search

hashicorp / terraform-provider-mysql

Terraform MySQL provider – This Terraform provider is archived per our provider archiving process: https://terraform.io/docs/internals/archiving.html
https://www.terraform.io/docs/providers/mysql/
Mozilla Public License 2.0
61 stars 189 forks source link

Granting roles to user requires useless database parameter #122

Open tomalok opened 4 years ago

tomalok commented 4 years ago

Terraform Version

Terraform v0.12.23`
* provider.mysql: version = "~> 1.9"

MariaDB 10.4.12

Affected Resource(s)

mysql_grant (when granting roles to user)

Terraform Configuration Files

resource mysql_database "test_db" {
  name = "test_db"
}

resource mysql_role "test_role" {
  name = "test_role"
}

resource mysql_user "test_user" {
  user = "test_user"
}

resource mysql_grant "test_role_grant" {
  role        = mysql_role.test_role.name
  database    = mysql_database.test_db.name
  privileges  = [ "SELECT" ]
}

resource mysql_grant "test_user_grant_roles" {
  user      = mysql_user.test_user.user
  roles     = [ mysql_role.test_role.name ]
  database  = mysql_database.test_db.name # insists required, but is unnecessary
}

Plan Output

  # mysql_database.test_db will be created
  + resource "mysql_database" "test_db" {
      + default_character_set = "utf8"
      + default_collation     = "utf8_general_ci"
      + id                    = (known after apply)
      + name                  = "test_db"
    }

  # mysql_grant.test_role_grant will be created
  + resource "mysql_grant" "test_role_grant" {
      + database   = "test_db"
      + grant      = false
      + host       = "localhost"
      + id         = (known after apply)
      + privileges = [
          + "SELECT",
        ]
      + role       = "test_role"
      + table      = "*"
      + tls_option = "NONE"
    }

  # mysql_grant.test_user_grant_roles will be created
  + resource "mysql_grant" "test_user_grant_roles" {
      + database   = "test_db"
      + grant      = false
      + host       = "localhost"
      + id         = (known after apply)
      + roles      = [
          + "test_role",
        ]
      + table      = "*"
      + tls_option = "NONE"
      + user       = "test_user"
    }

  # mysql_role.test_role will be created
  + resource "mysql_role" "test_role" {
      + id   = (known after apply)
      + name = "test_role"
    }

  # mysql_user.test_user will be created
  + resource "mysql_user" "test_user" {
      + host       = "localhost"
      + id         = (known after apply)
      + tls_option = "NONE"
      + user       = "test_user"
    }

Resulting GRANTs

MariaDB [(none)]> show grants for 'test_role';
+--------------------------------------------+
| Grants for test_role                       |
+--------------------------------------------+
| GRANT USAGE ON *.* TO 'test_role'          |
| GRANT SELECT ON `test_db`.* TO 'test_role' |
+--------------------------------------------+
MariaDB [(none)]> show grants for 'test_user'@'localhost';
+-----------------------------------------------+
| Grants for test_user@localhost                |
+-----------------------------------------------+
| GRANT test_role TO 'test_user'@'localhost'    |
| GRANT USAGE ON *.* TO 'test_user'@'localhost' |
+-----------------------------------------------+

Expected Behavior

The mysql_grant resource should not require database attribute when roles attribute is being set. The database and table attributes probably should also be disallowed (like privileges) when roles is present.

Actual Behavior

The mysql_grant resource is requiring the unnecessary (and unused) database attribute when the roles attribute is being set.

As An Aside...

The MySQL Terraform provider's host default of localhost does not match MySQL/MariaDB's default of % when host is not specified.