hashicorp / terraform-provider-mysql

Terraform MySQL provider – This Terraform provider is archived per our provider archiving process: https://terraform.io/docs/internals/archiving.html
https://www.terraform.io/docs/providers/mysql/
Mozilla Public License 2.0

Access denied for user #32

Closed gaba-xyz closed 6 years ago

gaba-xyz commented 6 years ago

When attempting to use the mysql provider with an uncreated GCP Cloud SQL DB instance it is not able to generate a plan.

Terraform Version

Terraform v0.11.4
+ provider.google v1.8.0
+ provider.mysql v1.0.1
+ provider.random v1.1.0
+ provider.vault v1.0.0

Affected Resource(s)

Please list the resources as a list, for example:

Terraform Configuration Files

resource "google_sql_database_instance" "master" {
  name             = "${lookup(local.env[terraform.workspace], "instance_name")}"
  database_version = "MYSQL_5_6"
  region           = "${var.region}"

  settings {
    tier = "${lookup(local.env[terraform.workspace], "tier")}"

    maintenance_window {
      day          = 7
      hour         = 22
      update_track = "stable"
    }

    backup_configuration {
      enabled    = true
      start_time = "00:00"
    }

    ip_configuration {
      authorized_networks {
        value = "${var.cloudsql_access_whitelist}"
      }
    }
  }
}

resource "random_string" "root_password" {
  length  = 16
  special = false
}

resource "google_sql_user" "root" {
  name     = "root"
  password = "${random_string.root_password.result}"
  instance = "${google_sql_database_instance.master.name}"
}

module "mysql_users" {
  source         = "./mysql-users"
  mysql_host     = "${google_sql_database_instance.master.first_ip_address}"
  mysql_user     = "${google_sql_user.root.name}"
  mysql_password = "${google_sql_user.root.password}" 
  mysql_dbs      = "${local.dbs}"
}

mysql-users

provider "mysql" {
  endpoint = "${var.mysql_host}"
  username = "${var.mysql_user}"
  password = "${var.mysql_password}"
}

locals {
  privileges = ["ALL"]
}

resource "random_string" "password" {
  count   = "${length(var.mysql_dbs)}"
  length  = 16
  special = false
}

resource "mysql_user" "default" {
  count              = "${length(var.mysql_dbs)}"
  user               = "${lookup(var.mysql_dbs[count.index], "default_user")}"
  host               = "%"
  plaintext_password = "${element(random_string.password.*.result, count.index)}"
}

resource "mysql_grant" "default" {
  count      = "${length(var.mysql_dbs)}"
  user       = "${element(mysql_user.default.*.user, count.index)}"
  host       = "${element(mysql_user.default.*.host, count.index)}"
  database   = "${lookup(var.mysql_dbs[count.index], "name")}"
  privileges = ["${local.privileges}"]
}

Expected Behavior

Terraform should generate and display a plan successfully.

Actual Behavior

Receiving the following error message:

Error: Error running plan: 1 error(s) occurred:

* module.mysql_users.provider.mysql: Error 1045: Access denied for user 'root'@'172.17.0.1' (using password: NO)

cemo commented 6 years ago

@Gabology have you resolved your issue? Hit the same problem.

i-ghost commented 6 years ago

@cemo An alternative solution is to manage the RDS/db infra in a separate plan/module, then reference the remote state in the main plan/module. Probably not ideal if you didn't plan on using modules.

gaba-xyz commented 6 years ago

@cemo Unfortunately not. What I did to work around the issue was to comment out the module that depended on the IP address of the Cloud SQL instance and then run terraform apply. After it had created the Cloud SQL instance I uncommented the code and ran terraform apply again. Not a very good solution, so let's hope they fix it.

quinont commented 6 years ago

Hi @Gabology! I have the same issue as you. I saw the provider try to connect (for some reason) to the MySQL server, but it didn't try GCP's MySQL server; it tried locally. Also, I saw in the error message that the IP changes if you use Docker or not (172.x.x.x or 172.x.x.x). So my workaround was to create a Docker container with MySQL 5.7; after that I created a MySQL user without a password (with the same name as the one I use to connect to GCP's MySQL) and "terraform plan/apply" worked (I still don't know why...)

I think this isn't a good solution either, so let's hope they fix it. Sorry for my awful English.

mclavel commented 6 years ago

We have the same problem :(

mclavel commented 6 years ago

Hi @Gabology and @cemo, together with @quinont we sent a PR to fix this situation. The problem is the default configuration in the mysql provider, because it creates a SQL connection when it's initialized. We changed the way the connection is used.

https://github.com/terraform-providers/terraform-provider-mysql/pull/37

We tested the solution and it works fine with the GCP provider. We created databases in GCP and changed the default grants with mysql (all in the same terraform file).

(Sorry for our awful English.)
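
Added example, not part of the thread and not the provider's or the linked PR's code: the difference between connecting while the provider is configured and deferring the connection until first use, shown with Go's `database/sql`. The names `stubDriver`, `configureEager` and `configureLazy` are hypothetical, and the stub driver is a constructed stand-in for a real MySQL driver so that the example runs offline.

```go
package main

import (
	"database/sql"
	"database/sql/driver"
	"errors"
	"fmt"
	"strings"
)

// stubDriver is a constructed stand-in for a MySQL driver (no network): it
// rejects a DSN with an empty password, like the server in the report.
type stubDriver struct{}
type stubConn struct{}

func (stubDriver) Open(dsn string) (driver.Conn, error) {
	if strings.Contains(dsn, ":@") { // "user:@host": no password supplied
		return nil, errors.New("Error 1045: Access denied (using password: NO)")
	}
	return stubConn{}, nil
}
func (stubConn) Prepare(string) (driver.Stmt, error) { return nil, errors.New("unsupported") }
func (stubConn) Close() error                        { return nil }
func (stubConn) Begin() (driver.Tx, error)           { return nil, errors.New("unsupported") }
func init()                                          { sql.Register("stubmysql", stubDriver{}) }

// configureEager connects while the provider is configured, so it fails at
// plan time when the credentials are still unknown (empty strings here).
func configureEager(user, pass, host string) (*sql.DB, error) {
	db, err := sql.Open("stubmysql", fmt.Sprintf("%s:%s@%s", user, pass, host))
	if err != nil {
		return nil, err
	}
	if err := db.Ping(); err != nil { // Ping forces a real connection attempt
		db.Close()
		return nil, err
	}
	return db, nil
}

// configureLazy only records the settings; the returned function connects on first use.
func configureLazy(user, pass, host string) func() (*sql.DB, error) {
	return func() (*sql.DB, error) { return configureEager(user, pass, host) }
}

func main() {
	_, err := configureEager("root", "", "")
	fmt.Println("eager configure at plan time:", err)
	_ = configureLazy("root", "", "") // returns without touching the server
}
```

With the deferred form, a plan in which no MySQL resource has to be read never opens a connection, so empty credentials that will only be known after the instance exists do not abort it.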

joestump commented 6 years ago

#43 should address this issue. 👍