This repository has been archived by the owner on Nov 14, 2020. It is now read-only.

Postgresql provider always triggers change when privileges = "ALL" #166

Open
jonasneves opened this issue Jul 31, 2020 · 2 comments

@jonasneves

Terraform Version

Terraform v0.12.29
+ provider.postgresql v1.7.1

Affected Resource(s)

Please list the resources as a list, for example:

  • postgresql_grant

Terraform Configuration Files

provider "postgresql" {
  host            = "xxxxx.us-east-1.rds.amazonaws.com"
  port            = "5432"
  username        = "master"
  password        = "xxxxx"
  sslmode         = "require"
  connect_timeout = 15
  superuser       = false
}

resource "postgresql_grant" "this" {
  database    = "somedb"
  object_type = "table"
  privileges = [
    "ALL",
  ]
  role              = "someuser"
  schema            = "public"
  with_grant_option = true
}

Expected Behavior

Since the grant was applied previously, I would be expecting the following output:

No changes. Infrastructure is up-to-date.

Actual Behavior

It tries to apply the privileges again:

Terraform will perform the following actions:

  # postgresql_grant.this will be updated in-place
  ~ resource "postgresql_grant" "this" {
        database          = "somedb"
        id                = "someuser_somedb_public_table"
        object_type       = "table"
      ~ privileges        = [
          + "ALL",
        ]
        role              = "someuser"
        schema            = "public"
        with_grant_option = true
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

  1. terraform apply

@planetjones

We have the same issue when object_type = database and privileges = ["ALL"]

Without an existing state file it works fine. But when there is an existing state file it tries to add ALL again. But this causes:

REVOKE ALL PRIVILEGES ON DATABASE ....

to be executed, which fails because there are dependent privileges.

The official documentation does not say this provider supports "ALL". If that's the case I think it should be explicitly stated in the documentation.

If the provider shall support "ALL" then I believe Terraform will need to know what independent privileges form "ALL" so it knows there has been no change to the state, when it looks at what the actual state in PostgreSQL is.

@mltsy
mltsy commented Aug 7, 2020

I've noticed this as well.

You can, of course, work around this by specifying all specific privileges you want to grant (INSERT, SELECT, UPDATE, DELETE, ...?) for now. But I agree with @planetjones - should either be fixed or documented and made invalid.
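
The comparison the comments above call for, as an added example (not the provider's code and not written by anyone in this thread): expand "ALL" into the explicit privileges for the object type before diffing the configuration against what the database reports. The function names `normalize` and `hasDrift` are hypothetical, the expansion table follows the PostgreSQL GRANT documentation for tables and databases only, and the sample privileges in `main` are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// What ALL expands to per object type, from the PostgreSQL GRANT documentation.
// Only the two object types mentioned in this thread are covered.
var allPrivileges = map[string][]string{
	"table":    {"SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER"},
	"database": {"CREATE", "CONNECT", "TEMPORARY"},
}

// normalize upper-cases, de-duplicates and sorts a privilege list, replacing
// "ALL" with the explicit privileges for objectType. For an object type with
// no known expansion, "ALL" is kept literally.
func normalize(objectType string, privs []string) []string {
	set := map[string]bool{}
	for _, p := range privs {
		p = strings.ToUpper(strings.TrimSpace(p))
		expanded, known := allPrivileges[objectType]
		if p != "ALL" || !known {
			set[p] = true
			continue
		}
		for _, e := range expanded {
			set[e] = true
		}
	}
	out := make([]string, 0, len(set))
	for p := range set {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// hasDrift reports whether the configured privileges differ from the ones
// read back from the database once both sides are normalized.
func hasDrift(objectType string, configured, actual []string) bool {
	c, a := normalize(objectType, configured), normalize(objectType, actual)
	return strings.Join(c, ",") != strings.Join(a, ",")
}

func main() {
	// Constructed sample: privileges as they might be read back for a table.
	actual := []string{"SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER"}
	fmt.Println("ALL vs full set drifts:", hasDrift("table", []string{"ALL"}, actual))
	fmt.Println("ALL vs partial set drifts:", hasDrift("table", []string{"ALL"}, actual[:4]))
}
```

With this normalization a role that really holds every table privilege compares equal to "ALL", while a role missing any of them still shows up as a change.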
