Add postgresql_grant_role resource

CHANGELOG.md

@@ -1,4 +1,8 @@
 ## 1.8.0 (Unreleased)
+
+FEATURES:
+* `postgresql_grant_role`: Non-authoritative. Grant role to another role.
+
 ## 1.7.1 (July 30, 2020)
 
 BUG FIXES:

go.mod

@@ -4,6 +4,7 @@ go 1.14
 
 require (
 	github.com/blang/semver v3.5.1+incompatible
+	github.com/hashicorp/errwrap v1.0.0
 	github.com/hashicorp/terraform-plugin-sdk v1.0.0
 	github.com/lib/pq v1.3.0
 	github.com/sean-/postgresql-acl v0.0.0-20161225120419-d10489e5d217

postgresql/provider.go

@@ -130,6 +130,7 @@ func Provider() terraform.ResourceProvider {
 			"postgresql_default_privileges": resourcePostgreSQLDefaultPrivileges(),
 			"postgresql_extension":          resourcePostgreSQLExtension(),
 			"postgresql_grant":              resourcePostgreSQLGrant(),
+			"postgresql_grant_role":         resourcePostgreSQLGrantRole(),
 			"postgresql_schema":             resourcePostgreSQLSchema(),
 			"postgresql_role":               resourcePostgreSQLRole(),
 		},

postgresql/resource_postgresql_grant_role.go

@@ -0,0 +1,222 @@
+package postgresql
+
+import (
+	"database/sql"
+	"fmt"
+	"log"
+	"strconv"
+	"strings"
+
+	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+
+	"github.com/lib/pq"
+)
+
+const (
+	// This returns the role membership for role, grant_role
+	getGrantRoleQuery = `
+SELECT pg_get_userbyid(member) as role, pg_get_userbyid(roleid) as grant_role, admin_option
+FROM pg_auth_members
+WHERE pg_get_userbyid(member) = $1
+AND pg_get_userbyid(roleid) = $2;
+`
+)
+
+func resourcePostgreSQLGrantRole() *schema.Resource {
+	return &schema.Resource{
+		Create: resourcePostgreSQLGrantRoleCreate,
+		Read:   resourcePostgreSQLGrantRoleRead,
+		Delete: resourcePostgreSQLGrantRoleDelete,
+
+		Schema: map[string]*schema.Schema{
+			"role": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "The name of the role to grant grant_role",
+			},
+			"grant_role": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "The name of the role to is granted to role",
+			},
+			"with_admin_option": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				ForceNew:    true,
+				Default:     false,
+				Description: "Permit the grant recipient to grant it to others",
+			},
+		},
+	}
+}
+
+func resourcePostgreSQLGrantRoleRead(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*Client)
+
+	if !client.featureSupported(featurePrivileges) {
+		return fmt.Errorf(
+			"postgresql_grant_role resource is not supported for this Postgres version (%s)",
+			client.version,
+		)
+	}
+
+	client.catalogLock.RLock()
+	defer client.catalogLock.RUnlock()
+
+	txn, err := startTransaction(client, "")
+	if err != nil {
+		return err
+	}
+	defer deferredRollback(txn)
+
+	return readGrantRole(txn, d)
+}
+
+func resourcePostgreSQLGrantRoleCreate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*Client)
+
+	if !client.featureSupported(featurePrivileges) {
+		return fmt.Errorf(
+			"postgresql_grant_role resource is not supported for this Postgres version (%s)",
+			client.version,
+		)
+	}
+
+	client.catalogLock.Lock()
+	defer client.catalogLock.Unlock()
+
+	txn, err := startTransaction(client, "")
+	if err != nil {
+		return err
+	}
+	defer deferredRollback(txn)
+
+	// Revoke the granted roles before granting them again.
+	if err = revokeRole(txn, d); err != nil {
+		return err
+	}
+
+	if err = grantRole(txn, d); err != nil {
+		return err
+	}
+
+	if err = txn.Commit(); err != nil {
+		return errwrap.Wrapf("could not commit transaction: {{err}}", err)
+	}
+
+	d.SetId(generateGrantRoleID(d))
+
+	txn, err = startTransaction(client, "")
+	if err != nil {
+		return err
+	}
+	defer deferredRollback(txn)
+
+	return readGrantRole(txn, d)
+}
+
+func resourcePostgreSQLGrantRoleDelete(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*Client)
+
+	if !client.featureSupported(featurePrivileges) {
+		return fmt.Errorf(
+			"postgresql_grant_role resource is not supported for this Postgres version (%s)",
+			client.version,
+		)
+	}
+
+	client.catalogLock.Lock()
+	defer client.catalogLock.Unlock()
+
+	txn, err := startTransaction(client, "")
+	if err != nil {
+		return err
+	}
+	defer deferredRollback(txn)
+
+	if err = revokeRole(txn, d); err != nil {
+		return err
+	}
+
+	if err = txn.Commit(); err != nil {
+		return errwrap.Wrapf("could not commit transaction: {{err}}", err)
+	}
+
+	return nil
+}
+
+func readGrantRole(txn *sql.Tx, d *schema.ResourceData) error {
+	var roleName, grantRoleName string
+	var withAdminOption bool
+
+	grantRoleId := d.Id()
+
+	values := []interface{}{
+		&roleName,
+		&grantRoleName,
+		&withAdminOption,
+	}
+
+	err := txn.QueryRow(getGrantRoleQuery, d.Get("role"), d.Get("grant_role")).Scan(values...)
+	switch {
+	case err == sql.ErrNoRows:
+		log.Printf("[WARN] PostgreSQL grant role (%q) not found", grantRoleId)
+		d.SetId("")
+		return nil
+	case err != nil:
+		return errwrap.Wrapf("Error reading grant role: {{err}}", err)
+	}
+
+	d.Set("role", roleName)
+	d.Set("grant_role", grantRoleName)
+	d.Set("with_admin_option", withAdminOption)
+
+	d.SetId(generateGrantRoleID(d))
+
+	return nil
+}
+
+func createGrantRoleQuery(d *schema.ResourceData) string {
+	var query string
+	query = fmt.Sprintf(
+		"GRANT %s TO %s",
+		pq.QuoteIdentifier(d.Get("grant_role").(string)),
+		pq.QuoteIdentifier(d.Get("role").(string)),
+	)
+	if d.Get("with_admin_option").(bool) == true {
+		query = query + " WITH ADMIN OPTION"
+	}
+
+	return query
+}
+
+func createRevokeRoleQuery(d *schema.ResourceData) string {
+	return fmt.Sprintf(
+		"REVOKE %s FROM %s",
+		pq.QuoteIdentifier(d.Get("grant_role").(string)),
+		pq.QuoteIdentifier(d.Get("role").(string)),
+	)
+}
+
+func grantRole(txn *sql.Tx, d *schema.ResourceData) error {
+	query := createGrantRoleQuery(d)
+	if _, err := txn.Exec(query); err != nil {
+		return errwrap.Wrapf("could not execute grant query: {{err}}", err)
+	}
+	return nil
+}
+
+func revokeRole(txn *sql.Tx, d *schema.ResourceData) error {
+	query := createRevokeRoleQuery(d)
+	if _, err := txn.Exec(query); err != nil {
+		return errwrap.Wrapf("could not execute revoke query: {{err}}", err)
+	}
+	return nil
+}
+
+func generateGrantRoleID(d *schema.ResourceData) string {
+	return strings.Join([]string{d.Get("role").(string), d.Get("grant_role").(string), strconv.FormatBool(d.Get("with_admin_option").(bool))}, "_")
+}