CLOUD_IAM_GROUP mysql_grant not working

[jcasal-ixl]

Steps I want:

1. Create read_only role with SELECT, SHOW VIEW permission
2. Create CLOUD_IAM_GROUP from email. read_only_users@domain.com
3. GRANT read_only role to the group created above.

The problem happens on step 3, cloudsql automatically grants cloudiamgroup to any role created with type CLOUD_IAM_GROUP
but terraform gives this error when just adding a new role.

Error: user/role mysql.UserOrRole{Name:"read_only_users", Host:"domain.com"} already has grant &{[cloudiamgroup] false {read_only_users domain.com} NONE} - 

Seems like for accounts that are cloud_iam_groups, it should ignore the cloudiamgroup grant, as it is something that it is managed by google and therefore we cant revoke / grant and should not be a grant managed by terraform.
GRANT USAGE is also automatically added to these users.

This is the desired sql to be executed

CREATE ROLE IF NOT EXISTS read_only;
GRANT SELECT, SHOW VIEW ON *.* TO read_only;

GRANT read_only TO 'read_only_users'@'domain.com';

terraform script

resource "google_sql_user" "iam_groups" {
  depends_on = [ module.mysql ]

  for_each = toset(["read_only_users@domain.com"])
  name     = each.value
  type     = "CLOUD_IAM_GROUP"
  project  = local.effective_project
  instance = module.mysql.primary_name
}

# Create the Role
resource "mysql_role" "read_only_role" {
  depends_on = [ module.mysql ]
  name = "read_only"
}

# Grant Permissions to the Role
resource "mysql_grant" "read_only_role_grant" {
  depends_on = [ mysql_role.read_only_role ]
  role      = mysql_role.read_only_role.name
  privileges = ["SELECT", "SHOW VIEW"]
  database   = "*"
  table      = "*"
}

# Grant role to IAM AUTH read only users
resource "mysql_grant" "iam_user_role_grants" {
  depends_on = [ google_sql_user.iam_groups, mysql_grant.read_only_role_grant ]

  for_each = google_sql_user.iam_groups
  user       = split("@", each.key)[0]
  host       = split("@", each.key)[1]
  roles      = [mysql_role.read_only_role.name]
}

[petoju]

@jcasal-ixl that makes sense - will you send a pull request?

[jcasal-ixl]

Hi @petoju I tried my best here :). Thank you for the quick response

#256

[mfinelli]

Hi @petoju we have the same problem... Since the other PR was closed I wanted to ask what approach we would need to take for you to accept a PR? Cheers

[petoju]

@mfinelli that's a good question.

This is almost non-negotiable: checking extra resources must still work in the remaining cases. That means your change cannot break that.

Besides that it's really useful if one doesn't have to specify all other roles. That's error-prone.

Maybe we should ignore privileges "cloudiamgroup" and remove users without any privilege? Could this work from your point of view?

[mfinelli]

Sorry do you mean that there should be a provider-global ignore list of hardcoded roles to ignore? Or maybe it could be configurable on the provider?

[petoju]

@mfinelli why would we want to configure that? It only asks for issues. Based on my understanding of "show grants" from logs (feel free to do it youself, I haven't seen it myself), the permissions here are like

GRANT 'cloudiamgroup' TO 'yourgroup'@'yourhost'

So if we specifically exclude grant of cloudiamgroup permission / role like this (verbatim), then we could be safe. If we override it and anyone says "SELECT", then it will break them. And we don't know about other usages yet.

[mfinelli]

Sorry I guess I mean that if we hardcode cloudiamgroup then wouldn't that prevent people not using GCP from creating and managing a role with that name outside of GCP? I admit it's a strange name to use elsewhere, but I guess it just seems strange to me to disallow it everywhere even if it only affects cloud sql.

[jcasal-ixl]

I think at this point, I'm not too particular on what approach is used as long as it is possible, its a shame that I've had to go around this issue, given the potential to manage this is available in this provider.

[mfinelli]

Hi @petoju should I go ahead and implement this using a hardcoded ignore list of cloudiamgroup? Cheers

[petoju]

@mfinelli yes, it would prevent them - you are right. That said, it's pretty unlikely role name... So it could be ignored just for GCP (ideally) or everywhere (worse, but I believe good enough given the limitations).
Yes, it's suboptimal, but we don't know how to do much better.