2015-10-27 11:04:19 +01:00
|
|
|
package postgresql
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"database/sql"
|
|
|
|
|
"fmt"
|
2016-11-06 22:16:12 +01:00
|
|
|
"log"
|
|
|
|
|
"strconv"
|
|
|
|
|
"strings"
|
2015-10-27 11:04:19 +01:00
|
|
|
|
2016-09-05 23:46:40 +02:00
|
|
|
"github.com/hashicorp/errwrap"
|
2015-10-27 11:04:19 +01:00
|
|
|
"github.com/hashicorp/terraform/helper/schema"
|
|
|
|
|
"github.com/lib/pq"
|
|
|
|
|
)
|
|
|
|
|
|
2016-11-06 22:16:12 +01:00
|
|
|
const (
|
|
|
|
|
roleBypassRLSAttr = "bypass_row_level_security"
|
|
|
|
|
roleConnLimitAttr = "connection_limit"
|
|
|
|
|
roleCreateDBAttr = "create_database"
|
|
|
|
|
roleCreateRoleAttr = "create_role"
|
|
|
|
|
roleEncryptedPassAttr = "encrypted_password"
|
|
|
|
|
roleInheritAttr = "inherit"
|
|
|
|
|
roleLoginAttr = "login"
|
|
|
|
|
roleNameAttr = "name"
|
|
|
|
|
rolePasswordAttr = "password"
|
|
|
|
|
roleReplicationAttr = "replication"
|
2016-12-12 10:07:26 +01:00
|
|
|
roleSuperuserAttr = "superuser"
|
2016-11-06 22:16:12 +01:00
|
|
|
roleValidUntilAttr = "valid_until"
|
|
|
|
|
|
|
|
|
|
// Deprecated options
|
|
|
|
|
roleDepEncryptedAttr = "encrypted"
|
|
|
|
|
)
|
|
|
|
|
|
2016-09-06 00:04:48 +02:00
|
|
|
func resourcePostgreSQLRole() *schema.Resource {
|
2015-10-27 11:04:19 +01:00
|
|
|
return &schema.Resource{
|
2016-09-06 00:04:48 +02:00
|
|
|
Create: resourcePostgreSQLRoleCreate,
|
|
|
|
|
Read: resourcePostgreSQLRoleRead,
|
|
|
|
|
Update: resourcePostgreSQLRoleUpdate,
|
|
|
|
|
Delete: resourcePostgreSQLRoleDelete,
|
2016-11-06 22:16:12 +01:00
|
|
|
Importer: &schema.ResourceImporter{
|
|
|
|
|
State: schema.ImportStatePassthrough,
|
|
|
|
|
},
|
2015-10-27 11:04:19 +01:00
|
|
|
|
|
|
|
|
Schema: map[string]*schema.Schema{
|
2016-11-06 22:16:12 +01:00
|
|
|
roleNameAttr: {
|
|
|
|
|
Type: schema.TypeString,
|
|
|
|
|
Required: true,
|
|
|
|
|
Description: "The name of the role",
|
|
|
|
|
},
|
|
|
|
|
rolePasswordAttr: {
|
|
|
|
|
Type: schema.TypeString,
|
|
|
|
|
Optional: true,
|
|
|
|
|
Computed: true,
|
|
|
|
|
Sensitive: true,
|
|
|
|
|
DefaultFunc: schema.EnvDefaultFunc("PGPASSWORD", nil),
|
|
|
|
|
Description: "Sets the role's password",
|
|
|
|
|
},
|
|
|
|
|
roleDepEncryptedAttr: {
|
|
|
|
|
Type: schema.TypeString,
|
|
|
|
|
Optional: true,
|
|
|
|
|
Deprecated: fmt.Sprintf("Rename PostgreSQL role resource attribute %q to %q", roleDepEncryptedAttr, roleEncryptedPassAttr),
|
|
|
|
|
},
|
|
|
|
|
roleEncryptedPassAttr: {
|
|
|
|
|
Type: schema.TypeBool,
|
|
|
|
|
Optional: true,
|
|
|
|
|
Default: true,
|
|
|
|
|
Description: "Control whether the password is stored encrypted in the system catalogs",
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
roleValidUntilAttr: {
|
|
|
|
|
Type: schema.TypeString,
|
|
|
|
|
