Role.roles default conflicts with RoleGrant resources #131

Open
TonyRippy opened this issue Dec 17, 2021 · 1 comment
Labels
area/providers impact/reliability Something that feels unreliable or flaky kind/bug Some behavior is incorrect or out of spec

TonyRippy commented Dec 17, 2021

Hello!

  • Vote on this issue by adding a 👍 reaction
  • To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already)

Issue details

In our Pulumi code, we had something like the following:

replication_role = postgresql.Role(
    "replication-role",
    login=True,
    name="firehose",
    password=replication_password.result,
    opts=pulumi.ResourceOptions(
        provider=database.provider,
        depends_on=[database.instance, database.rds_proxy_provider],
    ),
)
postgresql.GrantRole(
    "grant-replication",
    grant_role="rds_replication",
    role=replication_role.name,
    opts=pulumi.ResourceOptions(
        provider=database.provider,
        depends_on=[replication_role],
    ),
)

The problem is that postgresql.Role has an optional roles property, and the default behavior has a bad interaction with GrantRole:

  • After the initial update, everything is fine and works as expected. (The "firehose" user has the rds_replication grant.)
  • On the next refresh+update, the existence of the grant causes a diff with Role, which we suspect assumes roles=[]. This causes an update where the grant is revoked. Now the grant does not exist and our replication starts failing.
  • On a third refresh+update, GrantRole sees a diff because the grant doesn't exist. It updates again, adding the grant back.

... and so the cycle begins anew. We see regular cycles where replication stops working, comes back, breaks again, comes back, and so on.

This was somewhat acknowledged by the owners of the underlying Terraform provider here:

"The postgresql_grant_role is more to grant a role to a user you are not managing with Terraform (e.g.: postgres) or not in the same state."

We've fixed the issue in our code by using roles instead of GrantRole, but this seems like a footgun.

Steps to reproduce

See the steps described above.

Expected:
I would expect the postgresql.Role resource to ignore grants when the optional roles property is not set, rather than assuming a default of roles=[].

Actual:
For Pulumi staff, an update showing the delta is here:
https://app.pulumi.com/materialize/mzcloud/production/updates/681
You can see the removal of the rds_replication grant in the Diff Log.

@TonyRippy TonyRippy added the kind/bug Some behavior is incorrect or out of spec label Dec 17, 2021
@TonyRippy TonyRippy changed the title postgresql.Role.roles default conflicts with postgresql.RoleGrant resources Role.roles default conflicts with RoleGrant resources Dec 17, 2021
@leezen leezen added area/providers impact/reliability Something that feels unreliable or flaky labels Dec 21, 2021
@mikhailshilkov
Member

Related upstream issue: cyrilgdn/terraform-provider-postgresql#285
