Resource: postgresql_schema privilege support
#10808
Conversation
|
|
||
| resource "postgresql_role" "app1" { | ||
| name = "app1" | ||
| # depends_on = ["postgresql_schema_policy.foo_allow"] |
There was a problem hiding this comment.
@stack72 e.g. This is what should be required, but only on destroy. ?
|
@sean- The dependency edges in the DAG are dealt with in the opposite order during the destroy phase, so if a This means we don't need to explicitly draw the opposing dependency to deal with the destroy case, and so the need for a cycle is avoided. As long as all of the relevant objects were created by Terraform, Terraform should be able to unwind them all in an appropriate order automatically. A tricky situation is if a role and a policy are created by two separate Terraform configs or the role policy was created manually outside of Terraform. In that case Terraform can't know it needs to delete the policy first because it doesn't know the policy exists. But this is generally desirable behavior because Terraform does its best to guarantee that it will never interfere with a resource it didn't create. It seems like you've already been working with @stack72 on this, so I'll leave him to do a full review but I hope the above info is helpful in answering your question about how to deal with the destroy process. |
|
@apparentlymart Yup, understood. The problem I'm trying to figure out is how to deal with a quirk in PostgreSQL where the create/destroy order of objects is asymmetric. By that I mean: Which in Terraform is written out like: I've been chewing on this a bit and started out thinking I wanted a Which creates a DAG roughly like: But I don't like the aesthetics of that. What I'm going to do instead, and this resolves my own initial question above, is to move forward toward the following: Which I like a lot more. |
|
There's another quirk with PostgreSQL and Terraform: PostgreSQL has its own dependency graph and resolves things just fine on its own! Said differently in Terraform-speak: When you go to drop the Which is correct, but irritating from Terraform's perspective because you have no way of knowing that |
|
@stack72 whenever you're back and have time. The only thing that I'm not happy about with this is the need to individually spell out the policies, one per role. For instance: What I was originally aiming to do was: so that an array of roles could receive the same target permission. Internally this was very problematic because PostgreSQL stores this per-policy. What I attempted to do was flatten the input of a list of roles into synthesized list of policies, however there isn't a delete method that allows for easy rewriting of the resource data. Anyway, for another day. Regardless, PTAL. Thanks in advance! |
issues with cycles when an object is destroyed.
removing a PostgreSQL role. Add manual overrides if this isn't the desired behavior, but it should universally be the desired outcome except when a ROLE name is reused across multiple databases in the same PostgreSQL cluster, in which case the `skip_drop_role` is necessary for all but the last PostgreSQL provider.
It is now possible to begin specifying DCL for schemas.
applied. This is only a problem when the ROLE is removed before the revokation of the schema's policies on the doomed PostgreSQL ROLE. Comment out the tests for now to get unit tests to pass. Using hard-coded values that exist outside of the Terraform unit test work.
sean-
force-pushed
the
f-postgresql-owner
branch
from
4bc264e to
d92a3ca
Compare
string if there is whitespace present. Aesthetics. What can I say.
This restores the original behavior of the initial patch.
sean-
changed the title
postgresql_schema privilege support
@sean- This is a fairly common case where things which are logically subresources are modelled as top level resources. It is also needed to deal with divergence caused by operator intervention - there is a specific operation for |
This commit modifies the GNUmakefile used for starting PostgreSQL for testing purposes to prefer the version installed via Homebrew, followed by the version installed via MacPorts. POSTGRES, PSQL and INITDB may be overriden as Make variables if neither of these package management systems is in use.
| @@ -70,7 +81,7 @@ func (c *Config) NewClient() (*Client, error) { | |||
| func (c *Client) Connect() (*sql.DB, error) { | |||
| db, err := sql.Open("postgres", c.connStr) | |||
| if err != nil { | |||
| return nil, fmt.Errorf("Error connecting to PostgreSQL server: %s", err) | |||
| return nil, fmt.Errorf("Error connecting to PostgreSQL server: %v", err) | |||
There was a problem hiding this comment.
We should switch all of these to use the err wrap.Wrapf pattern as we have been rolling through the rest of the code base.
There was a problem hiding this comment.
There were only two call sites where fmt.Errorf() was still being used. Fixed the remaining two sites.
| @@ -46,7 +46,7 @@ func resourcePostgreSQLDatabase() *schema.Resource { | |||
| Type: schema.TypeString, | |||
| Optional: true, | |||
| Computed: true, | |||
| Description: "The role name of the user who will own the new database", | |||
| Description: "The ROLE name who owns the database", | |||
There was a problem hiding this comment.
s/who/that/ or s/who/which/? "Who" seems unusual for a non-person.
| @@ -8,37 +8,86 @@ description: |- | |||
|
|
|||
| # postgresql\_schema | |||
|
|
|||
| The ``postgresql_schema`` resource creates and manages a schema within a | |||
| PostgreSQL database. | |||
| The ``postgresql_schema`` resource creates and manages a [schema | |||
| * `usage` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA. | ||
| * `usage_with_grant` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA and the ability to GRANT the USAGE privilege to other ROLEs. | ||
|
|
||
| ~> **NOTE on `policy`:** The permissions of a role specified in multiple policy blocks is cumulative. For example, if the same role is specified in two different `policy` each with different permissions (e.g. `create` and `usage_with_grant`, respectively), then the specified role with have both `create` and `usage_with_grant` privileges. | ||
|
|
||
| ## Import Example | ||
|
|
||
| `postgresql_schema` supports importing resources. Supposing the following |
There was a problem hiding this comment.
We usually give the command line to import rather than the configuration code for import examples.
There was a problem hiding this comment.
I started there but added the examples because the import without a config is opaque to new users who want to move to TF. I can remove the import sample if you'd like but think it's a net win for users for the time being. Happy to go either way, however.
There was a problem hiding this comment.
I think we at least need the import command line as well as the example code.
…Mutex. Some of the checks didn't support concurrent updates. This should improve the reliability of the provider.
| * `usage` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA. | ||
| * `usage_with_grant` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA and the ability to GRANT the USAGE privilege to other ROLEs. | ||
|
|
||
| ~> **NOTE on `policy`:** The permissions of a role specified in multiple policy blocks is cumulative. For example, if the same role is specified in two different `policy` each with different permissions (e.g. `create` and `usage_with_grant`, respectively), then the specified role with have both `create` and `usage_with_grant` privileges. | ||
|
|
||
| ## Import Example | ||
|
|
||
| `postgresql_schema` supports importing resources. Supposing the following |
There was a problem hiding this comment.
I think we at least need the import command line as well as the example code.
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
Updates to the PostgreSQL provider.
postgresql_roleto include theskip_drop_roleandskip_reassign_ownedattributes, which are required when deleting a PostgreSQL database where a ROLE is used across multiple database instances within a single PostgreSQL cluster.postgresql_schemaresource to include apolicyblock that allows for setting permissions on a per-schema basis to zero or more roles (one per block).Note: due to the way that locking is handled within PostgreSQL, it is required to run these tests with a parallelism of 1 because concurrent access for updating permissions results in error messages about concurrent updates to system catalogs.