Commit Graph

94 Commits

Author SHA1 Message Date
Sean Chittenden 1ab22e1dba Drop the optional WITH token from CREATE ROLE. (#14864)
Fixes: #11273
2017-05-31 21:10:56 +03:00
Sean Chittenden 2ebac5226c PostgreSQL: leaked pg privs (#14817)
* Fix doc bug. Spell `collation` like `lc_collate`.

* Whitespace nit in error message

* Use %q as the format verb for error messages in postgresql_database resource messages.

* REVOKE the `GRANT` given to the connection user when creating a database.

For `ROLE`s who have been delegated `CREATEDB` privileges and are not a
superuser, in order for them to `CREATE DATABASE` they need to be a member
of the `ROLE` who will be `OWNER` for the new database.  Once the
`CREATE DATABASE` is complete, `REVOKE` the `GRANT` that was given to role
so that the user who ran the `CREATE DATABASE` loses all privileges to the
target database (unless of course they're a superuser).

Fixes a regression introduced in #11452

* Delegated DBA ROLEs can now fix OWNER drift for PostgreSQL databases.

Uses the helper functions introduced in #11452
2017-05-31 20:03:32 +03:00
Jake Champlin bd68789006
core: Use environment variables to set VersionPrerelease at compile time
Instead of using a hardcoded version prerelease string, which makes release automation difficult, set the version prerelease string from an environment variable via the go linker tool during compile time.

The environment variable `TF_RELEASE` should only be set via the `make bin` target, and thus leaves the version prerelease string unset. Otherwise, when running a local compile of terraform via the `make dev` makefile target, the version prerelease string is set to `"dev"`, as usual.

This also requires some changes to both the circonus and postgresql providers, as they directly used the `VersionPrerelease` constant. We now simply call the `VersionString()` function, which returns the proper interpolated version string with the prerelease string populated correctly.

`TF_RELEASE` is unset:

```sh
$ make dev
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/05/22 10:38:19 Generated command/internal_plugin_list.go
==> Removing old directory...
==> Building...
Number of parallel builds: 3

-->     linux/amd64: github.com/hashicorp/terraform

==> Results:
total 209M
-rwxr-xr-x 1 jake jake 209M May 22 10:39 terraform

$ terraform version
Terraform v0.9.6-dev (fd472e4a86500606b03c314f70d11f2bc4bc84e5+CHANGES)
```

`TF_RELEASE` is set (mimicking the `make bin` target):

```sh
$ TF_RELEASE=1 make dev
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/05/22 10:40:39 Generated command/internal_plugin_list.go
==> Removing old directory...
==> Building...
Number of parallel builds: 3

-->     linux/amd64: github.com/hashicorp/terraform

==> Results:
total 121M
-rwxr-xr-x 1 jake jake 121M May 22 10:42 terraform

$ terraform version
Terraform v0.9.6
```
2017-05-22 10:49:15 -04:00
Jake Champlin 78955efdd7 Merge pull request #11452 from pbthorste/master
provider/postgres grant role when creating database
2017-05-02 11:41:26 -04:00
julius-bonial 5d8662d5da fix wrong usage of hashicorp/errwrap (#11500)
According to https://github.com/hashicorp/errwrap
'{{err}}' has to be used instead of '%s'

Without this patch, error output from terraform is missing important information:
* aws_cloudwatch_log_group.logs: Error Getting CloudWatch Logs Tag List: %s

With this patch, I get the important information. E.g.:
* aws_cloudwatch_log_group.logs: Error Getting CloudWatch Logs Tag List: AccessDeniedException: User: arn:aws:sts::XYZ:assumed-role/AAA-BBB-CCC/terraform-assuming-role-assume-role-ReadOnly is not authorized to perform: logs:ListTagsLogGroup on resource: arn:aws:logs:us-east-1:XYZ:log-group:logs:log-stream:
2017-01-29 19:19:48 +00:00
pbthorste deb56bd93d improve error message 2017-01-27 01:50:45 +01:00
pbthorste daba1aff9d grant role membership for when connection user is not superuser 2017-01-27 01:46:37 +01:00
Radek Simko 4f7f048f76 provider/postgresql: Fix failing acceptance test (#11375) 2017-01-24 14:10:56 +02:00
Sean Chittenden 4278c615af
Follow up to #11161 to fix `connection_limit` updates to a ROLE. 2017-01-11 16:24:00 -08:00
Sean Chittenden 864c7691b1 Merge pull request #11165 from hashicorp/b-11161
Add a test to make sure the implied `connection_limit` default of `-1` is always set.
2017-01-11 15:23:32 -08:00
Sean Chittenden 9201265395
Add a test to make sure the implied `connection_limit` default of `-1` is always set.
Covers: #11161
2017-01-11 15:21:17 -08:00
pbthorste 11f680a88e remove computed true for postgres connections 2017-01-11 22:55:50 +01:00
pbthorste 0c1175f78b set default postgres connection limit 2017-01-11 22:45:30 +01:00
Sean Chittenden a96f7408dd
Fix a few small grammar nits. 2016-12-27 15:50:25 -08:00
Sean Chittenden 152b0b1ff6
Fix compile: return a string, not an error to `errwrap` 2016-12-27 15:50:25 -08:00
Sean Chittenden 4919f16cca
Use `fmt.Fprint()` instead of `Fprintf()`. 2016-12-27 15:50:25 -08:00
Sean Chittenden 4570460f4e
Audit all call sites where `fmt.Errorf()` was being used and switch to errwrap. 2016-12-27 15:50:25 -08:00
Sean Chittenden 9ab60ecc7b
Add an Exists function for each resource type. Also add a provider RWMutex.
Some of the checks didn't support concurrent updates.  This should
improve the reliability of the provider.
2016-12-27 15:50:25 -08:00
James Nugent 15e58310bd provider/postgres: Ignore temporary Postgres data 2016-12-27 15:13:27 -06:00
James Nugent 97420f523c provider/postgres: Allow brew installed postgresql
This commit modifies the GNUmakefile used for starting PostgreSQL for
testing purposes to prefer the version installed via Homebrew, followed
by the version installed via MacPorts. POSTGRES, PSQL and INITDB may be
overridden as Make variables if neither of these package management
systems is in use.
2016-12-27 15:10:20 -06:00
Sean Chittenden 73be4bc21f
Remove old docs. Update docs and code to support the PUBLIC role. 2016-12-26 07:00:03 -08:00
Sean Chittenden c3a3ddc0f5
Return an empty string if no value was provided.
This restores the original behavior of the initial patch.
2016-12-25 15:26:54 -08:00
Sean Chittenden 7d19fcae25
Improve a bit more upon work done in #10922 and only return a quoted
string if there is whitespace present.

