fix: ALL implicit privileges equality check #339
Conversation
…mn aswell as for default privilege resource
|
@cyrilgdn any chance you can take a look at that? |
There was a problem hiding this comment.
Hi @talbx,
Thanks for opening this PR and many apologies for the response delay, I didn't have the time to work on this provider.
I like the idea 👍 , it's a simple solution to fix this very old bug. I still need to test what you did though, cf my comment about wanted / granted when you set the value, I'm not sure it works like that.
Thanks for the unittest on the new function 👍
It would be nice to also have acceptance test about that on postgresql_grant resource, there's already many tests in postgresql_grant_test.go
You can have a look at this one for example: https://github.com/cyrilgdn/terraform-provider-postgresql/blob/master/postgresql/resource_postgresql_grant_test.go#L1082-L1140
but let me know if you need help or if you don't have time, I can have a look.
| wanted := d.Get("privileges").(*schema.Set) | ||
| equal := arePrivilegesEqual(granted, wanted, d) | ||
| if !equal { | ||
| return d.Set("privileges", wanted) |
There was a problem hiding this comment.
granted no ? as this function read the state of the database. Otherwise there will never be any diff as you set in the state what's in the state already.
| return d.Set("privileges", wanted) | |
| return d.Set("privileges", granted) |
There was a problem hiding this comment.
I am not quite sure about that. We check whats on the DB...
if the state on the DB does not equal whats requested via terraform, we want to set the privileges that are requested. granted is what we already have. this would then probably also apply to your other comment.
Also, that would be strange because that would be a fundamental bug in the "feature". Since i tested the changes with a database locally and had great success with the former implementation, I would be very much surprised if this was wrong all the way
There was a problem hiding this comment.
the only thing that is weird to me right now is the fact, that I fetch the required privileges from the resourcedata and then put it back there again. this call is quite superflous but still won't hurt.
There was a problem hiding this comment.
we want to set the privileges that are requested. granted is what we already have.
Indeed, but that's not exactly how this function works.
The goal of a resource read function (in this case resourcePostgreSQLGrantRead) is to refresh the Terraform state with the current status of what's in Postgres.
Then Terraform will compare the resource as it's defined in your code with how it is in the state (so in Postgres).
So the goal of this line is to set the privileges as it is in the dabase so it will be compared with what's defined in you resource definition.
Since i tested the changes with a database locally and had great success with the former implementation
It's because you haven't tested all the use cases (if I dare 😅 )
You think you fully fix that because there's no more diff in terraform plan compared to before, but actually there will now never be any diff because you say that the current state in the database is what's defined in your code, so Terraform will always say that everything is already correct.
Easy to demonstrate with this simple code:
resource "postgresql_database" "test" {
name = "test_db"
}
resource "postgresql_role" "test" {
name = "test"
}
resource "postgresql_grant" "db_all" {
database = postgresql_database.test.name
role = postgresql_role.test.name
object_type = "database"
privileges = ["ALL"]
}that you can apply:
terraform apply
Then, you manually remove a permission in Postgres:
$ psql -c "revoke connect ON database test_db from test "
REVOKE
And next terraform plan will not show any diff when it should say that it needs to fix the permissions.
If I rebuild my provider with the suggestion I did above (set granted instead of wanted), if I manually remove a permission from the database, I will have this plan:
$ terraform plan
[...]
Terraform will perform the following actions:
# postgresql_grant.db_all must be replaced
-/+ resource "postgresql_grant" "db_all" {
~ id = "test_test_db_database" -> (known after apply)
~ privileges = [ # forces replacement
- "CREATE",
- "TEMPORARY",
+ "ALL",
]
# (4 unchanged attributes hidden)
}
And once applied, thanks to your fix, there will not be any diff in the next plan.
…egesEqual fn, removed former logging bits, adapted tests
no worries, thanks for checking in again :)
I will give it a shot. |
|
might relate to #303 |
talbx
changed the title
I am still waiting for further feedback by @cyrilgdn; although i am not sure it will resolve your problems, @dzavalkin-scayle since you haven't specified them in detail and also, this PR solely focusses on the implicit "ALL" diff. I haven't tested if this PR fixes other cases aswell. |
Hmm I was under impression that it will fix diff issue entirely, no matter what are the privileges... |
@dzavalkin-scayle can you give me a Terraform snippet to reproduce your problem? i can recheck if its included |
|
@talbx Thanks a lot! Here is the code we have: locals {
default_privileges = merge([
for owner, users in var.rds_postgres_user_default_privileges :
{
for user in users : "${owner}-${user}" => {
owner = owner
user = user
}
}
]...)
