From 4724919d8dfd0f4c1bd51d8af7a6491d48bfe2d6 Mon Sep 17 00:00:00 2001
From: Ruben Laban
Date: Fri, 5 May 2023 10:06:38 +0200
Subject: [PATCH 1/5] Grant permissions to sequences as well

---
 roles.tf | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 52 insertions(+), 2 deletions(-)

diff --git a/roles.tf b/roles.tf
index b9da8df..ad84b8b 100644
--- a/roles.tf
+++ b/roles.tf
@@ -75,7 +75,7 @@ resource "postgresql_role" "role_ro" {
   statement_timeout = 0
 }
 
-resource "postgresql_default_privileges" "role_ro" {
+resource "postgresql_default_privileges" "role_ro_table" {
   for_each = {
     for database_writer in local.databases_writers : "${database_writer.database}.${database_writer.role}" => database_writer
   }
@@ -88,6 +88,19 @@ resource "postgresql_default_privileges" "role_ro" {
   privileges = local.privileges_ro
 }
 
+resource "postgresql_default_privileges" "role_ro_sequence" {
+  for_each = {
+    for database_writer in local.databases_writers : "${database_writer.database}.${database_writer.role}" => database_writer
+  }
+
+  role = postgresql_role.role_ro[each.value.database].name
+  database = each.value.database
+  owner = each.value.role
+  schema = "public"
+  object_type = "sequence"
+  privileges = local.privileges_ro
+}
+
 resource "postgresql_grant" "role_ro_table" {
   for_each = local.databases
 
@@ -100,6 +113,18 @@ resource "postgresql_grant" "role_ro_table" {
   with_grant_option = false
 }
 
+resource "postgresql_grant" "role_ro_sequence" {
+  for_each = local.databases
+
+  role = postgresql_role.role_ro[each.value].name
+  database = each.value
+  schema = "public"
+  object_type = "sequence"
+  privileges = local.privileges_ro
+  objects = []
+  with_grant_option = false
+}
+
 resource "postgresql_grant" "role_ro_schema" {
   for_each = local.databases
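Review bot: Renaming `postgresql_default_privileges.role_ro` to `role_ro_table` in the `@@ -75,7 +75,7 @@` hunk (and `role_rw` to `role_rw_table` in the `@@ -133,7 +158,7 @@` hunk) changes the resource address, so Terraform plans a destroy-and-create of the default privileges unless a `moved` block accompanies the rename. The `moved` blocks only arrive in PATCH 2/5, so this commit applied on its own presumably revokes and re-grants the default privileges, and any table created by the owner role between the two applies would be left without the read-only grant. Keeping the `moved` blocks in the same commit as the rename closes that window and keeps the commit applyable in isolation.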
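Review bot: `local.privileges_ro` is reused for `object_type = "sequence"` in the `role_ro_sequence` default-privileges hunk and again in `postgresql_grant.role_ro_sequence`; on a sequence, `SELECT` only permits `currval()`, so the read-only role still cannot call `nextval()`, which needs `USAGE` or `UPDATE`. That is the right least-privilege outcome, but nothing in the file says so, and a shared list invites someone to append `USAGE` later to silence an application error and thereby let the read-only role advance sequences. A comment on the sequence `privileges` line such as `# SELECT on a sequence permits currval() only; USAGE/UPDATE would let this role advance it` would record the intent.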
@@ -133,7 +158,7 @@ resource "postgresql_role" "role_rw" {
   statement_timeout = 0
 }
 
-resource "postgresql_default_privileges" "role_rw" {
+resource "postgresql_default_privileges" "role_rw_table" {
   for_each = {
     for database_writer in local.databases_writers : "${database_writer.database}.${database_writer.role}" => database_writer
   }
@@ -146,6 +171,19 @@ resource "postgresql_default_privileges" "role_rw" {
   privileges = local.privileges_rw
 }
 
+resource "postgresql_default_privileges" "role_rw_sequence" {
+  for_each = {
+    for database_writer in local.databases_writers : "${database_writer.database}.${database_writer.role}" => database_writer
+  }
+
+  role = postgresql_role.role_rw[each.value.database].name
+  database = each.value.database
+  owner = each.value.role
+  schema = "public"
+  object_type = "sequence"
+  privileges = local.privileges_rw
+}
+
 resource "postgresql_grant" "role_rw_table" {
   for_each = local.databases
 
@@ -158,6 +196,18 @@ resource "postgresql_grant" "role_rw_table" {
   with_grant_option = false
 }
 
+resource "postgresql_grant" "role_rw_sequence" {
+  for_each = local.databases
+
+  role = postgresql_role.role_rw[each.value].name
+  database = each.value
+  schema = "public"
+  object_type = "sequence"
+  privileges = local.privileges_rw
+  objects = []
+  with_grant_option = false
+}
+
 resource "postgresql_grant" "role_rw_schema" {
   for_each = local.databases

From 06d24b8fdaca6b8052ff75c14d6b1a5cbb5242ad Mon Sep 17 00:00:00 2001
From: Ruben Laban
Date: Mon, 8 May 2023 09:42:53 +0200
Subject: [PATCH 2/5] Move

---
 roles.tf | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/roles.tf b/roles.tf
index ad84b8b..1342c00 100644
--- a/roles.tf
+++ b/roles.tf
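Review bot: `privileges = local.privileges_rw` on the new `role_rw_sequence` default-privileges resource (and on `postgresql_grant.role_rw_sequence` in the `@@ -158,6 +196,18 @@` hunk) hands the table list — `DELETE`, `INSERT`, `REFERENCES`, `TRIGGER`, `TRUNCATE` — to `object_type = "sequence"`, and PostgreSQL does not accept those privilege types for sequences, so this commit cannot be applied on its own. The series only reaches a valid sequence list in PATCH 5/5 (`SELECT`, `UPDATE`, `USAGE`); PATCH 3/5 and 4/5 still carry invalid entries in `privileges_rw_sequences`. Squashing the five commits, or moving the `locals.tf` change into this one, would keep every commit applyable, which matters when bisecting or reverting a privilege change.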
@@ -218,3 +218,14 @@ resource "postgresql_grant" "role_rw_schema" {
   privileges = ["CREATE", "USAGE"]
   with_grant_option = false
 }
+
+
+moved {
+  from = postgresql_default_privileges.role_ro
+  to = postgresql_default_privileges.role_ro_table
+}
+
+moved {
+  from = postgresql_default_privileges.role_rw
+  to = postgresql_default_privileges.role_rw_table
+}

From f780835b362dcdfe18e321859c001acae951f0e1 Mon Sep 17 00:00:00 2001
From: Ruben Laban
Date: Mon, 8 May 2023 09:50:30 +0200
Subject: [PATCH 3/5] No references for sequences

---
 locals.tf | 10 +++++++++-
 roles.tf | 8 ++++----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/locals.tf b/locals.tf
index 85a5a8c..e161d63 100644
--- a/locals.tf
+++ b/locals.tf
@@ -30,7 +30,7 @@ locals {
   privileges_ro = [
     "SELECT",
   ]
-  privileges_rw = [
+  privileges_rw_tables = [
     "DELETE",
     "INSERT",
     "REFERENCES",
@@ -39,4 +39,12 @@ locals {
     "TRUNCATE",
     "UPDATE",
   ]
+  privileges_rw_sequences = [
+    "DELETE",
+    "INSERT",
+    "SELECT",
+    "TRIGGER",
+    "TRUNCATE",
+    "UPDATE",
+  ]
 }
diff --git a/roles.tf b/roles.tf
index 1342c00..d024be8 100644
--- a/roles.tf
+++ b/roles.tf
@@ -168,7 +168,7 @@ resource "postgresql_default_privileges" "role_rw_table" {
   owner = each.value.role
   schema = "public"
   object_type = "table"
-  privileges = local.privileges_rw
+  privileges = local.privileges_rw_tables
 }
 
 resource "postgresql_default_privileges" "role_rw_sequence" {
@@ -181,7 +181,7 @@ resource "postgresql_default_privileges" "role_rw_sequence" {
   owner = each.value.role
   schema = "public"
   object_type = "sequence"
-  privileges = local.privileges_rw
+  privileges = local.privileges_rw_sequences
 }
 
 resource "postgresql_grant" "role_rw_table" {
@@ -191,7 +191,7 @@ resource "postgresql_grant" "role_rw_table" {
   database = each.value
   schema = "public"
   object_type = "table"
-  privileges = local.privileges_rw
+  privileges = local.privileges_rw_tables
   objects = []
   with_grant_option = false
 }
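Review bot: The two `moved` blocks in the `@@ -218,3 +218,14 @@` hunk carry no explanation, and their `from` addresses no longer exist anywhere in the configuration, so a later reader cannot tell why they are there or when they may be removed. A comment above them, e.g. `# Resource renames from the sequence-privileges change; keep until every state has been applied with these blocks, then remove`, plus a `terraform plan` showing no changes after the rename, would make the intent checkable. The hunk also inserts two blank lines before the first `moved` where the rest of the file separates blocks with one.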
@@ -203,7 +203,7 @@ resource "postgresql_grant" "role_rw_sequence" {
   database = each.value
   schema = "public"
   object_type = "sequence"
-  privileges = local.privileges_rw
+  privileges = local.privileges_rw_sequences
   objects = []
   with_grant_option = false
 }

From 3da07f698b5ad2b5d2c8f98e155fc2f375cd5652 Mon Sep 17 00:00:00 2001
From: Ruben Laban
Date: Mon, 8 May 2023 09:54:52 +0200
Subject: [PATCH 4/5] No truncate for sequences

---
 locals.tf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/locals.tf b/locals.tf
index e161d63..d2c2cc4 100644
--- a/locals.tf
+++ b/locals.tf
@@ -44,7 +44,6 @@ locals {
     "INSERT",
     "SELECT",
     "TRIGGER",
-    "TRUNCATE",
     "UPDATE",
   ]
 }

From 22c7bae02a4753fcef957c38512ab9ea3d35d8d9 Mon Sep 17 00:00:00 2001
From: Ruben Laban
Date: Mon, 8 May 2023 09:56:05 +0200
Subject: [PATCH 5/5] Fix sequence perms

---
 locals.tf | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/locals.tf b/locals.tf
index d2c2cc4..e669524 100644
--- a/locals.tf
+++ b/locals.tf
@@ -40,10 +40,8 @@ locals {
     "UPDATE",
   ]
   privileges_rw_sequences = [
-    "DELETE",
-    "INSERT",
     "SELECT",
-    "TRIGGER",
     "UPDATE",
+    "USAGE",
   ]
 }
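Review bot: The final `privileges_rw_sequences` list in the `@@ -40,10 +40,8 @@` hunk grants `UPDATE` alongside `USAGE`; on a sequence `USAGE` already covers `nextval()` and `currval()`, while `UPDATE` additionally permits `setval()`, i.e. rewinding a sequence and provoking duplicate-key collisions on later inserts. If the writer role only needs to draw new values for `INSERT`s, `USAGE` alone is the narrower grant (`SELECT` adds nothing beyond `currval()`); if `setval()` is genuinely required, for restores or migrations, keep `UPDATE` but say so. Either way a per-entry comment in `locals.tf` — `"SELECT", # currval()`, `"UPDATE", # nextval()/setval()`, `"USAGE", # currval()/nextval()` — would record why each privilege is granted.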