add ephemeral password option #551
Yes please! @cyrilgdn
I've given it a go, but updating You can work around this by giving the role name a random salt,
@hylje thanks for checking it, I can't actually remember now why I added Edit. Removed it without issues, so you can check it again :)
Jobs are failing due to some account payment/info issues here: Works fine running them in my account btw: https://github.com/haydn-j-evans/terraform-provider-postgresql/actions/runs/16862855508
Pull Request Overview
This PR introduces write-only password management for PostgreSQL roles, allowing passwords to be managed without storing them in the Terraform state file. The feature improves security by preventing password exposure in state files while maintaining full password management capabilities through version-controlled updates.
Key Changes:
- Added `password_wo` and `password_wo_version` attributes for write-only password management
- Enhanced role creation/update logic to handle write-only passwords with version-based change detection
- Updated documentation with comprehensive write-only password usage examples
Reviewed Changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.
File | Description
---|---
postgresql/resource_postgresql_role.go | Core implementation of write-only password functionality with version-based updates
postgresql/resource_postgresql_role_test.go | Comprehensive test coverage for write-only password scenarios including versioning
website/docs/r/postgresql_role.html.markdown | Documentation updates with usage examples and security guidance
go.mod | Updated Go version and dependency versions
Comments suppressed due to low confidence (1)
postgresql/resource_postgresql_role.go:1019
- Removing the debug log statement `log.Printf("[DEBUG] revoking role %s from %s", grantedRole, role)` reduces debugging capability. This change appears unrelated to the write-only password feature and should be kept or moved to a separate commit.
if _, err := txn.Exec(query); err != nil {
Description: "Sets the role's password without storing it in the state file.", | ||
}, | ||
rolePasswordWOVersionAttr: { | ||
Type: schema.TypeString, |
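Review bot: `rolePasswordWOVersionAttr` is declared with `Type: schema.TypeString` in this hunk, but its `Description` is not visible and the neighbouring `password_wo` description ("Sets the role's password without storing it in the state file.") does not say how the two attributes interact. Suggest the version attribute's description state that the password is only re-sent when this value changes, that any string (a counter, a commit hash) is accepted, and that leaving it unset re-applies the password on every apply, so users of the string type understand the trigger semantics without reading the implementation.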
Should we use an integer like in the Terraform example?
Functionally it doesn't matter; my reasoning was that it allows a user to use things like githash variables as a trigger.
Example: for my RDS databases I update the master password on every pipeline run. I would prefer to use the githash variable I inject from the pipeline for this, but as it's not an integer I have to do this instead:
```hcl
resource "time_static" "trigger" {
  triggers = {
    # The timestamp() function is re-evaluated on every run,
    # ensuring this trigger value always changes.
    always_run = timestamp()
  }
}
```

```hcl
master_password_wo_version = time_static.trigger.unix
```
Though there is also value in keeping the pattern the same as other projects that use a wo_version
Up to you, it's your project :)
@cyrilgdn I'm leaning towards changing it to an integer to keep it in line with other resources doing the same thing. Happy with that?
@haydn-j-evans No it's ok, it's a good reasoning for me 👍
This commit introduces a `password_wo` attribute to the `postgresql_role` resource. This attribute allows setting a role's password without storing it in the Terraform state, providing improved security by preventing sensitive credentials from being persisted. The password can also be set without encryption.
overlord ai MR suggestions Co-authored-by: Copilot <[email protected]>
@haydn-j-evans This has been released in https://github.com/cyrilgdn/terraform-provider-postgresql/releases/tag/v1.26.0
Really appreciate the work on this one 🙏🏽
This PR introduces the ability to use a write_only password, which does not save the password in the state.
See https://developer.hashicorp.com/terraform/language/resources/ephemeral/write-only for more information.
We have two new fields for this feature:
- `password_wo` - conflicts with `password`; when set, this will be used to update the password of the role during apply, and will clear the `password` state.
- `password_wo_version` - an optional field that controls when the role password is updated when `password_wo` is set. When unset, the role password is updated on every apply regardless of the stored value.

Will close issues #532 & #519
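An added configuration example (mine, not code from the PR or the provider docs) showing the `password` pattern that persists the secret in state beside the `password_wo` / `password_wo_version` pattern the description above introduces; the variable names, role names and version value are assumptions.

```hcl
# Added example, not from the PR. Variable and resource names are assumed.
terraform {
  required_version = ">= 1.11" # write-only attributes need Terraform 1.11+
  required_providers {
    postgresql = {
      source  = "cyrilgdn/postgresql"
      version = ">= 1.26.0" # release that shipped password_wo
    }
  }
}

# Weak pattern: a regular variable whose value is persisted, in plaintext,
# in terraform.tfstate by the `password` attribute.
variable "legacy_password" {
  type      = string
  sensitive = true # redacts CLI output only; the state file still holds it
}

resource "postgresql_role" "legacy" {
  name     = "legacy_app"
  login    = true
  password = var.legacy_password # lands in state
}

# Preferred pattern: an ephemeral variable can only be consumed by write-only
# attributes, so Terraform refuses to persist it in plan or state.
variable "app_password" {
  type      = string
  sensitive = true
  ephemeral = true
}

# Any string works as the trigger: a counter, a date, or a CI commit hash.
# Change it to push a new password; leave it unchanged to skip the update.
# If omitted entirely, the password is re-applied on every apply.
variable "app_password_version" {
  type    = string
  default = "2025-01-01"
}

resource "postgresql_role" "app" {
  name                = "app"
  login               = true
  password_wo         = var.app_password
  password_wo_version = var.app_password_version
}
```

After apply, `terraform show` on the `app` role lists no password value, while the `legacy` role's password is readable by anyone with access to the state backend.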