Terraform Redshift Provider
Manage Redshift users, groups, privileges, databases and schemas. It runs the SQL queries necessary to manage these (CREATE USER, DELETE DATABASE etc) in transactions, and also reads the state from the tables that store this state, eg pg_user_info, pg_group etc. The underlying tables are more or less equivalent to the postgres tables, but some tables are not accessible in Redshift.
Currently supports users, groups, schemas and databases. You can set privileges for groups on schemas. Per user schema privileges will be added at a later date.
Note that schemas are the lowest level of granularity here, tables should be created by some other tool, for instance flyway.
Get it:
- Download for amd64 (for other architectures and OSes you can build from source as descibed below) from release page
- Add to terraform plugins directory: https://www.terraform.io/docs/configuration/providers.html#third-party-plugins
Examples:
Provider configuration
provider redshift {
url = "localhost"
user = "username"
password = "password"
database = "database"
}
Creating an admin user who is in a group and who owns a new database, with a password that expires
# Create a user
resource "redshift_user" "user" {
username = "username"
password = "password"
valid_until = "2018-10-30"
connection_limit = 4
createdb = true
syslog_access = "UNRESTRICTED"
superuser = true
}
# Add the user to a new group
resource "redshift_group" "group" {
group_name = "group"
users = [redshift_user.user.id]
}
# Create a schema
resource "redshift_schema" "schema" {
schema_name = "schema"
owner = redshift_user.user.id
cascade_on_delete = true
}
# Give that group select, insert and references privileges on that schema
resource "redshift_group_schema_privilege" "privileges" {
schema_id = redshift_schema.schema.id
group_id = redshift_group.group.id
select = true
insert = true
update = false
references = true
delete = false
}
Creating a user who can only connect using IAM Credentials as described here
resource "redshift_user" "user" {
username = "username"
password_disabled = true
connection_limit = 1
}
Things to note
Limitations
For authoritative limitations, please see the Redshift documentations.
- You cannot delete the database you are currently connected to.
- You cannot set table specific privileges since this provider is table agnostic (for now, if you think it would be feasible to manage tables let me know)
- On importing a user, it is impossible to read the password (or even the md hash of the password, since Redshift restricts access to pg_shadow)
Prequisites to development
- Go installed
- Terraform installed locally
Building:
- Run
go build -o terraform-provider-redshift
. You will need to tweak this with GOOS and GOARCH if you are planning to build it for different OSes and architectures - Add to terraform plugins directory: https://www.terraform.io/docs/configuration/providers.html#third-party-plugins
You can debug crudely by setting the TF_LOG env variable to DEBUG:
$ TF_LOG=DEBUG terraform apply
ToDo
- Database property for Schema
- Schema privileges on a per user basis
- Add privileges for languages and functions