adding `objects` to `table` grant only adds new permissions

[rjtferreira]

What happened?

Hello,

I've noticed the other day after applying running pulumi up that a user we had on our database was left without the necessary permissions we had previously granted.

I'm using a resource like this

new postgresql.Grant('grant00', {
    database: 'db1',
    objectType: 'table',
    objects: ['t1'],
    privileges: ['SELECT'],
    role: role.name,
    schema: 'public'
}, { provider: pgProvider })

If we add an additional table like so objects: ['t1', 't2'] we notice that the user only has access to t2.
After this if we run pulumi refresh followed by pulumi up we get the desired permissions.

Expected Behavior

The expected behavior is that when adding a new table to the list of objects we get the correct permissions for all tables listed and not just the ones that were newly added while the previous ones are removed.

Steps to reproduce

Here's the code I used

import * as postgresql from '@pulumi/postgresql'

const pgProvider = new postgresql.Provider('provider', {
    host: '127.0.0.1',
    username: 'postgres',
    password: 'passwd',
    superuser: false,
    sslmode: 'disable'
})

const role = new postgresql.Role('user', {
    login: true,
    name: 'user',
    password: 'passwd'
}, {
    deleteBeforeReplace: true,
    provider: pgProvider
});

new postgresql.Grant('grant00', {
    database: 'db1',
    objectType: 'table',
    objects: ['t1'],
    privileges: ['SELECT'],
    role: role.name,
    schema: 'public'
}, { provider: pgProvider })

• Run pulumi up
• Edit the Grant to objects: ['t1', 't2'],
• Run pulumi up

User has now lost access to t1

Output of pulumi about

CLI          
Version      3.64.0
Go Version   go1.20.3
Go Compiler  gc

Plugins
NAME        VERSION
gcp         6.56.0
nodejs      unknown
postgresql  3.6.0

Host     
OS       linuxmint
Version  21
Arch     x86_64

This project is written in nodejs: executable='/home/rjf/.nvm/versions/node/v18.12.1/bin/node' version='v18.12.1'

Current Stack: organization/pulumi-test/test

TYPE                          URN
pulumi:pulumi:Stack           urn:pulumi:test::pulumi-test::pulumi:pulumi:Stack::pulumi-test-test
pulumi:providers:postgresql   urn:pulumi:test::pulumi-test::pulumi:providers:postgresql::provider
postgresql:index/role:Role    urn:pulumi:test::pulumi-test::postgresql:index/role:Role::user
postgresql:index/grant:Grant  urn:pulumi:test::pulumi-test::postgresql:index/grant:Grant::grant01
postgresql:index/grant:Grant  urn:pulumi:test::pulumi-test::postgresql:index/grant:Grant::grant00


Found no pending operations associated with test

Backend        
Name           rjf-laptop
URL            file://.pulumi
User           rjf
Organizations  

Dependencies:
NAME                VERSION
@pulumi/gcp         6.56.0
@pulumi/postgresql  3.6.0
@pulumi/pulumi      3.68.0
@types/node         16.18.32

Pulumi locates its logs in /tmp by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[aq17]

Hi @rjtferreira , thanks for the issue. I'm having trouble repro'ing this – curious if you still get any changes/ diffs now if you run pulumi up, after the user correctly has both permissions?

Update: it looks like this non-determinism may be an upstream issue – we will track any fixes upstream.

[rjtferreira]

hey @aq17 , thanks for spending the time on this.

I've been testing this locally with a PSQL docker image like this:

docker run -ti --rm --network host --name psql-pulumi -e POSTGRES_PASSWORD=passwd -e POSTGRES_INITDB_ARGS='--auth=scram-sha-256' postgres:13-alpine

We've also ran into the same issue when trying to apply our changes on GCP Cloud SQL on PostgreSQL 13.

curious if you still get any changes/ diffs now if you run pulumi up, after the user correctly has both permissions?

Indeed after the user has the correct permissions again after a refresh and up then any subsequent up will show no changes 🙂