feat: Add postgresql_security_label resource

stanleyz · stanleyz · commit 84ad98483e16 · 2024-10-22T23:01:40.000+13:00
diff --git a/postgresql/resource_postgresql_security_label.go b/postgresql/resource_postgresql_security_label.go
@@ -5,6 +5,7 @@ import (
 	"database/sql"
 	"fmt"
 	"log"
+	"regexp"
 	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -24,6 +25,7 @@ func resourcePostgreSQLSecurityLabel() *schema.Resource {
 		Read:   PGResourceFunc(resourcePostgreSQLSecurityLabelRead),
 		Update: PGResourceFunc(resourcePostgreSQLSecurityLabelUpdate),
 		Delete: PGResourceFunc(resourcePostgreSQLSecurityLabelDelete),
+		// Exists: PGResourceExistsFunc(resourcePostgreSQLSecurityLabelExists),
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
 		},
@@ -60,7 +62,7 @@ func resourcePostgreSQLSecurityLabel() *schema.Resource {
 func resourcePostgreSQLSecurityLabelCreate(db *DBConnection, d *schema.ResourceData) error {
 	if !db.featureSupported(featureSecurityLabel) {
 		return fmt.Errorf(
-			"Security Label is not supported for this Postgres version (%s)",
+			"security Label is not supported for this Postgres version (%s)",
 			db.version,
 		)
 	}
@@ -75,6 +77,38 @@ func resourcePostgreSQLSecurityLabelCreate(db *DBConnection, d *schema.ResourceD
 	return resourcePostgreSQLSecurityLabelReadImpl(db, d)
 }
 
+// func resourcePostgreSQLSecurityLabelExists(db *DBConnection, d *schema.ResourceData) (bool, error) {
+// 	if !db.featureSupported(featureSecurityLabel) {
+// 		return false, fmt.Errorf(
+// 			"Security Label is not supported for this Postgres version (%s)",
+// 			db.version,
+// 		)
+// 	}
+// 	log.Printf("[WARN] PostgreSQL security label Exists")
+
+// 	id := strings.Split(d.Id(), ".")
+// 	if len(id) != 3 {
+// 		return false, fmt.Errorf(
+// 			"Invalid ID: %s. ID should be in the format of %s.%s.%s",
+// 			d.Id(),
+// 			securityLabelProviderAttr,
+// 			securityLabelObjectTypeAttr,
+// 			securityLabelObjectNameAttr,
+// 		)
+// 	}
+
+// 	provider := id[0]
+// 	objectType := id[1]
+// 	objectName := id[2]
+// 	query := "SELECT objtype FROM pg_seclabels WHERE objtype = $1 and objname = $2 and provider = $3"
+// 	err := db.QueryRow(query, objectType, quoteIdentifier(objectName), quoteIdentifier(provider)).Scan(&objectType)
+// 	if err == sql.ErrNoRows || err != nil {
+// 		return false, err
+// 	}
+
+// 	return true, nil
+// }
+
 func resourcePostgreSQLSecurityLabelUpdateImpl(db *DBConnection, d *schema.ResourceData, label string) error {
 	b := bytes.NewBufferString("SECURITY LABEL ")
 
@@ -115,11 +149,11 @@ func resourcePostgreSQLSecurityLabelReadImpl(db *DBConnection, d *schema.Resourc
 	}
 	defer deferredRollback(txn)
 
