feat: add reassign_owned_to parameter to role ressource

Author: jBouyoud

postgresql/resource_postgresql_role.go

@@ -32,6 +32,7 @@ const (
 	roleReplicationAttr                     = "replication"
 	roleSkipDropRoleAttr                    = "skip_drop_role"
 	roleSkipReassignOwnedAttr               = "skip_reassign_owned"
+	roleReassignOwnedToAttr                 = "reassign_owned_to"
 	roleSuperuserAttr                       = "superuser"
 	roleValidUntilAttr                      = "valid_until"
 	roleRolesAttr                           = "roles"
@@ -182,6 +183,11 @@ func resourcePostgreSQLRole() *schema.Resource {
 				Default:     false,
 				Description: "Skip actually running the REASSIGN OWNED command when removing a role from PostgreSQL",
 			},
+			roleReassignOwnedToAttr: {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Role to reassign owned objects to when removing a role from PostgreSQL. If not specified, defaults to the current user",
+			},
 			roleStatementTimeoutAttr: {
 				Type:         schema.TypeInt,
 				Optional:     true,
@@ -394,9 +400,13 @@ func resourcePostgreSQLRoleDelete(db *DBConnection, d *schema.ResourceData) erro
 
 	if !d.Get(roleSkipReassignOwnedAttr).(bool) {
 		if err := withRolesGranted(txn, []string{roleName}, func() error {
-			currentUser := db.client.config.getDatabaseUsername()
-			if _, err := txn.Exec(fmt.Sprintf("REASSIGN OWNED BY %s TO %s", pq.QuoteIdentifier(roleName), pq.QuoteIdentifier(currentUser))); err != nil {
-				return fmt.Errorf("could not reassign owned by role %s to %s: %w", roleName, currentUser, err)
+			// Use the specified reassign_owned_to user, or fall back to current user
+			reassignTo := d.Get(roleReassignOwnedToAttr).(string)
+			if reassignTo == "" {
+				reassignTo = db.client.config.getDatabaseUsername()
+			}
+			if _, err := txn.Exec(fmt.Sprintf("REASSIGN OWNED BY %s TO %s", pq.QuoteIdentifier(roleName), pq.QuoteIdentifier(reassignTo))); err != nil {
+				return fmt.Errorf("could not reassign owned by role %s to %s: %w", roleName, reassignTo, err)
 			}
 
 			if _, err := txn.Exec(fmt.Sprintf("DROP OWNED BY %s", pq.QuoteIdentifier(roleName))); err != nil {
@@ -509,6 +519,7 @@ func resourcePostgreSQLRoleReadImpl(db *DBConnection, d *schema.ResourceData) er
 	d.Set(roleLoginAttr, roleCanLogin)
 	d.Set(roleSkipDropRoleAttr, d.Get(roleSkipDropRoleAttr).(bool))
 	d.Set(roleSkipReassignOwnedAttr, d.Get(roleSkipReassignOwnedAttr).(bool))
+	d.Set(roleReassignOwnedToAttr, d.Get(roleReassignOwnedToAttr).(string))
 	d.Set(roleSuperuserAttr, roleSuperuser)
 	d.Set(roleValidUntilAttr, roleValidUntil)
 	d.Set(roleReplicationAttr, roleReplication)

postgresql/resource_postgresql_role_test.go

@@ -45,6 +45,7 @@ func TestAccPostgresqlRole_Basic(t *testing.T) {
 					resource.TestCheckResourceAttr("postgresql_role.role_with_defaults", "valid_until", "infinity"),
 					resource.TestCheckResourceAttr("postgresql_role.role_with_defaults", "skip_drop_role", "false"),
 					resource.TestCheckResourceAttr("postgresql_role.role_with_defaults", "skip_reassign_owned", "false"),
+					resource.TestCheckResourceAttr("postgresql_role.role_with_defaults", "reassign_owned_to", ""),
 					resource.TestCheckResourceAttr("postgresql_role.role_with_defaults", "statement_timeout", "0"),
 					resource.TestCheckResourceAttr("postgresql_role.role_with_defaults", "idle_in_transaction_session_timeout", "0"),
 					resource.TestCheckResourceAttr("postgresql_role.role_with_defaults", "assume_role", ""),
@@ -238,6 +239,43 @@ resource "postgresql_role" "test_role" {
 	})
 }
 
+// Test reassign_owned_to parameter
+func TestAccPostgresqlRole_ReassignOwnedTo(t *testing.T) {
+	// Get the admin user (usually postgres) who will receive the reassigned objects
+	admin := os.Getenv("PGUSER")
+	if admin == "" {
+		admin = "postgres"
+	}
+
+	config := fmt.Sprintf(`
+resource "postgresql_role" "temp_role" {
+  name              = "temp_role"
+  login             = true
+  password          = "temppass"
+  reassign_owned_to = "%s"
+}
+`, admin)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			testCheckCompatibleVersion(t, featurePrivileges)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckPostgresqlRoleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckPostgresqlRoleExists("temp_role", nil, nil),
+					resource.TestCheckResourceAttr("postgresql_role.temp_role", "name", "temp_role"),
+					resource.TestCheckResourceAttr("postgresql_role.temp_role", "reassign_owned_to", admin),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckPostgresqlRoleDestroy(s *terraform.State) error {
 	client := testAccProvider.Meta().(*Client)
 

website/docs/r/postgresql_role.html.markdown

@@ -52,6 +52,14 @@ resource "postgresql_role" "secure_role" {
   password_wo         = "secure_password_123"
   password_wo_version = "1"
 }
+
+# Example with reassign_owned_to
+resource "postgresql_role" "temp_role" {
+  name              = "temp_role"
+  login             = true
+  password          = "temppass"
+  reassign_owned_to = "admin_role"  # Objects will be reassigned to admin_role when this role is dropped
+}
 ```
 
 ## Write-Only Password Management
@@ -166,6 +174,10 @@ resource "postgresql_role" "app_user" {
   an implicit
   [`DROP OWNED`](https://www.postgresql.org/docs/current/static/sql-drop-owned.html)).
 
+* `reassign_owned_to` - (Optional) Specifies the role to which objects owned by the role being
+  dropped should be reassigned. If not specified, defaults to the current database user
+  (the user configured in the provider). This is only used when `skip_reassign_owned` is `false`.
+
 * `statement_timeout` - (Optional) Defines [`statement_timeout`](https://www.postgresql.org/docs/current/runtime-config-client.html#RUNTIME-CONFIG-CLIENT-STATEMENT) setting for this role which allows to abort any statement that takes more than the specified amount of time.
 
 * `assume_role` - (Optional) Defines the role to switch to at login via [`SET ROLE`](https://www.postgresql.org/docs/current/sql-set-role.html).