terraform-provider-postgresql icon indicating copy to clipboard operation
terraform-provider-postgresql copied to clipboard

Published 20 hours ago verified publisher icon cyrilgdn

Undocumented Setting Recreating postresql_grant resource

Open andydkelly-ig opened this issue 4 years ago • 3 comments

Hi there,

Thank you for opening an issue. Please provide the following information:

Terraform Version

0.12.30

Affected Resource(s)

postgresql_grant

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource postgresql_grant "all_privileges" {
  database       = var.postgresDatabaseName
  role           = postgresql_role.postgresDatabaseRole.name
  schema         = postgresql_schema.default.name
  object_type    = "table"
  privileges     = ["ALL"]
}

Expected Behavior

This infra was builat a while ago using Terraform config. There have been no changes to the infrastructure. Running a Plan today should have no changes to make.

Actual Behavior

The resource is going to be recreated due to a new setting being added that isn't in my code and isn't in the docs:

  # module.postgresqlengdev.postgresql_grant.all_privileges must be replaced
-/+ resource "postgresql_grant" "all_privileges" {
        database          = "igxcafe"
      ~ id                = "engdev_igxcafe_engdev_table" -> (known after apply)
        object_type       = "table"
      ~ privileges        = [
          + "ALL",
        ]
        role              = "engdev"
        schema            = "engdev"
      + with_grant_option = false # forces replacement
    }

The option in question is with_grant_option.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

Important Factoids

Are there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs?

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:

  • GH-1234

andydkelly-ig avatar Mar 29 '21 11:03 andydkelly-ig

I just came here to report this exact issue, you beat me to it :) I'm pinning the previous version until I can spend time testing in a non-critical environment that it won't actually break anything. At a minimum it should be documented with an explanation though.

anyeone avatar Apr 09 '21 16:04 anyeone

This looks like a duplicate of #32.

benesch avatar Jul 18 '21 16:07 benesch

They are two different issues. This report is not about the "ALL" privilege turning into a list of the individual privileges in a later diff, which is what #32 is about.

It is about this line showing up in the diff for an unchanged script, which never showed up before this version:

"with_grant_option = false # forces replacement"

with_grant_option is apparently a new undocumented option, we're not explicitly defining it in the resource, and it's trying to force a replacement. Without knowing whether it's going to cause a problem, since its effect isn't documentd (or wasn't at the time of this report anyway, not sure if it is now) it leaves folks uncertain whether it is "safe" or not.

anyeone avatar Jul 19 '21 01:07 anyeone

I'll close this issue in favor of #32

Sorry for unexpected update, we'll try to be careful for future releases. The option is documented now, we'll not document the behavior between this 2 specific versions as these are old versions now.

cyrilgdn avatar Jul 16 '23 08:07 cyrilgdn