Open czka opened 2 years ago
I am facing similar issues. I am creating a `CLOUD_IAM_SERVICE_ACCOUNT` type user `backstage@my-gcp-project-ops.iam` using `google_sql_user`, and then granting that user the role `postgres` using `postgresql_grant_role`.
```
                     Role name             |                         Attributes                         |              Member of
-----------------------------------+------------------------------------------------------------+--------------------------------------
 backstage@my-gcp-project-ops.iam |                                                            | {cloudsqliamserviceaccount,postgres}
 cloudsqladmin                    | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
 cloudsqlagent                    | Create role, Create DB                                     | {cloudsqlsuperuser}
 cloudsqliamserviceaccount        | Cannot login                                               | {}
 cloudsqliamuser                  | Cannot login                                               | {}
 cloudsqlimportexport             | Create role, Create DB                                     | {cloudsqlsuperuser}
 cloudsqlreplica                  | Replication                                                | {pg_monitor}
 cloudsqlsuperuser                | Create role, Create DB                                     | {pg_monitor,pg_signal_backend}
 postgres                         | Create role, Create DB                                     | {cloudsqlsuperuser}
```
I expect `backstage@my-gcp-project-ops.iam` to inherit all privileges of `postgres`, but that's not working:

```
CREATE DATABASE "backstage_plugin_catalog" - permission denied to create database
```
I tried creating an intermediate role `create-db-role` using `postgresql_role` (setting `create_database` and `inherit` to `true`) and then granting `backstage@my-gcp-project-ops.iam` that role (`create-db-role`), but that didn't work either.

As an existing role can't be altered using this module, is there a good workaround to solve this problem using terraform? (Not very familiar with PostgreSQL.) Thanks.
Hmm, looking at the docs, `CREATEDB` is never inherited:

> The role attributes LOGIN, SUPERUSER, CREATEDB, and CREATEROLE can be thought of as special privileges, but they are never inherited as ordinary privileges on database objects are. You must actually SET ROLE to a specific role having one of these attributes in order to make use of the attribute.

Does that mean `Alter` is the only option, which this provider doesn't support? Any ideas/workaround please? Thanks.
The use case is nearly identical on Azure Postgres. Roles created through the `azurerm` provider that authenticate with Azure Active Directory are automatically given CREATEDB, CREATEROLE, and membership in a role called `azure_pg_admin` that owns things like `template0` and `template1`.

I would like to be able to remove these attributes and role membership in terraform. Currently I am using a local-exec provisioner to do this via `psql`, but it would be much better to do it natively in terraform.

These roles cannot be created outside of `azurerm` due to the special authentication setup for Active Directory.
My use case:

`someone` is added to a GCP Cloud SQL PostgreSQL instance using the sql-db module's `additional_users` [1] (or the `sql_user` resource [2]).

`CREATEROLE` and `CREATEDB` attributes, as well as the `cloudsqlsuperuser` role.

```
Error: error creating role someone: pq: role "someone" already exists
```

It would be great if the provider just altered `someone`'s attributes and role membership instead. The respective SQL statements are:

I could import `someone` into `postgresql_role`, then `terraform apply` again. Thing is, this takes a manual intervention and 2 `terraform apply` runs, while ideally a single, automatable `terraform apply` should suffice.

To fix this I moved my users setup from the sql-db module to the PostgreSQL provider altogether - at the cost of having to add a few lines of code for random password provisioning and outputs, duplicating the functionality already present in the sql-db module:

If `postgresql_role` is not the right place to implement update functionality, maybe do it with a dedicated resource - e.g. `postgresql_role_alter`?

[1] https://registry.terraform.io/modules/GoogleCloudPlatform/sql-db/google/latest/submodules/postgresql
[2] https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_user
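The two points raised in this thread, that `CREATEDB` granted via role membership is unusable until `SET ROLE`, and that an auto-provisioned role needs its attributes and membership stripped rather than re-created, can be checked directly in SQL. This is an added example, not code from the thread or the provider; it assumes a superuser session on a local PostgreSQL and uses constructed role names (`someone`, `db_creator`).

```sql
-- Added example (not from the issue thread). Assumes a superuser session on a
-- local PostgreSQL: on Cloud SQL / Azure the "postgres" user is not a real
-- superuser, so SET SESSION AUTHORIZATION would be refused there.
-- All names are constructed: "someone" stands for the auto-provisioned user.

-- 1. Why GRANT postgres TO <user> does not let <user> CREATE DATABASE:
--    CREATEDB is a role attribute, not an object privilege, so INHERIT
--    does not carry it over. The member must SET ROLE first.
CREATE ROLE db_creator NOLOGIN CREATEDB;          -- stands in for "postgres"
CREATE ROLE someone LOGIN INHERIT;
GRANT db_creator TO someone;

SET SESSION AUTHORIZATION someone;                -- act as the member
CREATE DATABASE demo_db;   -- ERROR: permission denied to create database
SET ROLE db_creator;                              -- attribute usable only now
CREATE DATABASE demo_db;   -- succeeds; owner is db_creator, not someone
RESET ROLE;
RESET SESSION AUTHORIZATION;

-- 2. What the issue asks the provider to do for an existing role: strip the
--    attributes and membership it was provisioned with instead of failing on
--    CREATE ROLE. On Cloud SQL the role to revoke would be cloudsqlsuperuser,
--    on Azure azure_pg_admin; here it is the stand-in db_creator.
ALTER ROLE someone NOCREATEDB NOCREATEROLE;
REVOKE db_creator FROM someone;

-- 3. Scriptable equivalent of \du for a drift check after apply:
--    expect rolcreatedb = f, rolcreaterole = f, member_of = {}.
SELECT r.rolname, r.rolcreatedb, r.rolcreaterole,
       ARRAY(SELECT b.rolname
             FROM pg_auth_members m JOIN pg_roles b ON b.oid = m.roleid
             WHERE m.member = r.oid) AS member_of
FROM pg_roles r
WHERE r.rolname = 'someone';

-- Cleanup of the constructed objects.
DROP DATABASE demo_db;
DROP ROLE someone;
DROP ROLE db_creator;
```

Run it with `psql -f` without `ON_ERROR_STOP` so the intentional first `CREATE DATABASE` failure does not abort the script.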