
add optional cwd to the postgres_psql command

When the psql command runs from a directory it does not have permission to
access, it outputs an error. This error trips up the unless SQL command,
causing the other SQL commands to run even if not needed. Rather than ignore
stderr (which might hide something else), or use an arbitrary directory like
/tmp, this code sets the cwd to the data directory, which will exist and be
owned by the postgres user. If someone uses the postgres_psql type and
customises the psql_user parameter, they should also set an appropriate cwd.
Brett Porter hace 11 años
padre
commit
6367e359ea

+ 9 - 3
lib/puppet/provider/postgresql_psql/ruby.rb

@@ -51,8 +51,14 @@ Puppet::Type.type(:postgresql_psql).provide(:ruby) do
   end
 
   def run_sql_command(sql)
-    Puppet::Util::SUIDManager.
-        run_and_capture('psql -t -c "' << sql.gsub('"', '\"') << '"', resource[:psql_user], resource[:psql_group])
+    command = 'psql -t -c "' << sql.gsub('"', '\"') << '"'
+    if resource[:cwd]
+      Dir.chdir resource[:cwd] do
+        Puppet::Util::SUIDManager.run_and_capture(command, resource[:psql_user], resource[:psql_group])
+      end
+    else
+      Puppet::Util::SUIDManager.run_and_capture(command, resource[:psql_user], resource[:psql_group])
+    end
   end
 
-end
+end
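Review bot: The `command` string built at the top of `run_sql_command` escapes only `"` in `sql`, so `$`, backticks and backslashes are still expanded inside the double quotes if the string reaches a shell, which the quoting suggests it does. Since the manifests in this commit interpolate values such as `$dbname` and `$role` into the SQL, I would quote the whole argument instead, e.g. `command = "psql -t -c #{Shellwords.escape(sql)}"` with `require 'shellwords'`. `Dir.chdir resource[:cwd]` also raises a bare Errno error when the directory is missing, so a `File.directory?` check with a clear failure message is worth adding before it. The enclosing `provide` block starts outside the hunk.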

+ 5 - 1
lib/puppet/type/postgresql_psql.rb

@@ -59,6 +59,10 @@ Puppet::Type.newtype(:postgresql_psql) do
     defaultto("postgres")
   end
 
+  newparam(:cwd) do
+    desc "The working directory under which the psql command should be executed."
+  end
+
   newparam(:refreshonly) do
     desc "If 'true', then the SQL will only be executed via a notify/subscribe event."
 
@@ -71,4 +75,4 @@ Puppet::Type.newtype(:postgresql_psql) do
     self.property(:command).sync(true)
   end
 
-end
+end
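Review bot: The new `cwd` parameter takes any value unchecked, so a relative or mistyped path is only noticed when the provider calls `Dir.chdir` at run time. A `validate` block that rejects non-absolute paths would catch this when the catalog is applied, for example `validate { |value| raise ArgumentError, "cwd must be an absolute path" unless value.to_s.start_with?('/') }`. The `desc` could also state that the directory must be accessible to `psql_user`, as the commit message explains.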

+ 3 - 0
manifests/database.pp

@@ -34,11 +34,13 @@ define postgresql::database(
   postgresql_psql { "Check for existence of db '$dbname'":
     command => "SELECT 1",
     unless  => "SELECT datname FROM pg_database WHERE datname='$dbname'",
+    cwd     => $postgresql::params::datadir,
   } ~>
 
   exec { $createdb_command :
     refreshonly => true,
     user    => 'postgres',
+    cwd     => $postgresql::params::datadir,
   } ~>
 
   # This will prevent users from connecting to the database unless they've been
@@ -46,6 +48,7 @@ define postgresql::database(
   postgresql_psql {"REVOKE CONNECT ON DATABASE $dbname FROM public":
     db          => 'postgres',
     refreshonly => true,
+    cwd         => $postgresql::params::datadir,
   }
 
 }
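Review bot: The three added `cwd => $postgresql::params::datadir` lines rely on `postgresql::params` being evaluated, but this file gets no `include postgresql::params`, unlike database_grant.pp and role.pp in the same commit. If the define does not already include the class outside these hunks, the variable resolves to undef and the resources silently run without a cwd, which is the failure this commit is meant to fix. Adding `include postgresql::params` at the top of the define body would make the dependency explicit.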

+ 2 - 0
manifests/database_grant.pp

@@ -33,6 +33,7 @@ define postgresql::database_grant(
     $psql_db   = 'postgres',
     $psql_user ='postgres'
 ) {
+  include postgresql::params
 
   # TODO: FIXME: only works on databases, due to using has_database_privilege
 
@@ -53,6 +54,7 @@ define postgresql::database_grant(
     db           => $psql_db,
     psql_user    => $psql_user,
     unless       => "SELECT 1 WHERE has_database_privilege('$role', '$db', '$unless_privilege')",
+    cwd          => $postgresql::params::datadir,
   }
 }
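Review bot: `cwd` is fixed to the postgres data directory in this `postgresql_psql` resource while `psql_user` comes from the `$psql_user` parameter, so a caller who overrides the user has no way to supply a directory that user can read. The commit message asks for the two to be set together, so I would expose a matching cwd parameter on the define that falls back to `$postgresql::params::datadir` when unset. The resource declaration begins outside the hunk.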
 

+ 2 - 0
manifests/role.pp

@@ -25,6 +25,7 @@ define postgresql::role(
     $superuser  = false,
     $username   = $title
 ) {
+  include postgresql::params
 
   $login_sql      = $login      ? { true => 'LOGIN'     , default => 'NOLOGIN' }
   $createrole_sql = $createrole ? { true => 'CREATEROLE', default => 'NOCREATEROLE' }
@@ -36,5 +37,6 @@ define postgresql::role(
     db           => $db,
     psql_user    => 'postgres',
     unless       => "SELECT rolname FROM pg_roles WHERE rolname='$username'",
+    cwd          => $postgresql::params::datadir,
   }
 }