hashicorp/terraform-provider-mysql

MySQL - Error when setting global privileges

damascenorakuten opened this issue · 5 comments

Hello, we're having issues when we try to change the grant of a user. We're able to create it but the following error is shown when we try to update it:

* mysql_grant.global-leonardo: error revoking ALL (REVOKE ALL ON *.* FROM 'leonardo'@'%'): Error 1045: Access denied for user 'wuakibbdd'@'%' (using password: YES)

Terraform Version

bash-4.4# terraform -v
Terraform v0.11.8
+ provider.external v1.0.0
+ provider.mysql v1.5.0

Affected Resource(s)

  • mysql_grant

Terraform Configuration Files

resource "mysql_user" "leonardo" {
  user     = "leonardo"
  plaintext_password = "test123"
  host     = "%"
}

resource "mysql_grant" "global-leonardo" {
  depends_on = ["mysql_user.leonardo"]
  user       = "leonardo"
  host       = "%"
  database   = "*"
  privileges = ["RELOAD", "PROCESS", "REFERENCES", "DROP", "SHOW DATABASES", "CREATE TEMPORARY TABLES", "LOCK TABLES", "EXECUTE", "REPLICATION SLAVE", "REPLICATION CLIENT", "CREATE VIEW", "SHOW VIEW", "CREATE ROUTINE", "ALTER ROUTINE"]
}

Expected Behavior

It should be able to change the grant.

Actual Behavior

It can't change the grant, it gives the error reported instead.

Steps to Reproduce

Copy the code above and execute plan and apply. It works fine when the database name is specified for simple permissions, such as UPDATE, CREATE, INSERT. Unfortunately, there are global privileges that need to be set and cannot be applied to one single database, and that's why we're using "*" as the database name.

When "*" is specified as the database name, it tries to revoke all the grants and that's why it fails.
We're using AWS RDS and we cannot change the permissions of the user used by Terraform; the REVOKE ALL would work otherwise.

This is currently a big blocker for me as well and this repo seems abandoned, which is a shame.

@grubernaut @joestump @radeksimko @bflad @appilon can someone give us an update if we should keep trying to use this provider for terraform or not? I'd have one or two PRs to open as well.

Thank you!

This is a community maintained project and will be moved to indicate that in the near future. I know the name spacing is confusing. Based on the internal doc I have, it appears the following are potential maintainers and ought to be able to help. For those I am about to call out, please let me know if we need to update our document. @bernerdschaefer @davidji99 @joestump @sheax0r @vanstee @wchrisjohnson

There are a lot of people listed so I'd imagine that list is not up to date. Please let me know if you should be dropped or know who should be added as maintainer so that I can update our document.

Hi @bcornils,

I thought this was an official provider because it's listed on your page for official providers: https://www.terraform.io/docs/providers/ but I guess that will change now, according to your message.

I believe this issue is due to the root user on RDS not having all grants itself.
A simple fix would be replacing "ALL" inside the resource_grant with the corresponding GRANTs:

// current line in resource_grant:
whatToRevoke := fmt.Sprintf("ALL ON %s.%s", database, d.Get("table").(string))
// replacement with the corresponding GRANTs:
whatToRevoke := fmt.Sprintf("SELECT, EXECUTE, INSERT, UPDATE, DELETE, DROP, CREATE, ALTER ON %s.%s", database, d.Get("table").(string))

Maybe adding a separate flag for this is suitable.
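
Added example (not the provider's code and not from any commenter in this thread): one way to avoid REVOKE ALL is to revoke only the privileges the account holds but the new configuration drops, so the statement never names a privilege the RDS admin user lacks. The function names are hypothetical; it assumes the current privileges arrive as an explicit list (for example parsed from SHOW GRANTS) and that the target such as "*.*" is a trusted, already validated string.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// normalize turns a privilege list into an upper-cased, trimmed set.
func normalize(privs []string) map[string]bool {
	set := make(map[string]bool, len(privs))
	for _, p := range privs {
		set[strings.ToUpper(strings.TrimSpace(p))] = true
	}
	return set
}

// minus returns, sorted, the privileges present in a but not in b.
func minus(a, b map[string]bool) []string {
	var out []string
	for p := range a {
		if !b[p] {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// quote renders s as a MySQL string literal, doubling embedded single quotes.
func quote(s string) string { return "'" + strings.ReplaceAll(s, "'", "''") + "'" }

// grantDiff returns the REVOKE/GRANT statements for the delta only, never ALL.
func grantDiff(current, desired []string, target, user, host string) []string {
	cur, want := normalize(current), normalize(desired)
	account := quote(user) + "@" + quote(host)
	var stmts []string
	if drop := minus(cur, want); len(drop) > 0 {
		stmts = append(stmts, fmt.Sprintf("REVOKE %s ON %s FROM %s", strings.Join(drop, ", "), target, account))
	}
	if add := minus(want, cur); len(add) > 0 {
		stmts = append(stmts, fmt.Sprintf("GRANT %s ON %s TO %s", strings.Join(add, ", "), target, account))
	}
	return stmts
}

func main() { // constructed sample: DROP is removed, EXECUTE is added
	fmt.Println(strings.Join(grantDiff([]string{"RELOAD", "PROCESS", "DROP"}, []string{"reload", "PROCESS", "EXECUTE"}, "*.*", "leonardo", "%"), ";\n"))
}
```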

Hey @jabouchleih, maybe this fix could make the user experience a bit better?

krogon-dp@eed09ba

wdyt?