petoju / terraform-provider-mysql

Terraform MySQL provider – unofficial fork
https://registry.terraform.io/providers/petoju/mysql
Mozilla Public License 2.0

`mysql_user_password`: An argument named `pgp_key` is not expected here. #26

Open chrs-myrs opened 2 years ago

chrs-myrs commented 2 years ago

Terraform Version

Terraform v1.2.6
on linux_amd64
+ provider registry.terraform.io/andrewchubatiuk/ssh v0.1.4
+ provider registry.terraform.io/hashicorp/aws v3.75.2
+ provider registry.terraform.io/hashicorp/random v3.3.2
+ provider registry.terraform.io/petoju/mysql v3.0.18

Affected Resource(s)

Please list the resources as a list, for example:

Terraform Configuration Files

terraform {
  required_providers {
    mysql = {
      source  = "petoju/mysql"
      version = "3.0.18"
    }
  }
}

resource "mysql_database" "symfony" {
  name = "symfony_app"
}

resource "mysql_user" "staff_users" {
  for_each = local.staff_users
  user     = each.key
  host     = "%"
}

resource "mysql_user_password" "staff_users" {
  for_each = mysql_user.staff_users
  user     = each.value.user
  host     = each.value.host
  pgp_key  = "keybase:${local.staff_users[each.key].keybase-username}"
}

resource "mysql_grant" "staff_user_access" {
  for_each   = mysql_user.staff_users
  user       = each.value.user
  host       = each.value.host
  database   = mysql_database.symfony.name
  privileges = ["SELECT", "UPDATE", "DELETE", "EXECUTE", "INSERT", "CREATE", "ALTER", "INDEX"]
}

Debug Output

https://gist.github.com/chrs-myrs/f70647ce9a7ed35c37747ce721d65aa6

Panic Output

N/A

Expected Behavior

The user should be assigned a password which is then PGP decrypted.

Actual Behavior

Terraform rejects the documented attribute, even though it is required on this resource type (https://registry.terraform.io/providers/petoju/mysql/latest/docs/resources/user_password).

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

Important Factoids

Tunnelling into mysql via an ssh bastion

petoju commented 2 years ago

My bad - some time ago, this was removed in one refactoring while docs were not removed: it is commit 443494e32832ee004eabd06e1f3535ed7c0220d1 - it merged handling of different passwords.

Is it still necessary for you?

OurFriendIrony commented 1 year ago

I've recently hit this same issue. I don't need the feature but it would be worth updating the documentation to reflect the refactor :)

JoeyHoutenbos commented 1 year ago

@petoju I am using the pgp_key attribute as this makes sure only the owner of the Keybase account can actually decrypt the passwords.

First I was using the "winebarrel/mysql" provider for this, but they refer to this repository since they don't maintain it anymore. Is it possible to add support for the pgp_key again? Or maybe there's another way to accomplish this?

petoju commented 1 year ago

@OurFriendIrony you're right, I will remove it from docs.

@JoeyHoutenbos It may return, but I feel like that is solving an issue on an incorrect level. Maybe this provider would be willing to add pgp_encrypt? That would solve your situation: https://registry.terraform.io/providers/ekristen/pgp/latest/docs/data-sources/pgp_decrypt

corleone77 commented 1 year ago

@petoju I am also using the pgp_key attribute, and my question is: would it be possible to add it again? It will be great!! I was working with "winebarrel/mysql" and we have all PGP files added to the Terraform. Thanks.