Optional: true,
|
|
|
|
|
Description: "Sets a date and time after which the role's password is no longer valid",
|
|
|
|
|
},
|
|
|
|
|
roleConnLimitAttr: {
|
|
|
|
|
Type: schema.TypeInt,
|
|
|
|
|
Optional: true,
|
|
|
|
|
Computed: true,
|
|
|
|
|
Description: "How many concurrent connections can be made with this role",
|
|
|
|
|
ValidateFunc: validateConnLimit,
|
2015-10-27 11:04:19 +01:00
|
|
|
},
|
2016-12-12 10:07:26 +01:00
|
|
|
roleSuperuserAttr: {
|
2016-11-06 22:16:12 +01:00
|
|
|
Type: schema.TypeBool,
|
|
|
|
|
Optional: true,
|
|
|
|
|
Default: false,
|
|
|
|
|
Description: `Determine whether the new role is a "superuser"`,
|
2015-10-27 11:04:19 +01:00
|
|
|
},
|
2016-11-06 22:16:12 +01:00
|
|
|
roleCreateDBAttr: {
|
|
|
|
|
Type: schema.TypeBool,
|
|
|
|
|
Optional: true,
|
|
|
|
|
Default: false,
|
|
|
|
|
Description: "Define a role's ability to create databases",
|
2015-10-27 11:04:19 +01:00
|
|
|
},
|
2016-11-06 22:16:12 +01:00
|
|
|
roleCreateRoleAttr: {
|
|
|
|
|
Type: schema.TypeBool,
|
|
|
|
|
Optional: true,
|
|
|
|
|
Default: false,
|
|
|
|
|
Description: "Determine whether this role will be permitted to create new roles",
|
|
|
|
|
},
|
|
|
|
|
roleInheritAttr: {
|
|
|
|
|
Type: schema.TypeBool,
|
|
|
|
|
Optional: true,
|
|
|
|
|
Default: false,
|
|
|
|
|
Description: `Determine whether a role "inherits" the privileges of roles it is a member of`,
|
|
|
|
|
},
|
|
|
|
|
roleLoginAttr: {
|
|
|
|
|
Type: schema.TypeBool,
|
|
|
|
|
Optional: true,
|
|
|
|
|
Default: false,
|
|
|
|
|
Description: "Determine whether a role is allowed to log in",
|
|
|
|
|
},
|
|
|
|
|
roleReplicationAttr: {
|
|
|
|
|
Type: schema.TypeBool,
|
|
|
|
|
Optional: true,
|
|
|
|
|
Default: false,
|
|
|
|
|
Description: "Determine whether a role is allowed to initiate streaming replication or put the system in and out of backup mode",
|
|
|
|
|
},
|
|
|
|
|
roleBypassRLSAttr: {
|
|
|
|
|
Type: schema.TypeBool,
|
|
|
|
|
Optional: true,
|
|
|
|
|
Default: false,
|
|
|
|
|
Description: "Determine whether a role bypasses every row-level security (RLS) policy",
|
2015-10-27 11:04:19 +01:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-06 00:04:48 +02:00
|
|
|
func resourcePostgreSQLRoleCreate(d *schema.ResourceData, meta interface{}) error {
|
2016-11-06 22:16:12 +01:00
|
|
|
c := meta.(*Client)
|
|
|
|
|
conn, err := c.Connect()
|
2015-10-27 11:04:19 +01:00
|
|
|
if err != nil {
|
2016-11-06 22:16:12 +01:00
|
|
|
return errwrap.Wrapf("Error connecting to PostgreSQL: {{err}}", err)
|
2015-10-27 11:04:19 +01:00
|
|
|
}
|
|
|
|
|
defer conn.Close()
|
|
|
|
|
|
2016-11-06 22:16:12 +01:00
|
|
|
stringOpts := []struct {
|
|
|
|
|
hclKey string
|
|
|
|
|
sqlKey string
|
|
|
|
|
}{
|
|
|
|
|
{rolePasswordAttr, "PASSWORD"},
|
|
|
|
|
