From 95922a8d7a28da009e13373ec51af31bdb7671ea Mon Sep 17 00:00:00 2001
From: Andrew Moore <mooreandrew@gmail.com>
Date: Wed, 18 Dec 2024 15:53:22 +0000
Subject: [PATCH 1/2] Role Valid Until Date

This allows for the valid until attribute to be set on roles.
---
 manifests/server/role.pp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/manifests/server/role.pp b/manifests/server/role.pp
index 1b37ce282c..6103c19ac2 100644
--- a/manifests/server/role.pp
+++ b/manifests/server/role.pp
@@ -35,6 +35,7 @@
   Boolean                                     $inherit          = true,
   Boolean                                     $superuser        = false,
   Boolean                                     $replication      = false,
+  Optional[String[1]]                         $valid_until      = undef,
   String[1]                                   $connection_limit = '-1',
   String[1]                                   $username         = $title,
   Hash                                        $connect_settings = $postgresql::server::default_connect_settings,
@@ -126,6 +127,12 @@
       unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolinherit = ${inherit}",
     }
 
+    if $valid_until {
+      postgresql_psql { "ALTER ROLE \"${username}\" VALID UNTIL '${valid_until}'":
+        unless => "SELECT 1 FROM pg_roles WHERE rolname = '${username}' AND rolvaliduntil = '${valid_until}'",
+      }
+    }
+
     if(versioncmp($version, '9.1') >= 0) {
       if $replication_sql == '' {
         postgresql_psql { "ALTER ROLE \"${username}\" NOREPLICATION":

From c16d85059fea735fce8769ee4f1059a5785c7f29 Mon Sep 17 00:00:00 2001
From: Andrew Moore <mooreandrew@gmail.com>
Date: Tue, 7 Jan 2025 09:45:18 +0000
Subject: [PATCH 2/2] Role valid_until documentation and tests

---
 manifests/server/role.pp             |  1 +
 spec/defines/server_instance_spec.rb | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/manifests/server/role.pp b/manifests/server/role.pp
index 6103c19ac2..f71ecf599c 100644
--- a/manifests/server/role.pp
+++ b/manifests/server/role.pp
@@ -11,6 +11,7 @@
 # @param inherit Specifies whether to grant inherit capability for the new role.
 # @param superuser Specifies whether to grant super user capability for the new role.
 # @param replication Provides provides replication capabilities for this role if set to true.
+# @param valid_until Specifies whether to set a valid until date for the role.
 # @param connection_limit Specifies how many concurrent connections the role can make. Default value: '-1', meaning no limit.
 # @param username Defines the username of the role to create.
 # @param connect_settings Specifies a hash of environment variables used when connecting to a remote server.
diff --git a/spec/defines/server_instance_spec.rb b/spec/defines/server_instance_spec.rb
index 89eadb06c8..ea63146fe4 100644
--- a/spec/defines/server_instance_spec.rb
+++ b/spec/defines/server_instance_spec.rb
@@ -73,7 +73,9 @@ class { 'postgresql::server':
                  'app_test1': { 'login' => true },
                  'rep_test1': { 'replication' => true,
                                 'login' => true },
-                 'rou_test1': { 'login' => true }, },
+                 'rou_test1': { 'login' => true },
+                 'val_test1': { 'login' => true,
+                                'valid_until' => '2030-01-01 00:00:00+00' }, },
       'pg_hba_rules': { 'local all INSTANCE user': { 'type' => 'local',
                                                      'database' => 'all',
                                                      'user' => 'ins_test1',
@@ -214,10 +216,19 @@ class { 'postgresql::server':
     it { is_expected.to contain_postgresql_psql('ALTER ROLE "rou_test1" NOCREATEROLE') }
     it { is_expected.to contain_postgresql_psql('ALTER ROLE "rou_test1" NOREPLICATION') }
     it { is_expected.to contain_postgresql_psql('ALTER ROLE "rou_test1" NOSUPERUSER') }
+    it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" CONNECTION LIMIT -1') }
+    it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" INHERIT') }
+    it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" LOGIN') }
+    it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" NOCREATEDB') }
+    it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" NOCREATEROLE') }
+    it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" NOREPLICATION') }
+    it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" NOSUPERUSER') }
+    it { is_expected.to contain_postgresql_psql('ALTER ROLE "val_test1" VALID UNTIL \'2030-01-01 00:00:00+00\'') }
     it { is_expected.to contain_postgresql_psql('CREATE ROLE app_test1 ENCRYPTED PASSWORD ****') }
     it { is_expected.to contain_postgresql_psql('CREATE ROLE dba_test1 ENCRYPTED PASSWORD ****') }
     it { is_expected.to contain_postgresql_psql('CREATE ROLE ins_test1 ENCRYPTED PASSWORD ****') }
     it { is_expected.to contain_postgresql_psql('CREATE ROLE rep_test1 ENCRYPTED PASSWORD ****') }
     it { is_expected.to contain_postgresql_psql('CREATE ROLE rou_test1 ENCRYPTED PASSWORD ****') }
+    it { is_expected.to contain_postgresql_psql('CREATE ROLE val_test1 ENCRYPTED PASSWORD ****') }
   end
 end