cyrilgdn / terraform-provider-postgresql

Terraform PostgreSQL provider
https://www.terraform.io/docs/providers/postgresql/
Mozilla Public License 2.0

postgresql_role incorrectly resets any granted role #285

Open johnlister opened 1 year ago

johnlister commented 1 year ago

Hi there,

Thank you for opening an issue. Please provide the following information:

Terraform Version

v1.3.6

Affected Resource(s)

postgresql_role

Terraform Configuration Files

n/a

Debug Output

n/a

Panic Output

n/a

Expected Behavior

Creating a role using postgresql_role with the roles value missing shouldn't result in existing roles being removed. It is expected that if the list is optional then no changes are made to roles.

Actual Behavior

Running apply a second time removes all role memberships from the created role, as it treats the expected list as empty. Running a third time will reassign all the roles using the explicit grant, and so on.

Steps to Reproduce

Creating a role using postgresql_role with the roles value missing shouldn't result in existing roles being removed. Manually grant the role membership of another role using postgresql_grant_role. When you run apply the first time, the role is created and granted membership to the second role. Running apply a subsequent time should not make any changes as the optional list of roles is empty.

Important Factoids

Why is roles an option anyway, except as a shortcut? You can manually grant them using postgresql_grant_role. As a minimum, the documentation should reflect that you need to use ignore_changes if manually making a role a member of another role.

References

No

estokes-vs commented 1 year ago

@johnlister I ran into this issue recently as well, and found the documentation indicates to use a Lifecycle mechanism to ignore changes on the role itself. It's goofy, as the grant_role should ideally override the role creation declaration, but it worked for us. https://registry.terraform.io/providers/cyrilgdn/postgresql/latest/docs/resources/postgresql_grant_role#usage

  lifecycle {
    ignore_changes = [
      roles,
    ]
  }

johnlister commented 1 month ago

I ended up using the lifecycle to skip changes, but wouldn't expect it to treat a missing list as an empty list.
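
The setup described in this thread, written out as a full configuration with the `ignore_changes` workaround in place. This is an added example, not code from the issue or from the provider's documentation; the resource labels and role names (`app`, `readers`) are hypothetical.

```hcl
# Constructed example: resource labels and role names are hypothetical.

# The role that "app" will be made a member of.
resource "postgresql_role" "readers" {
  name = "readers"
}

resource "postgresql_role" "app" {
  name  = "app"
  login = true

  # "roles" is deliberately omitted: membership is managed by the
  # postgresql_grant_role resource below. As reported in this issue, without
  # the lifecycle block the omitted list is treated as empty, so the second
  # apply revokes the membership and the third apply grants it again.
  lifecycle {
    ignore_changes = [
      roles,
    ]
  }
}

# Explicit membership grant: "app" becomes a member of "readers".
resource "postgresql_grant_role" "app_readers" {
  role       = postgresql_role.app.name
  grant_role = postgresql_role.readers.name
}
```

Running `terraform plan` again after the first apply is the check: any proposed change to `roles` on `postgresql_role.app` means the membership would be revoked on the next apply.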