Remove old docs. Update docs and code to support the PUBLIC role.
This commit is contained in:
parent
c3a3ddc0f5
commit
73be4bc21f
|
@ -79,8 +79,9 @@ func resourcePostgreSQLSchema() *schema.Resource {
|
|||
schemaPolicyRoleAttr: {
|
||||
Type: schema.TypeString,
|
||||
Elem: &schema.Schema{Type: schema.TypeString},
|
||||
Required: true,
|
||||
Description: "ROLE who will receive this policy",
|
||||
Optional: true,
|
||||
Default: "",
|
||||
Description: "ROLE who will receive this policy (default: PUBLIC)",
|
||||
},
|
||||
schemaPolicyUsageAttr: {
|
||||
Type: schema.TypeBool,
|
||||
|
@ -351,6 +352,9 @@ func setSchemaPolicy(txn *sql.Tx, d *schema.ResourceData) error {
|
|||
pMap := p.(map[string]interface{})
|
||||
rolePolicy := schemaPolicyToACL(pMap)
|
||||
|
||||
// The PUBLIC role can not be DROP'ed, therefore we do not need
|
||||
// to prevent revoking against it not existing.
|
||||
if rolePolicy.Role != "" {
|
||||
var foundUser bool
|
||||
err := txn.QueryRow(`SELECT TRUE FROM pg_catalog.pg_user WHERE usename = $1`, rolePolicy.Role).Scan(&foundUser)
|
||||
switch {
|
||||
|
@ -363,6 +367,7 @@ func setSchemaPolicy(txn *sql.Tx, d *schema.ResourceData) error {
|
|||
queries = append(queries, rolePolicy.Revokes(schemaName)...)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for _, p := range added {
|
||||
pMap := p.(map[string]interface{})
|
||||
|
|
|
@ -8,16 +8,48 @@ description: |-
|
|||
|
||||
# postgresql\_schema
|
||||
|
||||
The ``postgresql_schema`` resource creates and manages a schema within a
|
||||
PostgreSQL database.
|
||||
The ``postgresql_schema`` resource creates and manages a [schema
|
||||
objects](https://www.postgresql.org/docs/current/static/ddl-schemas.html) within
|
||||
a PostgreSQL database.
|
||||
|
||||
|
||||
## Usage
|
||||
|
||||
```
|
||||
resource "postgresql_role" "app_www" {
|
||||
name = "app_www"
|
||||
}
|
||||
|
||||
resource "postgresql_role" "app_dba" {
|
||||
name = "app_dba"
|
||||
}
|
||||
|
||||
resource "postgresql_role" "app_releng" {
|
||||
name = "app_releng"
|
||||
}
|
||||
|
||||
resource "postgresql_schema" "my_schema" {
|
||||
name = "my_schema"
|
||||
owner = "postgres"
|
||||
|
||||
policy {
|
||||
usage = true
|
||||
role = "${postgresql_role.app_www.name}"
|
||||
}
|
||||
|
||||
# app_releng can create new objects in the schema. This is the role that
|
||||
# migrations are executed as.
|
||||
policy {
|
||||
create = true
|
||||
usage = true
|
||||
role = "${postgresql_role.app_releng.name}"
|
||||
}
|
||||
|
||||
policy {
|
||||
create_with_grant = true
|
||||
usage_with_grant = true
|
||||
role = "${postgresql_role.app_dba.name}"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
|
@ -25,8 +57,19 @@ resource "postgresql_schema" "my_schema" {
|
|||
|
||||
* `name` - (Required) The name of the schema. Must be unique in the PostgreSQL
|
||||
database instance where it is configured.
|
||||
|
||||
* `owner` - (Optional) The ROLE who owns the schema.
|
||||
* `policy` - (Optional) Can be specified multiple times for each policy. Each
|
||||
policy block supports fields documented below.
|
||||
|
||||
The `policy` block supports:
|
||||
|
||||
* `create` - (Optional) Should the specified ROLE have CREATE privileges to the specified SCHEMA.
|
||||
* `create_with_grant` - (Optional) Should the specified ROLE have CREATE privileges to the specified SCHEMA and the ability to GRANT the CREATE privilege to other ROLEs.
|
||||
* `role` - (Optional) The ROLE who is receiving the policy. If this value is empty or not specified it implies the policy is referring to the [`PUBLIC` role](https://www.postgresql.org/docs/current/static/sql-grant.html).
|
||||
* `usage` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA.
