Forge Home


Offers support for basic management of PostgreSQL databases.


1,697 latest version

4.7 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 9.2.0 (latest)
  • 9.1.0
  • 9.0.3
  • 9.0.2
  • 9.0.1
  • 9.0.0
  • 8.3.0
  • 8.2.1
  • 8.2.0
  • 8.1.0
  • 8.0.0
  • 7.5.0
  • 7.4.1
  • 7.4.0
  • 7.3.0
  • 7.2.0
  • 7.1.0
  • 7.0.3
  • 7.0.2
  • 7.0.1
  • 7.0.0
  • 6.10.2
  • 6.10.1
  • 6.10.0
  • 6.9.0
  • 6.8.0
  • 6.7.0
  • 6.6.0
  • 6.5.0
  • 6.4.0
  • 6.3.0
  • 6.2.0
  • 6.1.0
  • 6.0.0
  • 5.12.1
  • 5.12.0
  • 5.11.0
  • 5.10.0
  • 5.9.0
  • 5.8.0
  • 5.7.0
  • 5.6.0
  • 5.5.0
  • 5.4.0
  • 5.3.0
  • 5.2.1
  • 5.2.0
  • 5.1.0
  • 5.0.0
  • 4.9.0
  • 4.8.0
  • 4.7.1
  • 4.7.0
  • 4.6.1
  • 4.6.0
  • 4.5.0
  • 4.4.2
  • 4.4.1
  • 4.4.0
  • 4.3.0
  • 4.2.0
  • 4.1.0
  • 4.0.0
  • 3.4.2
  • 3.4.1
  • 3.4.0
  • 3.3.3
  • 3.3.2
  • 3.3.0 (deleted)
  • 3.2.0
  • 3.1.0 (deleted)
  • 3.0.0 (deleted)
  • 3.0.0-rc2 (deleted)
  • 3.0.0-rc1 (pre-release)
  • 2.5.0
  • 2.4.1
  • 2.4.0
  • 2.3.0
  • 2.2.1
  • 2.2.0
  • 2.1.1
  • 2.1.0
  • 2.0.1
  • 2.0.0
  • 1.0.0
released Aug 30th 2023
This version is compatible with:
  • Puppet Enterprise 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0
  • , , , , , , , ,
  • sql

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'puppetlabs-postgresql', '9.2.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add puppetlabs-postgresql
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install puppetlabs-postgresql --version 9.2.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



puppetlabs/postgresql — version 9.2.0 Aug 30th 2023


Table of Contents

  1. Module Description - What does the module do?
  2. Setup - The basics of getting started with postgresql module
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module
  7. Tests
  8. Contributors - List of module contributors

Module description

The postgresql module allows you to manage PostgreSQL databases with Puppet.

PostgreSQL is a high-performance, free, open-source relational database server. The postgresql module allows you to manage packages, services, databases, users, and common security settings in PostgreSQL.


What postgresql affects

  • Package, service, and configuration files for PostgreSQL
  • Listened-to ports
  • IP and mask (optional)

Getting started with postgresql

To configure a basic default PostgreSQL server, declare the postgresql::server class.

class { 'postgresql::server':


Configure a server

For default settings, declare the postgresql::server class as above. To customize PostgreSQL server settings, specify the parameters you want to change:

class { 'postgresql::server':
  ip_mask_deny_postgres_user => '',
  ip_mask_allow_all_users    => '',
  ipv4acls                   => ['hostssl all johndoe cert'],
  postgres_password          => 'TPSrep0rt!',

After configuration, test your settings from the command line:

psql -h localhost -U postgres
psql -h my.postgres.server -U

If you get an error message from these commands, your permission settings restrict access from the location you're trying to connect from. Depending on whether you want to allow connections from that location, you might need to adjust your permissions.

For more details about server configuration parameters, consult the PostgreSQL Runtime Configuration documentation.

Create a database

You can set up a variety of PostgreSQL databases with the postgresql::server::db defined type. For instance, to set up a database for PuppetDB:

class { 'postgresql::server':

postgresql::server::db { 'mydatabasename':
  user     => 'mydatabaseuser',
  password => postgresql::postgresql_password('mydatabaseuser', 'mypassword'),

Manage users, roles, and permissions

To manage users, roles, and permissions:

class { 'postgresql::server':

postgresql::server::role { 'marmot':
  password_hash => postgresql::postgresql_password('marmot', 'mypasswd'),

postgresql::server::database_grant { 'test1':
  privilege => 'ALL',
  db        => 'test1',
  role      => 'marmot',

postgresql::server::table_grant { 'my_table of test2':
  privilege => 'ALL',
  table     => 'my_table',
  db        => 'test2',
  role      => 'marmot',

This example grants all privileges on the test1 database and on the my_table table of the test2 database to the specified user or group. After the values are added into the PuppetDB config file, this database would be ready for use.

