Do not create existing grants
This is to avoid trouble when one grant is managed by 2+ resources. If
we don't do anything, it is allowed and results in a persistent diff.

One may say it's acceptable - but I prefer an actual error.
petoju committed Feb 24, 2021
1 parent bce1b3d commit e0004d4
Showing 2 changed files with 73 additions and 0 deletions.
14 changes: 14 additions & 0 deletions mysql/resource_grant.go
Expand Up @@ -190,6 +190,20 @@ func CreateGrant(d *schema.ResourceData, meta interface{}) error {
return err
}

grants, err := showGrants(db, userOrRole)
for _, grant := range grants {
if hasPrivs {
if grant.Database == d.Get("database").(string) && grant.Table == d.Get("table").(string) {
return fmt.Errorf("user/role %s already has unmanaged grant to %s.%s - import it first", userOrRole, grant.Database, grant.Table)
}
} else {
// Granting role is just role without DB & table.
if grant.Database == "" && grant.Table == "" {
return fmt.Errorf("user/role %s already has unmanaged grant for roles %v - import it first", userOrRole, grant.Roles)
}
}
}

database := formatDatabaseName(d.Get("database").(string))

table := formatTableName(d.Get("table").(string))
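Review bot: The error returned by `showGrants(db, userOrRole)` is never checked before the loop over `grants`, so when the lookup fails the new duplicate-grant guard is skipped and creation presumably proceeds as if no conflicting grant existed. Because this check exists to stop two resources from managing the same grant, it should fail closed: add `if err != nil { return fmt.Errorf("showing grants for %s: %v", userOrRole, err) }` directly after the call. The guard also compares against the raw `d.Get("database")` and `d.Get("table")` values, while `formatDatabaseName` and `formatTableName` are only applied further down; whether `showGrants` returns names in the same form is not visible here and is worth confirming. `CreateGrant` starts and ends outside this hunk.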
59 changes: 59 additions & 0 deletions mysql/resource_grant_test.go
Expand Up @@ -4,6 +4,7 @@ import (
"fmt"
"log"
"math/rand"
"regexp"
"strings"
"testing"
"time"
Expand Down Expand Up @@ -46,6 +47,38 @@ func TestAccGrant(t *testing.T) {
})
}

func TestAccBroken(t *testing.T) {
dbName := fmt.Sprintf("tf-test-%d", rand.Intn(100))
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccGrantCheckDestroy,
Steps: []resource.TestStep{
{
Config: testAccGrantConfig_basic(dbName),
Check: resource.ComposeTestCheckFunc(
testAccPrivilege("mysql_grant.test", "SELECT", true),
resource.TestCheckResourceAttr("mysql_grant.test", "user", fmt.Sprintf("jdoe-%s", dbName)),
resource.TestCheckResourceAttr("mysql_grant.test", "host", "example.com"),
resource.TestCheckResourceAttr("mysql_grant.test", "database", dbName),
resource.TestCheckResourceAttr("mysql_grant.test", "table", "*"),
),
},
{
Config: testAccGrantConfig_broken(dbName),
ExpectError: regexp.MustCompile("already has"),
Check: resource.ComposeTestCheckFunc(
testAccPrivilege("mysql_grant.test", "SELECT", true),
resource.TestCheckResourceAttr("mysql_grant.test", "user", fmt.Sprintf("jdoe-%s", dbName)),
resource.TestCheckResourceAttr("mysql_grant.test", "host", "example.com"),
resource.TestCheckResourceAttr("mysql_grant.test", "database", dbName),
resource.TestCheckResourceAttr("mysql_grant.test", "table", "*"),
),
},
},
})
}

func TestAccGrantComplex(t *testing.T) {
dbName := fmt.Sprintf("tf-test-%d", rand.Intn(100))
resource.Test(t, resource.TestCase{
Expand Down Expand Up @@ -378,6 +411,32 @@ resource "mysql_grant" "test" {
`, dbName, dbName)
}

func testAccGrantConfig_broken(dbName string) string {
return fmt.Sprintf(`
resource "mysql_database" "test" {
name = "%s"
}
resource "mysql_user" "test" {
user = "jdoe-%s"
host = "example.com"
}
resource "mysql_grant" "test" {
user = "${mysql_user.test.user}"
host = "${mysql_user.test.host}"
database = "${mysql_database.test.name}"
privileges = ["UPDATE", "SELECT"]
}
resource "mysql_grant" "test2" {
user = "${mysql_user.test.user}"
host = "${mysql_user.test.host}"
database = "${mysql_database.test.name}"
privileges = ["UPDATE", "SELECT"]
}
`, dbName, dbName)
}
func testAccGrantConfig_ssl(dbName string) string {
return fmt.Sprintf(`
resource "mysql_database" "test" {
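Review bot: In `TestAccBroken` the second step sets both `ExpectError` and a `Check` block; if the apply fails as expected the checks presumably never run, so they assert nothing and should be dropped or moved to a follow-up step that confirms the first grant is still intact after the rejected apply. The pattern `regexp.MustCompile("already has")` matches both of the new error messages, so it would pass even if the wrong branch fired; tighten it to `regexp.MustCompile("already has unmanaged grant to")`. Only the privileges branch of the new guard is exercised here; the role branch with its `for roles` message has no test in this section. A name such as `TestAccGrant_duplicate` would describe what is being verified better than `TestAccBroken`.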
