hashicorp / terraform-provider-postgresql

As part of our introduction to self-service publishing in the Terraform Registry, this copy of the provider has been archived, and ownership has been transferred to active maintainers in the community. Please see the new location on the Terraform Registry: https://registry.terraform.io/providers/cyrilgdn/postgresql
https://github.com/cyrilgdn/terraform-provider-postgresql
Mozilla Public License 2.0

Bug: Execution does not match expected grants on v1.7.0 #161

Closed jonasneves closed 4 years ago

jonasneves commented 4 years ago

Terraform Version

Terraform v0.12.28

Affected Resource(s)

Terraform Configuration Files

provider "postgresql" {
  host            = "xxxxx.us-east-1.rds.amazonaws.com"
  port            = 5432
  username        = "master"
  password        = "xxxxx"
  sslmode         = "require"
  connect_timeout = 15
  superuser       = false
}

resource "postgresql_grant" "this" {
    database          = "somedb01"
    object_type       = "table"
    privileges        = [
        "ALL",
    ]
    role              = "read_access"
    schema            = "public"
    with_grant_option = true
}

Expected Behavior

Change privileges of the role that the terraform plan indicates needs to be changed.

Terraform plan:

Terraform will perform the following actions:

  # postgresql_grant.this will be created
  + resource "postgresql_grant" "this" {
      + database          = "somedb01"
      + id                = (known after apply)
      + object_type       = "table"
      + privileges        = [
          + "ALL",
        ]
      + role              = "read_access"
      + schema            = "public"
      + with_grant_option = true
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Actual Behavior

In the terraform output, the "Creating" message shows the correct action that should be made, but the error indicates that it was trying to do something else: it tries to grant a random user role to the "master" role.

Terraform output:

postgresql_grant.this: Creating...

Error: Error granting role randomuser@domain.com to master: pq: role "randomuser@domain.com" is a member of role "master"

  on main.tf line 11, in resource "postgresql_grant" "this":
  11: resource "postgresql_grant" "this" {

Note that may or may not matter: Those random users roles are members of the "master" and "rdsiam" roles

Workaround

I had to constrain the postgresql provider to the version 1.6.0, which works as expected.

cyrilgdn commented 4 years ago

@jonasneves Thanks for opening this issue.

We encountered the same problem (on role deletion) indeed and we'll create a bugfix release for that as soon as possible.

> Those random users roles are members of the "master"

It matters, yes: the provider tries to temporarily grant the randomuser to the admin user (master in your case) but cannot, as there's already the opposite membership (master is granted to randomuser).
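
The membership-loop rule behind the error above, as an added example that is not part of the original thread or the provider's code: PostgreSQL refuses `GRANT role TO member` when `role` is already a direct or indirect member of `member`. The type and function names are hypothetical, and the sample rows are constructed to mirror `pg_auth_members` for the roles named in the issue.

```go
package main

import "fmt"

// Membership mirrors one pg_auth_members row: Member has been granted Role.
type Membership struct {
	Role   string // the role that was granted (roleid)
	Member string // the role that received it (member)
}

// IsMemberOf reports whether role is `of` itself or a direct/indirect member of it.
func IsMemberOf(rows []Membership, role, of string) bool {
	grantedTo := map[string][]string{} // member -> roles it was granted
	for _, r := range rows {
		grantedTo[r.Member] = append(grantedTo[r.Member], r.Role)
	}
	seen := map[string]bool{role: true}
	queue := []string{role}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == of {
			return true
		}
		for _, next := range grantedTo[cur] {
			if !seen[next] {
				seen[next] = true
				queue = append(queue, next)
			}
		}
	}
	return false
}

// CanGrant reports whether `GRANT role TO member` can succeed: PostgreSQL
// refuses it when role is already a member of member (a membership loop).
func CanGrant(rows []Membership, role, member string) bool {
	return !IsMemberOf(rows, role, member)
}

func main() {
	// Constructed sample rows modelled on the issue: master is granted to randomuser.
	rows := []Membership{
		{Role: "master", Member: "randomuser@domain.com"},
		{Role: "rdsiam", Member: "randomuser@domain.com"},
	}
	fmt.Println(CanGrant(rows, "randomuser@domain.com", "master")) // false: loop
	fmt.Println(CanGrant(rows, "read_access", "master"))           // true
}
```

Running the same check against the real `pg_auth_members` contents before a temporary grant shows which roles already hold the admin role and would trigger this error.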