petoju / terraform-provider-mysql

Terraform MySQL provider – unofficial fork
https://registry.terraform.io/providers/petoju/mysql
Mozilla Public License 2.0

Multiple resources not allowed to grant different roles #133

Closed aloks2019 closed 2 months ago

aloks2019 commented 2 months ago

I get an error when I try to grant multiple roles using different resources. My end goal is to use for_each to generate roles dynamically, but the existing solution is not working.


resource "mysql_grant" "r_grants_roles" {
  host       = "%"
  database   = "*"
  user       = "app_deploy"
  roles      = ["db2_app_deploy_role"]

}
resource "mysql_grant" "r_grants_roles1" {
  host       = "%"
  database   = "*"
  user       = "app_deploy"
  roles      = ["db1_app_deploy_role"]

}

Expected Behavior

Successful execution

Actual Behavior

mysql_grant.r_grants_roles1: Creating...
╷
│ Error: user/role {app_deploy %} already has grant &{[db2_app_deploy_role] false {app_deploy %} NONE} -
│
│   with mysql_grant.r_grants_roles1,
│   on main.tf line 297, in resource "mysql_grant" "r_grants_roles1":
│  297: resource "mysql_grant" "r_grants_roles1" {
│
╵

petoju commented 2 months ago

This is actually the intended behaviour.

mysql_grant enumerates all roles (in your use case; or all grants) that the user should be given. All extra roles are removed; that helps both with auditing and in some edge cases after an incomplete apply. That's why we don't allow more grant resources per user.

If you want to give the user more roles, you are free to do so using roles = ["db1_app_deploy_role", "db2_app_deploy_role"]. The list can be easily generated dynamically.
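
Added example (not part of the thread or the provider's own documentation): one way to generate the role list dynamically while keeping a single mysql_grant per account, so the resource remains the complete, auditable list of that account's roles. The local names role_assignments and roles_by_account and the resource name roles are hypothetical, and the input list is constructed.

```hcl
locals {
  # Constructed input: one entry per (account, role) pair to grant.
  role_assignments = [
    { user = "app_deploy", host = "%", role = "db1_app_deploy_role" },
    { user = "app_deploy", host = "%", role = "db2_app_deploy_role" },
  ]

  # Group the pairs by "user@host" (the trailing "..." collects every role
  # that shares a key into one list), so each account maps to exactly one
  # mysql_grant resource instead of one resource per role.
  roles_by_account = {
    for a in local.role_assignments : "${a.user}@${a.host}" => a.role...
  }
}

resource "mysql_grant" "roles" {
  # for_each iterates over accounts, not over roles.
  for_each = local.roles_by_account

  # Assumption: user names contain no "@", so the key splits cleanly.
  user     = split("@", each.key)[0]
  host     = split("@", each.key)[1]
  database = "*"

  # The full set of roles for this account; anything not listed here is
  # removed on apply, as described in the comment above.
  roles = toset(each.value)
}
```

Iterating over roles instead of accounts recreates the error from the issue, because every instance would target the same user and host.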