brainly/terraform-provider-redshift

All ACL access will be revoked in the future

olivermeyer opened this issue · 3 comments

olivermeyer commented

Hi,

I found out from AWS support that all access to ACLs will be revoked from Redshift, as they consider this to be internal information and don't want users to access it directly. This will break the provider, as it relies heavily on ACLs for grants and default privileges.

I asked them for alternatives, and they exist:

  • svv_relation_privileges, svv_schema_privileges, svv_database_privileges and so on for table/schema/database/etc privileges
  • svv_default_privileges for default privileges

They didn't tell me exactly when access will be revoked.

I'm not familiar with Go at all so I can't rewrite the whole thing, but I checked the readDatabaseGrants function to see what changes are required, and it seems doable with something like this:

func readDatabaseGrants(db *DBConnection, d *schema.ResourceData) error {
	var identityType, identityName, query string
	var databaseCreate, databaseTemp bool

	_, isUser := d.GetOk(grantUserAttr)

	if isUser {
		identityType = "user"
		identityName = d.Get(grantUserAttr).(string)
	} else {
		identityType = "group"
		identityName = d.Get(grantGroupAttr).(string)
	}

	query = `
SELECT privilege_type
FROM svv_database_privileges
WHERE
    database_name=$1
    AND identity_type=$2
    AND identity_name=$3
`

	queryArgs := []interface{}{db.client.databaseName, identityType, identityName}

...
}

Everything below that line would have to be updated, since the query now returns a list of privileges for that database and identity, and that's the part I can't do.

winglot commented

Hi,
thanks for the heads up. I will reach out to our AWS TAM to get the exact date and schedule the necessary work.

sworisbreathing commented

hi @winglot did you ever hear back from your TAM about this? This is the first I've heard of it.

@olivermeyer do you recall if AWS support pointed you to any documentation or announcement about it?

sworisbreathing commented

FWIW I've been working on a pretty significant rewrite of the provider codebase over the past few weeks. I've been looking into the grant stuff over the past couple days and I think I'm going to have to introduce a breaking change (which would trigger a major version bump) to grants. I was really hoping to avoid it and make everything transparent to the end user, but there've been so many changes to the permission model in Redshift over the past couple years (i.e. roles-which-are-not-postgres-roles, assume-role permission, model permissions, etc) that I don't think the existing redshift_grant resource can easily support.