Remove old docs. Update docs and code to support the PUBLIC role.

2016-12-26 07:00:03 -08:00 · 2016-12-26 07:00:03 -08:00 · 73be4bc21f
parent c3a3ddc0f5
commit 73be4bc21f
4 changed files with 67 additions and 94 deletions
--- a/builtin/providers/postgresql/resource_postgresql_schema.go
+++ b/builtin/providers/postgresql/resource_postgresql_schema.go
@ -79,8 +79,9 @@ func resourcePostgreSQLSchema() *schema.Resource {
 						schemaPolicyRoleAttr: {
 							Type:        schema.TypeString,
 							Elem:        &schema.Schema{Type: schema.TypeString},
-							Required:    true,
-							Description: "ROLE who will receive this policy",
+							Optional:    true,
+							Default:     "",
+							Description: "ROLE who will receive this policy (default: PUBLIC)",
 						},
 						schemaPolicyUsageAttr: {
 							Type:          schema.TypeBool,
@ -351,16 +352,20 @@ func setSchemaPolicy(txn *sql.Tx, d *schema.ResourceData) error {
 		pMap := p.(map[string]interface{})
 		rolePolicy := schemaPolicyToACL(pMap)

-		var foundUser bool
-		err := txn.QueryRow(`SELECT TRUE FROM pg_catalog.pg_user WHERE usename = $1`, rolePolicy.Role).Scan(&foundUser)
-		switch {
-		case err == sql.ErrNoRows:
-			// Don't execute this role's REVOKEs because the role
-			// was dropped first and therefore doesn't exist.
-		case err != nil:
-			return errwrap.Wrapf("Error reading schema: {{err}}", err)
-		default:
-			queries = append(queries, rolePolicy.Revokes(schemaName)...)
+		// The PUBLIC role can not be DROP'ed, therefore we do not need
+		// to prevent revoking against it not existing.
+		if rolePolicy.Role != "" {
+			var foundUser bool
+			err := txn.QueryRow(`SELECT TRUE FROM pg_catalog.pg_user WHERE usename = $1`, rolePolicy.Role).Scan(&foundUser)
+			switch {
+			case err == sql.ErrNoRows:
+				// Don't execute this role's REVOKEs because the role
+				// was dropped first and therefore doesn't exist.
+			case err != nil:
+				return errwrap.Wrapf("Error reading schema: {{err}}", err)
+			default:
+				queries = append(queries, rolePolicy.Revokes(schemaName)...)
+			}
 		}
 	}

--- a/website/source/docs/providers/postgresql/r/postgresql_schema.html.markdown
+++ b/website/source/docs/providers/postgresql/r/postgresql_schema.html.markdown
@ -8,16 +8,48 @@ description: |-

 # postgresql\_schema

-The ``postgresql_schema`` resource creates and manages a schema within a
-PostgreSQL database.
+The ``postgresql_schema`` resource creates and manages a [schema
+objects](https://www.postgresql.org/docs/current/static/ddl-schemas.html) within
+a PostgreSQL database.


 ## Usage

 ```
+resource "postgresql_role" "app_www" {
+  name = "app_www"
+}
+
+resource "postgresql_role" "app_dba" {
+  name = "app_dba"
+}
+
+resource "postgresql_role" "app_releng" {
+  name = "app_releng"
+}
+
 resource "postgresql_schema" "my_schema" {
  name  = "my_schema"
  owner = "postgres"
+
+  policy {
+    usage = true
+    role = "${postgresql_role.app_www.name}"
+  }
+
+  # app_releng can create new objects in the schema.  This is the role that
+  # migrations are executed as.
+  policy {
+    create = true
+    usage = true
+    role = "${postgresql_role.app_releng.name}"
+  }
+
+  policy {
+    create_with_grant = true
+    usage_with_grant = true
+    role = "${postgresql_role.app_dba.name}"
+  }
 }
 ```

