Grants keep updating in place on every apply

[vajeen]

Terraform Version

Terraform Version = 1.3.0

Affected Resource(s)

Please list the resources as a list, for example:

• mysql_grant

Terraform Configuration Files

resource "mysql_grant" "core" {
  user = mysql_user.master.user
  host = mysql_user.master.host
  database = mysql_database.core.name
  privileges = [""DELETE", "INSERT", "SELECT", "UPDATE""]
  provider = mysql.core
}

Expected Behavior

Nothing to update

Actual Behavior

Terraform will perform the following actions:
# mysql_grant.core will be updated in-place
  ~ resource "mysql_grant" "public_api_master" {
        id         = "master@172.31.%.%:`core`"
      ~ privileges = [
          + "DELETE",
          + "INSERT",
          + "SELECT",
          + "UPDATE",
        ]
        # (7 unchanged attributes hidden)
    }

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform plan

Every time I run terraform plan, it has an update in place for the user grants with no change

[petoju]

Which MySQL version and provider version are you using? Can you reproduce it in docker?

[vajeen]

It's connecting to two AWS RDS instances hence the provider = mysql.core in mysql_grant block. Above I just pasted one issue in a mysql_grant for simplicity. Two instances are in mysql 5.7 and mysql 8 and it's happening in both.

[petoju]

@vajeen could you please provide logs from such runs? I don't have RDS and it doesn't seem to be happening in Docker.

Just set TF_LOG=TRACE, TF_LOG_FILE=somefile and run it again. You'll then supply the file, stripped of secrets like credentials. Ideally don't remove those lines, just replace secrets with xxxx or similar.

If you could reproduce it in Docker, then it would be really helpful.

[rym-dd]

Hi, I have the same issue.

When trying to use this provider, some mysql_grant are recreated:

# module.mysql.mysql_grant.imported_users["USER.IP.*.*"] will be created
  + resource "mysql_grant" "imported_users" {
      + database   = "*"
      + grant      = false
      + host       = "IP"
      + id         = (known after apply)
      + privileges = [
          + "USAGE",
        ]
      + table      = "*"
      + tls_option = "SSL"
      + user       = "USER"
    }

When I try the apply, i have this error:

│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to module.mysql.mysql_grant.imported_users["USER.IP.*.*"], provider
│ "provider[\"registry.terraform.io/petoju/mysql\"]" produced an unexpected new value: Root resource was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Mariadb version: 10.3 on AWS rds. Terraform version 1.1.6

[petoju]

@rym-dd would you be able to provide log as described in my comment above?

EDIT: Ah, sorry - you are using privilege "USAGE". That's a pseudo-grant, that's not really supported by this provider as it doesn't grant anything - it's automatic. Maybe we should document that / warn when someone tries to use that.

[soar]

The same for me. I can provide more information, if you need.

[petoju]

@soar please sent the log as I described here: https://github.com/petoju/terraform-provider-mysql/issues/39#issuecomment-1261383096 Ideally, get it from the latest version of the provider that has better logging and everything than previous versions.

[duerrt]

I'm experiencing similar problems. The grants complete at the database level but fail within terraform. Think another user pointed out that it seems like the grant information is not in the TF state. I think this is true since TF wants to re-apply the grants on every TF apply. Also, I can't remove any grants I can only add new ones.

I'm attaching a trace log file for TF.

I'm using RDS mysql Aurora (mysql 8.0/Aurora 3.0.3) Also using CDKTF on top of TF.

Terraform v1.0.11 on linux_amd64

• provider registry.terraform.io/hashicorp/aws v3.76.1
• provider registry.terraform.io/petoju/mysql v3.0.32

Here is the output from the apply.

`Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically use this backend unless the backend configuration changes.

Initializing provider plugins...

• Finding petoju/mysql versions matching "~> 3.0.32"...
• Finding hashicorp/aws versions matching "~> 3.0"...
• Installing hashicorp/aws v3.76.1...
• Installed hashicorp/aws v3.76.1 (signed by HashiCorp)
• Installing petoju/mysql v3.0.32...
• Installed petoju/mysql v3.0.32 (self-signed, key ID 298A405CE1C450D2)

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:

• create

Terraform will perform the following actions:

mysql_grant.rdsstoredevuseast1_2023granttestusertest_E1425180 will be created

• resource "mysql_grant" "rdsstoredevuseast1_2023granttestusertest_E1425180" {
  • database = "test.*"
  • grant = false
  • host = "%"
  • id = (known after apply)
  • privileges = [
    • "DELETE", ]
  • table = "*"
  • tls_option = "NONE"
  • user = "test_user" }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:

• rdsstoredevuseast1_userimportsmysqlUserobjectat0x7fb8c3596bf0_019C4E34 = "mysql_user.rdsstoredevuseast1_2023testuser_EFC6EBE9"
• rdsstoredevuseast1_userimportsmysqlUserobjectat0x7fc3ea4fabc0_6AE53530 = "mysql_user.rdsstoredevuseast1_2023testuser_EFC6EBE9" -> null

Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve.

Enter a value: yes

mysql_grant.rdsstoredevuseast1_2023granttestusertest_E1425180: Creating... ╷ │ Error: Provider produced inconsistent result after apply │ │ When applying changes to mysql_grant.rdsstoredevuseast1_2023granttestusertest_E1425180, provider │ "provider[\"registry.terraform.io/petoju/mysql\"]" produced an unexpected new value: Root resource was present, but now absent. │ │ This is a bug in the provider, which should be reported in the provider's own issue tracker.

`

User is created in SQL with the grant

mysql> show grants for test_user; +-------------------------------------------------+ | Grants for test_user@% | +-------------------------------------------------+ | GRANT USAGE ON *.* TOtest_user@%| | GRANT SELECT,DELETE ONtest.`. TO test_user@% | +-------------------------------------------------+ 2 rows in set (0.08 sec) ` Attaching TF log file Thanks!

tf_log.txt

[petoju]

@duerrt without lots of investigation, your database should be database = "test", not database = "test.*".

[duerrt]

@petoju Thanks for the quick reply. That fixed my problem. (I feel a little foolish!)

I needed to specify the database and table names separately in each of the Grant params.