cyrilgdn / terraform-provider-postgresql

Terraform PostgreSQL provider
https://www.terraform.io/docs/providers/postgresql/
Mozilla Public License 2.0

Add security label resource #365

Open jbunting opened 8 months ago

jbunting commented 8 months ago

I've added a security label resource. This allows creating and managing security labels in postgres (https://www.postgresql.org/docs/current/sql-security-label.html).

Unfortunately, in order to test the security label operations, a "security label provider" has to be installed. My first commit in this PR does that, but to be honest it's a bit onerous and it copies a little bit of code from postgres's test tree. I'm fully open to thoughts on how to better handle that part.

I believe this also addresses #276.

djr747 commented 5 months ago

@cyrilgdn is it possible to get this PR merged without an actual valid test Azure Database for PostgreSQL? Also interested in Entra Auth principals being supported, which requires Security Label support.

Teabeats commented 2 months ago

@jbunting Can you bring in https://github.com/jbunting/terraform-provider-postgresql/pull/1 into this PR to add a doc page for this resource?

glangho commented 20 hours ago

Would be great to have this officially.

Verified working e2e with this temporary release: https://registry.terraform.io/providers/Teabeats/postgresql/latest/docs/resources/postgresql_security_label

Has this been tested with an azure database? I tested with a basic role like "my_test_role" and it works fine. It fails on any azure entra managed id.

# postgresql_security_label.entra_aadauth["my-entra-id"] will be created
+ resource "postgresql_security_label" "entra_aadauth" {
    + id             = (known after apply)
    + label          = "aadauth,oid=*****,type=service"
    + label_provider = "pgaadauth"
    + object_name    = "my-entra-id"
    + object_type    = "role"
  }

Plan: 1 to add, 0 to change, 0 to destroy.
postgresql_security_label.entra_aadauth["my-entra-id"]: Creating...

Error: Provider produced inconsistent result after apply

When applying changes to
postgresql_security_label.entra_aadauth["ar-data-services01-devsecops-dev"],
provider "provider[\"registry.terraform.io/teabeats/postgresql\"]" produced
an unexpected new value: Root resource was present, but now absent.

When I query pg_seclabels I notice that all the entra ids are literally quoted in the objname field, whereas the basic role I created a security label for is not. Ex., "my-entra-id" vs my_test_role

My thought is, the resource gets created successfully, but when it attempts to read it back it's looking for my-entra-id while the value is actually "my-entra-id". I can confirm this with a simple select from pg_seclabels where objname = 'my-entra-id', which returns nothing, while select from pg_seclabels where objname = '"my-entra-id"' returns a value.

Edit: maybe it's not so much entra id as it is ids with hyphens. I just noticed that even the individual users and aad group assigned as server admins are quoted.
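The quoting mismatch described in the comment above, as an added Go example that is not part of this PR or the provider's code: pg_seclabels renders names that need quoting (hyphens, upper case, special characters) in double quotes, so a read-back has to either quote the configured name the same way or strip the quotes before comparing. The helpers assume quote_ident-style rules and, as a simplification, ignore the reserved-keyword case that quote_ident also quotes.

```go
package main

import (
	"fmt"
	"strings"
)

// needsQuoting reports whether PostgreSQL would render the identifier in
// double quotes: anything other than [a-z0-9_] with a non-digit first
// character is quoted. Assumption: reserved keywords are not handled.
func needsQuoting(name string) bool {
	if name == "" {
		return true
	}
	for i, r := range name {
		switch {
		case r >= 'a' && r <= 'z', r == '_':
		case r >= '0' && r <= '9' && i > 0:
		default:
			return true
		}
	}
	return false
}

// quoteIdent renders name the way pg_seclabels.objname shows it: bare when
// safe, otherwise double-quoted with embedded double quotes doubled.
func quoteIdent(name string) string {
	if !needsQuoting(name) {
		return name
	}
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// unquoteIdent is the inverse: removes one level of double quotes and
// collapses doubled quotes; bare identifiers are returned unchanged.
func unquoteIdent(objname string) string {
	if len(objname) >= 2 && objname[0] == '"' && objname[len(objname)-1] == '"' {
		return strings.ReplaceAll(objname[1:len(objname)-1], `""`, `"`)
	}
	return objname
}

// matchesObjName compares the role name from the Terraform config with the
// objname value read back from pg_seclabels, quoted or not.
func matchesObjName(wanted, objname string) bool {
	return unquoteIdent(objname) == wanted
}

func main() {
	for _, n := range []string{"my_test_role", "my-entra-id", `odd"name`} {
		fmt.Printf("%-12s -> %s\n", n, quoteIdent(n)) // constructed sample names
	}
}
```

Reading back with `WHERE objname = quoteIdent(name)` or comparing with `matchesObjName` avoids the "present, but now absent" result for hyphenated role names.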