Create new resource: postgresql_grant

This resource allow to grant privileges on all existing tables or sequences
for a specified role in a specified schema.

CHANGELOG.md

@@ -5,6 +5,10 @@ BUG FIXES:
 * Parse Azure PostgreSQL version
   ([#40](https://github.com/terraform-providers/terraform-provider-postgresql/pull/40))
 
+FEATURES:
+
+* New resource: postgresql_grant. This resource allows to grant privileges on all existing tables or sequences for a specified role in a specified schema.
+
 ## 0.1.2 (July 06, 2018)
 
 FEATURES:

postgresql/config.go

@@ -64,7 +64,6 @@ var (
 type Config struct {
 	Host              string
 	Port              int
-	Database          string
 	Username          string
 	Password          string
 	SSLMode           string
@@ -80,6 +79,8 @@ type Client struct {
 	// Configuration for the client
 	config Config
 
+	databaseName string
+
 	// db is a pointer to the DB connection.  Callers are responsible for
 	// releasing their connections.
 	db *sql.DB
@@ -96,21 +97,23 @@ type Client struct {
 	catalogLock sync.RWMutex
 }
 
-// NewClient returns new client config
-func (c *Config) NewClient() (*Client, error) {
+// NewClient returns client config for the specified database.
+func (c *Config) NewClient(database string) (*Client, error) {
 	dbRegistryLock.Lock()
 	defer dbRegistryLock.Unlock()
 
-	dsn := c.connStr()
+	dsn := c.connStr(database)
 	dbEntry, found := dbRegistry[dsn]
 	if !found {
 		db, err := sql.Open("postgres", dsn)
 		if err != nil {
 			return nil, errwrap.Wrapf("Error connecting to PostgreSQL server: {{err}}", err)
 		}
 
-		// only one connection
-		db.SetMaxIdleConns(1)
+		// We don't want to retain connection
+		// So when we connect on a specific database which might be managed by terraform,
+		// we don't keep opened connection in case of the db has to be dopped in the plan.
+		db.SetMaxIdleConns(0)
 		db.SetMaxOpenConns(c.MaxConns)
 
 		version, err := fingerprintCapabilities(db)
@@ -127,8 +130,9 @@ func (c *Config) NewClient() (*Client, error) {
 	}
 
 	client := Client{
-		config: *c,
-		db:     dbEntry.db,
+		config:       *c,
+		databaseName: database,
+		db:           dbEntry.db,
 	}
 
 	return &client, nil
@@ -147,7 +151,7 @@ func (c *Config) featureSupported(name featureName) bool {
 	return fn(c.ExpectedVersion)
 }
 
-func (c *Config) connStr() string {
+func (c *Config) connStr(database string) string {
 	// NOTE: dbname must come before user otherwise dbname will be set to
 	// user.
 	var dsnFmt string
@@ -202,7 +206,7 @@ func (c *Config) connStr() string {
 		logValues := []interface{}{
 			quote(c.Host),
 			c.Port,
-			quote(c.Database),
+			quote(database),
 			quote(c.Username),
 			quote("<redacted>"),
 			quote(c.SSLMode),
@@ -221,7 +225,7 @@ func (c *Config) connStr() string {
 		connValues := []interface{}{
 			quote(c.Host),
 			c.Port,
-			quote(c.Database),
+			quote(database),
 			quote(c.Username),
 			quote(c.Password),
 			quote(c.SSLMode),

postgresql/helpers.go

@@ -1,8 +1,13 @@
 package postgresql
 
 import (
+	"database/sql"
 	"fmt"
 	"strings"
+
+	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/terraform/helper/schema"
+	"github.com/lib/pq"
 )
 