|
||||
* `usage_with_grant` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA and the ability to GRANT the USAGE privilege to other ROLEs.
|
||||
|
||||
~> **NOTE on `policy`:** The permissions of a role specified in multiple policy blocks is cumulative. For example, if the same role is specified in two different `policy` each with different permissions (e.g. `create` and `usage_with_grant`, respectively), then the specified role with have both `create` and `usage_with_grant` privileges.
|
||||
|
||||
## Import Example
|
||||
|
||||
|
@ -41,6 +84,10 @@ resource "postgresql_schema" "public" {
|
|||
resource "postgresql_schema" "schema_foo" {
|
||||
name = "my_schema"
|
||||
owner = "postgres"
|
||||
|
||||
policy {
|
||||
usage = true
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
|
|
|
@ -1,76 +0,0 @@
|
|||
---
|
||||
layout: "postgresql"
|
||||
page_title: "PostgreSQL: postgresql_schema_policy"
|
||||
sidebar_current: "docs-postgresql-resource-postgresql_schema_policy"
|
||||
description: |-
|
||||
Manages the permissions of PostgreSQL schemas.
|
||||
---
|
||||
|
||||
# postgresql\_schema\_policy
|
||||
|
||||
The ``postgresql_schema_policy`` resource applies the necessary SQL DCL
|
||||
(`GRANT`s and `REVOKE`s) necessary to ensure access compliance to a particular
|
||||
SCHEMA within a PostgreSQL database.
|
||||
|
||||
|
||||
## Usage
|
||||
|
||||
```
|
||||
resource "postgresql_role" "my_app" {
|
||||
name = "my_app"
|
||||
}
|
||||
|
||||
resource "postgresql_schema" "my_schema" {
|
||||
name = "my_schema"
|
||||
}
|
||||
|
||||
resource "postgresql_schema_policy" "my_schema" {
|
||||
create = true
|
||||
usage = true
|
||||
schema = "${postgresql_schema.my_schema.name}"
|
||||
role = "${postgresql_role.my_app.name}"
|
||||
}
|
||||
```
|
||||
|
||||
## Argument Reference
|
||||
|
||||
* `create` - (Optional) Should the specified ROLE have CREATE privileges to the specified SCHEMA.
|
||||
|
||||
* `create_with_grant` - (Optional) Should the specified ROLE have CREATE privileges to the specified SCHEMA and the ability to GRANT the CREATE privilege to other ROLEs.
|
||||
|
||||
* `usage` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA.
|
||||
|
||||
* `usage_with_grant` - (Optional) Should the specified ROLE have USAGE privileges to the specified SCHEMA and the ability to GRANT the USAGE privilege to other ROLEs.
|
||||
|
||||
* `role` - (Required) The ROLE who is receiving the policy.
|
||||
|
||||
* `schema` - (Required) The SCHEMA that is the target of the policy.
|
||||
|
||||
## Import Example
|
||||
|
||||
`postgresql_schema_policy` supports importing resources. Supposing the
|
||||
following Terraform:
|
||||
|
||||
```
|
||||
resource "postgresql_schema" "public" {
|
||||
name = "public"
|
||||
}
|
||||
|
||||
resource "postgresql_schema_policy" "public" {
|
||||
create = true
|
||||
usage = true
|
||||
schema = "${postgresql_schema.public.name}"
|
||||
role = "${postgresql_role.my_app.name}"
|
||||
}
|
||||
```
|
||||
|
||||
It is possible to import a `postgresql_schema_policy` resource with the
|
||||
following command:
|
||||
|
||||
```
|
||||
$ terraform import postgresql_schema_policy.public public
|
||||
```
|
||||
|
||||
Where `public` is the name of the schema in the PostgreSQL database and
|
||||
`postgresql_schema_policy.public` is the name of the resource whose state will
|
||||
be populated as a result of the command.
|
|
@ -25,9 +25,6 @@
|
|||
<li<%= sidebar_current("docs-postgresql-resource-postgresql_schema") %>>
|
||||
<a href="/docs/providers/postgresql/r/postgresql_schema.html">postgresql_schema</a>
|
||||
</li>
|
||||
<li<%= sidebar_current("docs-postgresql-resource-postgresql_schema_policy") %>>
|
||||
<a href="/docs/providers/postgresql/r/postgresql_schema_policy.html">postgresql_schema_policy</a>
|
||||
</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
|
|
Loading…
Reference in New Issue