
|
||||||
|
- file: postgrestelegrafrole
|
||||||
- cmd: postgres_telegraf_group_role
|
- cmd: postgres_telegraf_group_role
|
||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|||||||
Reference in New Issue
Block a user