{roleValidUntilAttr, "VALID UNTIL"},
|
|
|
|
|
}
|
|
|
|
|
intOpts := []struct {
|
|
|
|
|
hclKey string
|
|
|
|
|
sqlKey string
|
|
|
|
|
}{
|
|
|
|
|
{roleConnLimitAttr, "CONNECTION LIMIT"},
|
|
|
|
|
}
|
|
|
|
|
boolOpts := []struct {
|
|
|
|
|
hclKey string
|
|
|
|
|
sqlKeyEnable string
|
|
|
|
|
sqlKeyDisable string
|
|
|
|
|
}{
|
2016-12-12 10:07:26 +01:00
|
|
|
{roleSuperuserAttr, "CREATEDB", "NOCREATEDB"},
|
2016-11-06 22:16:12 +01:00
|
|
|
{roleCreateRoleAttr, "CREATEROLE", "NOCREATEROLE"},
|
|
|
|
|
{roleInheritAttr, "INHERIT", "NOINHERIT"},
|
|
|
|
|
{roleLoginAttr, "LOGIN", "NOLOGIN"},
|
|
|
|
|
{roleReplicationAttr, "REPLICATION", "NOREPLICATION"},
|
|
|
|
|
{roleBypassRLSAttr, "BYPASSRLS", "NOBYPASSRLS"},
|
|
|
|
|
|
|
|
|
|
// roleEncryptedPassAttr is used only when rolePasswordAttr is set.
|
|
|
|
|
// {roleEncryptedPassAttr, "ENCRYPTED", "UNENCRYPTED"},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
createOpts := make([]string, 0, len(stringOpts)+len(intOpts)+len(boolOpts))
|
|
|
|
|
|
|
|
|
|
for _, opt := range stringOpts {
|
|
|
|
|
v, ok := d.GetOk(opt.hclKey)
|
|
|
|
|
if !ok {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
val := v.(string)
|
|
|
|
|
if val != "" {
|
|
|
|
|
switch {
|
|
|
|
|
case opt.hclKey == rolePasswordAttr:
|
|
|
|
|
if strings.ToUpper(v.(string)) == "NULL" {
|
|
|
|
|
createOpts = append(createOpts, "PASSWORD NULL")
|
|
|
|
|
} else {
|
|
|
|
|
if d.Get(roleEncryptedPassAttr).(bool) {
|
|
|
|
|
createOpts = append(createOpts, "ENCRYPTED")
|
|
|
|
|
} else {
|
|
|
|
|
createOpts = append(createOpts, "UNENCRYPTED")
|
|
|
|
|
}
|
|
|
|
|
escapedPassword := strconv.Quote(val)
|
|
|
|
|
escapedPassword = strings.TrimLeft(escapedPassword, `"`)
|
|
|
|
|
escapedPassword = strings.TrimRight(escapedPassword, `"`)
|
|
|
|
|
createOpts = append(createOpts, fmt.Sprintf("%s '%s'", opt.sqlKey, escapedPassword))
|
|
|
|
|
}
|
|
|
|
|
case opt.hclKey == roleValidUntilAttr:
|
|
|
|
|
switch {
|
|
|
|
|
case v.(string) == "", strings.ToUpper(v.(string)) == "NULL":
|
|
|
|
|
createOpts = append(createOpts, fmt.Sprintf("%s %s", opt.sqlKey, "'infinity'"))
|
|
|
|
|
default:
|
|
|
|
|
createOpts = append(createOpts, fmt.Sprintf("%s %s", opt.sqlKey, pq.QuoteIdentifier(val)))
|
|
|
|
|
}
|
|
|
|
|
default:
|
|
|
|
|
createOpts = append(createOpts, fmt.Sprintf("%s %s", opt.sqlKey, pq.QuoteIdentifier(val)))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, opt := range intOpts {
|
|
|
|
|
val := d.Get(opt.hclKey).(int)
|
|
|
|
|
createOpts = append(createOpts, fmt.Sprintf("%s %d", opt.sqlKey, val))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, opt := range boolOpts {
|
|
|
|
|
if opt.hclKey == roleEncryptedPassAttr {
|
|
|
|
|
// This attribute is handled above in the stringOpts
|
|
|
|
|
// loop.
