
Support for the "columns" argument in "mysql_grant"

maxmansonkiv opened this issue 7 months ago • 2 comments

The mysql_grant resource has a table argument but lacks a "columns" argument. See the column_list parameter in the MySQL GRANT statement: https://dev.mysql.com/doc/refman/8.4/en/grant.html

For comparison, the PostgreSQL provider for Terraform has support for the "columns" argument: https://registry.terraform.io/providers/cyrilgdn/postgresql/latest/docs/resources/postgresql_grant

Please consider implementing the "columns" parameter for the mysql_grant resource.

maxmansonkiv avatar Apr 15 '25 12:04 maxmansonkiv

@max-manson column_list is supported - it's just not using a columns field. This is a deliberate decision because of the way we represent grants.

You can specify it as SELECT(column1, column2) inside privileges field.

We see it as follows: MySQL has multiple "grant levels" - global (GRANT ... ON *.* TO ...), database-level (GRANT ... ON db.* TO ...) and table-level (GRANT ... ON db.table TO ...).

My idea - different from other MySQL/Postgres providers - is that we should have only one grant resource per existing grant on one "grant level". This is to have some unification in our terraform, where if you see user john having only SELECT permissions in one mysql_grant, john cannot have INSERT permissions elsewhere. This makes reading and auditing a bit easier. It also makes it easier to maintain - because john sometimes copied mysql_grant from alice and created a new one with ["SELECT", "INSERT"]; that granted him more permissions, but deleting the old grant removed his SELECT permissions, which led to confusion.

Now let's take the example with ["SELECT", "INSERT"]. We had some cases where it should be ["SELECT(id, something_public)", "INSERT(id, something_public, something_secret)"]. We cannot represent that with columns together with the idea mentioned in the previous paragraph.

If you want to document that, feel free to.

petoju avatar Apr 15 '25 17:04 petoju
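Worked example of the approach the maintainer describes above: one table-level mysql_grant per user, with the column list written inside each privilege string. This is an added example, not configuration from the issue or from the provider's own documentation. It assumes the provider's registry source is petoju/mysql and that mysql_grant accepts the user, host, database, table and privileges arguments; the reporting_ro user, the app.customers table and its column names are constructed for illustration.

```hcl
terraform {
  required_providers {
    mysql = {
      # Assumed registry source for petoju/terraform-provider-mysql.
      source = "petoju/mysql"
    }
  }
}

# Least-privilege reporting account (constructed example): a single
# table-level grant carries every privilege reporting_ro has on
# app.customers, so an auditor reading this one resource sees the
# complete picture. Column lists go inside the privilege strings;
# there is no separate "columns" argument.
resource "mysql_grant" "reporting_customers" {
  user     = "reporting_ro"
  host     = "10.0.0.%"
  database = "app"
  table    = "customers"

  privileges = [
    # Read access limited to two non-sensitive columns.
    "SELECT(customer_ref, something_public)",
    # Inserts may populate the secret column, but it is never readable.
    "INSERT(customer_ref, something_public, something_secret)",
  ]
}

# Anti-pattern (kept commented out on purpose): a second mysql_grant for the
# same user/host/database/table would be a second resource on the same grant
# level. Removing either one later tears down privileges the other resource
# never declared, which is exactly the confusion described in the thread.
#
# resource "mysql_grant" "reporting_customers_extra" {
#   user       = "reporting_ro"
#   host       = "10.0.0.%"
#   database   = "app"
#   table      = "customers"
#   privileges = ["UPDATE(something_public)"]
# }
```

After `terraform apply`, confirm the effective privileges from the database side with `SHOW GRANTS FOR 'reporting_ro'@'10.0.0.%';` and check that the column lists in the output match the privilege strings declared here; a column-level grant that appears with a different column set than the one in state is the signal that something outside Terraform has modified the account.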

Thank you for your prompt reply! I will make use of this feature and then submit a pull request to document it. Sorry for using my second account in the initial message of this issue report.

maximmasiutin avatar Apr 15 '25 19:04 maximmasiutin

Thank you very much! In your example, you gave "id", which can be a column name that does not work. I described the issues at https://github.com/petoju/terraform-provider-mysql/issues/219 and proposed a fix in https://github.com/petoju/terraform-provider-mysql/issues/222

maximmasiutin avatar Apr 22 '25 15:04 maximmasiutin

Please consider this issue closed.

maximmasiutin avatar Apr 22 '25 17:04 maximmasiutin