digitalocean_database_cluster password is always empty #1165
Comments
Hi @razum90, Thanks for raising this issue! Though I haven't been able to reproduce it myself. I am able to create a PostgreSQL cluster and retrieve the password for the
And using your more complex example above failed with an error when the local-exec provisioner runs, but the password for the
There is one case where it is possible a PostgreSQL cluster will not return the password, when you use a read only API token. We should protect against overwriting a password if someone switches to a read-only token post-create. Are you using a read-only token? Any additional details that might help us get to the bottom of this?
Hi @andrewsomething! I removed the

```hcl
terraform {
  required_providers {
    digitalocean = {
      source = "digitalocean/digitalocean"
      version = "~> 2.38.0"
    }
    null = {
      source = "hashicorp/null"
      version = "~> 3.1.0"
    }
  }
}

provider "digitalocean" {
  token = var.do_token
}

variable "do_token" {}

variable "region" {
  description = "DO region"
  type = string
  default = "fra1"
}

variable "services_names" {
  description = "Name of the services you want to create"
  type = object({
    web = string
    api = string
  })
  default = {
    "web" = "web"
    "api" = "api"
  }
}

variable "app_name" {
  description = "Name of the app"
  type = string
  default = "your-app-name"
}

variable "environments" {
  description = "Map of environment names and their attributes"
  type = map(any)
  default = {
    "prod" = {
      "domain" : "your-domain.com",
      "db" : {
        "production" : true,
        "size" : "db-s-1vcpu-1gb",
        "node_count" : 1,
      },
      "api" : {
        "instance_count" : 1,
        "size_slug" : "apps-s-1vcpu-0.5gb",
        "port" : 80
      },
      "web" : {
        "instance_count" : 1,
        "size_slug" : "basic-xxs",
        "port" : 80
      }
    }
  }
}

resource "digitalocean_database_cluster" "db-cluster" {
  for_each = var.environments
  name = "${each.key}-cluster"
  engine = "pg"
  version = "15"
  size = var.environments[each.key].db.size
  region = var.region
  node_count = var.environments[each.key].db.node_count
}

resource "digitalocean_database_db" "api-db" {
  for_each = var.environments
  cluster_id = digitalocean_database_cluster.db-cluster[each.key].id
  name = "${var.services_names.api}-db"
}

resource "digitalocean_database_firewall" "db-cluster-fw" {
  for_each = var.environments
  cluster_id = digitalocean_database_cluster.db-cluster[each.key].id
  rule {
    type = "app"
    value = digitalocean_app.do-app[each.key].id
  }
}

resource "digitalocean_app" "do-app" {
  for_each = var.environments
  lifecycle {
    ignore_changes = [
      spec.0.features,
      spec.0.region,
      spec.0.service.0.image,
      spec.0.service.1.image
    ]
  }
  spec {
    name = "${var.app_name}-${each.key}"
    region = var.region
    domain {
      name = var.environments[each.key].domain
    }
    alert {
      rule = "DEPLOYMENT_FAILED"
    }
    service {
      name = var.services_names.api
      instance_count = var.environments[each.key].api.instance_count
      instance_size_slug = var.environments[each.key].api.size_slug
      image {
        registry_type = "DOCKER_HUB"
        repository = "nginx"
        tag = "latest"
      }
      http_port = var.environments[each.key].api.port
      env {
        key = "DB_PASSWORD"
        value = digitalocean_database_cluster.db-cluster[each.key].password
      }
      env {
        key = "DB_HOST"
        value = digitalocean_database_cluster.db-cluster[each.key].private_host
      }
      env {
        key = "DB_PORT"
        value = digitalocean_database_cluster.db-cluster[each.key].port
      }
      env {
        key = "DB_NAME"
        value = digitalocean_database_db.api-db[each.key].name
      }
      env {
        key = "DB_USER"
        value = digitalocean_database_cluster.db-cluster[each.key].user
      }
    }
    service {
      name = var.services_names.web
      instance_count = var.environments[each.key].web.instance_count
      instance_size_slug = var.environments[each.key].web.size_slug
      image {
        registry_type = "DOCKER_HUB"
        repository = "nginx"
        tag = "latest"
      }
      http_port = var.environments[each.key].web.port
    }
    database {
      name = digitalocean_database_db.api-db[each.key].name
      db_name = digitalocean_database_db.api-db[each.key].name
      cluster_name = digitalocean_database_cluster.db-cluster[each.key].name
      production = var.environments[each.key].db.production
    }
    ingress {
      rule {
        component {
          name = var.services_names.api
        }
        match {
          path {
            prefix = "/api"
          }
        }
      }
      rule {
        component {
          name = var.services_names.web
        }
        match {
          path {
            prefix = "/"
          }
        }
      }
    }
  }
}
```

And I am getting an empty value as the
Are you sure that in your case the
I don't switch any tokens, I use the same one for tf. And since that's able to create I guess it's not read-only. Attaching the permissions it has:
BR
I tried your simple example and I still get this issue. Full gist here: https://gist.github.com/razum90/ff4438ec7e50c7b0c0fe898d30e3e254
Thanks for the follow up @razum90! I can reproduce the issue now. The difference was using a custom scoped token vs a "full access" one. I've raised this internally as if that is the expected behavior, it needs to be documented. It also impacts other database engines, not just PostgreSQL. So my suggestion on your PR around removing the special casing for specific engines still stands. Let me know if you can make that change. If not, I can whip up a PR.
Ah okay interesting. Sure I will do that this evening (I'm in the CEST timezone FYI)
Bug Report
Describe the bug
When creating a digitalocean_database_cluster resource, the password attribute for the admin user (doadmin) is always returned as empty.
Affected Resource(s)
Expected Behavior
I expect the password attribute to return the actual value.
Actual Behavior
It is not returning the password.
Steps to Reproduce
terraform apply
Terraform Configuration Files
Terraform version
1.8.4
Debug Output
https://gist.github.com/razum90/780047c0f021b02832b8a67e6be84490
Additional context
I have also tried to save `digitalocean_database_cluster.db-cluster[each.key].password` as an env variable to my service, and it shows empty there too.
Important Factoids
It seems like the initial call `POST /v2/databases` returns the password. But the subsequent `GET /v2/databases/{id}` does not. I guess the GET call is used for some sort of polling. I suppose it would be an issue in case the response of the GET request is used to build the output of the `digitalocean_database_cluster` resource.
BR
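The sequence reported in this thread (the create response carries the password, a later GET made with a custom scoped token does not) together with the guard suggested in the comments against overwriting a stored password, as an added Go example that is not the provider's own code. The `cluster` type, the function names, the error text and the JSON bodies are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// cluster holds only the fields this example needs (hypothetical, not the provider's struct).
type cluster struct {
	ID       string `json:"id"`
	Password string `json:"password"`
}

// Constructed sample bodies: create discloses the password, the scoped-token read omits it.
const (
	createBody = `{"id":"db-123","user":"doadmin","password":"constructed-pw"}`
	readBody   = `{"id":"db-123","user":"doadmin"}`
)

var errNoPassword = errors.New("no password from API and none in state; check the token's scopes")

// mergePassword returns the password to store after decoding an API response.
func mergePassword(stored string, body []byte) (string, error) {
	var c cluster
	if err := json.Unmarshal(body, &c); err != nil {
		return stored, fmt.Errorf("decode cluster: %w", err)
	}
	switch {
	case c.Password != "":
		return c.Password, nil // disclosed: take the fresh value
	case stored != "":
		return stored, nil // not disclosed: keep what create stored
	default:
		return "", errNoPassword // nothing to keep: fail loudly, never store ""
	}
}

func createThenRefresh() (string, error) {
	pw, err := mergePassword("", []byte(createBody))
	if err != nil {
		return "", err
	}
	return mergePassword(pw, []byte(readBody))
}

func main() {
	pw, err := createThenRefresh()
	fmt.Printf("password kept: %t, err: %v\n", pw != "", err)
}
```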