Mysql grants delete old grants when adding an extra grant

jwtje commented 2 years ago

Hello!

Vote on this issue by adding a 👍 reaction
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already)

Issue details

When adding a grant with pulumi-mysql like this:

mysql.Grant(f"mysql-grant-{username}",
        database="*",
        user=username,
        host="%",
        privileges=[
            "SELECT",
            "INSERT",
            "UPDATE",
            "DELETE",
            "CREATE",
            "ALTER",
            "INDEX",
            "REFERENCES",
            "PROCESS"
        ],
        opts=pulumi.ResourceOptions(provider=mysql_provider, parent=user)
    )

and adding an extra privilege later all the priviliges set before the update will be removed.

Steps to reproduce

create a privilege set see above.
add another privilege to the list.

pulumi output:

pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:prod::accounting::pulumi:pulumi:Stack::accounting-prod]
    > pulumi:pulumi:StackReference: (read)
        [id=buckaroo/prod-v1/prod]
        [urn=urn:pulumi:prod::accounting::pulumi:pulumi:StackReference::buckaroo/prod-v1/prod]
        name: "buckaroo/prod-v1/prod"
        ++mysql:index/grant:Grant: (create-replacement)
            [id=iam_admin@%:*]
            [urn=urn:pulumi:prod::accounting::mysql:index/user:User$mysql:index/grant:Grant::mysql-grant-iam_admin]
            [provider=urn:pulumi:prod::accounting::pulumi:providers:mysql::accounting-prod-rds-root-provider::9efc35f9-e93e-4cf7-8d8b-c53456753faa]
          ~ privileges: [
                [0]: <null>
                [1]: <null>
                [2]: <null>
                [3]: <null>
                [4]: <null>
                [5]: <null>
                [6]: <null>
                [7]: <null>
              + [8]: "PROCESS"
            ]
        +-mysql:index/grant:Grant: (replace)
            [id=iam_admin@%:*]
            [urn=urn:pulumi:prod::accounting::mysql:index/user:User$mysql:index/grant:Grant::mysql-grant-iam_admin]
            [provider=urn:pulumi:prod::accounting::pulumi:providers:mysql::accounting-prod-rds-root-provider::9efc35f9-e93e-4cf7-8d8b-c53456753faa]
          ~ privileges: [
                [0]: <null>
                [1]: <null>
                [2]: <null>
                [3]: <null>
                [4]: <null>
                [5]: <null>
                [6]: <null>
                [7]: <null>
              + [8]: "PROCESS"
            ]
        --outputs:--

Expected: A privilege added but initial privileges intact Actual: old priviliges removed, new privilige added.

leezen commented 2 years ago

@stack72 While not directly related to the bug described above, I wonder if it would make sense to have this provider track https://github.com/winebarrel/terraform-provider-mysql instead? It's continuing to be updated (vs. the current upstream which is in archive mode) and has added functionality such as https://github.com/winebarrel/terraform-provider-mysql/pull/20 to support updating grants vs. having to replace them.

Sefiris commented 2 years ago

👍

Currently we have to work around this by using a opts=ResourceOptions(replace_on_changes=["privileges"]), but i have to hope this is not intended. as it feels ridiculously dirty

pulumi / pulumi-mysql