feat(sdb): Add policies and API Keys to access the Serverless instance

scaleway-terraform-modules · Aug 13, 2024 · 15bc8ff · 15bc8ff
1 parent ff4ac0d
commit 15bc8ff
Show file tree

Hide file tree

Showing 5 changed files with 102 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -29,7 +29,17 @@ module "sdb" {
 
 | Name | Type |
 |------|------|
+| [scaleway_iam_api_key.admin](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_api_key) | resource |
+| [scaleway_iam_api_key.ro](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_api_key) | resource |
+| [scaleway_iam_api_key.rw](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_api_key) | resource |
+| [scaleway_iam_application.admin](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_application) | resource |
+| [scaleway_iam_application.ro](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_application) | resource |
+| [scaleway_iam_application.rw](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_application) | resource |
+| [scaleway_iam_policy.admin](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_policy) | resource |
+| [scaleway_iam_policy.ro](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_policy) | resource |
+| [scaleway_iam_policy.rw](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_policy) | resource |
 | [scaleway_sdb_sql_database.main](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/sdb_sql_database) | resource |
+| [scaleway_account_project.current](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/data-sources/account_project) | data source |
 
 ## Inputs
 
@@ -44,7 +54,10 @@ module "sdb" {
 
 | Name | Description |
 |------|-------------|
+| <a name="output_admin_connection_string"></a> [admin_connection_string](#output_admin_connection_string) | Connection string to connect with admin permissions. |
 | <a name="output_endpoint"></a> [endpoint](#output_endpoint) | Endpoint of the database. |
+| <a name="output_ro_connection_string"></a> [ro_connection_string](#output_ro_connection_string) | Connection string to connect with read only permissions. |
+| <a name="output_rw_connection_string"></a> [rw_connection_string](#output_rw_connection_string) | Connection string to connect with read/write permissions. |
 <!-- END_TF_DOCS -->
 
 ## Authors

diff --git a/access_admin.tf b/access_admin.tf
@@ -0,0 +1,21 @@
+data "scaleway_account_project" "current" {}
+
+resource "scaleway_iam_application" "admin" {
+  name        = format("SDB - %s - Admin", var.name)
+  description = format("Full access to Serverless SQL Database %s", var.name)
+}
+
+resource "scaleway_iam_policy" "admin" {
+  name           = format("SDB - %s - Admin", var.name)
+  description    = format("Full access to Serverless SQL Database %s", var.name)
+  application_id = scaleway_iam_application.admin.id
+
+  rule {
+    project_ids          = [data.scaleway_account_project.current.id]
+    permission_set_names = ["ServerlessSQLDatabaseFullAccess"]
+  }
+}
+
+resource "scaleway_iam_api_key" "admin" {
+  application_id = scaleway_iam_application.admin.id
+}
diff --git a/access_ro.tf b/access_ro.tf
@@ -0,0 +1,19 @@
+resource "scaleway_iam_application" "ro" {
+  name        = format("SDB - %s - RW", var.name)
+  description = format("Read access to Serverless SQL Database %s", var.name)
+}
+
+resource "scaleway_iam_policy" "ro" {
+  name           = format("SDB - %s - RO", var.name)
+  description    = format("Read access to Serverless SQL Database %s", var.name)
+  application_id = scaleway_iam_application.ro.id
+
+  rule {
+    project_ids          = [data.scaleway_account_project.current.id]
+    permission_set_names = ["ServerlessSQLDatabaseReadOnly"]
+  }
+}
+
+resource "scaleway_iam_api_key" "ro" {
+  application_id = scaleway_iam_application.ro.id
+}
diff --git a/access_rw.tf b/access_rw.tf
@@ -0,0 +1,19 @@
+resource "scaleway_iam_application" "rw" {
+  name        = format("SDB - %s - RW", var.name)
+  description = format("Read and write access to Serverless SQL Database %s", var.name)
+}
+
+resource "scaleway_iam_policy" "rw" {
+  name           = format("SDB - %s - RW", var.name)
+  description    = format("Read and write access to Serverless SQL Database %s", var.name)
+  application_id = scaleway_iam_application.rw.id
+
+  rule {
+    project_ids          = [data.scaleway_account_project.current.id]
+    permission_set_names = ["ServerlessSQLDatabaseReadWrite"]
+  }
+}
+
+resource "scaleway_iam_api_key" "rw" {
+  application_id = scaleway_iam_application.rw.id
+}
diff --git a/outputs.tf b/outputs.tf
@@ -2,3 +2,33 @@ output "endpoint" {
   description = "Endpoint of the database."
   value       = scaleway_sdb_sql_database.main.endpoint
 }
+
+output "admin_connection_string" {
+  description = "Connection string to connect with admin permissions."
+  value = format("postgres://%s:%s@%s",
+    scaleway_iam_application.admin.id,
+    scaleway_iam_api_key.admin.secret_key,
+    trimprefix(scaleway_sdb_sql_database.main.endpoint, "postgres://"),
+  )
+  sensitive = true
+}
+
+output "ro_connection_string" {
+  description = "Connection string to connect with read only permissions."
+  value = format("postgres://%s:%s@%s",
+    scaleway_iam_application.ro.id,
+    scaleway_iam_api_key.ro.secret_key,
+    trimprefix(scaleway_sdb_sql_database.main.endpoint, "postgres://"),
+  )
+  sensitive = true
+}
+
+output "rw_connection_string" {
+  description = "Connection string to connect with read/write permissions."
+  value = format("postgres://%s:%s@%s",
+    scaleway_iam_application.rw.id,
+    scaleway_iam_api_key.rw.secret_key,
+    trimprefix(scaleway_sdb_sql_database.main.endpoint, "postgres://"),
+  )
+  sensitive = true
+}