You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have an azure entra id setup as an admin on an azure flex postgres server. This id is used as our deployer service principal. I use this to connect through azure_identity_auth in the postgresql provider without problem. When I create role_ro and role_owner as the entra id I expect the read_only_defaults to be successful.
Actual Behavior
Error: could not revoke default privileges: pg: permission denied to change default privileges
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
terraform apply
Important Factoids
I believe this is an issue specific to Azure and using an admin entra id. When the entra id creates the two roles I can see that they are both granted to the entra id with admin_option = true. The grantor is azuresu. Even running an "alter default permissions for role" directly on the database logged in as the same id will fail. I need to explicitly do a grant role of role_owner to the entra id. I do not understand why the grant from azuresu seemingly does nothing.
I have tried using a postgresql_grant_role in the terraform like this:
resource"postgresql_grant_role""grant_sp" {
role=var.deployer_role# name of the entra idgrant_role=postgresql_role.owner.name
This works however it then creates two entries in pg_auth_members, one where the grantor is azuresu and admin_option true, another with the grantor as the entra id and admin_option false. If I run another apply directly after, the provider tries to recreate the postgresql_grant_role resource but with admin_option = true. It doesn't look like it actually creates anything new and further applies pickup no changes. I guess when doing the state comparison it picks the wrong row up, updates the state, and then is happy.
If I try to create the postgresql_grant_role with admin_option = true I get the following error:
Error: could not execute grant query: pg: ADMIN option cannot be granted back to your own grantor
So far the only solution I can think of to get this working in terraform is to add a lifecycle ignore_changes on with_admin_option so that subsequent applies don't needlessly run. My bigger concern is having multiple of the same grants just with different grantors and different admin_option values. I was hoping maybe someone here had further insight on the Azure side.
The text was updated successfully, but these errors were encountered:
Hi there,
Thank you for opening an issue. Please provide the following information:
Terraform Version
v1.5.7
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
I have an azure entra id setup as an admin on an azure flex postgres server. This id is used as our deployer service principal. I use this to connect through azure_identity_auth in the postgresql provider without problem. When I create role_ro and role_owner as the entra id I expect the read_only_defaults to be successful.
Actual Behavior
Error: could not revoke default privileges: pg: permission denied to change default privileges
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
terraform applyImportant Factoids
I believe this is an issue specific to Azure and using an admin entra id. When the entra id creates the two roles I can see that they are both granted to the entra id with admin_option = true. The grantor is azuresu. Even running an "alter default permissions for role" directly on the database logged in as the same id will fail. I need to explicitly do a grant role of role_owner to the entra id. I do not understand why the grant from azuresu seemingly does nothing.
I have tried using a postgresql_grant_role in the terraform like this:
This works however it then creates two entries in pg_auth_members, one where the grantor is azuresu and admin_option true, another with the grantor as the entra id and admin_option false. If I run another apply directly after, the provider tries to recreate the postgresql_grant_role resource but with admin_option = true. It doesn't look like it actually creates anything new and further applies pickup no changes. I guess when doing the state comparison it picks the wrong row up, updates the state, and then is happy.
If I try to create the postgresql_grant_role with admin_option = true I get the following error:
Error: could not execute grant query: pg: ADMIN option cannot be granted back to your own grantor
So far the only solution I can think of to get this working in terraform is to add a lifecycle ignore_changes on with_admin_option so that subsequent applies don't needlessly run. My bigger concern is having multiple of the same grants just with different grantors and different admin_option values. I was hoping maybe someone here had further insight on the Azure side.
The text was updated successfully, but these errors were encountered: