Set Computed: true for roles attribute on postgresql_role #88

Closed
lawliet89 opened this issue May 12, 2021 · 6 comments · Fixed by #151

lawliet89 commented May 12, 2021

Hi there,

Thank you for opening an issue. Please provide the following information:

Terraform Version

Run terraform -v to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.

Terraform v0.14.10
+ provider registry.terraform.io/cyrilgdn/postgresql v1.12.1
+ provider registry.terraform.io/hashicorp/aws v3.39.0

Affected Resource(s)

Please list the resources as a list, for example:

  • postgresql_role
  • postgresql_grant_role

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "postgresql_role" "db" {
  name = var.db_role

  lifecycle {
    ignore_changes = [
      roles,
    ]
  }
}

# Elsewhere
resource "postgresql_grant_role" "iam_auth" {
  role = var.db_role
  grant_role = "rds_iam"
}

I would like to be able to manage the role and the grants together in Terraform. The documentation for postgresql_grant_role says that it should not be used with postgresql_role because it will lead to a perpetual diff. I believe this can be resolved if you set the roles attribute in postgresql_role to have Computed: true. If the attribute is not set, it will simply read whatever is returned from the database, and I can do away with the ignore_changes.

@cyrilgdn
Owner

Hi,

Thanks for opening this issue, I get your point but I need to think about it as it will change the postgresql_role behavior.
Currently if roles is not provided, it means no granted roles. With computed set to true, it'd mean granted roles are not managed.

@cyrilgdn cyrilgdn self-assigned this May 21, 2021
@lawliet89
Author

That's true. I wonder if we can look to resources like aws_security_group and aws_security_group_rule and see how they handle this kind of situation.

@cyrilgdn
Owner

> I wonder if we can look to resources like aws_security_group and aws_security_group_rule and see how they handle this kind of situation.

@lawliet89 Like most of the time when 2 resources can modify the same underlying objects, it's marked as conflicting resources:

> Terraform currently provides both a standalone Security Group Rule resource (a single ingress or egress rule), and a Security Group resource with ingress and egress rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group

I'd be in favor of keeping it like this. It makes it more clear with the ignore_changes that this postgresql_role resource does not manage the roles.

@lawliet89
Author

Sure. I guess the difference with the security group rule resources is that having no rules in aws_security_group does not mean no rules (because most of the time you want rules with a security group) whereas in this case, [] has an actual meaning.

Maybe the solution is to just do nothing and get the user to use ignore_changes.

@cyrilgdn
Owner

> Maybe the solution is to just do nothing and get the user to use ignore_changes.

I think so yes, I'll just explain this ignore_changes possibility in the postgresql_grant_role documentation and close this issue when it's done if you're ok.

@lawliet89
Author

Sure. Thanks for the explanation.
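
The difference discussed in this thread, as an added Go sketch that is not the provider's code: a simplified model of what Terraform plans for an omitted `roles` attribute under the current schema, with `ignore_changes`, and with the proposed `Computed: true`. The function names and the state contents (including the out-of-band `rds_superuser` grant) are constructed for illustration.

```go
package main

import "fmt"

// plan models (in simplified form) the value Terraform plans for `roles`.
// config == nil means the attribute is omitted from the configuration.
func plan(computed, ignoreChanges bool, config, state []string) []string {
	if ignoreChanges {
		return state // lifecycle.ignore_changes: keep whatever Read stored
	}
	if config == nil {
		if computed {
			return state // omitted + Computed: accept the database's value
		}
		return []string{} // omitted, not Computed: "no granted roles"
	}
	return config // explicit list is authoritative
}

// revoked lists the memberships the plan would remove from the database.
func revoked(state, planned []string) []string {
	keep := map[string]bool{}
	for _, r := range planned {
		keep[r] = true
	}
	out := []string{}
	for _, r := range state {
		if !keep[r] {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	// Constructed state: rds_iam comes from postgresql_grant_role,
	// rds_superuser was granted by hand outside Terraform.
	state := []string{"rds_iam", "rds_superuser"}
	fmt.Println("current schema, roles omitted:", revoked(state, plan(false, false, nil, state)))
	fmt.Println("current schema, ignore_changes:", revoked(state, plan(false, true, nil, state)))
	fmt.Println("Computed: true, roles omitted:", revoked(state, plan(true, false, nil, state)))
	fmt.Println("roles = [\"rds_iam\"] inline:", revoked(state, plan(false, false, []string{"rds_iam"}, state)))
}
```

With either `ignore_changes` or `Computed: true` the plan is empty, so a membership granted outside Terraform is not reported by `postgresql_role`; only an authoritative `roles` list surfaces it.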
