Undocumented Setting Recreating postresql_grant resource

[andydkelly-ig]

Hi there,

Thank you for opening an issue. Please provide the following information:

Terraform Version

0.12.30

Affected Resource(s)

postgresql_grant

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource postgresql_grant "all_privileges" {
  database       = var.postgresDatabaseName
  role           = postgresql_role.postgresDatabaseRole.name
  schema         = postgresql_schema.default.name
  object_type    = "table"
  privileges     = ["ALL"]
}

Expected Behavior

This infra was builat a while ago using Terraform config. There have been no changes to the infrastructure. Running a Plan today should have no changes to make.

Actual Behavior

The resource is going to be recreated due to a new setting being added that isn't in my code and isn't in the docs:

  # module.postgresqlengdev.postgresql_grant.all_privileges must be replaced
-/+ resource "postgresql_grant" "all_privileges" {
        database          = "igxcafe"
      ~ id                = "engdev_igxcafe_engdev_table" -> (known after apply)
        object_type       = "table"
      ~ privileges        = [
          + "ALL",
        ]
        role              = "engdev"
        schema            = "engdev"
      + with_grant_option = false # forces replacement
    }

The option in question is with_grant_option.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply

Important Factoids

Are there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs?

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:

• GH-1234

[anyeone]

I just came here to report this exact issue, you beat me to it :) I'm pinning the previous version until I can spend time testing in a non-critical environment that it won't actually break anything. At a minimum it should be documented with an explanation though.

[benesch]

This looks like a duplicate of #32.

[anyeone]

They are two different issues.
This report is not about the "ALL" privilege turning into a list of the individual privileges in a later diff, which is what #32 is about.

It is about this line showing up in the diff for an unchanged script, which never showed up before this version:

"with_grant_option = false # forces replacement"

with_grant_option is apparently a new undocumented option, we're not explicitly defining it in the resource, and it's trying to force a replacement. Without knowing whether it's going to cause a problem, since its effect isn't documentd (or wasn't at the time of this report anyway, not sure if it is now) it leaves folks uncertain whether it is "safe" or not.

[cyrilgdn]

I'll close this issue in favor of #32

Sorry for unexpected update, we'll try to be careful for future releases.
The option is documented now, we'll not document the behavior between this 2 specific versions as these are old versions now.