postgresql_default_privileges and postgresql_grant

[johnB96]

We noticed a similar issue that's described in this SO post https://stackoverflow.com/questions/22684255/grant-privileges-on-future-tables-in-postgresql

Basically, existing privileges granted by postgresql_grant resource work but if a new table is added, then the role has no privileges on that new table. As suggested by that SO post, you need to change the default privileges to pick those up automatically, and the postgresql_default_privileges seems to handle that. However, have both seems a little redundant and confusing because depending on when the resource was applied, that role will get it's privileges from postgresql_grant instead of postgresql_default_privileges. It also seems that postgresql_grant needs to exist regardless.

Is there a technique to manage these privileges with a single resource? Are we using these correctly or am I missing something?

[cyrilgdn]

Hello,

postgresql_grant needs to exist only if you want to be always sure that existing tables has the right privileges.

If you define the postgresql_default_privileges at database creation, all the created tables after that will have the required permissions, as soon as nobody can/will manually change them. If some tables exist when defining postgresql_default_privileges but you want to avoid having postgresql_grant resource, you could also manually fixed permissions of existing tables.

However, in my team we defined both in a Terraform module (that manages a whole database) so we are sure that potential manual modifications will be fixed in next Terraform apply and that all the tables have expected permissions.

The provider could technically provide a resource to do both but I feel like it will be too much code complexity for a little reward
(it's not that painful to defined both resource, especially with a module).