feat: allow setting roles for users

jochem725 · jochem725 · commit a573336ec307 · 2025-10-01T17:27:14.000+02:00
diff --git a/src/main.tf b/src/main.tf
@@ -41,6 +41,7 @@ module "additional_users" {
   service_name    = each.key
   db_user         = each.value.db_user
   db_password     = each.value.db_password
+  roles           = each.value.roles
   grants          = each.value.grants
   ssm_path_prefix = local.ssm_path_prefix
   kms_key_id      = local.kms_key_arn
diff --git a/src/modules/postgresql-user/main.tf b/src/modules/postgresql-user/main.tf
@@ -1,9 +1,9 @@
 locals {
   enabled = module.this.enabled
 
-  db_user     = length(var.db_user) > 0 ? var.db_user : var.service_name
-  db_password = length(var.db_password) > 0 ? var.db_password : join("", random_password.db_password[*].result)
-
+  db_user              = length(var.db_user) > 0 ? var.db_user : var.service_name
+  db_password          = length(var.db_password) > 0 ? var.db_password : join("", random_password.db_password[*].result)
+  db_roles             = length(var.roles) > 0 ? var.roles : null
   save_password_in_ssm = local.enabled && var.save_password_in_ssm
 
   db_password_key = format("%s/%s/passwords/%s", var.ssm_path_prefix, var.service_name, local.db_user)
@@ -15,6 +15,7 @@ locals {
     overwrite   = true
   } : null
 
+
   parameter_write = local.save_password_in_ssm ? [local.db_password_ssm] : []
 
   # ALL grant always shows Terraform drift:
@@ -40,6 +41,7 @@ resource "postgresql_role" "default" {
   name     = local.db_user
   password = local.db_password
   login    = true
+  roles    = local.db_roles
 }
 
 # Apply the configured grants to the user
diff --git a/src/modules/postgresql-user/variables.tf b/src/modules/postgresql-user/variables.tf
@@ -15,6 +15,12 @@ variable "db_password" {
   default     = ""
 }
 
+variable "roles" {
+  type        = list(string)
+  description = "Roles that will be granted to the created user."
+  default     = null
+}
+
 variable "grants" {
   type = list(object({
     grant : list(string)
diff --git a/src/variables.tf b/src/variables.tf
@@ -64,6 +64,7 @@ variable "additional_users" {
   type = map(object({
     db_user : string
     db_password : string
+    roles : optional(list(string), [])
     grants : list(object({
       grant : list(string)
       db : string
