Add option to exclude tables from postgresql_grant #570
Description
We want to grant our contributors "SELECT", "INSERT", "UPDATE", "DELETE" permission to every table except of one (as the table includes a "databasechangelog" which we don't want developers to add data outside of the pipeline). You can achieve this by first setting SELECT", "INSERT", "UPDATE", "DELETE" permission for every table and afterwards "SELECT" for the excluded tables:
resource "postgresql_grant" "contributors_read_write_saas_db" {
for_each = var.contributors
database = postgresql_database.saas_db.name
role = each.key
schema = "public"
object_type = "table"
privileges = ["SELECT", "INSERT", "UPDATE", "DELETE"]
}
resource "postgresql_grant" "contributors_saas_readonly_permissions" {
depends_on = [ postgresql_grant.contributors_read_write_saas_db ]
for_each = var.contributors
role = each.key
database = postgresql_database.saas_db.name
schema = "public"
object_type = "table"
objects = ["databasechangelog"]
privileges = ["SELECT"]
}But the problem with that workflow is that terraform/opentofu now shows a change everytime you run plan. You can again bypass this by adding a lifecycle ignore:
lifecycle {
ignore_changes = [ privileges ]
}
But then you run the risk that you don't get informed when a new table has been created without default privileges. Alternatively you can add all tables as list but that's a pain to maintain as you have to update the code immediately every time developers add a new table.
Therefore I think it would be useful, if there where an argument "object_excludes".