terraform-provider-postgresql
Document using `postgresql_grant_role` instead of `postgresql_role` to create a superuser for rds
Terraform Version
Terraform 1.0.4
Affected Resource(s)
Please list the resources as a list, for example:
- postgresql_grant
- postgresql_grant_role
Terraform Configuration Files
This block returns `ERROR: must be superuser to create superusers`
```hcl
resource "postgresql_role" "default" {
  name      = "service"
  password  = "service"
  login     = true
  superuser = true
}
```
This works.
```hcl
resource "postgresql_role" "default" {
  name      = "service"
  password  = "service"
  login     = true
  superuser = false
}

resource "postgresql_grant_role" "default" {
  role              = postgresql_role.default.name
  grant_role        = "rds_superuser"
  with_admin_option = false
}
```
Debug Output
N/A
Panic Output
N/A
Important Factoids
N/A
References
- https://aws.amazon.com/premiumsupport/knowledge-center/rds-aurora-postgresql-clone-master-user/
- https://serverfault.com/questions/661661/why-cant-i-create-a-superuser-in-aws-postgresql-instance
Hi @nitrocode,
Thanks for opening this issue. We could indeed document how to manage RDS "superuser".
Note that you can simply write:
```hcl
resource "postgresql_role" "default" {
  name     = "service"
  password = "service"
  login    = true
  roles = [
    "rds_superuser",
  ]
}
```
The `postgresql_grant_role` resource is more for granting a role to a user you are not managing with Terraform (e.g. `postgres`) or that is not in the same state.
Please also note that you are not creating a real Postgres superuser. RDS does not allow creating a SUPERUSER role; even the existing `postgres` user (or whatever name you chose for the admin user at instance creation) is not a real superuser. It's just a role with many administration privileges (the real superuser is `rdsadmin`).
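To check the distinction described above on an instance, the following query (an added example, not part of the original thread or the provider's code) lists every role that reaches `rds_superuser` directly or through nested membership, next to its `rolsuper` attribute. It assumes an RDS PostgreSQL instance where the `rds_superuser` role exists; the column aliases are illustrative.

```sql
-- Audit: which roles hold rds_superuser, and is any of them a true superuser?
-- Assumption: run on RDS/Aurora PostgreSQL, where the rds_superuser role exists.
WITH RECURSIVE chain AS (
    -- Direct members of rds_superuser
    SELECT m.member,
           m.admin_option,              -- matches with_admin_option in Terraform
           1 AS depth,
           g.rolname::text AS path
    FROM pg_auth_members m
    JOIN pg_roles g ON g.oid = m.roleid
    WHERE g.rolname = 'rds_superuser'
  UNION ALL
    -- Roles that inherit it through membership in an intermediate role.
    -- PostgreSQL rejects circular role membership, so this terminates.
    SELECT m.member,
           m.admin_option,              -- admin option on the intermediate grant
           c.depth + 1,
           c.path || ' <- ' || via.rolname
    FROM chain c
    JOIN pg_auth_members m ON m.roleid = c.member
    JOIN pg_roles via ON via.oid = c.member
)
SELECT r.rolname,
       r.rolcanlogin,
       r.rolsuper,                      -- the attribute a real superuser carries
       r.rolcreaterole,
       r.rolcreatedb,
       c.admin_option,
       c.depth,
       c.path || ' <- ' || r.rolname AS granted_via
FROM chain c
JOIN pg_roles r ON r.oid = c.member
ORDER BY c.depth, r.rolname;
```

Rows with `admin_option` set can grant the membership onward, and rows with `depth` greater than 1 hold the privilege indirectly, so both are worth reviewing against what the Terraform state declares.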
Is it possible to ignore_lifecycle for roles? It's useful to be able to loop over a list of roles and add their membership to another role.