Manage ownership of DB objects

To change the ownership of all objects within a database using REASSIGN OWNED:

postgresql::server::reassign_owned_by { 'new owner is meerkat':
  db       => 'test_db',
  old_role => 'marmot',
  new_role => 'meerkat',

This would run the PostgreSQL statement 'REASSIGN OWNED' to update to ownership of all tables, sequences, functions and views currently owned by the role 'marmot' to be owned by the role 'meerkat' instead.

This applies to objects within the nominated database, 'test_db' only.

For Postgresql >= 9.3, the ownership of the database is also updated.

Manage default permissions (PostgreSQL >= 9.6)

To change default permissions for newly created objects using ALTER DEFAULT PRIVILEGES:

postgresql::server::default_privileges { 'marmot access to new tables on test_db':
  db          => 'test_db',
  role        => 'marmot',
  privilege   => 'ALL',
  object_type => 'TABLES',

Override defaults

The postgresql::globals class allows you to configure the main settings for this module globally, so that other classes and defined resources can use them. By itself, it does nothing.

For example, to overwrite the default locale and encoding for all classes, use the following:

class { 'postgresql::globals':
  encoding => 'UTF-8',
  locale   => 'en_US.UTF-8',

class { 'postgresql::server':

To use a specific version of the PostgreSQL package:

class { 'postgresql::globals':
  manage_package_repo => true,
  version             => '9.2',

class { 'postgresql::server':

Manage remote users, roles, and permissions

Remote SQL objects are managed using the same Puppet resources as local SQL objects, along with a connect_settings hash. This provides control over how Puppet connects to the remote Postgres instances and which version is used for generating SQL commands.

The connect_settings hash can contain environment variables to control Postgres client connections, such as 'PGHOST', 'PGPORT', 'PGPASSWORD', and 'PGSSLKEY'. See the PostgreSQL Environment Variables documentation for a complete list of variables.

Additionally, you can specify the target database version with the special value of 'DBVERSION'. If the connect_settings hash is omitted or empty, then Puppet connects to the local PostgreSQL instance.

You can provide a connect_settings hash for each of the Puppet resources, or you can set a default connect_settings hash in postgresql::globals. Configuring connect_settings per resource allows SQL objects to be created on multiple databases by multiple users.

$connection_settings_super2 = {
  'PGUSER'     => 'super2',
  'PGPASSWORD' => 'foobar2',
  'PGHOST'     => '',
  'PGPORT'     => '5432',
  'PGDATABASE' => 'postgres',

include postgresql::server

# Connect with no special settings, i.e domain sockets, user postgres
postgresql::server::role { 'super2':
  password_hash    => 'foobar2',
  superuser        => true,

  connect_settings => {},

# Now using this new user connect via TCP
postgresql::server::database { 'db1':
  connect_settings => $connection_settings_super2,
  require          => Postgresql::Server::Role['super2'],

Create an access rule for pg_hba.conf

To create an access rule for pg_hba.conf:

postgresql::server::pg_hba_rule { 'allow application network to access app database':
  description => 'Open up PostgreSQL for access from',
  type        => 'host',
  database    => 'app',
  user        => 'app',
  address     => '',
  auth_method => 'md5',

This would create a ruleset in pg_hba.conf similar to:

# Rule Name: allow application network to access app database
# Description: Open up PostgreSQL for access from
# Order: 150
host  app  app  md5

By default, pg_hba_rule requires that you include postgresql::server. However, you can override that behavior by setting target and postgresql_version when declaring your rule. That might look like the following:

postgresql::server::pg_hba_rule { 'allow application network to access app database':
  description        => 'Open up postgresql for access from',
  type               => 'host',
  database           => 'app',
  user               => 'app',
  address            => '',
  auth_method        => 'md5',
  target             => '/path/to/pg_hba.conf',
  postgresql_version => '9.4',

Create user name maps for pg_ident.conf

To create a user name map for the pg_ident.conf:

postgresql::server::pg_ident_rule { 'Map the SSL certificate of the backup server as a replication user':
  map_name          => 'sslrepli',
  system_username   => '',
  database_username => 'replication',

