From d45b08b0fd0d7b7aa171558ae7710283bd0a0cbd Mon Sep 17 00:00:00 2001
From: RaviAnand Mohabir <moravrav@gmail.com>
Date: Fri, 27 Jan 2023 14:38:06 +0100
Subject: [PATCH] feat: :sparkles: add Terraform Postgres Kubernetes module
 Unfinished: Still needs outputs and to be tested.

---
 .gitignore   |  34 +++++++++
 main.tf      | 203 +++++++++++++++++++++++++++++++++++++++++++++++++++
 variables.tf | 101 +++++++++++++++++++++++++
 3 files changed, 338 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 main.tf
 create mode 100644 variables.tf

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9b8a46e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,34 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..17dd7c4
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,203 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.13.1"
+    }
+  }
+}
+
+locals {
+  port = 5432
+  app  = "postgres"
+  match_labels = {
+    "app.kubernetes.io/name"     = "postgres"
+    "app.kubernetes.io/instance" = "postgres"
+  }
+  labels = merge(local.match_labels, var.labels)
+  env    = "postgres-env"
+}
+
+resource "kubernetes_stateful_set" "postgres" {
+  metadata {
+    name      = var.stateful_set_name
+    namespace = var.namespace
+    labels    = local.labels
+  }
+  spec {
+    selector {
+      match_labels = local.labels
+    }
+    service_name = local.app
+    replicas     = local.replicas
+    template {
+      metadata {
+        labels = local.labels
+      }
+      spec {
+        affinity {
+          pod_affinity {}
+          pod_anti_affinity {
+            preferred_during_scheduling_ignored_during_execution {
+              pod_affinity_term {
+                label_selector {
+                  match_labels = local.match_labels
+                }
+                namespaces   = [var.namespace]
+                topology_key = "kubernetes.io/hostname"
+              }
+              weight = 1
+            }
+          }
+          node_affinity {}
+        }
+        security_context {
+          fs_group = 1001
+        }
+        container {
+          image = var.image_registry == "" ? "${var.image_repository}:${var.image_tag}" : "${var.image_registry}/${var.image_repository}:${var.image_tag}"
+          name  = var.container_name
+          env_from {
+            config_map_ref {
+              name = kubernetes_config_map.postgres.metadata.0.name
+            }
+          }
+          env {
+            name = "POSTGRES_POSTGRES_PASSWORD"
+            value_from {
+              secret_key_ref {
+                name = kubernetes_secret.postgres.metadata.0.name
+                key  = "postgres-postgres-password"
+              }
+            }
+          }
+          env {
+            name = "POSTGRES_PASSWORD"
+            value_from {
+              secret_key_ref {
+                name = kubernetes_secret.postgres.metadata.0.name
+                key  = "postgres-password"
+              }
+            }
+          }
+          port {
+            name           = "tcp-postgres"
+            container_port = local.port
+          }
+          liveness_probe {
+            exec {
+              command = ["/bin/sh", "-c", "exec pg_isready -U ${var.postgres_user} -d \"dbname=${var.postgres_db}\" -h 127.0.0.1 -p ${local.port}"]
+            }
+            initial_delay_seconds = 30
+            period_seconds        = 10
+            timeout_seconds       = 5
+            success_threshold     = 1
+            failure_threshold     = 1
+          }
+          readiness_probe {
+            exec {
+              command = [
+                "/bin/sh",
+                "-c",
+                "-e",
+                <<EOT
+                |
+                exec pg_isready -U ${var.postgres_user} -d \"dbname=${var.postgres_db}\" -h 127.0.0.1 -p ${local.port}
+                [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
+                EOT
+              ]
+            }
+            initial_delay_seconds = 30
+            period_seconds        = 10
+            timeout_seconds       = 5
+            success_threshold     = 1
+            failure_threshold     = 1
+          }
+          volume_mount {
+            name       = "dshm"
+            mount_path = "/dev/shm"
+          }
+          volume_mount {
+            name       = "data"
+            mount_path = "/bitnami/postgresql"
+          }
+        }
+        volume {
+          name = "dshm"