@ -25,8 +57,19 @@ resource "postgresql_schema" "my_schema" {

 * `name` - (Required) The name of the schema. Must be unique in the PostgreSQL
  database instance where it is configured.
-
 * `owner` - (Optional) The ROLE who owns the schema.
+* `policy` - (Optional) Can be specified multiple times for each policy.  Each
+    policy block supports fields documented below.
+
+The `policy` block supports:
+
+* `create` - (Optional) Should the specified ROLE have CREATE privileges to the specified SCHEMA.
+* `create_with_grant` - (Optional) Should the specified ROLE have CREATE privileges to the specified SCHEMA and the ability to GRANT the CREATE privilege to other ROLEs.
+* `role` - (Optional) The ROLE who is receiving the policy.  If this value is empty or not specified it implies the policy is referring to the [`PUBLIC` role](https://www.postgresql.org/docs/current/static/sql-grant.html).
+* `usage` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA.
+* `usage_with_grant` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA and the ability to GRANT the USAGE privilege to other ROLEs.
+
+~> **NOTE on `policy`:** The permissions of a role specified in multiple policy blocks is cumulative.  For example, if the same role is specified in two different `policy` each with different permissions (e.g. `create` and `usage_with_grant`, respectively), then the specified role with have both `create` and `usage_with_grant` privileges.

 ## Import Example

@ -41,6 +84,10 @@ resource "postgresql_schema" "public" {
 resource "postgresql_schema" "schema_foo" {
  name  = "my_schema"
  owner = "postgres"
+
+  policy {
+    usage = true
+  }
 }
 ```

--- a/website/source/docs/providers/postgresql/r/postgresql_schema_policy.html.markdown
+++ b/website/source/docs/providers/postgresql/r/postgresql_schema_policy.html.markdown
@ -1,76 +0,0 @@
---
-layout: "postgresql"
-page_title: "PostgreSQL: postgresql_schema_policy"
-sidebar_current: "docs-postgresql-resource-postgresql_schema_policy"
-description: |-
-  Manages the permissions of PostgreSQL schemas.
---
-
-# postgresql\_schema\_policy
-
-The ``postgresql_schema_policy`` resource applies the necessary SQL DCL
-(`GRANT`s and `REVOKE`s) necessary to ensure access compliance to a particular
-SCHEMA within a PostgreSQL database.
-
-
-## Usage
-
-```
-resource "postgresql_role" "my_app" {
-  name = "my_app"
-}
-
-resource "postgresql_schema" "my_schema" {
-  name  = "my_schema"
-}
-
-resource "postgresql_schema_policy" "my_schema" {
-  create = true
-  usage = true
-  schema = "${postgresql_schema.my_schema.name}"
-  role = "${postgresql_role.my_app.name}"
-}
-```
-
-## Argument Reference
-
-* `create` - (Optional) Should the specified ROLE have CREATE privileges to the specified SCHEMA.
-
-* `create_with_grant` - (Optional) Should the specified ROLE have CREATE privileges to the specified SCHEMA and the ability to GRANT the CREATE privilege to other ROLEs.
-
-* `usage` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA.
-
-* `usage_with_grant` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA and the ability to GRANT the USAGE privilege to other ROLEs.
-
-* `role` - (Required) The ROLE who is receiving the policy.
-
-* `schema` - (Required) The SCHEMA that is the target of the policy.
-
-## Import Example
-
-`postgresql_schema_policy` supports importing resources.  Supposing the
-following Terraform:
-
-```
-resource "postgresql_schema" "public" {
-  name  = "public"
-}
-
-resource "postgresql_schema_policy" "public" {
-  create = true
-  usage = true
-  schema = "${postgresql_schema.public.name}"
-  role = "${postgresql_role.my_app.name}"
-}
-```
-
-It is possible to import a `postgresql_schema_policy` resource with the
-following command:
-
-```
-$ terraform import postgresql_schema_policy.public public
-```
-
-Where `public` is the name of the schema in the PostgreSQL database and
-`postgresql_schema_policy.public` is the name of the resource whose state will
-be populated as a result of the command.
--- a/website/source/layouts/postgresql.erb
+++ b/website/source/layouts/postgresql.erb
@ -25,9 +25,6 @@
                    <li<%= sidebar_current("docs-postgresql-resource-postgresql_schema") %>>
                        <a href="/docs/providers/postgresql/r/postgresql_schema.html">postgresql_schema</a>
                    </li>
-                    <li<%= sidebar_current("docs-postgresql-resource-postgresql_schema_policy") %>>
-                        <a href="/docs/providers/postgresql/r/postgresql_schema_policy.html">postgresql_schema_policy</a>
-                    </li>
                </ul>
        </li>
      </ul>