petoju / terraform-provider-mysql

Terraform MySQL provider – unofficial fork
https://registry.terraform.io/providers/petoju/mysql
Mozilla Public License 2.0

MySQL v5.7 mysql_grant drops SSL option from mysql_user #32

Closed ajax-mykhailo-oleksiuk closed 1 year ago

ajax-mykhailo-oleksiuk commented 1 year ago

Terraform Version

terraform 1.1.7

Affected Resource(s)

Please list the resources as a list, for example:

Expected Behavior

Using mysql_grant resource without tls_option won't reset mysql_user.tls_option to NONE value.

Actual Behavior

mysql_grant resource without tls_option resets mysql_user.tls_option to NONE value.

After creation of mysql_grant, terraform plan shows a diff. So to restore SSL on mysql_user you need to apply the same terraform again.

```
  # mysql_user.this will be updated in-place
  ~ resource "mysql_user" "this" {
        id                 = "aaaaaaaa@%"
      ~ tls_option         = "NONE" -> "SSL"
        # (5 unchanged attributes hidden)
    }
```

Steps to Reproduce

  1. Create a single mysql_user.
  2. Add a new resource mysql_grant and perform terraform apply.

    
```hcl
terraform {
  required_version = "1.1.7"

  required_providers {
    mysql = {
      source  = "petoju/mysql"
      version = "3.0.19"
    }
  }
}

provider "mysql" {
  endpoint = "localhost:3306"
  username = "root"
  password = "password"
  tls      = "skip-verify"
}

# STEP-1 - create a new user with SSL
resource "mysql_user" "this" {
  user               = "aaaaaaaa"
  host               = "%"
  plaintext_password = "plaintext_password"
  tls_option         = "SSL"
}

# STEP-2 - uncomment & create this new resource.
# resource "mysql_grant" "limited_in_all_schemas" {
#   user       = mysql_user.this.user
#   host       = mysql_user.this.host
#   database   = "*"
#   privileges = ["PROCESS", "REPLICATION CLIENT"]
# }
```


Important Factoids

Tested on AWS RDS MySQL v5.7.38

Workarounds:

  1. Apply the same terraform again to restore changed resources.
  2. Use `mysql_grant.tls_option`, but it's deprecated 😢

```hcl
resource "mysql_grant" "limited_in_all_schemas" {
  user       = mysql_user.this.user
  host       = mysql_user.this.host
  database   = "*"
  privileges = ["PROCESS", "REPLICATION CLIENT"]

  # use deprecated option
  tls_option = "SSL"
}
```

petoju commented 1 year ago

You're right - our tls_option defaults to NONE https://github.com/petoju/terraform-provider-mysql/blob/master/mysql/resource_grant.go#L99 and NONE forces grant with REQUIRE NONE, which in turn removes the SSL requirement.

Options I see:

  1. Ignore tls_option=NONE when creating grant here https://github.com/petoju/terraform-provider-mysql/blob/master/mysql/resource_grant.go#L232 . I believe that's the best solution as people without requirements don't want to change the user. At least that's how I see it.
  2. Remove deprecated tls_option. That would work, but we still need to test what will happen with preexisting resources.
  3. Extend tls_option to provide FORCE_NONE and interpret that as a "real" NONE. But that means extending something deprecated and that's why I don't like this.

WDYT? Would you send a PR?
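
Added example, not part of the comment above and not the provider's own code: a Go sketch of the behaviour described there (the default `NONE` becoming `REQUIRE NONE`) next to option 1. The names `grantSQL`, `skipNone` and `touchesTLS` are hypothetical; the sample values come from the reproduction config in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// grantSQL is a hypothetical model of building a MySQL 5.7 GRANT statement;
// it is not the provider's code. Sample values are constructed and are not
// escaped here; a real builder must quote identifiers and strings.
// skipNone=false models the reported behaviour: REQUIRE is always appended,
// so the default "NONE" becomes REQUIRE NONE and rewrites the account.
// skipNone=true models option 1: "NONE" adds no REQUIRE clause at all.
func grantSQL(privs []string, on, user, host, tlsOption string, skipNone bool) string {
	stmt := fmt.Sprintf("GRANT %s ON %s TO '%s'@'%s'",
		strings.Join(privs, ", "), on, user, host)
	if tlsOption == "" {
		tlsOption = "NONE" // default of the deprecated mysql_grant.tls_option
	}
	if skipNone && strings.EqualFold(tlsOption, "NONE") {
		return stmt
	}
	return stmt + " REQUIRE " + tlsOption
}

// touchesTLS reports whether a statement rewrites the account's TLS requirement.
func touchesTLS(stmt string) bool {
	return strings.Contains(strings.ToUpper(stmt), " REQUIRE ")
}

func main() {
	privs := []string{"PROCESS", "REPLICATION CLIENT"}
	for _, skip := range []bool{false, true} {
		s := grantSQL(privs, "*.*", "aaaaaaaa", "%", "", skip)
		fmt.Printf("skipNone=%-5v touchesTLS=%-5v %s\n", skip, touchesTLS(s), s)
	}
	// An explicitly set option is still honoured when NONE is skipped.
	fmt.Println(grantSQL(privs, "*.*", "aaaaaaaa", "%", "SSL", true))
}
```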

ajax-mykhailo-oleksiuk commented 1 year ago

Hi @petoju

Thanks for your quick response.

I agree with solution No1.

As for a PR, I'm not sure it will be quick for me because I've never worked with Go before 😞

petoju commented 1 year ago

@ajax-mykhailo-oleksiuk this should fix it after merging: https://github.com/petoju/terraform-provider-mysql/pull/33

ajax-mykhailo-oleksiuk commented 1 year ago

@petoju it works. Thanks!