
Postgresql provider always triggers change when privileges = "ALL"

Open jonasdoneves opened this issue 5 years ago • 2 comments

Terraform Version

Terraform v0.12.29
+ provider.postgresql v1.7.1

Affected Resource(s)

Please list the resources as a list, for example:

  • postgresql_grant

Terraform Configuration Files

provider "postgresql" {
  host            = "xxxxx.us-east-1.rds.amazonaws.com"
  port            = "5432"
  username        = "master"
  password        = "xxxxx"
  sslmode         = "require"
  connect_timeout = 15
  superuser       = false
}

resource "postgresql_grant" "this" {
  database    = "somedb"
  object_type = "table"
  privileges = [
    "ALL",
  ]
  role              = "someuser"
  schema            = "public"
  with_grant_option = true
}

Expected Behavior

Since the grant was applied previously, I would be expecting the following output:

No changes. Infrastructure is up-to-date.

Actual Behavior

It tries to apply the privileges again:

Terraform will perform the following actions:

  # postgresql_grant.this will be updated in-place
  ~ resource "postgresql_grant" "this" {
        database          = "somedb"
        id                = "someuser_somedb_public_table"
        object_type       = "table"
      ~ privileges        = [
          + "ALL",
        ]
        role              = "someuser"
        schema            = "public"
        with_grant_option = true
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

  1. terraform apply

jonasdoneves • Jul 31 '20 19:07

We have the same issue when object_type = database and privileges = ["ALL"]

Without an existing state file it works fine. But when there is an existing state file it tries to add ALL again. But this causes:

REVOKE ALL PRIVILEGES ON DATABASE ....

to be executed, which fails because there are dependent privileges.

The official documentation does not say this provider supports "ALL". If that's the case I think it should be explicitly stated in the documentation.

If the provider shall support "ALL" then I believe terraform will need to know what independent privileges form "ALL" so it knows there has been no change to the state, when it looks at what the actual state in PostgreSQL is.

planetjones • Aug 04 '20 14:08

I've noticed this as well.

You can, of course, work around this by specifying all specific privileges you want to grant (INSERT, SELECT, UPDATE, DELETE, ...?) for now. But I agree with @planetjones - should either be fixed or documented and made invalid.

mltsy • Aug 07 '20 18:08
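The comparison the thread asks for, as an added example in Go (the provider's language); this is not the provider's code. It expands "ALL" into the individual privileges for the object type before comparing the configuration with what the database reports. The names `allPrivileges`, `expand` and `hasDrift` are hypothetical, and the privilege lists are assumed to be the PostgreSQL 12 ones.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// allPrivileges: what "ALL" stands for, per object type. Assumption: these are
// the PostgreSQL 12 lists; they are version-dependent.
var allPrivileges = map[string][]string{
	"table":    {"SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER"},
	"database": {"CREATE", "CONNECT", "TEMPORARY"},
}

// expand upper-cases and de-duplicates privs, replaces "ALL" with the concrete
// privileges for objectType (kept as a literal if unknown), and sorts the result.
func expand(objectType string, privs []string) []string {
	set := map[string]bool{}
	for _, p := range privs {
		p = strings.ToUpper(strings.TrimSpace(p))
		all, known := allPrivileges[objectType]
		if p != "ALL" || !known {
			set[p] = true
			continue
		}
		for _, a := range all {
			set[a] = true
		}
	}
	out := make([]string, 0, len(set))
	for p := range set {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// hasDrift reports whether configured and actual differ after normalization.
func hasDrift(objectType string, configured, actual []string) bool {
	return strings.Join(expand(objectType, configured), ",") !=
		strings.Join(expand(objectType, actual), ",")
}

func main() {
	// Constructed sample: privileges read back after GRANT ALL on a table.
	actual := []string{"DELETE", "INSERT", "REFERENCES", "SELECT", "TRIGGER", "TRUNCATE", "UPDATE"}
	fmt.Println("normalized drift:", hasDrift("table", []string{"ALL"}, actual))
}
```

With both sides normalized, a role that really holds every table privilege shows no drift, while a role missing one of them still does, so an over-broad or incomplete grant is not hidden by the comparison.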