An explicit test of correct and incorrect grant addition, and dynamic privilege on * to coexist with database-specific grants

maximmasiutin · maximmasiutin · commit 3cb5ce047b6e · 2025-04-20T20:41:06.000+03:00
diff --git a/GNUmakefile b/GNUmakefile
@@ -2,7 +2,7 @@ TEST?=$$(go list ./... |grep -v 'vendor')
 GOFMT_FILES?=$$(find . -name '*.go' |grep -v vendor)
 WEBSITE_REPO=github.com/hashicorp/terraform-website
 PKG_NAME=mysql
-TERRAFORM_VERSION=0.14.7
+TERRAFORM_VERSION=1.11.4
 TERRAFORM_OS=$(shell uname -s | tr A-Z a-z)
 TEST_USER=root
 TEST_PASSWORD=my-secret-pw
@@ -22,7 +22,7 @@ bin/terraform:
 testacc: fmtcheck bin/terraform
 	PATH="$(CURDIR)/bin:${PATH}" TF_ACC=1 go test $(TEST) -v $(TESTARGS) -timeout=120s
 
-acceptance: testversion5.6 testversion5.7 testversion8.0 testpercona5.7 testpercona8.0 testmariadb10.3 testmariadb10.8 testmariadb10.10 testtidb6.1.0 testtidb7.5.2
+acceptance: testversion5.6 testversion5.7 testversion8.0 testversion8.4.5 testpercona5.7 testpercona8.0 testmariadb10.3 testmariadb10.8 testmariadb10.10 testtidb6.1.0 testtidb7.5.2
 
 testversion%:
 	$(MAKE) MYSQL_VERSION=$* MYSQL_PORT=33$(shell echo "$*" | tr -d '.') testversion
@@ -76,6 +76,7 @@ testmariadb:
 	MYSQL_USERNAME="$(TEST_USER)" MYSQL_PASSWORD="$(TEST_PASSWORD)" MYSQL_ENDPOINT=127.0.0.1:$(MYSQL_PORT) $(MAKE) testacc
 	-docker rm -f test-mariadb$(MYSQL_VERSION)
 
+
 vet:
 	@echo "go vet ."
 	@go vet $$(go list ./... | grep -v vendor/) ; if [ $$? -eq 1 ]; then \
diff --git a/mysql/resource_grant_test.go b/mysql/resource_grant_test.go
@@ -1033,7 +1033,7 @@ resource "mysql_grant" "test_procedure" {
     host       = "%s"
     privileges = ["EXECUTE"]
     database   = "PROCEDURE %s"
-	table 	   = "%s"
+    table      = "%s"
 }
 `, dbName, dbName, dbName, dbName, hostName, dbName, procedureName)
 }
@@ -1150,7 +1150,7 @@ func TestAllowDuplicateUsersDifferentTables(t *testing.T) {
 	  user       = "${mysql_user.test.user}"
 	  host       = "${mysql_user.test.host}"
 	  database   = "${mysql_database.test.name}"
-      table      = "table1"
+          table      = "table1"
 	  privileges = ["UPDATE", "SELECT"]
 	}
 
@@ -1215,7 +1215,7 @@ func TestDisallowDuplicateUsersSameTable(t *testing.T) {
 	  user       = "${mysql_user.test.user}"
 	  host       = "${mysql_user.test.host}"
 	  database   = "${mysql_database.test.name}"
-      table      = "table1"
+          table      = "table1"
 	  privileges = ["UPDATE", "SELECT"]
 	}
 
