feat!: add dependencies to role creation process

README.md

@@ -163,7 +163,8 @@ module "postgres_automation" {
 | [postgresql_grant.schema_access](https://registry.terraform.io/providers/cyrilgdn/postgresql/latest/docs/resources/grant)                        | resource |
 | [postgresql_grant.sequence_access](https://registry.terraform.io/providers/cyrilgdn/postgresql/latest/docs/resources/grant)                      | resource |
 | [postgresql_grant.table_access](https://registry.terraform.io/providers/cyrilgdn/postgresql/latest/docs/resources/grant)                         | resource |
-| [postgresql_role.role](https://registry.terraform.io/providers/cyrilgdn/postgresql/latest/docs/resources/role)                                   | resource |
+| [postgresql_role.base_role](https://registry.terraform.io/providers/cyrilgdn/postgresql/latest/docs/resources/role)                              | resource |
+| [postgresql_role.dependent_role](https://registry.terraform.io/providers/cyrilgdn/postgresql/latest/docs/resources/role)                         | resource |
 | [random_password.user_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)                         | resource |
 
 ## Inputs
@@ -193,14 +194,17 @@ module "postgres_automation" {
 
 ## Outputs
 
-| Name                                                                                      | Description |
-| ----------------------------------------------------------------------------------------- | ----------- |
-| <a name="output_database_access"></a> [database_access](#output_database_access)          | n/a         |
-| <a name="output_databases"></a> [databases](#output_databases)                            | n/a         |
-| <a name="output_default_privileges"></a> [default_privileges](#output_default_privileges) | n/a         |
-| <a name="output_schema_access"></a> [schema_access](#output_schema_access)                | n/a         |
-| <a name="output_sequence_access"></a> [sequence_access](#output_sequence_access)          | n/a         |
-| <a name="output_table_access"></a> [table_access](#output_table_access)                   | n/a         |
+| Name                                                                                      | Description                                                        |
+| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------------ |
+| <a name="output_base_roles"></a> [base_roles](#output_base_roles)                         | Base roles (group roles, no dependencies on other custom roles)    |
+| <a name="output_database_access"></a> [database_access](#output_database_access)          | n/a                                                                |
+| <a name="output_databases"></a> [databases](#output_databases)                            | n/a                                                                |
+| <a name="output_default_privileges"></a> [default_privileges](#output_default_privileges) | n/a                                                                |
+| <a name="output_dependent_roles"></a> [dependent_roles](#output_dependent_roles)          | Dependent roles (login roles that inherit from other custom roles) |
+| <a name="output_roles"></a> [roles](#output_roles)                                        | All created roles (both base and dependent)                        |
+| <a name="output_schema_access"></a> [schema_access](#output_schema_access)                | n/a                                                                |
+| <a name="output_sequence_access"></a> [sequence_access](#output_sequence_access)          | n/a                                                                |
+| <a name="output_table_access"></a> [table_access](#output_table_access)                   | n/a                                                                |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/llm_chat_app/1_apply_terraform.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+# Task 1: Apply Terraform Configuration
+
+set -e
+
+echo "=============================================="
+echo "Applying Terraform Configuration"
+echo "=============================================="
+echo ""
+
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+tofu apply -auto-approve
+
+echo ""
+echo "=============================================="
+echo "Terraform Apply Completed Successfully!"
+echo "=============================================="