Aesthetics.  What can I say.
2016-12-25 06:19:14 -08:00
Sean Chittenden d92a3caedf
Before revoking a privilege from a schema, check to ensure role exists. 2016-12-25 06:13:34 -08:00
Sean Chittenden 6c91676c40
Comment out the role that gets dropped before the schema's policies are
applied.

This is only a problem when the ROLE is removed before the revocation of
the schema's policies on the doomed PostgreSQL ROLE.  Comment out the
tests for now to get unit tests to pass.  Using hard-coded values that
exist outside of the Terraform unit test work.
2016-12-25 06:13:34 -08:00
Sean Chittenden ed7511e004
Add a small note re: needing `-test.parallel=1` when running PG tests. 2016-12-25 06:13:33 -08:00
Sean Chittenden 38928b91ba
Update the postgresql_schema resource to accept policies.
It is now possible to begin specifying DCL for schemas.
2016-12-25 06:13:33 -08:00
Sean Chittenden 897609878f
Automatically perform a `REASSIGN OWNED` and `DROP OWNED BY` when
removing a PostgreSQL role.

Add manual overrides if this isn't the desired behavior, but it should
universally be the desired outcome except when a ROLE name is reused
across multiple databases in the same PostgreSQL cluster, in which case
the `skip_drop_role` is necessary for all but the last PostgreSQL
provider.
2016-12-25 06:13:33 -08:00
Sean Chittenden 6e200c98d0
Use the right verb for errors. 2016-12-25 06:13:33 -08:00
Sean Chittenden ebc81727da
Add the postgresql_schema_policy resource. This is a WIP due to
issues with cycles when an object is destroyed.
2016-12-25 06:13:33 -08:00
Sean Chittenden de6dcbd8cd
Add the `owner` attribute to the `postgresql_schema` resource. 2016-12-25 06:13:32 -08:00
Sean Chittenden 1d60e9ab04
Clean up the description on postgresql_database.owner. 2016-12-25 06:13:32 -08:00
Sean Chittenden d673a0b532
Properly escape DSN parameters. 2016-12-25 05:53:12 -08:00
Igor Dubinskiy 56a1ea9012 provider/postgresql: Quote connection string parameters 2016-12-23 10:09:32 -08:00
Sean Chittenden 56a193f228
Dept of second thoughts: remove authorization support before 0.8
releases.

When postgresql_schema_policy lands this attribute should be removed in
order to provide a single way of accomplishing setting permissions on
schema objects.
2016-12-13 10:28:06 -08:00
Sean Chittenden ce60c4fede
gofmt cleanup on imports. 2016-12-12 15:21:20 -08:00
Sean Chittenden 2ecd42c0be
Remove non-standard environment variables in prep for 0.8. 2016-12-12 15:21:00 -08:00
Sean Chittenden 6ed37770c3
Add the testing Makefile that I'm using for testing the provider locally. 2016-12-12 14:44:46 -08:00
Sean Chittenden 8c41f0859b
Add the version attribute to postgresql_extension. 2016-12-12 14:37:40 -08:00
Sean Chittenden a4965c01af
Fix up helpers.
Pointed out by: @stack72
2016-12-12 14:30:25 -08:00
Sean Chittenden c602f024f4
Fix the remaining `postgresql_extension` unit test. 2016-12-12 13:40:49 -08:00
Sean Chittenden daa951434f
Teach postgresql_extension about schemas. 2016-12-12 13:15:57 -08:00
Sean Chittenden d1c9ebb6c2
Add PostgreSQL schema support 2016-12-12 13:11:47 -08:00
Sean Chittenden 1a93309e50
Expand postgresql_role support to include all known options. 2016-12-12 01:37:00 -08:00
Sean Chittenden 4c6c52ee8d
Nuke some whitespace. 2016-12-12 01:36:14 -08:00
Sean Chittenden 6deb61b0cf
Enable import support for PostgreSQL's extensions. 2016-12-12 01:33:02 -08:00
Sean Chittenden e36827c5fe
Change the default for `valid_until` to `infinity` to match the default. 2016-12-12 01:18:13 -08:00
Sean Chittenden e9dc92c18d
Change the default for `inherit` from `false` to `true` to match PostgreSQL. 2016-12-12 01:11:07 -08:00
Sean Chittenden b576a3eda1
Rename variable from `roleSuperUserAttr` to `roleSuperuserAttr`. 2016-12-12 01:07:26 -08:00
Sean Chittenden 15cd542392
Remove a duplicate `connect_timeout` from a rebase+stash. 2016-12-12 00:53:06 -08:00