+          empty_dir {
+            medium     = "Memory"
+            size_limit = "1Gi"
+          }
+        }
+      }
+    }
+    volume_claim_template {
+      metadata {
+        name = "data"
+      }
+      spec {
+        access_modes = ["ReadWriteOnce"]
+        resources {
+          requests = {
+            storage = var.storage_size
+          }
+        }
+        storage_class_name = var.storage_class_name
+      }
+    }
+  }
+}
+
+resource "kubernetes_service" "postgres" {
+  metadata {
+    name      = var.service_name
+    namespace = var.namespace
+    labels = merge({
+      "service.alpha.kubernetes.io/tolerate-unready-endpoints" = "true"
+    }, local.labels)
+  }
+  spec {
+    type                        = var.service_type
+    publish_not_ready_addresses = true
+    selector                    = local.match_labels
+    port {
+      port = local.port
+    }
+  }
+  count = var.enable_service ? 1 : 0
+}
+
+resource "kubernetes_secret" "postgres" {
+  metadata {
+    name      = "postgres"
+    namespace = local.namespace
+    labels    = local.match_labels
+  }
+  type = "Opaque"
+  data = {
+    "postgres-postgres-password" = var.postgres_postgres_password
+    "postgres-password"          = var.postgres_password
+  }
+}
+
+resource "kubernetes_config_map" "postgres" {
+  metadata {
+    name      = local.env
+    namespace = var.namespace
+  }
+
+  data = {
+    BITNAMI_DEBUG                       = "false"
+    POSTGRESQL_PORT_NUMBER              = local.port
+    POSTGRESQL_VOLUME_DIR               = "/bitnami/postgresql"
+    PGDATA                              = "/bitnami/postgresql/data"
+    POSTGRES_USER                       = var.postgres_user
+    POSTGRES_DB                         = var.postgres_db
+    POSTGRESQL_ENABLE_LDAP              = "no"
+    POSTGRESQL_LOG_HOSTNAME             = "false"
+    POSTGRESQL_LOG_DISCONNECTIONS       = "false"
+    POSTGRESQL_PGAUDIT_LOG_CATALOG      = "off"
+    POSTGRESQL_CLIENT_MIN_MESSAGES      = "error"
+    POSTGRESQL_SHARED_PRELOAD_LIBRARIES = "pgaudit"
+  }
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..2c147db
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,101 @@
+variable "postgres_postgres_password" {
+  description = "Password for the `postgres` user"
+  type        = string
+  sensitive   = true
+}
+
+variable "postgres_user" {
+  description = "Username for the user"
+  default     = "user"
+  type        = string
+}
+
+variable "postgres_password" {
+  description = "Password for the user"
+  type        = string
+  sensitive   = true
+}
+
+variable "postgres_db" {
+  description = "Name of the default database"
+  type        = string
+  sensitive   = true
+}
+
+variable "stateful_set_name" {
+  description = "Name of StatefulSet"
+  type        = string
+  default     = "postgres"
+}
+
+variable "labels" {
+  description = "Labels to add to the Postgres deployment"
+  type        = map(any)
+  default     = {}
+}
+
+variable "volum_claim_template_name" {
+  description = "Name to use for the volume claim template"
+  type        = string
+  default     = "postgres-pvc"
+}
+
+variable "replicas" {
+  description = "Replicas to deploy in the Postgres StatefulSet"
+  type        = number
+  default     = 1
+}
+
+variable "storage_size" {
+  description = "Storage size for the StatefulSet PVC"
+  type        = string
+  default     = "10Gi"
+}
+
+variable "storage_class_name" {
+  description = "Storage class to use for Postgres PVCs"
+  type        = string
+  default     = ""
+}
+
+variable "image_registry" {
+  description = "Image registry, e.g. gcr.io, docker.io"
+  type        = string
+  default     = ""
+}
+
+variable "image_repository" {
+  description = "Image to start for this pod"
+  type        = string
+  default     = "bitnami/postgresql"
+}
+
+variable "image_tag" {
+  description = "Image tag to use"
+  type        = string
+  default     = "13.9.0"
+}
+
+variable "container_name" {
+  description = "Name of the Postgres container"
+  type        = string
+  default     = "postgres"
+}
+
+variable "enable_service" {
+  description = "Enable service for Postgres"
+  type        = bool
+  default     = true
+}
+
+variable "service_name" {
+  description = "Name of service to deploy"
+  type        = string
+  default     = "postgres"
+}
+
+variable "service_type" {
+  description = "Type of service to deploy"
+  type        = string
+  default     = "ClusterIP"
+}