petoju / terraform-provider-mysql

Terraform MySQL provider – unofficial fork
https://registry.terraform.io/providers/petoju/mysql
Mozilla Public License 2.0

Grants keep updating in place on every apply #39

Closed vajeen closed 7 months ago

vajeen commented 2 years ago

Terraform Version

Terraform Version = 1.3.0

Affected Resource(s)

Please list the resources as a list, for example:

Terraform Configuration Files

resource "mysql_grant" "core" {
  user = mysql_user.master.user
  host = mysql_user.master.host
  database = mysql_database.core.name
  privileges = ["DELETE", "INSERT", "SELECT", "UPDATE"]
  provider = mysql.core
}

Expected Behavior

Nothing to update

Actual Behavior

Terraform will perform the following actions:
# mysql_grant.core will be updated in-place
  ~ resource "mysql_grant" "public_api_master" {
        id         = "master@172.31.%.%:`core`"
      ~ privileges = [
          + "DELETE",
          + "INSERT",
          + "SELECT",
          + "UPDATE",
        ]
        # (7 unchanged attributes hidden)
    }

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform plan

Every time I run terraform plan, it has an update in place for the user grants with no change.

petoju commented 2 years ago

Which MySQL version and provider version are you using? Can you reproduce it in docker?

vajeen commented 2 years ago

It's connecting to two AWS RDS instances hence the provider = mysql.core in mysql_grant block. Above I just pasted one issue in a mysql_grant for simplicity. Two instances are in mysql 5.7 and mysql 8 and it's happening in both.

petoju commented 2 years ago

@vajeen could you please provide logs from such runs? I don't have RDS and it doesn't seem to be happening in Docker.

Just set TF_LOG=TRACE, TF_LOG_FILE=somefile and run it again. You'll then supply the file, stripped of secrets like credentials. Ideally don't remove those lines, just replace secrets with xxxx or similar.

If you could reproduce it in Docker, then it would be really helpful.

rym-dd commented 1 year ago

Hi, I have the same issue.

When trying to use this provider, some mysql_grant are recreated:

# module.mysql.mysql_grant.imported_users["USER.IP.*.*"] will be created
  + resource "mysql_grant" "imported_users" {
      + database   = "*"
      + grant      = false
      + host       = "IP"
      + id         = (known after apply)
      + privileges = [
          + "USAGE",
        ]
      + table      = "*"
      + tls_option = "SSL"
      + user       = "USER"
    }

When I try the apply, I have this error:

│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to module.mysql.mysql_grant.imported_users["USER.IP.*.*"], provider
│ "provider[\"registry.terraform.io/petoju/mysql\"]" produced an unexpected new value: Root resource was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

MariaDB version: 10.3 on AWS RDS. Terraform version 1.1.6.

petoju commented 1 year ago

@rym-dd would you be able to provide log as described in my comment above?

EDIT: Ah, sorry - you are using privilege "USAGE". That's a pseudo-grant, that's not really supported by this provider as it doesn't grant anything - it's automatic. Maybe we should document that / warn when someone tries to use that.

soar commented 1 year ago

The same for me. I can provide more information, if you need.

petoju commented 1 year ago

@soar please send the log as I described here: https://github.com/petoju/terraform-provider-mysql/issues/39#issuecomment-1261383096 Ideally, get it from the latest version of the provider that has better logging and everything than previous versions.

duerrt commented 1 year ago

I'm experiencing similar problems. The grants complete at the database level but fail within terraform. Think another user pointed out that it seems like the grant information is not in the TF state. I think this is true since TF wants to re-apply the grants on every TF apply. Also, I can't remove any grants I can only add new ones.

I'm attaching a trace log file for TF.

I'm using RDS MySQL Aurora (MySQL 8.0/Aurora 3.0.3). Also using CDKTF on top of TF.

Terraform v1.0.11 on linux_amd64

Here is the output from the apply.

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically use this backend unless the backend configuration changes.

Initializing provider plugins...

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:

Terraform will perform the following actions:

mysql_grant.rdsstoredevuseast1_2023granttestusertest_E1425180 will be created

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:

Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve.

Enter a value: yes

mysql_grant.rdsstoredevuseast1_2023granttestusertest_E1425180: Creating...
╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to mysql_grant.rdsstoredevuseast1_2023granttestusertest_E1425180, provider
│ "provider[\"registry.terraform.io/petoju/mysql\"]" produced an unexpected new value: Root resource was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

User is created in SQL with the grant

mysql> show grants for test_user;
+-------------------------------------------------+
| Grants for test_user@% |
+-------------------------------------------------+
| GRANT USAGE ON *.* TOtest_user@%|
| GRANT SELECT,DELETE ONtest.`. TO test_user@% |
+-------------------------------------------------+
2 rows in set (0.08 sec)

Attaching TF log file

Thanks!

tf_log.txt

petoju commented 1 year ago

@duerrt without lots of investigation, your database should be database = "test", not database = "test.*".

duerrt commented 1 year ago

@petoju Thanks for the quick reply. That fixed my problem. (I feel a little foolish!)

I needed to specify the database and table names separately in each of the Grant params.
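
The two configuration mistakes diagnosed in this thread (a "USAGE" pseudo-grant in privileges, and a table part such as "test.*" placed in database) can be caught before apply by inspecting the plan. The following is an added example, not code from the provider or from any commenter: it assumes the plan has been exported with `terraform show -json`, the function name `lint_mysql_grants` is hypothetical, the sample plan is constructed from the values posted above, and the dot check is a heuristic.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# reduced to the fields used here; values mirror the configurations in the thread.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "mysql_grant.core", "type": "mysql_grant",
         "change": {"actions": ["update"], "after": {
             "database": "core", "table": "*",
             "privileges": ["DELETE", "INSERT", "SELECT", "UPDATE"]}}},
        {"address": "mysql_grant.imported_user", "type": "mysql_grant",
         "change": {"actions": ["create"], "after": {
             "database": "*", "table": "*", "privileges": ["USAGE"]}}},
        {"address": "mysql_grant.test_user", "type": "mysql_grant",
         "change": {"actions": ["create"], "after": {
             "database": "test.*", "table": "*",
             "privileges": ["SELECT", "DELETE"]}}},
        {"address": "mysql_user.test_user", "type": "mysql_user",
         "change": {"actions": ["create"], "after": {"user": "test_user"}}},
    ]
})


def lint_mysql_grants(plan_json: str) -> list[tuple[str, str]]:
    """Return (address, finding) pairs for the two mistakes diagnosed in the thread."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "mysql_grant":
            continue
        # "after" is null when the resource is being destroyed.
        after = (rc.get("change") or {}).get("after") or {}
        privs = {str(p).strip().upper() for p in after.get("privileges") or []}
        database = after.get("database") or ""
        if "USAGE" in privs:
            findings.append((rc["address"],
                             "USAGE is a pseudo-grant; remove it from privileges"))
        # Heuristic: a dot in database usually means "db.table" was put in one field.
        if database != "*" and "." in database:
            findings.append((rc["address"],
                             "database contains a table part; set database and table separately"))
    return findings


if __name__ == "__main__":
    for address, finding in lint_mysql_grants(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```
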