Closed ajax-mykhailo-oleksiuk closed 1 year ago
You're right - our `tls_option` defaults to `NONE` https://github.com/petoju/terraform-provider-mysql/blob/master/mysql/resource_grant.go#L99 and `NONE` forces grant with `REQUIRE NONE`, that in turn removes SSL requirement.
Options I see:
1. `tls_option=NONE` when creating grant here https://github.com/petoju/terraform-provider-mysql/blob/master/mysql/resource_grant.go#L232 . I believe that's the best solution as people without requirements don't want to change the user. At least that's how I see it.
2. `tls_option`. That would work, but we still need to test what will happen with preexisting resources.
3. `tls_option` to provide `FORCE_NONE` and interpret that as a "real" `NONE`. But that means extending something deprecated and that's why I don't like this.

WDYT? Would you send a PR?
Hi @petoju
Thanks for your quick response.
I agree with solution No1.
What about PR, not sure it will be quick for me because I've never worked with Go before 😞
@ajax-mykhailo-oleksiuk this should fix it after merging: https://github.com/petoju/terraform-provider-mysql/pull/33
@petoju it works. thanks!
Terraform Version
terraform 1.1.7
Affected Resource(s)
Please list the resources as a list, for example:
Expected Behavior
Using `mysql_grant` resource without `tls_option` won't reset `mysql_user.tls_option` to `NONE` value.

Actual Behavior
`mysql_grant` resource without `tls_option` resets `mysql_user.tls_option` to `NONE` value.
After creation of `mysql_grant`, `terraform plan` shows a diff. So to restore SSL on `mysql_user` you need to apply the same terraform again.

Steps to Reproduce
`mysql_user`.
Add a new resource `mysql_grant` and perform `terraform apply`.

```hcl
provider "mysql" {
  endpoint = "localhost:3306"
  username = "root"
  password = "password"
  tls      = "skip-verify"
}

# STEP-1 - create a new user with SSL
resource "mysql_user" "this" {
  user               = "aaaaaaaa"
  host               = "%"
  plaintext_password = "plaintext_password"
  tls_option         = "SSL"
}

# STEP-2 - uncomment & create this new resource.
resource "mysql_grant" "limited_in_all_schemas" {
  user       = mysql_user.this.user
  host       = mysql_user.this.host
  database   = "*"
  privileges = ["PROCESS", "REPLICATION CLIENT"]
}
```
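
A pre-apply check for the downgrade reported in this issue, added here as an example (it is not code from the provider or from the thread). It scans the output of `terraform show -json <planfile>` for a `mysql_grant` planned with `tls_option` `NONE` against an account whose `mysql_user` requires TLS. The helper name `FindTLSDowngrades` is hypothetical, the sample plan is constructed, and it assumes affected provider versions record the `NONE` default on the grant in the plan.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// plan is the subset of `terraform show -json <planfile>` output used here.
type plan struct {
	ResourceChanges []struct {
		Address string `json:"address"`
		Type    string `json:"type"`
		Change  struct {
			After map[string]interface{} `json:"after"`
		} `json:"change"`
	} `json:"resource_changes"`
}

// samplePlan is constructed for this example from the issue's reproduction config.
const samplePlan = `{"resource_changes":[
 {"address":"mysql_user.this","type":"mysql_user","change":{"after":{"user":"aaaaaaaa","host":"%","tls_option":"SSL"}}},
 {"address":"mysql_grant.limited_in_all_schemas","type":"mysql_grant","change":{"after":{"user":"aaaaaaaa","host":"%","tls_option":"NONE"}}}]}`
// FindTLSDowngrades (hypothetical helper) returns addresses of mysql_grant resources
// planned with tls_option NONE for an account whose mysql_user requires TLS.
func FindTLSDowngrades(planJSON []byte) ([]string, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, err
	}
	str := func(m map[string]interface{}, k string) string { s, _ := m[k].(string); return s }
	requiresTLS := map[string]bool{} // key: user@host
	for _, rc := range p.ResourceChanges {
		a := rc.Change.After // nil for destroyed resources; lookups then yield ""
		if opt := str(a, "tls_option"); rc.Type == "mysql_user" && opt != "" && opt != "NONE" {
			requiresTLS[str(a, "user")+"@"+str(a, "host")] = true
		}
	}
	var hits []string
	for _, rc := range p.ResourceChanges {
		a := rc.Change.After
		if rc.Type == "mysql_grant" && str(a, "tls_option") == "NONE" && requiresTLS[str(a, "user")+"@"+str(a, "host")] {
			hits = append(hits, rc.Address)
		}
	}
	return hits, nil
}

func main() {
	fmt.Println(FindTLSDowngrades([]byte(samplePlan)))
}
```

The check only sees accounts managed in the same plan; an account created outside Terraform needs its TLS requirement confirmed on the server after apply.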