rdb: allow to set permission on a database for a user #847

Closed
nsteinmetz opened this issue May 31, 2021 · 4 comments
Labels
enhancement rdb Managed MySQL and PostgreSQL issues, bugs and feature requests

nsteinmetz commented May 31, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

A user created via scaleway_rdb_user has no access to any db by default. There is no Terraform way to grant a user access to a db.

resource "scaleway_rdb_instance" "postgresql_instance" {
  name      = local.postgresql_instance_name
  node_type = var.postgresql_machine_type
  engine    = var.postgresql_version
  is_ha_cluster  = var.postgresql_ha_cluster
  disable_backup = var.postgresql_disable_backup
  user_name      = var.postgresql_admin_user
  password       = var.postgresql_admin_password
  region         = var.region
  project_id     = var.project_id

  count = var.production_mode && var.cloud_provider == "scw" ? 1 : 0
}

resource "scaleway_rdb_database" "postgresql_auth_db" {
  instance_id = scaleway_rdb_instance.postgresql_instance[0].id
  name        = var.postgresql_auth_db_name

  depends_on = [scaleway_rdb_instance.postgresql_instance, scaleway_rdb_user.postgresql_user]

  count = var.production_mode && var.cloud_provider == "scw" ? 1 : 0
}

resource "scaleway_rdb_user" "postgresql_user" {
  instance_id = scaleway_rdb_instance.postgresql_instance[0].id
  name        = var.postgresql_db_user
  password    = var.postgresql_db_password
  is_admin    = false

  count      = var.production_mode && var.cloud_provider == "scw" ? 1 : 0
  depends_on = [scaleway_rdb_instance.postgresql_instance]
}

I would like my next action to be something like:

resource "scaleway_rdb_policy" "postgresql_user_policy" {
  instance_id = scaleway_rdb_instance.postgresql_instance[0].id
  user_id = scaleway_rdb_user.postgresql_user[0].id
  database = scaleway_rdb_database.postgresql_auth_db[0].id
  policy = "ReadWrite"

  count      = var.production_mode && var.cloud_provider == "scw" ? 1 : 0
  depends_on = [scaleway_rdb_instance.postgresql_instance]
}

New or Affected Resource(s)

  • scaleway_rdb_policy

Potential Terraform Configuration

resource "scaleway_rdb_policy" "postgresql_user_policy" {
  instance_id = scaleway_rdb_instance.postgresql_instance[0].id
  user_id = scaleway_rdb_user.postgresql_user[0].id
  database_id = scaleway_rdb_database.postgresql_auth_db[0].id
  policy = "ReadWrite"

  count      = var.production_mode && var.cloud_provider == "scw" ? 1 : 0
  depends_on = [scaleway_rdb_instance.postgresql_instance]
}

With policy being:

  • Read
  • ReadWrite
  • All
  • None
  • Custom ?

References

N/A

nsteinmetz (Author) commented

In the meantime:

resource "null_resource" "pgsql_user_access_db" {
  provisioner "local-exec" {
    command     = "scw rdb privilege set instance-id=${split("/", scaleway_rdb_instance.postgresql_instance[0].id)[1]} database-name=${scaleway_rdb_database.postgresql_auth_db[0].name} user-name=${scaleway_rdb_user.postgresql_user[0].name} permission=all region=${var.scw_region}"
    environment = {
      SCW_ACCESS_KEY              = var.scw_access_key
      SCW_SECRET_KEY              = var.scw_secret_key
      SCW_DEFAULT_ORGANIZATION_ID = var.scw_organisation_id
      SCW_DEFAULT_PROJECT_ID      = var.scw_project_id
      SCW_DEFAULT_REGION          = var.scw_region
      SCW_DEFAULT_ZONE            = var.scw_zone
    }
  }
  provisioner "local-exec" {
    when    = destroy
    command = "true"
  }
}

sambonbonne commented Jun 3, 2021

Thanks @nsteinmetz for the workaround!

I see the RDB API uses privileges and not policy (like the scw CLI in the workaround) and does not need instance_id, so maybe the Terraform config could be:

resource "scaleway_rdb_privilege" "database_user_privilage" {
  user_id = scaleway_rdb_user.database_user.id
  database_id = scaleway_rdb_database.database_database.id

  privilege = "readwrite" # defaults to readonly like the API?
}

EDIT: I just re-read the API and in fact we need instance_id, user_name and database_name, sorry for the wrong proposition.

sambonbonne commented

I just saw that #844 seems to address this issue.

nsteinmetz (Author) commented

Indeed, I missed it - closing here and I'll follow the PR.

@remyleone remyleone added the rdb Managed MySQL and PostgreSQL issues, bugs and feature requests label Jul 28, 2022
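
The grant discussed in this thread in declarative form, as an added example that is not part of the issue or its comments: it uses the provider's `scaleway_rdb_privilege` resource with the `instance_id`, user name and database name inputs noted in the EDIT above, and limits the application user to `readonly` or `readwrite` instead of the workaround's `permission=all`. The variable `postgresql_db_permission` and the resource label are assumptions; the referenced instance, user and database are the ones from the original post.

```hcl
# Added example. var.postgresql_db_permission is a hypothetical variable;
# the default is the least privilege that still lets the user connect and read.
variable "postgresql_db_permission" {
  type        = string
  default     = "readonly"
  description = "Privilege granted to the application user on the auth database."

  # Reject "all" and "custom" at plan time so a non-admin application user
  # cannot be handed full rights on the database through a variable override.
  validation {
    condition     = contains(["readonly", "readwrite"], var.postgresql_db_permission)
    error_message = "Only readonly or readwrite may be granted to the application user."
  }
}

resource "scaleway_rdb_privilege" "postgresql_user_privilege" {
  count = var.production_mode && var.cloud_provider == "scw" ? 1 : 0

  # Referencing the user and database by attribute creates the implicit
  # dependencies, so the grant is applied only after both exist and is
  # revoked with them on destroy (the null_resource workaround does neither).
  instance_id   = scaleway_rdb_instance.postgresql_instance[0].id
  user_name     = scaleway_rdb_user.postgresql_user[0].name
  database_name = scaleway_rdb_database.postgresql_auth_db[0].name
  permission    = var.postgresql_db_permission
}
```

Unlike the `local-exec` workaround, this keeps the grant in Terraform state, so drift in the user's privileges shows up in `terraform plan`, and no API secret key has to be passed to a shell command.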