hashicorp / terraform-provider-postgresql

As part of our introduction to self-service publishing in the Terraform Registry, this copy of the provider has been archived, and ownership has been transferred to active maintainers in the community. Please see the new location on the Terraform Registry: https://registry.terraform.io/providers/cyrilgdn/postgresql
https://github.com/cyrilgdn/terraform-provider-postgresql
Mozilla Public License 2.0

Postgresql provider always triggers change when privileges = "ALL" #166

Open jonasneves opened 4 years ago

jonasneves commented 4 years ago

Terraform Version

Terraform v0.12.29
+ provider.postgresql v1.7.1

Affected Resource(s)

Please list the resources as a list, for example:

Terraform Configuration Files

provider "postgresql" {
  host            = "xxxxx.us-east-1.rds.amazonaws.com"
  port            = "5432"
  username        = "master"
  password        = "xxxxx"
  sslmode         = "require"
  connect_timeout = 15
  superuser       = false
}

resource "postgresql_grant" "this" {
  database    = "somedb"
  object_type = "table"
  privileges = [
    "ALL",
  ]
  role              = "someuser"
  schema            = "public"
  with_grant_option = true
}

Expected Behavior

Since the grant was applied previously, I would be expecting the following output:

No changes. Infrastructure is up-to-date.

Actual Behavior

It tries to apply the privileges again:

Terraform will perform the following actions:

  # postgresql_grant.this will be updated in-place
  ~ resource "postgresql_grant" "this" {
        database          = "somedb"
        id                = "someuser_somedb_public_table"
        object_type       = "table"
      ~ privileges        = [
          + "ALL",
        ]
        role              = "someuser"
        schema            = "public"
        with_grant_option = true
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

  1. terraform apply

planetjones commented 4 years ago

We have the same issue when object_type = database and privileges = ["ALL"]

Without an existing state file it works fine. But when there is an existing state file it tries to add ALL again. But this causes:

REVOKE ALL PRIVILEGES ON DATABASE ....

to be executed, which fails because there are dependent privileges.

The official documentation does not say this provider supports "ALL". If that's the case I think it should be explicitly stated in the documentation.

If the provider shall support "ALL" then I believe terraform will need to know what independent privileges form "ALL" so it knows there has been no change to the state, when it looks at what the actual state in PostgreSQL is.

mltsy commented 4 years ago

I've noticed this as well.

You can, of course, work around this by specifying all specific privileges you want to grant (INSERT, SELECT, UPDATE, DELETE, ...?) for now. But I agree with @planetjones - should either be fixed or documented and made invalid.
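
The point raised in the thread, that a diff only comes out empty if "ALL" is expanded into its individual privileges before comparing with what the server reports, sketched in Go as an added example; it is not part of the thread and not the provider's code. `allPrivileges`, `normalize` and `hasDrift` are hypothetical names, and the privilege lists are an assumption taken from the PostgreSQL GRANT documentation for servers of this issue's era.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Assumption: what "ALL" expands to per object type; later server versions may add privileges.
var allPrivileges = map[string][]string{
	"table":    {"SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER"},
	"database": {"CREATE", "CONNECT", "TEMPORARY"},
}
// normalize (hypothetical helper) expands "ALL" and returns a sorted, de-duplicated set.
func normalize(objectType string, privs []string) ([]string, error) {
	seen := map[string]bool{}
	for _, p := range privs {
		p = strings.ToUpper(strings.TrimSpace(p))
		expanded := []string{p}
		if p == "ALL" {
			full, ok := allPrivileges[objectType]
			if !ok {
				return nil, fmt.Errorf("no ALL expansion known for %q", objectType)
			}
			expanded = full
		}
		for _, e := range expanded {
			seen[e] = true
		}
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out, nil
}
// hasDrift (hypothetical) compares configured and read-back privileges after normalization.
func hasDrift(objectType string, configured, actual []string) (bool, error) {
	want, err := normalize(objectType, configured)
	if err != nil {
		return false, err
	}
	got, err := normalize(objectType, actual)
	return strings.Join(want, ",") != strings.Join(got, ","), err
}
func main() {
	fmt.Println(hasDrift("table", []string{"ALL"}, allPrivileges["table"])) // constructed read-back
}
```

An unknown object type returns an error instead of guessing, so a missing expansion cannot be mistaken for "no change".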