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
val := d.Get(opt.hclKey).(bool)
|
2015-10-27 11:04:19 +01:00
|
|
|
|
2016-11-06 22:16:12 +01:00
|
|
|
valStr := opt.sqlKeyDisable
|
|
|
|
|
if val {
|
|
|
|
|
valStr = opt.sqlKeyEnable
|
|
|
|
|
}
|
|
|
|
|
createOpts = append(createOpts, valStr)
|
|
|
|
|
}
|
2015-10-27 11:04:19 +01:00
|
|
|
|
2016-11-06 22:16:12 +01:00
|
|
|
roleName := d.Get(roleNameAttr).(string)
|
|
|
|
|
createStr := strings.Join(createOpts, " ")
|
|
|
|
|
if len(createOpts) > 0 {
|
|
|
|
|
createStr = " WITH " + createStr
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
query := fmt.Sprintf("CREATE ROLE %s%s", pq.QuoteIdentifier(roleName), createStr)
|
2015-10-27 11:04:19 +01:00
|
|
|
_, err = conn.Query(query)
|
|
|
|
|
if err != nil {
|
2016-11-06 22:16:12 +01:00
|
|
|
return errwrap.Wrapf(fmt.Sprintf("Error creating role %s: {{err}}", roleName), err)
|
2015-10-27 11:04:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
d.SetId(roleName)
|
|
|
|
|
|
2016-09-06 00:04:48 +02:00
|
|
|
return resourcePostgreSQLRoleRead(d, meta)
|
2015-10-27 11:04:19 +01:00
|
|
|
}
|
|
|
|
|
|
2016-09-06 00:04:48 +02:00
|
|
|
func resourcePostgreSQLRoleDelete(d *schema.ResourceData, meta interface{}) error {
|
2015-10-27 11:04:19 +01:00
|
|
|
client := meta.(*Client)
|
|
|
|
|
conn, err := client.Connect()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
defer conn.Close()
|
|
|
|
|
|
2016-11-06 22:16:12 +01:00
|
|
|
roleName := d.Get(roleNameAttr).(string)
|
2015-10-27 11:04:19 +01:00
|
|
|
|
|
|
|
|
query := fmt.Sprintf("DROP ROLE %s", pq.QuoteIdentifier(roleName))
|
|
|
|
|
_, err = conn.Query(query)
|
|
|
|
|
if err != nil {
|
2016-09-05 23:46:40 +02:00
|
|
|
return errwrap.Wrapf("Error deleting role: {{err}}", err)
|
2015-10-27 11:04:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
d.SetId("")
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-06 00:04:48 +02:00
|
|
|
func resourcePostgreSQLRoleRead(d *schema.ResourceData, meta interface{}) error {
|
2016-11-06 22:16:12 +01:00
|
|
|
c := meta.(*Client)
|
|
|
|
|
conn, err := c.Connect()
|
2015-10-27 11:04:19 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
defer conn.Close()
|
|
|
|
|
|
2016-11-06 22:16:12 +01:00
|
|
|
roleName := d.Get(roleNameAttr).(string)
|
|
|
|
|
if roleName == "" {
|
|
|
|
|
roleName = d.Id()
|
|
|
|
|
}
|
2015-10-27 11:04:19 +01:00
|
|
|
|
2016-11-06 22:16:12 +01:00
|
|
|
var roleCanLogin bool
|
|
|
|
|
err = conn.QueryRow("SELECT rolcanlogin FROM pg_roles WHERE rolname=$1", roleName).Scan(&roleCanLogin)
|
2015-10-27 11:04:19 +01:00
|
|
|
switch {
|
|
|
|
|
case err == sql.ErrNoRows:
|
2016-11-06 22:16:12 +01:00
|
|
|
log.Printf("[WARN] PostgreSQL database (%s) not found", d.Id())
|
2015-10-27 11:04:19 +01:00
|
|
|
d.SetId("")
|
|
|
|
|
return nil
|
|
|
|
|
case err != nil:
|
2016-09-05 23:46:40 +02:00
|
|
|
return errwrap.Wrapf("Error reading role: {{err}}", err)
|
2015-10-27 11:04:19 +01:00
|
|
|
default:
|
2016-11-06 22:16:12 +01:00
|
|
|
d.Set(roleNameAttr, roleName)
