From 73be4bc21f7105f60f8f6979cb2d7b20fa82552c Mon Sep 17 00:00:00 2001
From: Sean Chittenden
Date: Mon, 26 Dec 2016 07:00:03 -0800
Subject: [PATCH] Remove old docs. Update docs and code to support the PUBLIC role.
---
 .../postgresql/resource_postgresql_schema.go | 29 ++++---
 .../r/postgresql_schema.html.markdown | 53 ++++++++++++-
 .../r/postgresql_schema_policy.html.markdown | 76 -------------------
 website/source/layouts/postgresql.erb | 3 -
 4 files changed, 67 insertions(+), 94 deletions(-)
 delete mode 100644 website/source/docs/providers/postgresql/r/postgresql_schema_policy.html.markdown
diff --git a/builtin/providers/postgresql/resource_postgresql_schema.go b/builtin/providers/postgresql/resource_postgresql_schema.go
index dbfba4c59..4d3edad30 100644
--- a/builtin/providers/postgresql/resource_postgresql_schema.go
+++ b/builtin/providers/postgresql/resource_postgresql_schema.go
@@ -79,8 +79,9 @@ func resourcePostgreSQLSchema() *schema.Resource {
 schemaPolicyRoleAttr: {
 Type: schema.TypeString,
 Elem: &schema.Schema{Type: schema.TypeString},
- Required: true,
- Description: "ROLE who will receive this policy",
+ Optional: true,
+ Default: "",
+ Description: "ROLE who will receive this policy (default: PUBLIC)",
 },
 schemaPolicyUsageAttr: {
 Type: schema.TypeBool,
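Review bot: Changing `role` from `Required: true` to `Optional: true` with `Default: ""` means a policy whose role interpolation resolves to the empty string is no longer rejected at plan time but is applied as a grant to PUBLIC, that is to every role in the database including ones created later, so a typo or unresolved reference now widens access instead of failing. The description mentions the default, but the schema should state the consequence where the default is declared, e.g. `// Empty selects PUBLIC: the policy's privileges then apply to every role in the database.`. If an explicitly empty string should be treated differently from an omitted role, that would presumably need a ValidateFunc or handling in the apply path rather than a Default; the resource schema continues outside the hunk.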
@@ -351,16 +352,20 @@ func setSchemaPolicy(txn *sql.Tx, d *schema.ResourceData) error { pMap := p.(map[string]interface{}) rolePolicy := schemaPolicyToACL(pMap) - var foundUser bool - err := txn.QueryRow(`SELECT TRUE FROM pg_catalog.pg_user WHERE usename = $1`, rolePolicy.Role).Scan(&foundUser) - switch { - case err == sql.ErrNoRows: - // Don't execute this role's REVOKEs because the role - // was dropped first and therefore doesn't exist. - case err != nil: - return errwrap.Wrapf("Error reading schema: {{err}}", err) - default: - queries = append(queries, rolePolicy.Revokes(schemaName)...) + // The PUBLIC role can not be DROP'ed, therefore we do not need + // to prevent revoking against it not existing. + if rolePolicy.Role != "" { + var foundUser bool + err := txn.QueryRow(`SELECT TRUE FROM pg_catalog.pg_user WHERE usename = $1`, rolePolicy.Role).Scan(&foundUser) + switch { + case err == sql.ErrNoRows: + // Don't execute this role's REVOKEs because the role + // was dropped first and therefore doesn't exist. + case err != nil: + return errwrap.Wrapf("Error reading schema: {{err}}", err) + default: + queries = append(queries, rolePolicy.Revokes(schemaName)...) + } } } diff --git a/website/source/docs/providers/postgresql/r/postgresql_schema.html.markdown b/website/source/docs/providers/postgresql/r/postgresql_schema.html.markdown index 16694a5c0..c634c7f77 100644 --- a/website/source/docs/providers/postgresql/r/postgresql_schema.html.markdown +++ b/website/source/docs/providers/postgresql/r/postgresql_schema.html.markdown 
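Review bot: The new `if rolePolicy.Role != ""` guard puts the `queries = append(queries, rolePolicy.Revokes(schemaName)...)` call inside the branch that only runs for named roles, so a policy for PUBLIC (empty role) never has its REVOKEs queued, which contradicts the new comment and, unless PUBLIC is handled elsewhere outside the hunk, leaves privileges granted to PUBLIC in place after the policy is removed. A flag that is true for PUBLIC and is set in the `default:` case for an existing named role keeps the revoke in one place. The lookup also uses `pg_catalog.pg_user`, which lists only roles that can log in, so an existing NOLOGIN group role falls into the `sql.ErrNoRows` branch and is silently skipped; `pg_catalog.pg_roles` with `rolname` covers both. setSchemaPolicy and the loop over policies start before the hunk, where `queries`, `p` and `schemaName` are defined.
```go
		rolePolicy := schemaPolicyToACL(pMap)

		// PUBLIC cannot be dropped, so its REVOKEs always run; a named role
		// is checked first because it may already have been dropped.
		revoke := rolePolicy.Role == ""
		if !revoke {
			var found bool
			err := txn.QueryRow(`SELECT TRUE FROM pg_catalog.pg_roles WHERE rolname = $1`, rolePolicy.Role).Scan(&found)
			switch {
			case err == sql.ErrNoRows:
				// Role was dropped first; nothing to revoke.
			case err != nil:
				return errwrap.Wrapf("Error reading schema: {{err}}", err)
			default:
				revoke = true
			}
		}
		if revoke {
			queries = append(queries, rolePolicy.Revokes(schemaName)...)
		}
```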
@@ -8,16 +8,48 @@ description: |- # postgresql\_schema -The ``postgresql_schema`` resource creates and manages a schema within a -PostgreSQL database. +The ``postgresql_schema`` resource creates and manages a [schema +objects](https://www.postgresql.org/docs/current/static/ddl-schemas.html) within +a PostgreSQL database. ## Usage ``` +resource "postgresql_role" "app_www" { + name = "app_www" +} + +resource "postgresql_role" "app_dba" { + name = "app_dba" +} + +resource "postgresql_role" "app_releng" { + name = "app_releng" +} + resource "postgresql_schema" "my_schema" { name = "my_schema" owner = "postgres" + + policy { + usage = true + role = "${postgresql_role.app_www.name}" + } + + # app_releng can create new objects in the schema. This is the role that + # migrations are executed as. + policy { + create = true + usage = true + role = "${postgresql_role.app_releng.name}" + } + + policy { + create_with_grant = true + usage_with_grant = true + role = "${postgresql_role.app_dba.name}" + } } ``` 
@@ -25,8 +57,19 @@ resource "postgresql_schema" "my_schema" { * `name` - (Required) The name of the schema. Must be unique in the PostgreSQL database instance where it is configured. - * `owner` - (Optional) The ROLE who owns the schema. +* `policy` - (Optional) Can be specified multiple times for each policy. Each + policy block supports fields documented below. + +The `policy` block supports: + +* `create` - (Optional) Should the specified ROLE have CREATE privileges to the specified SCHEMA. +* `create_with_grant` - (Optional) Should the specified ROLE have CREATE privileges to the specified SCHEMA and the ability to GRANT the CREATE privilege to other ROLEs. +* `role` - (Optional) The ROLE who is receiving the policy. If this value is empty or not specified it implies the policy is referring to the [`PUBLIC` role](https://www.postgresql.org/docs/current/static/sql-grant.html). +* `usage` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA. +* `usage_with_grant` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA and the ability to GRANT the USAGE privilege to other ROLEs. + +~> **NOTE on `policy`:** The permissions of a role specified in multiple policy blocks is cumulative. For example, if the same role is specified in two different `policy` each with different permissions (e.g. `create` and `usage_with_grant`, respectively), then the specified role with have both `create` and `usage_with_grant` privileges. ## Import Example @@ -41,6 +84,10 @@ resource "postgresql_schema" "public" { resource "postgresql_schema" "schema_foo" { name = "my_schema" owner = "postgres" + + policy { + usage = true + } } ``` diff --git a/website/source/docs/providers/postgresql/r/postgresql_schema_policy.html.markdown b/website/source/docs/providers/postgresql/r/postgresql_schema_policy.html.markdown deleted file mode 100644 index 1905adf25..000000000 
--- a/website/source/docs/providers/postgresql/r/postgresql_schema_policy.html.markdown
+++ /dev/null
@@ -1,76 +0,0 @@ ---- -layout: "postgresql" -page_title: "PostgreSQL: postgresql_schema_policy" -sidebar_current: "docs-postgresql-resource-postgresql_schema_policy" -description: |- - Manages the permissions of PostgreSQL schemas. ---- - -# postgresql\_schema\_policy - -The ``postgresql_schema_policy`` resource applies the necessary SQL DCL -(`GRANT`s and `REVOKE`s) necessary to ensure access compliance to a particular -SCHEMA within a PostgreSQL database. - - -## Usage - -``` -resource "postgresql_role" "my_app" { - name = "my_app" -} - -resource "postgresql_schema" "my_schema" { - name = "my_schema" -} - -resource "postgresql_schema_policy" "my_schema" { - create = true - usage = true - schema = "${postgresql_schema.my_schema.name}" - role = "${postgresql_role.my_app.name}" -} -``` - -## Argument Reference - -* `create` - (Optional) Should the specified ROLE have CREATE privileges to the specified SCHEMA. - -* `create_with_grant` - (Optional) Should the specified ROLE have CREATE privileges to the specified SCHEMA and the ability to GRANT the CREATE privilege to other ROLEs. - -* `usage` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA. - -* `usage_with_grant` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA and the ability to GRANT the USAGE privilege to other ROLEs. - -* `role` - (Required) The ROLE who is receiving the policy. - -* `schema` - (Required) The SCHEMA that is the target of the policy. - -## Import Example - -`postgresql_schema_policy` supports importing resources. 
Supposing the -following Terraform: - -``` -resource "postgresql_schema" "public" { - name = "public" -} - -resource "postgresql_schema_policy" "public" { - create = true - usage = true - schema = "${postgresql_schema.public.name}" - role = "${postgresql_role.my_app.name}" -} -``` - -It is possible to import a `postgresql_schema_policy` resource with the -following command: - -``` -$ terraform import postgresql_schema_policy.public public -``` - -Where `public` is the name of the schema in the PostgreSQL database and -`postgresql_schema_policy.public` is the name of the resource whose state will -be populated as a result of the command. diff --git a/website/source/layouts/postgresql.erb b/website/source/layouts/postgresql.erb index 5d20ce9be..fcec78de3 100644 --- a/website/source/layouts/postgresql.erb +++ b/website/source/layouts/postgresql.erb @@ -25,9 +25,6 @@ > postgresql_schema - > - postgresql_schema_policy -