Skip to content

Commit

Permalink
add enable_logs attribute
Browse files Browse the repository at this point in the history
  • Loading branch information
@MatthewPugliese
MatthewPugliese committed Mar 14, 2024
1 parent f46ec22 commit 03f0c41
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 1 deletion.
19 changes: 18 additions & 1 deletion postgresql/resource_postgresql_role.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ const (
roleSearchPathAttr = "search_path"
roleStatementTimeoutAttr = "statement_timeout"
roleAssumeRoleAttr = "assume_role"
roleEnableLogsAttr = "enable_logs"

// Deprecated options
roleDepEncryptedAttr = "encrypted"
Expand Down Expand Up @@ -173,6 +174,12 @@ func resourcePostgreSQLRole() *schema.Resource {
Optional: true,
Description: "Role to switch to at login",
},
roleEnableLogsAttr: {
Type: schema.TypeBool,
Optional: true,
Default: false,
Description: "Enables lobs when creating a role. Keep disabled to preent passwords from leaking into the logs.",
},
},
}
}
Expand Down Expand Up @@ -286,6 +293,15 @@ func resourcePostgreSQLRoleCreate(db *DBConnection, d *schema.ResourceData) erro
}
}

areLogsEnabled := d.Get(roleEnableLogsAttr).(bool)
if areLogsEnabled {
sql := "SET log_statement TO 'none'; SET log_min_duration_statement TO -1; SET log_min_error_statement TO 'log'; SET pg_stat_statements.track_utility = 'off';"

if _, err := txn.Exec(sql); err != nil {
return fmt.Errorf("could not disable logs for %s: %w", roleName, err)
}
}

sql := fmt.Sprintf("CREATE ROLE %s%s", pq.QuoteIdentifier(roleName), createStr)
if _, err := txn.Exec(sql); err != nil {
return fmt.Errorf("error creating role %s: %w", roleName, err)
Expand Down Expand Up @@ -381,7 +397,7 @@ func resourcePostgreSQLRoleRead(db *DBConnection, d *schema.ResourceData) error
}

func resourcePostgreSQLRoleReadImpl(db *DBConnection, d *schema.ResourceData) error {
var roleSuperuser, roleInherit, roleCreateRole, roleCreateDB, roleCanLogin, roleReplication, roleBypassRLS bool
var roleSuperuser, roleInherit, roleCreateRole, roleCreateDB, roleCanLogin, roleReplication, roleBypassRLS, roleEnableLogs bool
var roleConnLimit int
var roleName, roleValidUntil string
var roleRoles, roleConfig pq.ByteaArray
Expand Down Expand Up @@ -457,6 +473,7 @@ func resourcePostgreSQLRoleReadImpl(db *DBConnection, d *schema.ResourceData) er
d.Set(roleRolesAttr, pgArrayToSet(roleRoles))
d.Set(roleSearchPathAttr, readSearchPath(roleConfig))
d.Set(roleAssumeRoleAttr, readAssumeRole(roleConfig))
d.Set(roleEnableLogsAttr, roleEnableLogs)

statementTimeout, err := readStatementTimeout(roleConfig)
if err != nil {
Expand Down
13 changes: 13 additions & 0 deletions postgresql/resource_postgresql_role_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ func TestAccPostgresqlRole_Basic(t *testing.T) {
resource.TestCheckResourceAttr("postgresql_role.role_with_defaults", "create_role", "false"),
resource.TestCheckResourceAttr("postgresql_role.role_with_defaults", "inherit", "false"),
resource.TestCheckResourceAttr("postgresql_role.role_with_defaults", "replication", "false"),
resource.TestCheckResourceAttr("postgresql_role.role_with_defaults", "enable_logs", "false"),
resource.TestCheckResourceAttr("postgresql_role.role_with_defaults", "bypass_row_level_security", "false"),
resource.TestCheckResourceAttr("postgresql_role.role_with_defaults", "connection_limit", "-1"),
resource.TestCheckResourceAttr("postgresql_role.role_with_defaults", "encrypted_password", "true"),
Expand Down Expand Up @@ -115,6 +116,7 @@ resource "postgresql_role" "group_role" {
resource "postgresql_role" "update_role" {
name = "update_role2"
login = true
enable_logs = false
connection_limit = 5
password = "titi"
roles = ["${postgresql_role.group_role.name}"]
Expand Down Expand Up @@ -146,6 +148,7 @@ resource "postgresql_role" "update_role" {
resource.TestCheckResourceAttr("postgresql_role.update_role", "statement_timeout", "0"),
resource.TestCheckResourceAttr("postgresql_role.update_role", "idle_in_transaction_session_timeout", "0"),
resource.TestCheckResourceAttr("postgresql_role.update_role", "assume_role", ""),
resource.TestCheckResourceAttr("postgresql_role.update_role", "enable_logs", "false"),
testAccCheckRoleCanLogin(t, "update_role", "toto"),
),
},
Expand All @@ -167,6 +170,7 @@ resource "postgresql_role" "update_role" {
resource.TestCheckResourceAttr("postgresql_role.update_role", "statement_timeout", "30000"),
resource.TestCheckResourceAttr("postgresql_role.update_role", "idle_in_transaction_session_timeout", "60000"),
resource.TestCheckResourceAttr("postgresql_role.update_role", "assume_role", "group_role"),
resource.TestCheckResourceAttr("postgresql_role.update_role", "enable_logs", "false"),
testAccCheckRoleCanLogin(t, "update_role2", "titi"),
),
},
Expand All @@ -185,6 +189,7 @@ resource "postgresql_role" "update_role" {
resource.TestCheckResourceAttr("postgresql_role.update_role", "statement_timeout", "0"),
resource.TestCheckResourceAttr("postgresql_role.update_role", "idle_in_transaction_session_timeout", "0"),
resource.TestCheckResourceAttr("postgresql_role.update_role", "assume_role", ""),
resource.TestCheckResourceAttr("postgresql_role.update_role", "enable_logs", "false"),
testAccCheckRoleCanLogin(t, "update_role", "toto"),
),
},
Expand Down Expand Up @@ -418,6 +423,7 @@ resource "postgresql_role" "role_with_defaults" {
statement_timeout = 0
idle_in_transaction_session_timeout = 0
assume_role = ""
enable_logs = false
}
resource "postgresql_role" "role_with_create_database" {
Expand All @@ -437,4 +443,11 @@ resource "postgresql_role" "role_with_search_path" {
name = "role_with_search_path"
search_path = ["bar", "foo-with-hyphen"]
}
resource "postgresql_role" "role_with_log_enabled" {
name = "role_with_log_enabled"
login = true
password = "mypass"
enable_logs = false
}
`

0 comments on commit 03f0c41

Please sign in to comment.