}
resource "random_password" "user_password" {
for_each = { for k, v in var.rds_postgres_users : k => v if !lookup(v, "allow_iam_role_access", false) }
length = 42
special = true
numeric = true
lower = true
upper = true
override_special = "!()-_=[]{}"
min_numeric = 3
min_lower = 3
min_upper = 3
}
resource "postgresql_role" "postgres_users" {
for_each = var.rds_postgres_users
name = each.key
login = true
password = lookup(each.value, "allow_iam_role_access", false) ? "" : random_password.user_password[each.key].result
roles = lookup(each.value, "allow_iam_role_access", false) ? ["rds_iam"] : []
}
resource "postgresql_default_privileges" "postgresql_user_default_table_privileges" {
for_each = {
for key, value in local.default_privileges :
key => value
if lookup(var.rds_postgres_users[value.user], "table_privileges", "") != ""
}
database = var.rds_database_name
object_type = "table"
owner = each.value.owner
privileges = split(",", var.rds_postgres_users[each.value.user].table_privileges)
role = each.value.user
schema = "public"
depends_on = [
postgresql_role.postgres_users
]
}
resource "postgresql_default_privileges" "postgresql_user_default_sequence_privileges" {
for_each = {
for key, value in local.default_privileges :
key => value
if lookup(var.rds_postgres_users[value.user], "sequence_privileges", "") != ""
}
database = var.rds_database_name
object_type = "sequence"
owner = each.value.owner
privileges = split(",", var.rds_postgres_users[each.value.user].sequence_privileges)
role = each.value.user
schema = "public"
depends_on = [
postgresql_role.postgres_users
]
}
resource "postgresql_default_privileges" "postgresql_user_default_routine_privileges" {
for_each = {
for key, value in local.default_privileges :
key => value
if lookup(var.rds_postgres_users[value.user], "routine_privileges", "") != ""
}
database = var.rds_database_name
object_type = "function"
owner = each.value.owner
privileges = split(",", var.rds_postgres_users[each.value.user].routine_privileges)
role = each.value.user
schema = "public"
depends_on = [
postgresql_role.postgres_users
]
}
resource "postgresql_grant" "postgresql_user_table_privileges" {
for_each = {
for username, user_settings in var.rds_postgres_users :
username => user_settings
if lookup(user_settings, "table_privileges", "") != ""
}
database = var.rds_database_name
object_type = "table"
privileges = split(",", each.value.table_privileges)
role = each.key
schema = "public"
with_grant_option = lookup(each.value, "grant", false)
depends_on = [
postgresql_role.postgres_users
]
}
resource "postgresql_grant" "postgresql_user_database_privileges" {
for_each = {
for username, user_settings in var.rds_postgres_users :
username => user_settings
if lookup(user_settings, "database_privileges", "") != ""
}
database = var.rds_database_name
object_type = "database"
privileges = split(",", each.value.database_privileges)
role = each.key
with_grant_option = lookup(each.value, "grant", false)
depends_on = [
postgresql_role.postgres_users
]
}
resource "postgresql_grant" "postgresql_user_routine_privileges" {
for_each = {
for username, user_settings in var.rds_postgres_users :
username => user_settings
if lookup(user_settings, "routine_privileges", "") != ""
}
database = var.rds_database_name
role = each.key
object_type = "routine"
schema = "public"
privileges = split(",", each.value["routine_privileges"])
with_grant_option = lookup(each.value, "grant", false)
depends_on = [
postgresql_role.postgres_users
]
}
resource "postgresql_grant" "postgresql_user_schema_privileges" {
for_each = {
for username, user_settings in var.rds_postgres_users :
username => user_settings
if lookup(user_settings, "schema_privileges", "") != ""
}
database = var.rds_database_name
object_type = "schema"
privileges = split(",", each.value["schema_privileges"])
role = each.key
schema = "public"
with_grant_option = lookup(each.value, "grant", false)
depends_on = [
postgresql_role.postgres_users
]
}
resource "postgresql_grant" "postgresql_user_sequence_privileges" {
for_each = {
for username, user_settings in var.rds_postgres_users :
username => user_settings
if lookup(user_settings, "sequence_privileges", "") != ""
}
database = var.rds_database_name
role = each.key
object_type = "sequence"
schema = "public"
privileges = split(",", each.value["sequence_privileges"])
with_grant_option = lookup(each.value, "grant", false)
depends_on = [
postgresql_role.postgres_users
]
}and values for input variables are (passed from Terragrunt): rds_postgres_users = {
app_schema = {
database_privileges = "CONNECT"
grant = true
schema_privileges = "CREATE,USAGE"
