azurernm_postgresql_aad_administrator - prevent invalid usernames for…

… the `login` property (#10757) Fixes issue #10726
hashicorp · Mar 10, 2021 · fd1e43b · fd1e43b
1 parent 92700b8
commit fd1e43b
Show file tree

Hide file tree

Showing 5 changed files with 75 additions and 6 deletions.
diff --git a/azurerm/internal/services/postgres/postgresql_aad_administrator_resource.go b/azurerm/internal/services/postgres/postgresql_aad_administrator_resource.go
@@ -13,6 +13,7 @@ import (
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/tf"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/clients"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/postgres/parse"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/postgres/validate"
 	azSchema "github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/tf/schema"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/timeouts"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
@@ -46,8 +47,9 @@ func resourcePostgreSQLAdministrator() *schema.Resource {
 			"resource_group_name": azure.SchemaResourceGroupName(),
 
 			"login": {
-				Type:     schema.TypeString,
-				Required: true,
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: validate.AdminUsernames,
 			},
 
 			"object_id": {

diff --git a/azurerm/internal/services/postgres/postgresql_aad_administrator_resource_test.go b/azurerm/internal/services/postgres/postgresql_aad_administrator_resource_test.go
@@ -79,7 +79,7 @@ func (r PostgreSqlAdministratorResource) Exists(ctx context.Context, clients *cl
 
 	resp, err := clients.Postgres.ServerAdministratorsClient.Get(ctx, id.ResourceGroup, id.ServerName)
 	if err != nil {
-		return nil, fmt.Errorf("reading Postgresql AAD Admnistrator (%s): %+v", id.String(), err)
+		return nil, fmt.Errorf("reading Postgresql AAD Administrator (%s): %+v", id.String(), err)
 	}
 
 	return utils.Bool(resp.ID != nil), nil
@@ -92,7 +92,7 @@ func (r PostgreSqlAdministratorResource) Destroy(ctx context.Context, client *cl
 	}
 
 	if _, err := client.Postgres.ServerAdministratorsClient.Delete(ctx, id.ResourceGroup, id.ServerName); err != nil {
-		return nil, fmt.Errorf("deleting Postgresql AAD Admnistrator (%s): %+v", id.String(), err)
+		return nil, fmt.Errorf("deleting Postgresql AAD Administrator (%s): %+v", id.String(), err)
 	}
 
 	return utils.Bool(true), nil

diff --git a/azurerm/internal/services/postgres/postgresql_server_resource.go b/azurerm/internal/services/postgres/postgresql_server_resource.go
@@ -177,7 +177,7 @@ func resourcePostgreSQLServer() *schema.Resource {
 				Optional:     true,
 				Computed:     true,
 				ForceNew:     true,
-				ValidateFunc: validation.StringIsNotWhiteSpace,
+				ValidateFunc: validation.All(validation.StringIsNotWhiteSpace, validate.AdminUsernames),
 			},
 
 			"administrator_login_password": {
@@ -459,7 +459,6 @@ func resourcePostgreSQLServerCreate(d *schema.ResourceData, meta interface{}) er
 	case postgresql.CreateModeDefault:
 		admin := d.Get("administrator_login").(string)
 		pass := d.Get("administrator_login_password").(string)
-
 		if admin == "" {
 			return fmt.Errorf("`administrator_login` must not be empty when `create_mode` is `default`")
 		}

diff --git a/azurerm/internal/services/postgres/validate/admin_usernames.go b/azurerm/internal/services/postgres/validate/admin_usernames.go
@@ -0,0 +1,20 @@
+package validate
+
+import (
+	"fmt"
+	"strings"
+)
+
+func AdminUsernames(i interface{}, k string) (_ []string, errors []error) {
+	disallowedLogins := [7]string{"azure_superuser", "azure_pg_admin", "admin", "administrator", "root", "guest", "public"}
+	for _, v := range disallowedLogins {
+		if v == strings.ToLower(i.(string)) {
+			return nil, append(errors, fmt.Errorf("Error - PostgreSQL AD Administrator login can not be %q", i.(string)))
+		}
+	}
+	if strings.HasPrefix(strings.ToLower(i.(string)), "pg_") {
+		return nil, append(errors, fmt.Errorf("Error - PostgreSQL AD Administrator login can not start with 'pg_'"))
+	}
+
+	return nil, nil
+}
diff --git a/azurerm/internal/services/postgres/validate/admin_usernames_test.go b/azurerm/internal/services/postgres/validate/admin_usernames_test.go
@@ -0,0 +1,48 @@
+package validate
+
+import (
+	"testing"
+)
+
+func TestValidateAdminUsernames(t *testing.T) {
+	testData := []struct {
+		input    string
+		expected bool
+	}{
+		{
+			// guest
+			input:    "guest",
+			expected: false,
+		},
+		{
+			// basic example
+			input:    "blah",
+			expected: true,
+		},
+		{
+			// contains pg_
+			input:    "pg_blah",
+			expected: false,
+		},
+		{
+			// azure_pg_admin
+			input:    "azure_pg_admin",
+			expected: false,
+		},
+		{
+			// Capitalised example
+			input:    "Azure_superuser",
+			expected: false,
+		},
+	}
+
+	for _, v := range testData {
+		t.Logf("[DEBUG] Testing %q..", v.input)
+
+		_, errors := AdminUsernames(v.input, "name")
+		actual := len(errors) == 0
+		if v.expected != actual {
+			t.Fatalf("Expected %t but got %t", v.expected, actual)
+		}
+	}
+}