 // pqQuoteLiteral returns a string literal safe for inclusion in a PostgreSQL
@@ -22,3 +27,98 @@ func validateConnLimit(v interface{}, key string) (warnings []string, errors []e
 	}
 	return
 }
+
+func sliceContainsStr(haystack []string, needle string) bool {
+	for _, s := range haystack {
+		if s == needle {
+			return true
+		}
+	}
+	return false
+}
+
+// allowedPrivileges is the list of privileges allowed per object types in Postgres.
+// see: https://www.postgresql.org/docs/current/sql-grant.html
+var allowedPrivileges = map[string][]string{
+	"table":    []string{"ALL", "SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER"},
+	"sequence": []string{"ALL", "USAGE", "SELECT", "UPDATE"},
+}
+
+// validatePrivileges checks that privileges to apply are allowed for this object type.
+func validatePrivileges(objectType string, privileges []interface{}) error {
+	allowed, ok := allowedPrivileges[objectType]
+	if !ok {
+		return fmt.Errorf("unknown object type %s", objectType)
+	}
+
+	for _, priv := range privileges {
+		if !sliceContainsStr(allowed, priv.(string)) {
+			return fmt.Errorf("%s is not an allowed privilege for object type %s", priv, objectType)
+		}
+	}
+	return nil
+}
+
+func pgArrayToSet(arr pq.ByteaArray) *schema.Set {
+	s := make([]interface{}, len(arr))
+	for i, v := range arr {
+		s[i] = string(v)
+	}
+	return schema.NewSet(schema.HashString, s)
+}
+
+// startTransaction starts a new DB transaction on the specified database.
+// If the database is specified and different from the one configured in the provider,
+// it will create a new connection pool if needed.
+func startTransaction(client *Client, database string) (*sql.Tx, error) {
+	if database != "" && database != client.databaseName {
+		var err error
+		client, err = client.config.NewClient(database)
+		if err != nil {
+			return nil, err
+		}
+	}
+	db := client.DB()
+	txn, err := db.Begin()
+	if err != nil {
+		return nil, errwrap.Wrapf("could not start transaction: {{err}}", err)
+	}
+
+	return txn, nil
+}
+
+func dbExists(txn *sql.Tx, dbname string) (bool, error) {
+	err := txn.QueryRow("SELECT datname FROM pg_database WHERE datname=$1", dbname).Scan(&dbname)
+	switch {
+	case err == sql.ErrNoRows:
+		return false, nil
+	case err != nil:
+		return false, errwrap.Wrapf("could not check if database exists: {{err}}", err)
+	}
+
+	return true, nil
+}
+
+func roleExists(txn *sql.Tx, rolname string) (bool, error) {
+	err := txn.QueryRow("SELECT 1 FROM pg_roles WHERE rolname=$1", rolname).Scan(&rolname)
+	switch {
+	case err == sql.ErrNoRows:
+		return false, nil
+	case err != nil:
+		return false, errwrap.Wrapf("could not check if role exists: {{err}}", err)
+	}
+
+	return true, nil
+}
+
+func schemaExists(txn *sql.Tx, schemaname string) (bool, error) {
+	err := txn.QueryRow("SELECT 1 FROM pg_namespace WHERE nspname=$1", schemaname).Scan(&schemaname)
+	switch {
+	case err == sql.ErrNoRows:
+		return false, nil
+	case err != nil:
+		return false, errwrap.Wrapf("could not check if schema exists: {{err}}", err)
+	}
+
+	return true, nil
+}

postgresql/provider.go

@@ -88,6 +88,7 @@ func Provider() terraform.ResourceProvider {
 			"postgresql_extension": resourcePostgreSQLExtension(),
 			"postgresql_schema":    resourcePostgreSQLSchema(),
 			"postgresql_role":      resourcePostgreSQLRole(),
+			"postgresql_grant":     resourcePostgreSQLGrant(),
 		},
 
 		ConfigureFunc: providerConfigure,
@@ -133,7 +134,6 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 	config := Config{
 		Host:              d.Get("host").(string),
 		Port:              d.Get("port").(int),
-		Database:          d.Get("database").(string),
 		Username:          d.Get("username").(string),
 		Password:          d.Get("password").(string),
 		SSLMode:           sslMode,
@@ -143,7 +143,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		ExpectedVersion:   version,
 	}
 
-	client, err := config.NewClient()
+	client, err := config.NewClient(d.Get("database").(string))
 	if err != nil {
 		return nil, errwrap.Wrapf("Error initializing PostgreSQL client: {{err}}", err)
 	}

postgresql/resource_postgresql_database.go

@@ -263,16 +263,13 @@ func resourcePostgreSQLDatabaseExists(d *schema.ResourceData, meta interface{})
 	c.catalogLock.RLock()
 	defer c.catalogLock.RUnlock()
 
-	var dbName string
-	err := c.DB().QueryRow("SELECT d.datname from pg_database d WHERE datname=$1", d.Id()).Scan(&dbName)
-	switch {
-	case err == sql.ErrNoRows:
-		return false, nil
-	case err != nil:
+	txn, err := startTransaction(c, "")
+	if err != nil {
 		return false, err
 	}
+	defer txn.Rollback()
 
-	return true, nil
+	return dbExists(txn, d.Id())
 }
 
 func resourcePostgreSQLDatabaseRead(d *schema.ResourceData, meta interface{}) error {