如何使用 Terraform 销毁 RDS 中其他用户拥有的 Postgres 数据库?
How to destroy Postgres databases owned by other users in RDS using Terraform?
我设法很好地让 Terraform 在 RDS Postgres 数据库中创建数据库和角色,但由于 rds_superuser 的权限被剥离,我看不到销毁拥有的已创建数据库的简单方法由另一个用户。
使用以下配置:
resource "postgresql_role" "app" {
name = "app"
login = true
password = "foo"
skip_reassign_owned = true
}
resource "postgresql_database" "database" {
name = "app_database"
owner = "${postgresql_role.app.name}"
}
(作为参考,skip_reassign_owned 是必需的,因为 rds_superuser 组没有获得重新分配所有权的必要权限)
导致此错误:
Error applying plan:
1 error(s) occurred:
* postgresql_database.database (destroy): 1 error(s) occurred:
* postgresql_database.database: Error dropping database: pq: must be owner of database debug_db1
Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
使用 local-exec provisioner 我能够将拥有数据库的角色授予管理员用户和应用程序用户:
resource "aws_db_instance" "database" {
...
}
provider "postgresql" {
host = "${aws_db_instance.database.address}"
port = 5432
username = "myadminuser"
password = "adminpassword"
sslmode = "require"
connect_timeout = 15
}
resource "postgresql_role" "app" {
name = "app"
login = true
password = "apppassword"
skip_reassign_owned = true
}
resource "postgresql_role" "group" {
name = "${postgresql_role.app.name}_group"
skip_reassign_owned = true
provisioner "local-exec" {
command = "PGPASSWORD=adminpassword psql -h ${aws_db_instance.database.address} -U myadminuser postgres -c 'GRANT ${self.name} TO myadminuser, ${postgresql_role.app.name};'"
}
}
resource "postgresql_database" "database" {
name = "mydatabase"
owner = "${postgresql_role.group.name}"
}
与仅为应用用户设置所有权相比,这似乎更有效。我确实想知道是否有更好的方法可以做到这一点而不必 shell 在本地执行中?
提出这个问题后,我设法提出了一个 pull request with the fix that was released in in version 0.1.1 of the Postgresql provider,所以现在在最新版本的提供程序中工作正常。
我设法很好地让 Terraform 在 RDS Postgres 数据库中创建数据库和角色,但由于 rds_superuser 的权限被剥离,我看不到销毁拥有的已创建数据库的简单方法由另一个用户。
使用以下配置:
resource "postgresql_role" "app" {
name = "app"
login = true
password = "foo"
skip_reassign_owned = true
}
resource "postgresql_database" "database" {
name = "app_database"
owner = "${postgresql_role.app.name}"
}
(作为参考,skip_reassign_owned 是必需的,因为 rds_superuser 组没有获得重新分配所有权的必要权限)
导致此错误:
Error applying plan:
1 error(s) occurred:
* postgresql_database.database (destroy): 1 error(s) occurred:
* postgresql_database.database: Error dropping database: pq: must be owner of database debug_db1
Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
使用 local-exec provisioner 我能够将拥有数据库的角色授予管理员用户和应用程序用户:
resource "aws_db_instance" "database" {
...
}
provider "postgresql" {
host = "${aws_db_instance.database.address}"
port = 5432
username = "myadminuser"
password = "adminpassword"
sslmode = "require"
connect_timeout = 15
}
resource "postgresql_role" "app" {
name = "app"
login = true
password = "apppassword"
skip_reassign_owned = true
}
resource "postgresql_role" "group" {
name = "${postgresql_role.app.name}_group"
skip_reassign_owned = true
provisioner "local-exec" {
command = "PGPASSWORD=adminpassword psql -h ${aws_db_instance.database.address} -U myadminuser postgres -c 'GRANT ${self.name} TO myadminuser, ${postgresql_role.app.name};'"
}
}
resource "postgresql_database" "database" {
name = "mydatabase"
owner = "${postgresql_role.group.name}"
}
与仅为应用用户设置所有权相比,这似乎更有效。我确实想知道是否有更好的方法可以做到这一点而不必 shell 在本地执行中?
提出这个问题后,我设法提出了一个 pull request with the fix that was released in in version 0.1.1 of the Postgresql provider,所以现在在最新版本的提供程序中工作正常。