This would create a user name map in pg_ident.conf similar to:

#Rule Name: Map the SSL certificate of the backup server as a replication user
#Description: none
#Order: 150
sslrepli  replication

Create recovery configuration

To create the recovery configuration file (recovery.conf):

postgresql::server::recovery { 'Create a recovery.conf file with the following defined parameters':
  restore_command           => 'cp /mnt/server/archivedir/%f %p',
  archive_cleanup_command   => undef,
  recovery_end_command      => undef,
  recovery_target_name      => 'daily backup 2015-01-26',
  recovery_target_time      => '2015-02-08 22:39:00 EST',
  recovery_target_xid       => undef,
  recovery_target_inclusive => true,
  recovery_target           => 'immediate',
  recovery_target_timeline  => 'latest',
  pause_at_recovery_target  => true,
  standby_mode              => 'on',
  primary_conninfo          => 'host=localhost port=5432',
  primary_slot_name         => undef,
  trigger_file              => undef,
  recovery_min_apply_delay  => 0,

The above creates this recovery.conf config file:

restore_command = 'cp /mnt/server/archivedir/%f %p'
recovery_target_name = 'daily backup 2015-01-26'
recovery_target_time = '2015-02-08 22:39:00 EST'
recovery_target_inclusive = true
recovery_target = 'immediate'
recovery_target_timeline = 'latest'
pause_at_recovery_target = true
standby_mode = 'on'
primary_conninfo = 'host=localhost port=5432'
recovery_min_apply_delay = 0

Only the specified parameters are recognized in the template. The recovery.conf is only created if at least one parameter is set and manage_recovery_conf is set to true.

Validate connectivity

To validate client connections to a remote PostgreSQL database before starting dependent tasks, use the postgresql_conn_validator resource. You can use this on any node where the PostgreSQL client software is installed. It is often chained to other tasks such as starting an application server or performing a database migration.

Example usage:

postgresql_conn_validator { 'validate my postgres connection':
  host              => '',
  db_username       => 'mydbuser',
  db_password       => 'mydbpassword',
  db_name           => 'mydbname',
  psql_path         => '/usr/bin/psql',
-> exec { 'rake db:migrate':
  cwd => '/opt/myrubyapp',


This example demonstrates how to configure PostgreSQL backups with "pg_dump". This sets up a daily cron job to perform a full backup. Each backup will create a new directory. A cleanup job will automatically remove backups that are older than 15 days.

class { 'postgresql::server':
  backup_enable   => true,
  backup_provider => 'pg_dump',
  backup_options  => {
    db_user     => 'backupuser',
    db_password => 'secret',
    manage_user => true,
    rotate      => 15,

It is possible to set parameter $ensure to absent in order to remove the backup job, user/role, backup script and password file. However, the actual backup files and directories will remain untouched.


For information on the classes and types, see the


Works with versions of PostgreSQL on supported OSes.

For an extensive list of supported operating systems, see metadata.json

Apt module support

While this module supports both 1.x and 2.x versions of the 'puppetlabs-apt' module, it does not support 'puppetlabs-apt' 2.0.0 or 2.0.1.

PostGIS support

PostGIS is currently considered an unsupported feature, as it doesn't work on all platforms correctly.

All versions of RHEL/CentOS with manage_selinux => false

If you have SELinux enabled and you are not using the selinux module to manage SELinux (this is the default configuration) you will need to label any custom ports you use with the postgresql_port_t context. The postgresql service will not start until this is done. To label a port use the semanage command as follows:

semanage port -a -t postgresql_port_t -p tcp $customport


Puppet Labs modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad hardware, software, and deployment configurations that Puppet is intended to serve. We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things. For more information, see our module contribution guide.


There are two types of tests distributed with this module. Unit tests with rspec-puppet and system tests using rspec-system.

For unit testing, make sure you have:

  • rake
  • bundler

Install the necessary gems:

bundle install --path=vendor

And then run the unit tests:

bundle exec rake spec

To run the system tests, make sure you also have:

  • Vagrant > 1.2.x
  • VirtualBox > 4.2.10

Then run the tests using:

bundle exec rspec spec/acceptance

To run the tests on different operating systems, see the sets available in .nodeset.yml and run the specific set with the following syntax:

RSPEC_SET=debian-607-x64 bundle exec rspec spec/acceptance


View the full list of contributors on Github.