Skip to content
This repository has been archived by the owner on Jan 17, 2025. It is now read-only.

can not import redshift_users that is a superuser with self-managed password #56

Open
mtesch-um opened this issue Feb 28, 2022 · 2 comments
Open

can not import redshift_users that is a superuser with self-managed password #56

mtesch-um opened this issue Feb 28, 2022 · 2 comments

Comments

@mtesch-um
Copy link
Contributor

mtesch-um commented Feb 28, 2022
edited
Loading

For users who do not want to manage their passwords via the terraform module, but DO want to manage super users, the check I (dumbly) requested for super user passwords prevents that -- superusers only need to have their password set at the time that they are created on redshift, not when they are imported.

Currently I get the following when trying to upgrade from 0.5.0 to 0.6.0:

│ Error: Users that are superusers must define a password.
│ 
│   with module.main.redshift_user.users["foo_super"],
│   on ../modules/redshift/main.tf line 40, in resource "redshift_user" "users":
│  40: resource "redshift_user" "users" {
│ 
│ Error: Users that are superusers must define a password.
│ 
│   with module.main.redshift_user.users["bar_super"],
│   on ../modules/redshift/main.tf line 40, in resource "redshift_user" "users":
│  40: resource "redshift_user" "users" {
│

The check to make sure a super user resource has a password shoudl only occur if the user doesn't exist in redshift. Anyway, I think my original feature request was misguided and pointless, apologies!
@mtesch-um mtesch-um mentioned this issue Mar 4, 2022
Merged
@winglot
Copy link
Member

winglot commented Apr 22, 2022
edited
Loading

I think you can workaround that and have superusers imported and managed by terraform while having their passwords managed externally.

When you do an import of redshift_user, it leaves the password attribute in the state set to null (since it cannot read password from Redshift) and this is why this error is triggered in the first place. What you can do is modify the state directly and set the password attribute to some dummy value, eg. SELF MANAGED and ignore changes on it. The resource for that would look like this:

resource "redshift_user" "superuser" {
  name      = "super_user"
  superuser = true

  password = "SELF MANAGED"
  lifecycle {
    ignore_changes = [password]
  }
}

Would that work for you?

@mtesch-um
Copy link
Contributor Author

mtesch-um commented Apr 22, 2022
edited
Loading

@winglot here's my suggestion: #70 - it will just delay the error until the apply (passing through the error from redshift on the attempt to create a super user with no password.)

regarding the workaround - I tried it and it still creates the error. Also, wouldn't that overwrite the password with the dummy value the next time anything non-ignored changed on the resource? (actually it works)

StevenKGER pushed a commit to dbsystel/terraform-provider-redshift that referenced this issue Oct 25, 2024
@mmichaelb
Merge pull request brainly#56 from mmichaelb/renovate/github.com-hash…
31d3bef 
…icorp-terraform-plugin-sdk-v2-2.x

Update module github.com/hashicorp/terraform-plugin-sdk/v2 to v2.30.0
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@winglot @mtesch-um