diff --git a/README.md b/README.md index e7ec412..d761531 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ PostgreSQL is an open source object-relational database management system. It’s highly extensible, highly scalable, and has many features. PostgreSQL supports data replication across multiple data centers. -This reference architecture shows a typical three-node deployment of a PostgreSQL cluster on Oracle Cloud Infrastructure Compute instances. In this architecture, the servers are configured in master and standby configuration and use streaming replication. +This reference architecture shows a typical three-node deployment of a PostgreSQL cluster on Oracle Cloud Infrastructure Compute instances. In this architecture, the servers are configured in master and standby configuration and use streaming replication. It will also automatically install postgis34 and pgvector. For details of the architecture, see [_Deploy a PostgreSQL database_](https://docs.oracle.com/en/solutions/deploy-postgresql-db/index.html) @@ -18,7 +18,7 @@ If you don't have the required permissions and quota, contact your tenancy admin 1. Click [![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?region=home&zipUrl=https://github.com/oracle-devrel/terraform-oci-arch-postgresql/releases/latest/download/terraform-oci-arch-postgresql-stack-latest.zip) - If you aren't already signed in, when prompted, enter the tenancy and user credentials. + If you aren't already signed in, when prompted, enter the tenancy and user credentials. 2. Review and accept the terms and conditions. 
@@ -30,13 +30,14 @@ If you don't have the required permissions and quota, contact your tenancy admin 6. Wait for the job to be completed, and review the plan. - To make any changes, return to the Stack Details page, click **Edit Stack**, and make the required changes. Then, run the **Plan** action again. + To make any changes, return to the Stack Details page, click **Edit Stack**, and make the required changes. Then, run the **Plan** action again. -7. If no further changes are necessary, return to the Stack Details page, click **Terraform Actions**, and select **Apply**. +7. If no further changes are necessary, return to the Stack Details page, click **Terraform Actions**, and select **Apply**. ## Deploy Using the Terraform CLI ### Clone the Repository + Now, you'll want a local copy of this repo. You can make that with the commands: git clone https://github.com/oracle-devrel/terraform-oci-arch-postgresql @@ -44,7 +45,8 @@ Now, you'll want a local copy of this repo. You can make that with the commands: ls ### Prerequisites -First off, you'll need to do some pre-deploy setup. That's all detailed [here](https://github.com/cloud-partners/oci-prerequisites). + +First off, you'll need to do some pre-deploy setup. That's all detailed [here](https://github.com/cloud-partners/oci-prerequisites). Secondly, create a `terraform.tfvars` file and populate with the following information: 
@@ -58,31 +60,60 @@ private_key_path = "" # Region region = "" -# availability Domain -availability_domain_name = "" # for example GrCH:US-ASHBURN-AD-1 +# availability Domain +availability_domain_number = "1" # Example: 1, 2, 3 # Compartment compartment_ocid = "" # PostgreSQL Password +# The password must start with a letter, and it can contain letters (uppercase, lowercase), numbers, and the symbols _ $ # +# Minimum length 12 and max is 30 postgresql_password = "" -# PostgreSQL Version (supported versions 9.6, 10, 11, 12, 13) -postgresql_version = "" +# PostgreSQL Version (supported versions 9.6, 10, 11, 12, 13, 14) +postgresql_version = "14" + +# Cidr block that will be added in the firewall-cmd trusted zone on the instances running the postgresql server. +# Please add a cidr block from where you run postgresql client. +pg_whitelist_cidr = "" # Example "10.0.0.0/16" + + +### Using existing network +use_existing_vcn = true +postgresql_vcn = "" +postgresql_subnet = "" +create_in_private_subnet = true # In case of deploying in a private subnet, a Bastion Service will be created. + + +linux_os_version = "8" # (supported versions : 7.9, 8) + +# SSH KEY +# If you're using a PRIVATE subnet, the bastion service will be created. +# The code will upload on the instances both the ssh public key that you provide and the one that will be GENERATED. +# The bastion will automatically create sessions for instances using the private key GENERATED. +# If you want to connect using your ssh key, create new sessions with your public key. You can also use the GENERATED ssh key. +ssh_public_key = " Install PostgreSQL pg_utility (postgresql${pg_version_no_dot}-devel OL7) installed.' 
fi if [[ $(uname -r | sed 's/^.*\(el[0-9]\+\).*$/\1/') == "el8" ]] then - sudo yum-config-manager --enable ol8_developer - sudo yum-config-manager --enable ol8_developer_EPEL - sudo yum install -y llvm5.0-devel - sudo yum install -y postgresql${pg_version_no_dot}-devel - echo '-[100%]-> Install PostgreSQL pg_utility (postgresql${pg_version_no_dot}-devel OL8) installed.' + sudo dnf config-manager --enable ol8_developer + sudo dnf config-manager --enable ol8_developer_EPEL + sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm + sudo dnf -y install dnf-plugins-core + sudo dnf config-manager --enable ol8_codeready_builder + sudo yum install -y llvm-devel + sudo yum install -y postgresql${pg_version_no_dot}-devel + sudo yum install -y postgis34_${pg_version_no_dot} + sudo yum install -y pgvector_${pg_version_no_dot} + echo '-[100%]-> Install PostgreSQL pg_utility (postgresql${pg_version_no_dot}-devel OL8) installed.' fi # Setting firewall rules echo '--> Setting firewall rules...' export pg_whitelisted_ip='${pg_whitelisted_ip}' +export pg_whitelist_cidr='${pg_whitelist_cidr}' + +if [[ $pg_whitelist_cidr != "" ]]; then + sudo -u root bash -c "firewall-cmd --permanent --zone=trusted --add-source=${pg_whitelist_cidr}" + echo '-[50%]-> Whitelisted CIDR ${pg_whitelist_cidr} added to firewall rules.' +fi if [[ $pg_whitelisted_ip != "" ]]; then sudo -u root bash -c "firewall-cmd --permanent --zone=trusted --add-source=${pg_whitelisted_ip}/32" echo '-[50%]-> Whitelisted IP ${pg_whitelisted_ip} added to firewall rules.' diff --git a/scripts/postgresql_master_initdb.sh b/scripts/postgresql_master_initdb.sh index 3f11690..2b2f05c 100644 --- a/scripts/postgresql_master_initdb.sh +++ b/scripts/postgresql_master_initdb.sh 
@@ -16,13 +16,27 @@ else echo '-[100%]-> PostgreSQL Setup InitDB successfully finished.' fi -if [[ $add_iscsi_volume == "true" ]]; then + + +export pg_whitelist_cidr='${pg_whitelist_cidr}' +if [[ $add_iscsi_volume == "true" ]]; then echo '--> Adding iSCSI volume to PostgreSQL configuration...' sudo mkdir /data/pgsql sudo chown -R postgres:postgres /data/pgsql sudo -u postgres bash -c "/usr/pgsql-${pg_version_no_dot}/bin/initdb --pgdata=/data/pgsql" sudo sed -i 's/Environment=PGDATA=\/var\/lib\/pgsql\/${pg_version_no_dot}\/data\//Environment=PGDATA=\/data\/pgsql\//g' /usr/lib/systemd/system/postgresql-${pg_version_no_dot}.service echo '-[100%]-> iSCSI volume added to PostgreSQL configuration.' + sudo -u root bash -c "echo 'listen_addresses = '\''0.0.0.0'\'' ' | sudo tee -a /data/pgsql/postgresql.conf" + sudo sed -i 's/^max_connections = [0-9]\+/max_connections = 200/' /data/pgsql/postgresql.conf + if [[ $pg_whitelist_cidr != "" ]]; then + sudo -u root bash -c "echo 'host all all ${pg_whitelist_cidr} md5' | sudo tee -a /data/pgsql/pg_hba.conf" + fi +else + sudo sed -i 's/^max_connections = [0-9]\+/max_connections = 200/' /var/lib/pgsql/${pg_version}/data/postgresql.conf + sudo -u root bash -c "echo 'listen_addresses = '\''0.0.0.0'\'' ' | sudo tee -a /var/lib/pgsql/${pg_version}/data/postgresql.conf" + if [[ $pg_whitelist_cidr != "" ]]; then + sudo -u root bash -c "echo 'host all all ${pg_whitelist_cidr} md5' | sudo tee -a /var/lib/pgsql/${pg_version}/data/pg_hba.conf" + fi fi echo '--> Enabling and starting PostgreSQL systemctl service...' 
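Review bot: The two added `host all all ${pg_whitelist_cidr} md5` lines open every role on every database to the whole range, and the only check on the value is non-emptiness, so a malformed CIDR is written verbatim into pg_hba.conf and the `systemctl start` that follows fails to parse it. `md5` still accepts the weaker MD5 challenge for any role whose password is stored MD5-hashed; for postgresql_version 10 and later (the README in this change still lists 9.6, so guard on version) prefer `hostssl all all ${pg_whitelist_cidr} scram-sha-256`, and consider narrowing `all all` to the application database and role. `listen_addresses = '0.0.0.0'` is now appended unconditionally with `tee -a`, so a re-run stacks duplicate entries; a `grep -q` guard, or `sed -i` as already used for max_connections two lines earlier, keeps postgresql.conf idempotent.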
@@ -31,6 +45,20 @@ sudo systemctl start postgresql-${pg_version} sudo systemctl status postgresql-${pg_version} --no-pager echo '-[100%]-> PostgreSQL service started.' + + + +echo '--> Change password of postgres user...' +echo "postgres:${pg_password}" | chpasswd +echo '-[100%]-> postgres user password changed.' + + +echo '--> Change postgres db password...' +sudo -u postgres bash -c "psql -U postgres -d postgres -c \"alter user postgres with password '${pg_password}';\"" +echo '-[100%]-> Password for postgres updated.' + + + echo '--> Showing the logs of PostgreSQL with tail -5 command...' if [[ $pg_version == "9.6" ]]; then if [[ $add_iscsi_volume == "true" ]]; then @@ -47,6 +75,11 @@ else fi echo '-[100%]-> PostgreSQL logs printed out.' + + + + + echo '#####################################' echo 'PostgreSQL Master initdb finished.' echo '#####################################' \ No newline at end of file diff --git a/scripts/postgresql_master_setup.sh b/scripts/postgresql_master_setup.sh index 7f0631a..f6ef579 100644 --- a/scripts/postgresql_master_setup.sh +++ b/scripts/postgresql_master_setup.sh @@ -7,9 +7,7 @@ echo '#################################################' export pg_version='${pg_version}' export add_iscsi_volume='${add_iscsi_volume}' -echo '--> Change password of postgres user...' -echo "postgres:${pg_password}" | chpasswd -echo '-[100%]-> postgres user password changed.' + echo '--> Updating firewall rules with hotstandby1 IP (${pg_hotstandby_ip}) on master host...' sudo -u root bash -c "firewall-cmd --permanent --zone=trusted --add-source=${pg_hotstandby_ip}/32" 
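Review bot: Both new password commands interpolate `${pg_password}` inside double-quoted shell text, `echo "postgres:${pg_password}" | chpasswd` and `bash -c "psql ... '${pg_password}'"`; the `${...}` placeholders appear to be rendered by Terraform before the script runs, so a password containing `$` (explicitly allowed by the README password rule in this same change) is re-parsed by bash as a variable reference and the stored password silently differs from the one the user supplied. The `psql -c` form also places the cleartext password on a command line visible in `ps`, and a `'` in the value would break the SQL statement since nothing enforces the README character set. Feeding both tools through quoted heredocs removes the shell re-parsing and the argv exposure; `chpasswd` also runs without `sudo` while every neighbouring command uses it, which is worth making consistent.

```shell
echo '--> Change password of postgres user...'
# quoted heredoc: the rendered password is never re-parsed by the shell
chpasswd <<'EOF'
postgres:${pg_password}
EOF
echo '-[100%]-> postgres user password changed.'

echo '--> Change postgres db password...'
sudo -u postgres psql -v ON_ERROR_STOP=1 -d postgres <<'EOSQL'
ALTER USER postgres WITH PASSWORD '${pg_password}';
EOSQL
echo '-[100%]-> Password for postgres updated.'
```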
@@ -21,7 +19,6 @@ echo '-[100%]-> Firewall updated with hotstandby1 IP (${pg_hotstandby_ip}) on ma echo '--> Create replication user...' chown postgres /tmp/postgresql_master_setup.sql sudo -u postgres bash -c "psql -d template1 -f /tmp/postgresql_master_setup.sql" -sudo -u postgres bash -c "psql -U postgres -d postgres -c \"alter user postgres with password '${pg_password}';\"" echo '-[100%]-> Replication user created.' if [[ $add_iscsi_volume == "true" ]]; then @@ -36,7 +33,6 @@ if [[ $add_iscsi_volume == "true" ]]; then sudo -u root bash -c "echo 'wal_keep_segments = 8' | sudo tee -a /data/pgsql/postgresql.conf" fi sudo -u root bash -c "echo 'hot_standby = on' | sudo tee -a /data/pgsql/postgresql.conf" - sudo -u root bash -c "echo 'listen_addresses = '\''0.0.0.0'\'' ' | sudo tee -a /data/pgsql/postgresql.conf" sudo -u root bash -c "chown postgres /data/pgsql/postgresql.conf" echo '-[100%]-> File postgresql.conf updated with WAL support.' @@ -64,7 +60,6 @@ else sudo -u root bash -c "echo 'wal_keep_segments = 8' | sudo tee -a /var/lib/pgsql/${pg_version}/data/postgresql.conf" fi sudo -u root bash -c "echo 'hot_standby = on' | sudo tee -a /var/lib/pgsql/${pg_version}/data/postgresql.conf" - sudo -u root bash -c "echo 'listen_addresses = '\''0.0.0.0'\'' ' | sudo tee -a /var/lib/pgsql/${pg_version}/data/postgresql.conf" sudo -u root bash -c "chown postgres /var/lib/pgsql/${pg_version}/data/postgresql.conf" echo '-[100%]-> File postgresql.conf updated with WAL support.' diff --git a/scripts/postgresql_standby_setup.sh b/scripts/postgresql_standby_setup.sh index 94dc2fd..44b3a1e 100644 --- a/scripts/postgresql_standby_setup.sh +++ b/scripts/postgresql_standby_setup.sh 
@@ -31,13 +31,7 @@ if [[ $add_iscsi_volume == "true" ]]; then echo '-[100%]-> Initial backup of database taken.' echo '--> Updating content of recovery.conf/postgresql.conf files...' - if [[ $pg_version == "13" ]]; then - touch /data/pgsql/standby.signal - touch /data/pgsql/recovery.signal - sudo -u root bash -c "echo 'primary_conninfo = '\''host=${pg_master_ip} port=5432 user=${pg_replicat_username} password=${pg_replicat_password}'\'' ' | sudo tee -a /data/pgsql/postgresql.conf" - sudo -u root bash -c "echo 'recovery_target_timeline = '\''latest'\'' ' | sudo tee -a /data/pgsql/postgresql.conf" - sudo -u root bash -c "chown postgres /data/pgsql/postgresql.conf" - elif [[ $pg_version == "12" ]]; then + if [[ $pg_version -ge "12" ]]; then touch /data/pgsql/standby.signal touch /data/pgsql/recovery.signal sudo -u root bash -c "echo 'primary_conninfo = '\''host=${pg_master_ip} port=5432 user=${pg_replicat_username} password=${pg_replicat_password}'\'' ' | sudo tee -a /data/pgsql/postgresql.conf" @@ -49,6 +43,7 @@ if [[ $add_iscsi_volume == "true" ]]; then sudo -u root bash -c "echo 'recovery_target_timeline = '\''latest'\'' ' | sudo tee -a /data/pgsql/recovery.conf" sudo -u root bash -c "chown postgres /data/pgsql/recovery.conf" fi + sed -i 's/^max_connections = [0-9]\+/max_connections = 200/' /data/pgsql/postgresql.conf echo '-[100%]-> Files recovery.conf/postgresql.conf updated.' else echo '--> Taking initial backup of database...' 
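Review bot: `[[ $pg_version -ge "12" ]]` is an integer comparison, but the README in this same change still lists 9.6 as supported; for that value bash reports `invalid arithmetic operator (error token is ".6")` and the test returns false, so the recovery.conf branch is reached only by accident of the error path. Compare the major version instead, `if [[ ${pg_version%%.*} -ge 12 ]]; then`, which yields 9 for 9.6 and the full number for 10 and later (`pg_version_no_dot` is unsuitable here since 9.6 becomes 96). The same test is introduced in the non-iSCSI branch of the next hunk.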
@@ -57,13 +52,7 @@ else echo '-[100%]-> Initial backup of database taken.' echo '--> Updating content of recovery.conf/postgresql.conf files...' - if [[ $pg_version == "13" ]]; then - touch /var/lib/pgsql/${pg_version}/data/standby.signal - touch /var/lib/pgsql/${pg_version}/data/recovery.signal - sudo -u root bash -c "echo 'primary_conninfo = '\''host=${pg_master_ip} port=5432 user=${pg_replicat_username} password=${pg_replicat_password}'\'' ' | sudo tee -a /var/lib/pgsql/${pg_version}/data/postgresql.conf" - sudo -u root bash -c "echo 'recovery_target_timeline = '\''latest'\'' ' | sudo tee -a /var/lib/pgsql/${pg_version}/data/postgresql.conf" - sudo -u root bash -c "chown postgres /var/lib/pgsql/${pg_version}/data/postgresql.conf" - elif [[ $pg_version == "12" ]]; then + if [[ $pg_version -ge "12" ]]; then touch /var/lib/pgsql/${pg_version}/data/standby.signal touch /var/lib/pgsql/${pg_version}/data/recovery.signal sudo -u root bash -c "echo 'primary_conninfo = '\''host=${pg_master_ip} port=5432 user=${pg_replicat_username} password=${pg_replicat_password}'\'' ' | sudo tee -a /var/lib/pgsql/${pg_version}/data/postgresql.conf" @@ -75,6 +64,7 @@ else sudo -u root bash -c "echo 'recovery_target_timeline = '\''latest'\'' ' | sudo tee -a /var/lib/pgsql/${pg_version}/data/recovery.conf" sudo -u root bash -c "chown postgres /var/lib/pgsql/${pg_version}/data/recovery.conf" fi + sed -i 's/^max_connections = [0-9]\+/max_connections = 200/' /var/lib/pgsql/${pg_version}/data/recovery.conf echo '-[100%]-> Files recovery.conf/postgresql.conf updated.' fi diff --git a/security-lists.tf b/security-lists.tf index 0333a56..e6d3b09 100644 --- a/security-lists.tf +++ b/security-lists.tf 
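Review bot: The new `sed -i` in the non-iSCSI branch edits `/var/lib/pgsql/${pg_version}/data/recovery.conf`, whereas its counterpart in the iSCSI branch edits `postgresql.conf`; `max_connections` lives in postgresql.conf, and on 12 and later recovery.conf is never created by this script, so the command either matches nothing or fails with "No such file or directory". Change the path to `/var/lib/pgsql/${pg_version}/data/postgresql.conf`. A hot standby whose max_connections is lower than the primary's refuses to start, so if the base backup did not carry the primary's postgresql.conf this would leave the standby at the packaged default against the 200 set on the master in postgresql_master_initdb.sh.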
@@ -31,5 +31,5 @@ resource "oci_core_security_list" "postgresql_securitylist" {
 min = "5432"
 }
 }
- defined_tags = { "${oci_identity_tag_namespace.ArchitectureCenterTagNamespace.name}.${oci_identity_tag.ArchitectureCenterTag.name}" = var.release }
+ #defined_tags = { "${oci_identity_tag_namespace.ArchitectureCenterTagNamespace.name}.${oci_identity_tag.ArchitectureCenterTag.name}" = var.release }
 }
diff --git a/tags.tf b/tags.tf
index 3f109cd..b857dcf 100644
--- a/tags.tf
+++ b/tags.tf
@@ -1,34 +1,34 @@ -## Copyright (c) 2022 Oracle and/or its affiliates. -## All rights reserved. The Universal Permissive License (UPL), Version 1.0 as shown at http://oss.oracle.com/licenses/upl +# ## Copyright (c) 2022 Oracle and/or its affiliates. +# ## All rights reserved. The Universal Permissive License (UPL), Version 1.0 as shown at http://oss.oracle.com/licenses/upl resource "random_id" "tag" { byte_length = 2 } -resource "oci_identity_tag_namespace" "ArchitectureCenterTagNamespace" { - provider = oci.homeregion - compartment_id = var.compartment_ocid - description = "ArchitectureCenterTagNamespace" - name = "ArchitectureCenter\\deploy-postgresql-db-${random_id.tag.hex}" +# resource "oci_identity_tag_namespace" "ArchitectureCenterTagNamespace" { +# provider = oci.homeregion +# compartment_id = var.compartment_ocid +# description = "ArchitectureCenterTagNamespace" +# name = "ArchitectureCenter\\deploy-postgresql-db-${random_id.tag.hex}" - provisioner "local-exec" { - command = "sleep 10" - } +# provisioner "local-exec" { +# command = "sleep 10" +# } -} +# } -resource "oci_identity_tag" "ArchitectureCenterTag" { - provider = oci.homeregion - description = "ArchitectureCenterTag" - name = "release" - tag_namespace_id = oci_identity_tag_namespace.ArchitectureCenterTagNamespace.id +# resource "oci_identity_tag" "ArchitectureCenterTag" { +# provider = oci.homeregion +# description = "ArchitectureCenterTag" +# name = "release" +# tag_namespace_id = oci_identity_tag_namespace.ArchitectureCenterTagNamespace.id - validator { - validator_type = "ENUM" - values = ["release", "${var.release}"] - } +# validator { +# validator_type = "ENUM" +# values = ["release", "${var.release}"] +# } - provisioner "local-exec" { - command = "sleep 120" - } -} +# provisioner "local-exec" { +# command = "sleep 120" +# } +# } diff --git a/variables.tf b/variables.tf index a89c74d..bbbdf9a 100644 --- a/variables.tf +++ b/variables.tf 
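Review bot: The tag namespace and tag resources are commented out rather than removed, while `random_id.tag` is kept even though its only visible consumer, the namespace name, is now inside the comment, so it is created on every apply for nothing. The copyright header has also become `# ## Copyright ...`, which reads as disabled text rather than a license notice. Delete the block (git keeps the history) or, if tagging is meant to be optional, gate both resources with `count = var.create_tags ? 1 : 0` and adjust the `defined_tags` reference in security-lists.tf to match.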
@@ -2,12 +2,18 @@ ## All rights reserved. The Universal Permissive License (UPL), Version 1.0 as shown at http://oss.oracle.com/licenses/upl variable "tenancy_ocid" {} -variable "user_ocid" {} -variable "fingerprint" {} -variable "private_key_path" {} +variable "user_ocid" { + default = "dummy" +} +variable "fingerprint" { + default = "dummy" +} +variable "private_key_path" { + default = "/dummy" +} variable "region" {} variable "compartment_ocid" {} -variable "availability_domain_name" {} +variable "availability_domain_number" {} variable "release" { description = "Reference Architecture Release (OCI Architecture Center)" @@ -22,6 +28,10 @@ variable "pg_whitelisted_ip" { description = "Should be Public host IP Address like 89.64.91.8" default = "" } +variable "pg_whitelist_cidr" { + description = "Cidr block to be added in the firewall-cmd in trusted zone" + default = "" +} variable "postgresql_vcn" { default = "" @@ -74,11 +84,11 @@ variable "instance_os" { variable "linux_os_version" { description = "Operating system version for all Linux instances" - default = "9" + default = "8" } variable "postgresql_master_fd" { - default = "FAULT-DOMAIN-1" + default = "1" } variable "postgresql_replicat_username" { @@ -130,7 +140,7 @@ variable "postgresql_deploy_hotstandby1" { } variable "postgresql_hotstandby1_fd" { - default = "FAULT-DOMAIN-2" + default = "2" } variable "postgresql_hotstandby1_ad" { @@ -154,7 +164,7 @@ variable "postgresql_deploy_hotstandby2" { } variable "postgresql_hotstandby2_fd" { - default = "FAULT-DOMAIN-3" + default = "3" } variable "postgresql_hotstandby2_ad" {
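Review bot: `pg_whitelist_cidr` is accepted as free text and, per its own description, is added to firewalld's trusted zone, which admits every port from that range rather than only 5432 as the security list does; a bare IP or a typo is written verbatim into `firewall-cmd` and pg_hba.conf and only surfaces when the host script runs. Add a `validation` block so `terraform plan` rejects anything that is not empty or a CIDR, and say in the description that the whole range gets unrestricted host access (a dedicated zone or rich rule limited to tcp/5432 would be tighter). The `dummy` defaults for user_ocid, fingerprint and private_key_path presumably exist for Resource Manager's instance-principal auth; with them present a CLI user who omits terraform.tfvars now gets a provider authentication error instead of a missing-variable prompt, which deserves a comment on those variables.

```hcl
variable "pg_whitelist_cidr" {
  description = "CIDR block added to the firewalld trusted zone on the PostgreSQL hosts (admits all ports from that range, not only 5432)"
  default     = ""

  validation {
    condition     = var.pg_whitelist_cidr == "" || can(cidrhost(var.pg_whitelist_cidr, 0))
    error_message = "pg_whitelist_cidr must be empty or a valid CIDR block such as 10.0.0.0/16."
  }
}
```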