mattupstate · July 21, 2020 17:39 · smiller171 · Jun 12, 2019 · markw-ao · Mar 9, 2020
diff --git a/resources.tf b/resources.tf
 resource "aws_db_instance" "core" {
    username = "postgres"
    password = "changeme"
    ...
 }

 resource "null_resource" "master_password" {
    triggers {
        db_host = "${aws_db_instance.address}"
    }
    provisioner "local-exec" {
        command = "ansible localhost -e @path/to/secrets.yml --vault-password-file path/to/vault.txt -a 'set-postgres-master-password --host ${aws_db_instance.address} --password changeme --new-password {{ my_new_master_password }}'"
    }
 }
diff --git a/set-postgres-master-password.py b/set-postgres-master-password.py
 #!/usr/bin/env python

 import argparse
 import psycopg2

 def main(host, port, user, password, newpassword):
    sql = "ALTER ROLE %s WITH PASSWORD '%s';" % (user, newpassword)
    conn_str = 'host=%s user=%s password=%s' % (host, user, password)
    connection = psycopg2.connect(conn_str)
    cursor = connection.cursor()
    cursor.execute(sql)
    connection.commit()
    cursor.close()
    connection.close()
    print('New password set successfully')

 if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='Sets a PostgreSQL database master password')
    parser.add_argument('--user', dest='user', default='postgres',
                        help='the master username')
    parser.add_argument('--password', dest='password', required=True,
                        help='the current master username')
    parser.add_argument('--new-password', dest='newpassword', required=True,
                        help='the new password')
    parser.add_argument('--host', dest='host', required=True,
                        help='the host to connect to')
    parser.add_argument('--port', dest='port', default=5432,
                        help='the port to connect to')
    args = parser.parse_args()
    main(args.host, args.port, args.user, args.password, args.newpassword)
	resource "aws_db_instance" "core" {
	username = "postgres"
	password = "changeme"
	...
	}

	resource "null_resource" "master_password" {
	triggers {
	db_host = "${aws_db_instance.address}"
	}
	provisioner "local-exec" {
	command = "ansible localhost -e @path/to/secrets.yml --vault-password-file path/to/vault.txt -a 'set-postgres-master-password --host ${aws_db_instance.address} --password changeme --new-password {{ my_new_master_password }}'"
	}
	}
	#!/usr/bin/env python

	import argparse
	import psycopg2

	def main(host, port, user, password, newpassword):
	sql = "ALTER ROLE %s WITH PASSWORD '%s';" % (user, newpassword)
	conn_str = 'host=%s user=%s password=%s' % (host, user, password)
	connection = psycopg2.connect(conn_str)
	cursor = connection.cursor()
	cursor.execute(sql)
	connection.commit()
	cursor.close()
	connection.close()
	print('New password set successfully')

	if __name__ == '__main__':
	parser = argparse.ArgumentParser(
	description='Sets a PostgreSQL database master password')
	parser.add_argument('--user', dest='user', default='postgres',
	help='the master username')
	parser.add_argument('--password', dest='password', required=True,
	help='the current master username')
	parser.add_argument('--new-password', dest='newpassword', required=True,
	help='the new password')
	parser.add_argument('--host', dest='host', required=True,
	help='the host to connect to')
	parser.add_argument('--port', dest='port', default=5432,
	help='the port to connect to')
	args = parser.parse_args()
	main(args.host, args.port, args.user, args.password, args.newpassword)