routine_privileges = "EXECUTE"
sequence_privileges = "SELECT,UPDATE"
table_privileges = "SELECT,INSERT,UPDATE,DELETE,TRUNCATE,REFERENCES,TRIGGER"
},
app_unrestricted = {
database_privileges = "CONNECT"
routine_privileges = "EXECUTE"
schema_privileges = "USAGE"
sequence_privileges = "SELECT,UPDATE"
table_privileges = "SELECT,INSERT,UPDATE,DELETE,TRIGGER"
},
readonly_user = {
allow_iam_role_access = true
schema_privileges = "USAGE"
sequence_privileges = "SELECT"
table_privileges = "SELECT"
},
rw_user = {
allow_iam_role_access = true
database_privileges = "CONNECT"
routine_privileges = "EXECUTE"
schema_privileges = "USAGE"
sequence_privileges = "SELECT"
table_privileges = "SELECT,UPDATE,INSERT,DELETE,TRIGGER"
}
}
rds_postgres_user_default_privileges = {
app_schema = [
"app_unrestricted",
"readonly_user",
"rw_user",
],
}Please let me know if you can use this code or you want me to simplify it somehow (though in this case we won't test our exact use cases). |
|
@dzavalkin-scayle It would be nice if you could simplify that setup to a minimum so I can test it more easily. Would also appreciate it if you could make it self-contained so I can just copy paste and run. Thanks in advance! |
|
@cyrilgdn can you take another look 👀 |
|
@cyrilgdn just a friendly reminder about this very import PR. |
|
hey @cyrilgdn, are you alive 😅 ? |
cyrilgdn
force-pushed
the
main
branch
2 times, most recently
from
f2c2e47 to
dea1401
Compare
|
friendly reminder to take a look again @cyrilgdn. |
There was a problem hiding this comment.
This PR already celebrated its first birthday 🎂
At 1yo I was still peeing on myself, this is quite young actually 
Joke apart sorry for this huuuge delay again, with my work and personal life I have not much time for this project and each review takes hours 😅
But I still try to come back from time to time to create new releases with community PRs.
Two small comment otherwise it seems good to me 👍
I promise to merge quickly after your fix
hey @cyrilgdn, are you alive 😅 ?
unless I die meanwhile 🤷♂️
I'd be careful with this kind of comment though, you don't know who is behind a nickname and what happen in their personal life 😉
| @@ -45,3 +46,78 @@ func TestQuoteTableName(t *testing.T) { | |||
| }) | |||
| } | |||
| } | |||
|
|
|||
| func TestArePrivilegesEqual(t *testing.T) { | |||
|
|
||
| if !privilegesEqual { | ||
| d.Set("privileges", privilegesSet) | ||
| d.SetId(generateDefaultPrivilegesID(d)) |
There was a problem hiding this comment.
Why the SetId is in the if? It's not the case for postgresql_grant and I think we want to set it in any cases.
Currently this works anyway because the ID is based on fields that recreate the resource if they change so it will never change here, but this is still totally unrelated to privileges
There was a problem hiding this comment.
you are right, this was probably just a slip.
changed this with c35441d
| @@ -1139,6 +1139,83 @@ resource "postgresql_grant" "test" { | |||
| }) | |||
| } | |||
|
|
|||
| func TestAccPostgresqlImplicitGrants(t *testing.T) { | |||
|
@cyrilgdn Can we please get a release soon with this changes? |
|
@talbx @alamin-floenergy This has just been release in https://github.com/cyrilgdn/terraform-provider-postgresql/releases/tag/v1.25.0 |
When using resources
postgresql_default_privilegesorpostgresql_grantyou have the option to define a fine grained set of privileges (for example onlyCONNECTfor object_typedatabase) or all at once, either by setting all privileges (for database:["CREATE", "CONNECT", "TEMPORARY"]or simply["ALL"].The latter one is quite handy, since you do not have to find out which privileges are part of it. When using
ALL, the provider will grant the privileges by using the set of the actual grants, so in this scenario by granting"CREATE", "CONNECT", "TEMPORARY"and notALL. Probably becauseALLis not known to postgres. 🤷🏼♂️Anyways, when executing a
terraform planthe next time after the apply forALL, the diff will find out, that notALLis set as privilege, but"CREATE", "CONNECT", "TEMPORARY". Since these privileges are the same or have the same semantic to it, there shouldn't be really a update each time you use terraform, because the state on the DB is totally fine and according to the resource.To prevent this unnecessary modification, I implemented some more detailed equality check for all
object_types exceptcolumn.I tested the changes locally with a dockerized postgres and also wrote some unit tests for it.
Would love to hear some feedback about it, especially since it's my first time working on a terraform provider..
Cheers
fix #32