examples/llm_chat_app/2_create_test_objects.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+# Create test objects for verification
+
+set -e
+
+export PGHOST=localhost
+export PGPORT=5432
+export PGDATABASE=llm_service
+
+echo "=============================================="
+echo "Creating Test Objects"
+echo "=============================================="
+echo ""
+
+PGUSER=service_migrator PGPASSWORD=demo-password-migrator psql <<'EOF'
+-- Switch to group role so objects are owned by role_service_migration
+-- This ensures default privileges apply correctly
+SET ROLE role_service_migration;
+
+-- Create test table in app schema
+CREATE TABLE IF NOT EXISTS app.test_users (
+    id SERIAL PRIMARY KEY,
+    name TEXT NOT NULL
+);
+INSERT INTO app.test_users (name) VALUES ('test') ON CONFLICT DO NOTHING;
+
+-- Create test view in app schema
+CREATE OR REPLACE VIEW app.test_users_view AS SELECT * FROM app.test_users;
+
+-- Create test function in app schema
+CREATE OR REPLACE FUNCTION app.test_func() RETURNS integer
+LANGUAGE sql SECURITY INVOKER
+AS $$ SELECT 1; $$;
+
+-- Create test table in ref_data schemas
+CREATE TABLE IF NOT EXISTS ref_data_pipeline_abc.test_ref (
+    id SERIAL PRIMARY KEY,
+    value TEXT
+);
+INSERT INTO ref_data_pipeline_abc.test_ref (value) VALUES ('abc') ON CONFLICT DO NOTHING;
+
+CREATE TABLE IF NOT EXISTS ref_data_pipeline_xyz.test_ref (
+    id SERIAL PRIMARY KEY,
+    value TEXT
+);
+INSERT INTO ref_data_pipeline_xyz.test_ref (value) VALUES ('xyz') ON CONFLICT DO NOTHING;
+
+-- Create views in ref_data schemas
+CREATE OR REPLACE VIEW ref_data_pipeline_abc.test_ref_view AS SELECT * FROM ref_data_pipeline_abc.test_ref;
+CREATE OR REPLACE VIEW ref_data_pipeline_xyz.test_ref_view AS SELECT * FROM ref_data_pipeline_xyz.test_ref;
+
+SELECT 'Test objects created successfully!' AS result;
+EOF
+
+echo ""
+echo "=============================================="
+echo "Test Objects Created Successfully!"
+echo "=============================================="

examples/llm_chat_app/3_run_verification_tests.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+# Run all verification tests
+
+set -e
+
+export PGHOST=localhost
+export PGPORT=5432
+export PGDATABASE=llm_service
+
+echo "=============================================="
+echo "Running Verification Tests"
+echo "=============================================="
+echo ""
+
+# Test 2: Migration Role DDL Access
+echo "--- Test 2: Migration Role DDL Access ---"
+PGUSER=service_migrator PGPASSWORD=demo-password-migrator psql -c "
+SET ROLE role_service_migration;
+CREATE TABLE app.migration_test (id int);
+ALTER TABLE app.migration_test ADD COLUMN name text;
+INSERT INTO app.migration_test (id) VALUES (1);
+TRUNCATE app.migration_test;
+DROP TABLE app.migration_test;
+SELECT 'TEST 2 PASSED: Migration role has DDL access (including TRUNCATE)' AS result;
+"
+echo ""
+
+# Test 3: FastAPI RW Role
+echo "--- Test 3: FastAPI RW Role - DML on app schema ---"
+PGUSER=service_fastapi_rw PGPASSWORD=demo-password-fastapi-rw psql -c "
+SELECT * FROM app.test_users;
+INSERT INTO app.test_users (name) VALUES ('fastapi_test');
+DELETE FROM app.test_users WHERE name = 'fastapi_test';
+SELECT 'TEST 3 PASSED: FastAPI RW has app DML' AS result;
+"
+echo ""
+
+# Test 3b: FastAPI RW Role - Verify TRUNCATE is denied
+echo "--- Test 3b: FastAPI RW Role - Verify TRUNCATE denied ---"
+if PGUSER=service_fastapi_rw PGPASSWORD=demo-password-fastapi-rw psql -c "TRUNCATE app.test_users;" 2>&1 | grep -q "permission denied"; then
+  echo "TEST 3b PASSED: FastAPI RW correctly denied TRUNCATE"
+else
+  echo "TEST 3b FAILED: FastAPI RW should not have TRUNCATE permission"
+  exit 1
+fi
+echo ""
+
+# Test 4: FastAPI RO Role
+echo "--- Test 4: FastAPI RO Role - SELECT only ---"
+PGUSER=service_fastapi_ro PGPASSWORD=demo-password-fastapi-ro psql -c "
+SELECT * FROM app.test_users;
+SELECT 'TEST 4 PASSED: FastAPI RO has SELECT' AS result;
+"
+echo ""
+
+# Test 5: Pipeline RW Role
+echo "--- Test 5: Pipeline RW Role - All schemas access ---"
+PGUSER=service_pipeline_rw PGPASSWORD=demo-password-pipeline-rw psql -c "
+SELECT * FROM app.test_users;
+SELECT * FROM ref_data_pipeline_abc.test_ref;
+SELECT * FROM ref_data_pipeline_xyz.test_ref;
+SELECT 'TEST 5 PASSED: Pipeline RW has all schemas access' AS result;
+"
+echo ""
+
+# Test 6: Pipeline RO Role
+echo "--- Test 6: Pipeline RO Role - Read access to all schemas ---"
+PGUSER=service_pipeline_ro PGPASSWORD=demo-password-pipeline-ro psql -c "
+SELECT * FROM app.test_users;
+SELECT * FROM ref_data_pipeline_abc.test_ref;
+SELECT * FROM ref_data_pipeline_xyz.test_ref;
+SELECT 'TEST 6 PASSED: Pipeline RO has SELECT on all schemas' AS result;
+"
+echo ""
+
+# Test 7: Connection Limits
+echo "--- Test 7: Connection Limits ---"
+PGUSER=service_migrator PGPASSWORD=demo-password-migrator psql -c "
+SELECT rolname, rolconnlimit
+FROM pg_roles
+WHERE rolname LIKE 'role_service_%'
+ORDER BY rolname;
+"
+echo ""
+
+# Test 8: Role Inheritance
+echo "--- Test 8: Role Inheritance ---"
+PGUSER=service_migrator PGPASSWORD=demo-password-migrator psql -c "
+SELECT
+    r.rolname AS role,
+    ARRAY_AGG(m.rolname) AS member_of
+FROM pg_roles r
+LEFT JOIN pg_auth_members am ON r.oid = am.member
+LEFT JOIN pg_roles m ON am.roleid = m.oid
+WHERE r.rolname LIKE 'role_service_%'
+GROUP BY r.rolname
+ORDER BY r.rolname;
+"
+echo ""
+
+echo "=============================================="
+echo "All Tests Completed!"
+echo "=============================================="

