I managed to get Terraform creating databases and roles in an RDS Postgres database, but since the rds_superuser privileges are stripped down, I can't see a simple way to destroy a created database that is owned by another user.
Using the following configuration:

resource "postgresql_role" "app" {
  name                = "app"
  login               = true
  password            = "foo"
  skip_reassign_owned = true
}

resource "postgresql_database" "database" {
  name  = "app_database"
  owner = "${postgresql_role.app.name}"
}

(For reference, skip_reassign_owned is required because the rds_superuser group does not get the privileges needed to reassign ownership.)
results in this error:
Error applying plan:

1 error(s) occurred:

* postgresql_database.database (destroy): 1 error(s) occurred:

* postgresql_database.database: Error dropping database: pq: must be owner of database debug_db1

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Using local-exec provisioners, I was able to grant the role that owns the database to both the admin user and the application user:
resource "aws_db_instance" "database" {
  ...
}

provider "postgresql" {
  host            = "${aws_db_instance.database.address}"
  port            = 5432
  username        = "myadminuser"
  password        = "adminpassword"
  sslmode         = "require"
  connect_timeout = 15
}

resource "postgresql_role" "app" {
  name                = "app"
  login               = true
  password            = "apppassword"
  skip_reassign_owned = true
}

resource "postgresql_role" "group" {
  name                = "${postgresql_role.app.name}_group"
  skip_reassign_owned = true

  provisioner "local-exec" {
    command = "PGPASSWORD=adminpassword psql -h ${aws_db_instance.database.address} -U myadminuser postgres -c 'GRANT ${self.name} TO myadminuser, ${postgresql_role.app.name};'"
  }
}

resource "postgresql_database" "database" {
  name  = "mydatabase"
  owner = "${postgresql_role.group.name}"
}

This seems to work, compared with setting the owner to only the application user. I'd like to know whether there is a better way to do this without a local-exec, though?
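The SQL behind the local-exec workaround above, as an added example that is not part of the question or of the Terraform provider. It assumes the role and database names from the question's configuration (myadminuser, app, app_group, mydatabase) and is run as the RDS admin user; the first query is a check you can run before a destroy to see whether the drop will be refused.

```sql
-- Added example, not the provider's code. Assumed names: myadminuser (RDS admin),
-- app (application role), app_group (owning group role), mydatabase.

-- 1. Who owns the database, and is the admin already a member of that role?
--    rds_superuser is not a real superuser: DROP DATABASE requires ownership,
--    and membership of the owning role counts as ownership.
SELECT d.datname,
       pg_get_userbyid(d.datdba)                      AS owner,
       pg_has_role(current_user, d.datdba, 'MEMBER')  AS admin_is_member
FROM   pg_database AS d
WHERE  d.datname = 'mydatabase';

-- 2. Make the group role the owner, and grant membership of it to both the
--    admin and the application user (the GRANT issued by the provisioner above).
--    Changing the owner itself also requires the admin to be a member of app_group,
--    so the GRANT comes first.
GRANT app_group TO myadminuser, app;
ALTER DATABASE mydatabase OWNER TO app_group;

-- 3. The admin can now drop the database (it must not be connected to it).
DROP DATABASE mydatabase;
```

Granting membership of a dedicated group role, rather than handing the admin the application role's login password, keeps the application credentials separate from the administrative ones while still letting Terraform destroy what it created.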

Best answer

After asking this question, I managed to put together a pull request with the fix, which was released in version 0.1.1 of the PostgreSQL provider, so this now works fine in the latest version of the provider.

09-30 17:08