X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fpostgres%2Fmanifests%2Fcluster%2Fhba_entry.pp;h=843a4a780fa02dc9e73b10786fd99c15bf708fa5;hb=6f0519ea008323e67f933fd1168c6c906f2c289d;hp=2b6ff62580b56004dc2584248a9ad428bd6c0a27;hpb=b11fd7d33b063d3710773b485563f66860fb081f;p=mirror%2Fdsa-puppet.git
diff --git a/modules/postgres/manifests/cluster/hba_entry.pp b/modules/postgres/manifests/cluster/hba_entry.pp
index 2b6ff6258..843a4a780 100644
--- a/modules/postgres/manifests/cluster/hba_entry.pp
+++ b/modules/postgres/manifests/cluster/hba_entry.pp
@@ -15,6 +15,7 @@
 # @param address hosts that match
 # @param method auth method
 # @param order ordering of this entry in pg_hba.conf
+# @param firewall also add a firewall rule
 define postgres::cluster::hba_entry (
 Optional[Integer] $pg_port = undef,
 Optional[String] $pg_cluster = undef,
@@ -25,8 +26,9 @@ define postgres::cluster::hba_entry (
 Optional[Variant[Stdlib::IP::Address, Array[Stdlib::IP::Address]]] $address = undef,
 Enum['md5', 'trust'] $method = 'md5',
 String $order = '50',
+ Boolean $firewall = true,
 ) {
- $address_methods = ['md5']
+ $address_methods = ['md5', 'trust']
 if $method in $address_methods {
 if !$address {
 fail("Authentication method ${method} needs an address")
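Review bot: With `trust` added on the `+ $address_methods = ['md5', 'trust']` line, the list now holds every value the `Enum['md5', 'trust'] $method` parameter admits, so `if $method in $address_methods` is always true and the list no longer expresses a distinction. Requiring an address for `trust` is the right outcome, because a pg_hba `trust` entry skips authentication and the client address is its only restriction, but the now-redundant list will mislead whoever next extends the Enum; either drop it and check `$address` unconditionally, or keep it with a comment such as `# every method that must be restricted by client address; an entry without one is rejected below`. The new doc line `+# @param firewall also add a firewall rule` should also say what is skipped when it is false, e.g. `# @param firewall also open ferm for $address (the pg_hba entry is created either way; set false only when those hosts are already allowed through the firewall)`; the ferm rule it guards, and the rest of the define's body, lie outside this hunk.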
@@ -37,31 +39,36 @@ define postgres::cluster::hba_entry (
 }
 }
+ # get remaining cluster info and verify consistency
+ ###
 $clusters = $facts['postgresql_clusters']
 if $pg_port {
 $filtered = $clusters.filter |$cluster| { $cluster['port'] == $pg_port }
 if $filtered.length != 1 {
 fail("Did not find exactly one cluster with port ${pg_port}")
 }
+ $cluster = $filtered[0]
 } elsif $pg_cluster and $pg_version {
 $filtered = $clusters.filter |$cluster| { $cluster['version'] == $pg_version and $cluster['cluster'] == $pg_cluster}
 if $filtered.length != 1 {
 fail("Did not find exactly one cluster ${pg_version}/${pg_cluster}")
 }
+ $cluster = $filtered[0]
 } else {
 fail('postgres::cluster::hba_entry needs either the port of both a pg version and cluster name')
 }
- $real_port = $filtered['port']
- $real_version = $filtered['version']
- $real_cluster = $filtered['cluster']
+ $real_port = $cluster['port']
+ $real_version = $cluster['version']
+ $real_cluster = $cluster['cluster']
 if $pg_version and $pg_version != $real_version {
 fail("Inconsisten cluster version information: ${pg_version} != ${real_version}")
 }
 if $pg_cluster and $pg_cluster != $real_cluster {
 fail("Inconsisten cluster name information: ${pg_cluster} != ${real_cluster}")
 }
+ ###
- if ($address) {
+ if ($address and $firewall) {
 ferm::rule::simple { "postgres::cluster::hba_entry::${name}":
 description => "allow access to pg${real_version}/${real_cluster}: ${name}",
 saddr => $address,