Add schema permissions (#7)

tun0 · web-flow · commit 1da090e845b0 · 2022-01-04T22:50:20.000+01:00
diff --git a/roles.tf b/roles.tf
@@ -88,7 +88,7 @@ resource "postgresql_default_privileges" "role_ro" {
   privileges  = local.privileges_ro
 }
 
-resource "postgresql_grant" "role_ro" {
+resource "postgresql_grant" "role_ro_table" {
   for_each = local.databases
 
   role              = postgresql_role.role_ro[each.value].name
@@ -100,6 +100,17 @@ resource "postgresql_grant" "role_ro" {
   with_grant_option = false
 }
 
+resource "postgresql_grant" "role_ro_schema" {
+  for_each = local.databases
+
+  role              = postgresql_role.role_ro[each.value].name
+  database          = each.value
+  schema            = "public"
+  object_type       = "schema"
+  privileges        = ["USAGE"]
+  with_grant_option = false
+}
+
 resource "postgresql_role" "role_rw" {
   for_each = local.databases
 
@@ -135,7 +146,7 @@ resource "postgresql_default_privileges" "role_rw" {
   privileges  = local.privileges_rw
 }
 
-resource "postgresql_grant" "role_rw" {
+resource "postgresql_grant" "role_rw_table" {
   for_each = local.databases
 
   role              = postgresql_role.role_rw[each.value].name
@@ -146,3 +157,14 @@ resource "postgresql_grant" "role_rw" {
   objects           = []
   with_grant_option = false
 }
+
+resource "postgresql_grant" "role_rw_schema" {
+  for_each = local.databases
+
+  role              = postgresql_role.role_rw[each.value].name
+  database          = each.value
+  schema            = "public"
+  object_type       = "schema"
+  privileges        = ["CREATE", "USAGE"]
+  with_grant_option = false
+}
