New resources: postgresql_grant & postgresql_default_privileges

[cyrilgdn]

Add resources:

• postgresql_grant: Allow to manage grant for tables or sequences for a specified role in a schema.
• postgresql_default_privileges: Allow to manage default privileges for tables or sequences for a specified role in a schema.

[sean-]

@cyrilgdn this is a huge PR, thank you for submitting this.

I have one sizable structural change that I have a bias toward wanting to see, but want to ask you about it first. In your permissions blocks, you're using a slice of strings instead of a set of bools. I understand the desire to use the strings because these map to SQL DCL. In the work I'd done in the past, I have actually mapped these to booleans. Currently you'd use:

 	resource "postgresql_grant" "test_rw" {
 		database    = "%s"
 		role        = "%s"
 		schema      = "public"
 		object_type = "table"
 		privileges   = ["SELECT", "INSERT", "UPDATE"]
 	}

vs

 	resource "postgresql_grant" "test_rw" {
 		database    = "%s"
 		role        = "%s"
 		schema      = "public"
 		object_type = "table"
 		read = true
        insert = true
        update = true
        delete = false
 	}

The latter lets us easily do boolean algebra to assign or remove permissions and be explicit in making sure a permission isn't present.

Also, you may have an interest in: https://github.com/sean-/postgresql-acl which I wrote once upon a time as a prerequisite for adding grant support.

Thoughts?

[cyrilgdn]

this is a huge PR, thank you for submitting this.

@sean- Actually the PR is splitted in two:

• Create new resource: postgresql_grant #51 for the postgresql_grant resource
• This one for the postgresql_default_privileges resource which depends on Create new resource: postgresql_grant #51

So this diff also contains the postgresql_grant resource. I'm not sure if it's the right way to manage dependency between PRs?

But your question is valid for both :)

Currently, the resource postgresql_grant only manages table and sequence but the long term goal is to support all object types.
So if we want to manage all privileges, it means that we'll have around 12 booleans in the resource.

Even if I understand the advantage that can provide the postgresql-acl lib, in this case I'm pretty sure it will not be easier to write the logic with booleans.

Currently, thanks to the aclexplode Postgres function I can easily build a Terraform Set struct which helps me to compare existing vs expected privileges. And thanks to transactions, I don't have to compare privilege by privilege to know what to apply. I revoke all the existing ones and apply all the expected ones in the same transaction (with 2 queries only).

and be explicit in making sure a permission isn't present.

For me it's explicit enough as the goal of Terraform is to describe in which state we want our resources.
I don't feel like we have to precise in which state it's not (even if I can understand this concern is a bit different with the privileges case).

But maybe I'm not the most objective as the author of this code :) So I'm open to other opinions.

[cyrilgdn]

@sean- So what do you think about that ? I'm now a maintainer of this repo and I really want make it evolve.

There's multiple enhancements that I want/need to do on these new resources but as I don't want to stack lots of PRs, I would like to start merging those already open.

Is your remark a no-go for #51 and this one ?

I know you currently don't have much time for that so I'll probably ask other people to do reviews but I don't want to merge PRs against your will.

Thanks !

[evgmoskalenko]

@cyrilgdn, Hello, tell me please, when the release is expected?

[paultyng]

A few comments, some may be related to lack of experience with Postgres though, so please forgive me learning in real time here.

[paultyng]

minor nit, but mind alphabetizing these?

[cyrilgdn]

Will do that yes

[paultyng]

I haven't worked much with sql, but I'm guessing calling Rollback after Commit doesn't cause any issues?

[cyrilgdn]

You're right 👍 !

I didn't see that as I don't manage the error of Rollback 🤦‍♂️

I'll see what I can do

[cyrilgdn]

@paultyng I updated the PR with, among others, your remarks.

I disable these new resources for Postgres < 9 as it uses function and syntax which does not exist prior this version.
I also add documentation page for the website.

[voslartomas]

@cyrilgdn @paultyng When probably are you going to create new release, please?

[cyrilgdn]

@voslartomas Normally this week, I'm just trying to merge a last PR before. I'll let you now here, also you can watch the repository with the new "Releases only" mode in order to alerted.

[voslartomas]

@cyrilgdn Perfect, thanks a lot.

[zytek]

@cyrilgdn could we use postgresql_grant to also manage role membership?

[zytek]

@cyrilgdn also, found one issue, similar to: hashicorp/terraform#11452

when using this on RDS:

resource "postgresql_default_privileges" "priv-sequence-for-user" {
  database    = "${var.db}"
  owner       = "${var.owner}"
  role        = "${var.user}"
  schema      = "public"
  object_type = "sequence"
  privileges  = ["ALL"]
  depends_on  = ["postgresql_database.db"]
}

we need to first run `GRANT ${var.owner} to ${provider.username}"

can / should this be implemented ?

[cyrilgdn]

@zytek

could we use postgresql_grant to also manage role membership?

No, but it will be managed by the PR #52 that I would like to merge for the next release too (just looking for review).

also, found one issue, similar to: hashicorp/terraform#11452

Yes we have this issue too at my work. It can be implemented.
Could you create an issue for that please ?

[zytek]

@zytek

could we use postgresql_grant to also manage role membership?

No, but it will be managed by the PR #52 that I would like to merge for the next release too (just looking for review).

Ah, didn't notice #52, gonna give it a shot tomorrow.

also, found one issue, similar to: hashicorp/terraform#11452

Yes we have this issue too at my work. It can be implemented.
Could you create an issue for that please ?

Yes, along with one concern that I have plus I might try to implement it.

[cyrilgdn]

@voslartomas v0.3.0 has just been released.