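--- a/locals.tf
+++ b/locals.tf
@@ -30,7 +30,7 @@ locals {
 privileges_ro = [
 "SELECT",
 ]
-privileges_rw = [
+privileges_rw_tables = [
 "DELETE",
 "INSERT",
 "REFERENCES",
@@ -39,4 +39,9 @@ locals {
 "TRUNCATE",
 "UPDATE",
 ]
+privileges_rw_sequences = [
+"SELECT",
+"UPDATE",
+"USAGE",
+]
 }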
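Review bot: The new `privileges_rw_sequences` list grants `UPDATE` on sequences, which in PostgreSQL permits `setval` as well as `nextval`; `USAGE` alone already covers `nextval` and `currval`, which is all an INSERT into a serial or identity column needs. If the writer roles do not need to reset or rewind sequences, the least-privilege list is `privileges_rw_sequences = ["SELECT", "USAGE"]`; if they do, a comment such as `# UPDATE is required for setval() used by <migration tooling>` next to the entry would record why the wider grant is intentional. It is also worth a comment that `privileges_ro` is now shared by the table and sequence grants in roles.tf, so tightening it for one object type changes the other; for sequences `SELECT` only allows `currval`/`lastval`, which is appropriate for a read-only role.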
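--- a/roles.tf
+++ b/roles.tf
@@ -75,7 +75,7 @@ resource "postgresql_role" "role_ro" {
 statement_timeout = 0
 }
 
-resource "postgresql_default_privileges" "role_ro" {
+resource "postgresql_default_privileges" "role_ro_table" {
 for_each = {
 for database_writer in local.databases_writers : "${database_writer.database}.${database_writer.role}" => database_writer
 }
@@ -88,6 +88,19 @@ resource "postgresql_default_privileges" "role_ro" {
 privileges = local.privileges_ro
 }
 
+resource "postgresql_default_privileges" "role_ro_sequence" {
+for_each = {
+for database_writer in local.databases_writers : "${database_writer.database}.${database_writer.role}" => database_writer
+}
+
+role = postgresql_role.role_ro[each.value.database].name
+database = each.value.database
+owner = each.value.role
+schema = "public"
+object_type = "sequence"
+privileges = local.privileges_ro
+}
+
 resource "postgresql_grant" "role_ro_table" {
 for_each = local.databases
 
@@ -100,6 +113,18 @@ resource "postgresql_grant" "role_ro_table" {
 with_grant_option = false
 }
 
+resource "postgresql_grant" "role_ro_sequence" {
+for_each = local.databases
+
+role = postgresql_role.role_ro[each.value].name
+database = each.value
+schema = "public"
+object_type = "sequence"
+privileges = local.privileges_ro
+objects = []
+with_grant_option = false
+}
+
 resource "postgresql_grant" "role_ro_schema" {
 for_each = local.databases
 
@@ -133,7 +158,7 @@ resource "postgresql_role" "role_rw" {
 statement_timeout = 0
 }
 
-resource "postgresql_default_privileges" "role_rw" {
+resource "postgresql_default_privileges" "role_rw_table" {
 for_each = {
 for database_writer in local.databases_writers : "${database_writer.database}.${database_writer.role}" => database_writer
 }
@@ -143,7 +168,20 @@ resource "postgresql_default_privileges" "role_rw" {
 owner = each.value.role
 schema = "public"
 object_type = "table"
-privileges = local.privileges_rw
+privileges = local.privileges_rw_tables
 }
 
+resource "postgresql_default_privileges" "role_rw_sequence" {
+for_each = {
+for database_writer in local.databases_writers : "${database_writer.database}.${database_writer.role}" => database_writer
+}
+
+role = postgresql_role.role_rw[each.value.database].name
+database = each.value.database
+owner = each.value.role
+schema = "public"
+object_type = "sequence"
+privileges = local.privileges_rw_sequences
+}
+
 resource "postgresql_grant" "role_rw_table" {
@@ -153,7 +191,19 @@ resource "postgresql_grant" "role_rw_table" {
 database = each.value
 schema = "public"
 object_type = "table"
-privileges = local.privileges_rw
+privileges = local.privileges_rw_tables
 objects = []
 with_grant_option = false
 }
 
+resource "postgresql_grant" "role_rw_sequence" {
+for_each = local.databases
+
+role = postgresql_role.role_rw[each.value].name
+database = each.value
+schema = "public"
+object_type = "sequence"
+privileges = local.privileges_rw_sequences
+objects = []
+with_grant_option = false
+}
@@ -168,3 +218,14 @@ resource "postgresql_grant" "role_rw_schema" {
 privileges = ["CREATE", "USAGE"]
 with_grant_option = false
 }
+
+
+moved {
+from = postgresql_default_privileges.role_ro
+to = postgresql_default_privileges.role_ro_table
+}
+
+moved {
+from = postgresql_default_privileges.role_rw
+to = postgresql_default_privileges.role_rw_table
+}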
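Review bot: The `for_each` map expression keyed on `"${database_writer.database}.${database_writer.role}"` is now written out four times in this file (the two renamed `*_table` default-privilege resources and the two new `*_sequence` ones), so a future change to the key format or the writer set has to be applied in four places. Hoisting it once into locals as `databases_writers_by_key = { for w in local.databases_writers : "${w.database}.${w.role}" => w }` and using `for_each = local.databases_writers_by_key` in each resource keeps the four resources in lockstep without changing any resource address, so no further `moved` blocks are needed. The `postgresql_grant` resources for sequences use `objects = []`, which applies the grant to every sequence in `public`; a one-line comment like `# objects = [] applies to all sequences in the schema` on each would make that intent explicit. Minor style point: the two blank lines before the first `moved` block at the end of the file are one more than the rest of the file uses and will likely be collapsed by `terraform fmt`.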