Open
Description
We have the following resource:
```hcl
resource "postgresql_role" "rotation_operator" {
  for_each = var.databases

  name                = "${each.key}-rotation_user"
  login               = true
  create_role         = true
  password_wo         = random_password.rotation_user_password[each.key].result
  password_wo_version = time_rotating.daily.id

  # Avoid unnecessary privileges
  superuser       = false
  create_database = false
  inherit         = true

  lifecycle {
    # Roles are managed by postgresql_grant_role.rotation_admin_memberships and should thus be ignored on this resource
    ignore_changes = [roles]
  }
}
```

However, when updating the password, it seems the resource tries to revoke some roles, which fails in our case:

```
  # module.postgres_database.postgresql_role.rotation_operator["xxx"] will be updated in-place
  ~ resource "postgresql_role" "rotation_operator" {
        id                  = "xxx-rotation_user"
        name                = "xxx-rotation_user"
      ~ password_wo_version = "1" -> "2"
        # (19 unchanged attributes hidden)
    }
...
╷
│ Error: could not revoke role yyy from xxx-rotation_user: pq: no possible grantors
│
│   with module.postgres_database.postgresql_role.rotation_operator["xxx"],
│   on ../postgres_database/main.tf line 151, in resource "postgresql_role" "rotation_operator":
│  151: resource "postgresql_role" "rotation_operator" {
│
╵
```
Even before this error, we noticed that some other roles granted by other terraform resources would disappear when rotating the user password, even though the terraform plan would not state any such change.
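
A way to catch the silent membership loss described in this report, as an added example that is not part of the original issue or the provider's code: snapshot the role's memberships from `pg_auth_members` before and after `terraform apply`, then diff the two snapshots. The function and file names are hypothetical, and `psql` is assumed to take its connection settings from the `PG*` environment variables.

```shell
#!/bin/sh
# Added example (not from the issue): detect role memberships that vanish
# across a `terraform apply` even though the plan shows no role change.
# Assumption: psql connects using the PG* environment variables.

# Print one "granted_role<TAB>member<TAB>grantor" line per membership held by
# the role named in $1, sorted so that two snapshots can be compared with comm.
snapshot_memberships() {
  rows=$(psql -X -At -F "$(printf '\t')" -v ON_ERROR_STOP=1 -v member="$1" <<'SQL'
SELECT r.rolname, m.rolname, COALESCE(g.rolname, '-')
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
LEFT JOIN pg_roles g ON g.oid = am.grantor
WHERE m.rolname = :'member';
SQL
  ) || return 1   # a failed query must not look like "no memberships"
  if [ -n "$rows" ]; then
    printf '%s\n' "$rows" | LC_ALL=C sort
  fi
}

# Print memberships present in snapshot $1 but absent from snapshot $2.
# A membership re-granted by a different grantor is also reported, because the
# grantor column is part of the compared line.
# Returns 1 when at least one membership was lost, 0 otherwise.
lost_memberships() {
  lost=$(LC_ALL=C comm -23 "$1" "$2")
  if [ -z "$lost" ]; then
    return 0
  fi
  printf '%s\n' "$lost"
  return 1
}

# Usage around an apply (role name as it appears in the plan output above):
#   snapshot_memberships 'xxx-rotation_user' > before.tsv
#   terraform apply
#   snapshot_memberships 'xxx-rotation_user' > after.tsv
#   lost_memberships before.tsv after.tsv || echo 'memberships changed outside the plan' >&2
```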