Provider is using up all PG connections and erroring out the plan

[mltsy]

Terraform Version

Terraform v0.13.0-beta2

• provider registry.terraform.io/terraform-providers/postgresql v1.6.0

Affected Resource(s)

Various postgresql resources... usually gets stuck on a postgresql_role

Terraform Configuration Files

This is the main roles module we use, which is instantiated for each database on each server (so about 15 times or so per plan/apply)

# The Schema Admin role (for each database) is specifically a way to allow other users permission to alter
# tables in the given database, which, currently, are all owned by 'postgres'.
resource "postgresql_role" "schema_admins" {
  for_each = var.databases

  name = "ss_${each.key}_schema_admins"
  inherit = false
  roles = ["postgres"]
}

# The Admin Role (for each database) grants read and write access to all tables in the public schema of the given database
resource "postgresql_role" "admins" {
  for_each = var.databases

  name = "ss_${each.key}_admins"
}

# The Reader Role (for each database) grands read-only access to all tables in the public schema of the given database
resource "postgresql_role" "readers" {
  for_each = var.databases

  name = "ss_${each.key}_readers"
}

# Grants Section (enables the access described above)

resource "postgresql_grant" "admin_tables" {
  for_each = var.databases

  database    = each.value
  role        = postgresql_role.admins[each.key].name
  schema      = "public"
  object_type = "table"
  privileges  = ["SELECT", "INSERT", "DELETE", "UPDATE"]
}

resource "postgresql_grant" "admin_sequences" {
  for_each = var.databases
  
  database    = each.value
  role        = postgresql_role.admins[each.key].name
  schema      = "public"
  object_type = "sequence"
  privileges  = ["USAGE", "SELECT", "UPDATE"]
}

resource "postgresql_grant" "read_tables" {
  for_each = var.databases
  
  database    = each.value
  role        = postgresql_role.readers[each.key].name
  schema      = "public"
  object_type = "table"
  privileges  = ["SELECT"]
}

# This section defines default privileges for the 'postgres' user, so that admins and readers have access
# to read/write any new tables/sequences created by the 'postgres' user

resource "postgresql_default_privileges" "root_admin_tables" {
  for_each = var.databases
  
  database    = each.value
  role        = postgresql_role.admins[each.key].name
  schema      = "public"
  owner       = var.username
  object_type = "table"
  privileges  = ["SELECT", "INSERT", "DELETE", "UPDATE"]
}

resource "postgresql_default_privileges" "root_admin_sequences" {
  for_each = var.databases
  
  database    = each.value
  role        = postgresql_role.admins[each.key].name
  schema      = "public"
  owner       = var.username
  object_type = "sequence"
  privileges  = ["SELECT", "UPDATE", "USAGE"]
}

resource "postgresql_default_privileges" "root_read_tables" {
  for_each = var.databases
  
  database    = each.value
  role        = postgresql_role.readers[each.key].name
  schema      = "public"
  owner       = var.username
  object_type = "table"
  privileges  = ["SELECT"]
}

And then we also have some individual resources that look like this:

resource "postgresql_role" "ss_dbs_user" {
  provider = postgresql.ss_dbs
  for_each = local.permissions.ss_dbs
  
  name     = local.users[each.key].username
  login    = true
  password = local.users[each.key].password
  roles    = each.value
}

Debug Output

https://gist.githubusercontent.com/mltsy/86ae6c5d3361d398b13f58fa433dd458/raw/89a96df95893337b8dfe031dd30fc6da7acd4dfe/tfdebug.log

Expected Behavior

It should connect to all my databases in an efficient, logical way, without using up all the connections

Actual Behavior

It seems like it failed to finish the plan due to some error from the database saying that all remaining connections are reserved for superuser accounts.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. `cloud_sql_proxy -instances=...=tcp:5404 # setup cloud_sql_proxy for databases
2. terraform plan

Important Factoids

We're running the database on Google Cloud, and have to connect through cloud_sql_proxy (which I always start locally before running terraform)

References

None that I know of