
Commit c0a3474

authored
Be explicit for all resources (#2)
1 parent 5020c4f commit c0a3474


1 file changed

+50
-16
lines changed


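--- a/roles.tf
+++ b/roles.tf
@@ -33,17 +33,32 @@ resource "postgresql_role" "role" {
 resource "postgresql_role" "role_ro" {
 for_each = local.databases
 
-name = "${each.value}_role_ro"
-login = false
+name = each.key
+superuser = false
+create_database = false
+create_role = false
+inherit = false
+login = false
+replication = false
+bypass_row_level_security = false
+connection_limit = -1
+encrypted_password = true
+password = "not-used-as-login-is-false"
+roles = []
+search_path = ["$user", "public"]
+valid_until = "infinity"
+skip_drop_role = false
+skip_reassign_owned = false
+statement_timeout = 0
 }
 
 resource "postgresql_default_privileges" "role_ro" {
 for_each = {
 for database_writer in local.databases_writers : "${database_writer.database}.${database_writer.role}" => database_writer
 }
 
-database = each.value.database
 role = postgresql_role.role_ro[each.value.database].name
+database = each.value.database
 owner = each.value.role
 schema = "public"
 object_type = "table"
@@ -53,27 +68,44 @@ resource "postgresql_default_privileges" "role_ro" {
 resource "postgresql_grant" "role_ro" {
 for_each = local.databases
 
-database = each.value
-role = postgresql_role.role_ro[each.value].name
-schema = "public"
-object_type = "table"
-privileges = local.privileges_ro
+role = postgresql_role.role_ro[each.value].name
+database = each.value
+schema = "public"
+object_type = "table"
+privileges = local.privileges_ro
+objects = []
+with_grant_option = false
 }
 
 resource "postgresql_role" "role_rw" {
 for_each = local.databases
 
-name = "${each.value}_role_rw"
-login = false
+name = each.key
+superuser = false
+create_database = false
+create_role = false
+inherit = false
+login = false
+replication = false
+bypass_row_level_security = false
+connection_limit = -1
+encrypted_password = true
+password = "not-used-as-login-is-false"
+roles = []
+search_path = ["$user", "public"]
+valid_until = "infinity"
+skip_drop_role = false
+skip_reassign_owned = false
+statement_timeout = 0
 }
 
 resource "postgresql_default_privileges" "role_rw" {
 for_each = {
 for database_writer in local.databases_writers : "${database_writer.database}.${database_writer.role}" => database_writer
 }
 
-database = each.value.database
 role = postgresql_role.role_rw[each.value.database].name
+database = each.value.database
 owner = each.value.role
 schema = "public"
 object_type = "table"
@@ -83,10 +115,12 @@ resource "postgresql_default_privileges" "role_rw" {
 resource "postgresql_grant" "role_rw" {
 for_each = local.databases
 
-database = each.value
-role = postgresql_role.role_rw[each.value].name
-schema = "public"
-object_type = "table"
-privileges = local.privileges_rw
+role = postgresql_role.role_rw[each.value].name
+database = each.value
+schema = "public"
+object_type = "table"
+privileges = local.privileges_rw
+objects = []
+with_grant_option = false
 }
 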
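Review bot: Both `postgresql_role.role_ro` and `postgresql_role.role_rw` now set `name = each.key` over the same `for_each = local.databases`, so the two resources resolve to the same role name per database; the `_role_ro` / `_role_rw` suffixes on the removed lines are what kept them apart. As written, the apply would either conflict on create or leave `local.privileges_ro` and `local.privileges_rw` granted to one shared role, which removes the read-only separation, and the name may also clash with `postgresql_role.role`, of which only the hunk header is visible. Keeping `name = "${each.value}_role_ro"` and `name = "${each.value}_role_rw"` preserves distinct roles while the other attributes stay explicit. Separately, `password = "not-used-as-login-is-false"` commits a fixed, known password next to `valid_until = "infinity"`; leaving `password` unset gives the role no password at all, so a later change to `login = true` (in code or out of band) cannot expose a guessable credential.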
