search

cyrilgdn / terraform-provider-postgresql

Terraform PostgreSQL provider
https://www.terraform.io/docs/providers/postgresql/
Mozilla Public License 2.0
356 stars 181 forks source link

Need to execute destroy twice for deployment with postgresql_default_privileges #381

Closed nicolamarangoni closed 4 months ago

nicolamarangoni commented 7 months ago

Hi there,

I added default privileges on a schema for a specific role. Now I need to execute terragrunt destroy twice to really destroy the deployment.

Thanks, Nicola

Terraform Version

1.6.5

Affected Resource(s)

Terraform Configuration Files

resource "postgresql_database" "airflow" {
  name  = var.aws_rds_database
  owner = postgresql_role.airflow.name
}

resource "postgresql_role" "airflow" {
  name     = var.aws_rds_username
  login    = true
  password = random_password.airflow_rds.result
}

resource "postgresql_role" "airflow_ro" {
  name     = var.aws_rds_username_ro
  login    = true
  password = random_password.airflow_rds_ro.result
}

resource "postgresql_default_privileges" "airflow_ro" {
  database    = var.aws_rds_database
  owner       = var.aws_rds_username
  role        = var.aws_rds_username_ro
  schema      = "public"
  object_type = "table"
  privileges  = ["SELECT"]

  depends_on = [postgresql_database.airflow]
}

Expected Behavior

First terragrunt destroy successful

Actual Behavior

After the first destroy I get the error: could not delete role role_name: pq: role "role_name" cannot be dropped because some objects depend on it However, the terragrunt/terraform output of the first execution says that the postgresql_default_privileges resource has been successfully destroyed: postgresql_default_privileges.airflow_ro: Destruction complete after 5s Actually the second attempt just destroy postgresql_role.airflow_ro, that was the only resource left by the first attempt.

Steps to Reproduce

Important Factoids

We only use terraform with terragrunt.

cyrilgdn commented 4 months ago

Hi @nicolamarangoni ,

Sorry for the late reply, if you still have this issue, it's not a provider bug but you simply need to configure dependencies between resources correctly in your code.

In your code example, you provide role name in postgresql_default_privileges directly with the variable where you should actually reference the postgresql_role resource instead (same for database, owner, etc...) , e.g.:

resource "postgresql_database" "airflow" {
  name  = var.aws_rds_database
  owner = postgresql_role.airflow.name
}

resource "postgresql_role" "airflow" {
  name     = var.aws_rds_username
  login    = true
  password = random_password.airflow_rds.result
}

resource "postgresql_role" "airflow_ro" {
  name     = var.aws_rds_username_ro
  login    = true
  password = random_password.airflow_rds_ro.result
}

resource "postgresql_default_privileges" "airflow_ro" {
  database    = postgresql_database.airflow.name
  owner       = postgresql_role.airflow.name
  role        = postgresql_role.airflow_ro.name
  schema      = "public"
  object_type = "table"
  privileges  = ["SELECT"]
}

Thanks to that, Terraform will now that your postgresql_default_privileges depends on the other resources and will destroy it before trying to destroy the roles & database. Also, you don't need to define the depends_on for the database anymore.

I allow myself to close this issue but feel free to open it back if needed.

nicolamarangoni commented 4 months ago

Hi @cyrilgdn , thank you for the answer. Indeed I came to the same conclusion in December and corrected my deployment. Best regards,