examples/llm_chat_app/4_cleanup.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+# Cleanup: Delete all resources created by the example (but not admin_user)
+
+set -e
+
+export PGHOST=localhost
+export PGPORT=5432
+export PGDATABASE=postgres  # Connect to postgres db for cleanup
+
+echo "=============================================="
+echo "Cleaning Up Example Resources"
+echo "=============================================="
+echo ""
+
+# Use admin_user to perform cleanup
+export PGUSER=admin_user
+export PGPASSWORD=insecure-pass-for-demo-admin-user
+
+echo "Step 1: Terminating connections to llm_service database..."
+psql -c "
+SELECT pg_terminate_backend(pid)
+FROM pg_stat_activity
+WHERE datname = 'llm_service' AND pid <> pg_backend_pid();
+" 2>/dev/null || true
+
+echo ""
+echo "Step 2: Dropping database llm_service..."
+psql -c "DROP DATABASE IF EXISTS llm_service;"
+
+echo ""
+echo "Step 3: Dropping login roles..."
+# Drop login roles first (they depend on group roles)
+psql <<'EOF'
+DROP ROLE IF EXISTS role_service_migrator;
+DROP ROLE IF EXISTS role_service_fastapi_rw;
+DROP ROLE IF EXISTS role_service_fastapi_ro;
+DROP ROLE IF EXISTS role_service_pipeline_rw;
+DROP ROLE IF EXISTS role_service_pipeline_ro;
+EOF
+
+echo ""
+echo "Step 4: Dropping group roles..."
+# Drop group roles (no dependencies)
+psql <<'EOF'
+DROP ROLE IF EXISTS role_service_migration;
+DROP ROLE IF EXISTS role_service_rw;
+DROP ROLE IF EXISTS role_service_ro;
+EOF
+
+echo ""
+echo "Step 5: Dropping cluster-wide roles..."
+psql <<'EOF'
+DROP ROLE IF EXISTS role_pg_cluster_admin;
+DROP ROLE IF EXISTS role_pg_monitoring;
+EOF
+
+echo ""
+echo "Step 6: Verifying cleanup..."
+psql -c "
+SELECT rolname FROM pg_roles
+WHERE rolname LIKE 'role_service_%' OR rolname LIKE 'role_pg_%'
+ORDER BY rolname;
+"
+
+echo ""
+echo "=============================================="
+echo "Cleanup Completed Successfully!"
+echo "=============================================="
+echo ""
+echo "Note: admin_user was preserved."
+echo "To re-run the example, start with: ./1_apply_terraform.sh"