1.19.0 replaces postgresql_grant all the time #321
Hello @cyrilgdn, Did you have the opportunity to look at this problem (and the solution implemented in this fork)? I'm currently writing a module to manage users and permissions and this behavior (destroy the grant resource and then re-create it) makes it impracticable to manage high load databases or even medium load but on critical applications. I'm developing my module using I can also confirm that Do you think there is a chance to fix this behavior in a future version? Thanks!
Based on doctolib's fork.
Terraform Version
Terraform v1.5.2.
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
The resource should be updated in-place.
Actual Behavior
The resource is being replaced (destroyed then created).
Steps to Reproduce
Tested on PostgreSQL version 12.
db1
.main.tf
file containing the snippet above. Modify the provider block to point to your local/test PostgreSQL instance.
psql
and change the privileges on the public schema. For example, run
Description of the issue
It looks like with version 1.19.0 (and more specifically this PR #135), the postgresql_grant resource gets re-created when there is a change.
Replacing the resource is not a good idea because the "destroy/create" operations are completely separate. i.e. they are not atomic which means (given the example in the "Steps to Reproduce" section above) for a short moment between the 2 operations the public role loses access to the public schema. If for any reason Terraform fails midway or it gets interrupted, users will end up not being able to access the objects in the public schema.
This is what happens in the PostgreSQL log:
As you can see they are done in 2 different transactions.
This gets even worse if there is a create_before_destroy lifecycle defined, as the resource will be replaced in reverse order! It gets created (privileges are granted) and then destroyed (revoking everything on the public schema from the public role). The apply looks like this:
And here is what you see in the PostgreSQL log (notice REVOKE ALL... is being executed last):
This caused an outage for us recently!
The behaviour was different with version 1.18.0. The resource was updated in-place. If we pin the 1.18.0 version we get this apply output:
and you see this in the PostgreSQL log:
The old behaviour should be restored where the resource gets updated in-place as the revoke and grant are done in the same transaction as shown in the log above and as noted here:
https://github.com/cyrilgdn/terraform-provider-postgresql/blob/v1.19.0/postgresql/resource_postgresql_grant.go#L188-L189
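A pre-apply guard for the failure described in this issue, as an added example that is not part of the original issue or the provider's code: it reads the JSON produced by `terraform show -json` on a saved plan and flags every `postgresql_grant` the plan would replace rather than update in-place. The sample plan and all resource addresses in it are constructed for illustration.

```python
import json
import sys

GRANT_TYPE = "postgresql_grant"

# Constructed sample shaped like `terraform show -json <planfile>` output.
# All resource addresses are made up for illustration.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "postgresql_grant.public_schema", "type": GRANT_TYPE,
         "change": {"actions": ["delete", "create"]}},
        {"address": "postgresql_grant.with_cbd", "type": GRANT_TYPE,
         "change": {"actions": ["create", "delete"]}},
        {"address": "postgresql_grant.in_place", "type": GRANT_TYPE,
         "change": {"actions": ["update"]}},
        {"address": "postgresql_role.app", "type": "postgresql_role",
         "change": {"actions": ["delete", "create"]}},
    ]
}

# Terraform encodes a replacement as a two-element action list; the order
# tells us whether create_before_destroy is in effect.
RISKS = {
    ("delete", "create"): "replace: privileges absent between REVOKE and GRANT",
    ("create", "delete"): "create_before_destroy replace: REVOKE runs last",
}

def risky_grant_changes(plan):
    """Return (address, risk) for each postgresql_grant the plan would replace."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != GRANT_TYPE:
            continue
        actions = tuple(rc.get("change", {}).get("actions", []))
        if actions in RISKS:
            findings.append((rc["address"], RISKS[actions]))
    return findings

if __name__ == "__main__":
    # With a path argument, check a real plan JSON; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    found = risky_grant_changes(plan)
    for address, risk in found:
        print(f"{address}: {risk}")
    sys.exit(1 if found else 0)
```

Run it in CI between `terraform plan -out` and `terraform apply`; a non-zero exit means at least one grant would pass through a revoke and a grant in separate transactions.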