This repository has been archived by the owner on Jan 12, 2021. It is now read-only.

Unable to set passwords on MariaDB 10.3.7+. #65

Open
DFurnes opened this issue Jan 11, 2019 · 1 comment
DFurnes commented Jan 11, 2019

Terraform Version

Terraform v0.11.11

Affected Resource(s)

  • mysql_user_password

Terraform Configuration Files

provider "mysql" {
  version  = "~> 1.5"
  endpoint = "rds.aaaaaaaaaaaa.us-east-1.rds.amazonaws.com:3306"
  username = "admin"
  password = "secret"
}

resource "mysql_user" "readonly" {
  user = "readonly"
}

resource "mysql_user_password" "readonly" {
  user = "${mysql_user.readonly.user}"
  pgp_key = "${chomp(file("${path.root}/shared/pgp/public.key"))}"
}

resource "mysql_grant" "readonly" {
  user       = "${mysql_user.readonly.user}"
  database   = "${aws_db_instance.database.name}"
  privileges = ["SELECT"]
}

Debug Output

* mysql_user_password.readonly: 1 error(s) occurred:

* mysql_user_password.readonly: Error 1372: Password hash should be a 41-digit hexadecimal number

Panic Output

N/A

Expected Behavior

The generated password for the readonly account should have been set without errors.

Actual Behavior

It wasn't!

The provider checks against @@GLOBAL.innodb_version, which as of MariaDB 10.3.7+ returns the MariaDB version. This means that this check will return false, even though MariaDB is still only MySQL 5.7 compatible, and so needs the PASSWORD() helper.

Because of this, the evaluated SQL looks like this:

SET PASSWORD FOR 'readonly'@'localhost' = "11e65882-ca47-4328-876e-50735457dd51";
# --> Error 1372: Password hash should be a 41-digit hexadecimal number

If we use the MySQL 5.7 compatible version instead, this runs successfully:

SET PASSWORD FOR 'readonly'@'localhost' = PASSWORD("11e65882-ca47-4328-876e-50735457dd51");

Steps to Reproduce

  1. terraform apply

Important Factoids

Running a MariaDB 10.3.8 instance in Amazon RDS.

References

This was originally addressed in #18, until MariaDB changed behavior in 10.3.7.


DFurnes commented Jan 11, 2019

It looks like another possible solution would be to take the approach used in mysql_user, and use ALTER USER … IDENTIFIED BY for versions above MySQL 5.7.6. (See hashicorp/terraform#8230.)
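
An added example (not the provider's code) of the version check discussed in this thread: comparing version numbers alone misclassifies MariaDB 10.3.x as not needing PASSWORD(), while checking the server flavor first keeps the helper. It assumes the input is the `SELECT VERSION()` string and a 5.7.6 cut-off; all function names are hypothetical.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Assumption: 5.7.6 is the cut-off, taken from the version mentioned in the
// issue thread; the provider's own threshold is not shown on the page.
var cutoff = [3]int{5, 7, 6}

// parseVersion reads "10.3.8-MariaDB-log" as {10, 3, 8}; bad parts become 0.
func parseVersion(s string) (v [3]int) {
	core := strings.SplitN(s, "-", 2)[0]
	for i, part := range strings.SplitN(core, ".", 3) {
		v[i], _ = strconv.Atoi(part)
	}
	return v
}

// olderThan reports whether v sorts before want.
func olderThan(v, want [3]int) bool {
	for i := range v {
		if v[i] != want[i] {
			return v[i] < want[i]
		}
	}
	return false
}

// naiveNeedsHelper compares numbers only, as in the behaviour the issue describes.
func naiveNeedsHelper(version string) bool {
	return olderThan(parseVersion(version), cutoff)
}

// needsHelper checks the flavor first. Assumption: the input comes from
// SELECT VERSION(), which contains "MariaDB" on MariaDB servers.
func needsHelper(version string) bool {
	return strings.Contains(strings.ToLower(version), "mariadb") ||
		naiveNeedsHelper(version)
}

func main() {
	for _, v := range []string{"5.6.40", "5.7.21-log", "10.3.8-MariaDB-log"} { // constructed
		fmt.Printf("%-20s naive=%v fixed=%v\n", v, naiveNeedsHelper(v), needsHelper(v))
	}
}
```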