|
|
|
|
|
d.Set(roleLoginAttr, roleCanLogin)
|
|
|
|
|
d.Set("encrypted", true)
|
|
|
|
|
d.SetId(roleName)
|
2015-10-27 11:04:19 +01:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-06 00:04:48 +02:00
|
|
|
func resourcePostgreSQLRoleUpdate(d *schema.ResourceData, meta interface{}) error {
|
2015-10-27 11:04:19 +01:00
|
|
|
client := meta.(*Client)
|
|
|
|
|
conn, err := client.Connect()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
defer conn.Close()
|
|
|
|
|
|
|
|
|
|
d.Partial(true)
|
|
|
|
|
|
2016-11-06 22:16:12 +01:00
|
|
|
roleName := d.Get(roleNameAttr).(string)
|
2015-10-27 11:04:19 +01:00
|
|
|
|
2016-11-06 22:16:12 +01:00
|
|
|
if d.HasChange(roleLoginAttr) {
|
|
|
|
|
loginAttr := getLoginStr(d.Get(roleLoginAttr).(bool))
|
2015-10-27 11:04:19 +01:00
|
|
|
query := fmt.Sprintf("ALTER ROLE %s %s", pq.QuoteIdentifier(roleName), pq.QuoteIdentifier(loginAttr))
|
|
|
|
|
_, err := conn.Query(query)
|
|
|
|
|
if err != nil {
|
2016-09-05 23:46:40 +02:00
|
|
|
return errwrap.Wrapf("Error updating login attribute for role: {{err}}", err)
|
2015-10-27 11:04:19 +01:00
|
|
|
}
|
|
|
|
|
|
2016-11-06 22:16:12 +01:00
|
|
|
d.SetPartial(roleLoginAttr)
|
2015-10-27 11:04:19 +01:00
|
|
|
}
|
|
|
|
|
|
2016-11-06 22:16:12 +01:00
|
|
|
password := d.Get(rolePasswordAttr).(string)
|
|
|
|
|
if d.HasChange(rolePasswordAttr) {
|
2015-10-27 11:04:19 +01:00
|
|
|
encryptedCfg := getEncryptedStr(d.Get("encrypted").(bool))
|
|
|
|
|
|
|
|
|
|
query := fmt.Sprintf("ALTER ROLE %s %s PASSWORD '%s'", pq.QuoteIdentifier(roleName), encryptedCfg, password)
|
|
|
|
|
_, err := conn.Query(query)
|
|
|
|
|
if err != nil {
|
2016-09-05 23:46:40 +02:00
|
|
|
return errwrap.Wrapf("Error updating password attribute for role: {{err}}", err)
|
2015-10-27 11:04:19 +01:00
|
|
|
}
|
|
|
|
|
|
2016-11-06 22:16:12 +01:00
|
|
|
d.SetPartial(rolePasswordAttr)
|
2015-10-27 11:04:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if d.HasChange("encrypted") {
|
|
|
|
|
encryptedCfg := getEncryptedStr(d.Get("encrypted").(bool))
|
|
|
|
|
|
|
|
|
|
query := fmt.Sprintf("ALTER ROLE %s %s PASSWORD '%s'", pq.QuoteIdentifier(roleName), encryptedCfg, password)
|
|
|
|
|
_, err := conn.Query(query)
|
|
|
|
|
if err != nil {
|
2016-09-05 23:46:40 +02:00
|
|
|
return errwrap.Wrapf("Error updating encrypted attribute for role: {{err}}", err)
|
2015-10-27 11:04:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
d.SetPartial("encrypted")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
d.Partial(false)
|
2016-09-06 00:04:48 +02:00
|
|
|
return resourcePostgreSQLRoleRead(d, meta)
|
2015-10-27 11:04:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func getLoginStr(canLogin bool) string {
|
|
|
|
|
if canLogin {
|
|
|
|
|
return "login"
|
|
|
|
|
}
|
|
|
|
|
return "nologin"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func getEncryptedStr(isEncrypted bool) string {
|
|
|
|
|
if isEncrypted {
|
|
|
|
|
return "encrypted"
|
|
|
|
|
}
|
|
|
|
|
return "unencrypted"
|
|
|
|
|
}
|
