Open jbunting opened 8 months ago
@cyrilgdn is it possible to get this PR merged without an actual valid test Azure Database for PostgreSQL? Also interested in Entra Auth principals being supported, which requires Security Label support.
@jbunting Can you bring in https://github.com/jbunting/terraform-provider-postgresql/pull/1 into this PR to add a doc page for this resource?
Would be great to have this officially.
Verified working e2e with this temporary release: https://registry.terraform.io/providers/Teabeats/postgresql/latest/docs/resources/postgresql_security_label
Has this been tested with an Azure database? I tested with a basic role like "my_test_role" and it works fine. It fails on any Azure Entra managed ID.
# postgresql_security_label.entra_aadauth["my-entra-id"] will be created
+ resource "postgresql_security_label" "entra_aadauth" {
+ id = (known after apply)
+ label = "aadauth,oid=*****,type=service"
+ label_provider = "pgaadauth"
+ object_name = "my-entra-id"
+ object_type = "role"
}
Plan: 1 to add, 0 to change, 0 to destroy.
postgresql_security_label.entra_aadauth["my-entra-id"]: Creating...
Error: Provider produced inconsistent result after apply
When applying changes to
postgresql_security_label.entra_aadauth["ar-data-services01-devsecops-dev"],
provider "provider[\"registry.terraform.io/teabeats/postgresql\"]" produced
an unexpected new value: Root resource was present, but now absent.
When I query pg_seclabels I notice that all the Entra IDs are literally quoted in the objname field, whereas the basic role I created a security label for is not. E.g., "my-entra-id" vs my_test_role
My thought is, the resource gets created successfully, but when it attempts to read it back it's looking for my-entra-id while the value is actually "my-entra-id". I can confirm this with a simple select from pg_seclabels where objname = 'my-entra-id', which returns nothing, while select from pg_seclabels where objname = '"my-entra-id"' returns a value.
Edit: maybe it's not so much Entra ID as it is IDs with hyphens. I just noticed that even the individual users and the AAD group assigned as server admins are quoted.
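The read-back mismatch described in this comment, as an added example that is not the provider's own code: pg_seclabels builds objname for roles with quote_ident(), so a read-back has to compare against the quoted form rather than the raw name. The quoteIdent helper below assumes the common quoting rules only (it omits PostgreSQL's reserved-keyword check), and the pg_seclabels rows are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteIdent mimics PostgreSQL's quote_ident(): only-lowercase-ASCII names of letters,
// digits and '_' (not digit-first) pass through; else double-quote, doubling embedded
// quotes. Assumption: the reserved-keyword check of the real function is omitted.
func quoteIdent(name string) string {
	safe := name != ""
	for i, r := range name {
		lower := r >= 'a' && r <= 'z'
		digit := r >= '0' && r <= '9'
		if !(lower || r == '_' || (digit && i > 0)) {
			safe = false
			break
		}
	}
	if safe {
		return name
	}
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// secLabelRow is a constructed stand-in for one row of pg_seclabels.
type secLabelRow struct{ ObjType, ObjName, Provider, Label string }

// findRoleLabel compares the raw role name with the quote_ident() form that
// pg_seclabels stores in objname, so hyphenated or mixed-case names still match.
func findRoleLabel(rows []secLabelRow, provider, role string) (string, bool) {
	want := quoteIdent(role)
	for _, r := range rows {
		if r.ObjType == "role" && r.Provider == provider && r.ObjName == want {
			return r.Label, true
		}
	}
	return "", false
}
func main() {
	// Constructed rows mirroring the thread: the hyphenated name comes back quoted.
	rows := []secLabelRow{
		{"role", `"my-entra-id"`, "pgaadauth", "aadauth,oid=<placeholder>,type=service"},
		{"role", "my_test_role", "pgaadauth", "aadauth,oid=<placeholder>,type=user"},
	}
	for _, n := range []string{"my-entra-id", "my_test_role"} {
		label, ok := findRoleLabel(rows, "pgaadauth", n)
		fmt.Printf("%-13s found=%-5v label=%q\n", n, ok, label)
	}
}
```

Querying with objname = quote_ident($1) in SQL achieves the same match server-side.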
I've added a security label resource. This allows creating and managing security labels in Postgres (https://www.postgresql.org/docs/current/sql-security-label.html).
Unfortunately, in order to test the security label operations, a "security label provider" has to be installed. My first commit in this PR does that, but to be honest it's a bit onerous and it copies a little bit of code from Postgres's test tree. I'm fully open to thoughts on how to better handle that part.
I believe this also addresses #276 .