@@ -1246,3 +1246,115 @@ func TestDisallowDuplicateUsersSameTable(t *testing.T) {
 		},
 	})
 }
+
+// TestModifyPrivileges explicitly verifies the correct and incorrect ways of modifying privileges.
+// It tests adding privileges by augmenting the existing grant (correct way).
+// It also tests that dynamic privileges configured on the global (`*`) database can coexist with grants on specific databases.
+func TestModifyPrivileges(t *testing.T) {
+	dbName := fmt.Sprintf("tf-test-modify-%d", rand.Intn(100))
+	roleName := fmt.Sprintf("TFRole-modify-%d", rand.Intn(100))
+
+	onePrivilegeConfig := getGrantsSampleWithPrivileges(roleName, dbName, `"SELECT"`)
+	twoPrivilegesConfig := getGrantsSampleWithPrivileges(roleName, dbName, `"SELECT", "UPDATE"`)
+	additionalStaticPrivilegeConfig := twoPrivilegesConfig + getAdditionalGrantSample(dbName, `"INSERT"`)
+	threePrivilegesConfig := getGrantsSampleWithPrivileges(roleName, dbName, `"SELECT", "UPDATE", "INSERT"`)
+	// Configuring dynamic privilege on global (`*`) database alongside specific database grants
+	additionalDynamicPrivilegeConfigFlushTables := threePrivilegesConfig + getAdditionalGrantSample("*", `"FLUSH_TABLES"`)
+	additionalDynamicPrivilegeConfigShowRoutine := threePrivilegesConfig + getAdditionalGrantSample("*", `"SHOW_ROUTINE"`)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			testAccPreCheckSkipMariaDB(t)
+			testAccPreCheckSkipNotMySQLVersionMin(t, "8.0.0")
+			testAccPreCheckSkipTiDB(t)
+		},
+		ProviderFactories: testAccProviderFactories,
+		CheckDestroy:      testAccGrantCheckDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccGrantConfigNoGrant(dbName),
+			},
+			{
+				Config: onePrivilegeConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccPrivilege("mysql_grant.grant", "SELECT", true, false),
+					testAccPrivilege("mysql_grant.grant", "UPDATE", false, false),
+					testAccPrivilege("mysql_grant.grant", "INSERT", false, false),
+				),
+			},
+			{
+				// Correct way: augment existing grant with additional privileges
+				Config: twoPrivilegesConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccPrivilege("mysql_grant.grant", "SELECT", true, false),
+					testAccPrivilege("mysql_grant.grant", "UPDATE", true, false),
+					testAccPrivilege("mysql_grant.grant", "INSERT", false, false),
+				),
+			},
+			{
+				// Incorrect way: create a new conflicting grant (expected to fail)
+				Config:      additionalStaticPrivilegeConfig,
+				ExpectError: regexp.MustCompile("already has"),
+			},
+			{
+				// Correct way: augment existing grant with additional privileges
+				Config: threePrivilegesConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccPrivilege("mysql_grant.grant", "SELECT", true, false),
+					testAccPrivilege("mysql_grant.grant", "UPDATE", true, false),
+					testAccPrivilege("mysql_grant.grant", "INSERT", true, false),
+				),
+			},
+
+			// Testing coexistence of dynamic privilege on global (`*`) database with specific database grants
+
+			{
+				Config: additionalDynamicPrivilegeConfigFlushTables,
+				Check: resource.ComposeTestCheckFunc(
+					testAccPrivilege("mysql_grant.grant", "SELECT", true, false),
+					testAccPrivilege("mysql_grant.grant", "UPDATE", true, false),
+					testAccPrivilege("mysql_grant.grant", "INSERT", true, false),
+					testAccPrivilege("mysql_grant.additional_grant", "FLUSH_TABLES", true, false),
+					testAccPrivilege("mysql_grant.additional_grant", "SHOW_ROUTINE", false, false),
+				),
+			},
+			{
+				Config: additionalDynamicPrivilegeConfigShowRoutine,
+				Check: resource.ComposeTestCheckFunc(
+					testAccPrivilege("mysql_grant.grant", "SELECT", true, false),
+					testAccPrivilege("mysql_grant.grant", "UPDATE", true, false),
+					testAccPrivilege("mysql_grant.grant", "INSERT", true, false),
+					testAccPrivilege("mysql_grant.additional_grant", "FLUSH_TABLES", false, false),
+					testAccPrivilege("mysql_grant.additional_grant", "SHOW_ROUTINE", true, false),
+				),
+			},
+		},
+	})
+}
+
+func getGrantsSampleWithPrivileges(roleName string, dbName string, privileges string) string {
+	return fmt.Sprintf(`
+
+	resource "mysql_role" "role" {
+	  name     = "%s"
+	}
+
+	resource "mysql_grant" "grant" {
+	  role       = "${mysql_role.role.name}"
+	  database   = "%s"
+	  privileges = [%s]
+	}
+	`, roleName, dbName, privileges)
+}
+
+func getAdditionalGrantSample(dbName string, privileges string) string {
+	return fmt.Sprintf(`
+
+    resource "mysql_grant" "additional_grant" {
+      role       = "${mysql_role.role.name}"
+      database   = "%s"
+      privileges = [%s]
+    }
+    `, dbName, privileges)
+}