-	query := "SELECT objtype, objname, provider, label FROM pg_seclabels WHERE objtype = $1 and objname = $2 and provider = $3"
-	row := db.QueryRow(query, objectType, objectName, provider)
+	query := "SELECT objtype, provider, label FROM pg_seclabels WHERE objtype = $1 and objname = $2 and provider = $3"
+	row := db.QueryRow(query, objectType, quoteIdentifier(objectName), quoteIdentifier(provider))
 
 	var label string
-	err = row.Scan(&objectType, &objectName, &provider, &label)
+	err = row.Scan(&objectType, &provider, &label)
 	switch {
 	case err == sql.ErrNoRows:
 		log.Printf("[WARN] PostgreSQL security label for (%s '%s') with provider %s not found", objectType, objectName, provider)
@@ -180,3 +214,12 @@ func generateSecurityLabelID(d *schema.ResourceData) string {
 		d.Get(securityLabelObjectNameAttr).(string),
 	}, ".")
 }
+
+func quoteIdentifier(s string) string {
+	var result = s
+	re := regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_]*$`)
+	if !re.MatchString(s) || s != strings.ToLower(s) {
+		result = pq.QuoteIdentifier(s)
+	}
+	return result
+}
diff --git a/postgresql/resource_postgresql_security_label_test.go b/postgresql/resource_postgresql_security_label_test.go
@@ -75,7 +75,7 @@ func TestAccPostgresqlSecurityLabel_Update(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckPostgresqlSecurityLabelExists("postgresql_security_label.test_label"),
 					resource.TestCheckResourceAttr(
-						"postgresql_security_label.test_label", "object_name", "security_label_test_role2"),
+						"postgresql_security_label.test_label", "object_name", "security_label_test-role2"),
 				),
 			},
 		},
@@ -84,7 +84,7 @@ func TestAccPostgresqlSecurityLabel_Update(t *testing.T) {
 
 func checkSecurityLabelExists(txn *sql.Tx, objectType string, objectName string, provider string) (bool, error) {
 	var _rez bool
-	err := txn.QueryRow("SELECT TRUE FROM pg_seclabels WHERE objtype = $1 AND objname = $2 AND provider = $3", objectType, objectName, provider).Scan(&_rez)
+	err := txn.QueryRow("SELECT TRUE FROM pg_seclabels WHERE objtype = $1 AND objname = $2 AND provider = $3", objectType, quoteIdentifier(objectName), provider).Scan(&_rez)
 	switch {
 	case err == sql.ErrNoRows:
 		return false, nil
@@ -175,10 +175,10 @@ resource "postgresql_role" "test_role" {
   create_database = true
 }
 resource "postgresql_security_label" "test_label" {
-  object_type = "role"
-  object_name = postgresql_role.test_role.name
+  object_type    = "role"
+  object_name    = postgresql_role.test_role.name
   label_provider = "dummy"
-  label      = "secret"
+  label          = "secret"
 }
 `
 
@@ -189,23 +189,23 @@ resource "postgresql_role" "test_role" {
   create_database = true
 }
 resource "postgresql_security_label" "test_label" {
-  object_type = "role"
-  object_name = postgresql_role.test_role.name
+  object_type    = "role"
+  object_name    = postgresql_role.test_role.name
   label_provider = "dummy"
-  label      = "top secret"
+  label          = "top secret"
 }
 `
 
 var testAccPostgresqlSecurityLabelChanges3 = `
 resource "postgresql_role" "test_role" {
-  name            = "security_label_test_role2"
+  name            = "security_label_test-role2"
   login           = true
   create_database = true
 }
 resource "postgresql_security_label" "test_label" {
-  object_type = "role"
-  object_name = postgresql_role.test_role.name
+  object_type    = "role"
+  object_name    = postgresql_role.test_role.name
   label_provider = "dummy"
-  label      = "top secret"
+  label          = "top secret"
 }
 `
diff --git a/website/docs/r/postgresql_security_label.html.markdown b/website/docs/r/postgresql_security_label.html.markdown
@@ -36,3 +36,7 @@ resource "postgresql_security_label" "workload" {
 * `object_name` - (Required) The name of the object to be labeled. Names of objects that reside in schemas (tables, functions, etc.) can be schema-qualified.
 * `label_provider` - (Required) The name of the provider with which this label is to be associated.
 * `label` - (Required) The value of the security label.
+
+## Import
+
+Security label is an attribute that can be added multiple times, so no import is needed, simply apply again.
