terraform-provider-postgresql icon indicating copy to clipboard operation
terraform-provider-postgresql copied to clipboard

Published 20 hours ago verified publisher icon cyrilgdn

Create database using indirect role membership is producing error

Open RamBNarayanan opened this issue 10 months ago • 0 comments

Hi,

I am trying to create a database using an IAM based service account user. But in the provider i am using a Built-In user as there is no easy way to pass the password of the IAM based service account there. Normally when I try to do this, IAM user gets added into the Built-In user role, then the built in user role become of user type IAM, which creates an error. So based on the documentation I try to give the IAM user indirect role membership to the provider user. that is giving the below error.

provider "postgresql" {
  host            = "alloydb-instance-poc.eu.dev.private.company"
  port            = 5432
  database        = "postgres"
  username        = "companyadmin"
  password        = "postgres"
  superuser       = false 
  sslmode         = "require"
  connect_timeout = 15
}


resource "google_alloydb_user" "service_user2" {
  cluster = google_alloydb_cluster.cluster.name
  database_roles = [
    "alloydbiamuser",
  ]
  user_id   = trimsuffix(module.dotnet_service_service_account_migrations.email, ".gserviceaccount.com")
  user_type = "ALLOYDB_IAM_USER"
  depends_on = [ google_alloydb_instance.instance ]
}

resource "postgresql_role" "dbcreate" {
  name     = "dbcreate"
  login    = true
  lifecycle {
    ignore_changes = [
      roles,
    ]
  }
}


resource "postgresql_grant_role" "grant_companyadmin" {
  role              = postgresql_role.dbcreate.name
  grant_role        = "companyadmin"
  with_admin_option = true
}

resource "postgresql_grant_role" "grant_dbcreate_to_migrate" {
  role              = "[email protected]"
  grant_role        = postgresql_role.dbcreate.name
  with_admin_option = true
}



resource "postgresql_database" "database0" {
  name                   = "example"
  owner                  = "[email protected]"
  template               = "template0"
  lc_collate             = "C"
  connection_limit       = -1
  allow_connections      = true
  alter_object_ownership = true
}

The error:

16:57:57.491 INFO   Terragrunt Cache server stopped
16:57:57.491 ERROR  error occurred:

* Failed to execute "terraform apply" in ./.terragrunt-cache/SApfNpFWjt2No5dGYpjr2o3htfI/Db-3prqQH8-oojtnqEKvvnaVFfc/database-poc-service
  ╷
  │ Error: Error granting role [email protected] to companyadmin: pq: role "[email protected]" is a member of role "companyadmin"
  │ 
  │   with postgresql_database.database0,
  │   on alloydb.tf line 122, in resource "postgresql_database" "database0":
  │  122: resource "postgresql_database" "database0" {
  │ 
  ╵
  
  exit status 1

I assume the provider is trying to add the owner of the DB to the provider role again.

Please help.

RamBNarayanan avatar Jan 27 '25 17:01 RamBNarayanan