Skip to content

Add password and superuser args to user role resource #736

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Add password and superuser args to user role resource #736

wants to merge 7 commits into from

Conversation

bobbyiliev
Copy link
Contributor

@bobbyiliev bobbyiliev commented Sep 2, 2025
edited
Loading

@bobbyiliev bobbyiliev requested a review from a team as a code owner September 2, 2025 14:42
@bobbyiliev bobbyiliev requested review from SangJunBak and removed request for a team September 2, 2025 14:42
@bobbyiliev bobbyiliev force-pushed the add-password-to-role-resource branch from a7d566b to 3c0cebd Compare September 2, 2025 14:43
@bobbyiliev bobbyiliev force-pushed the add-password-to-role-resource branch from 3c0cebd to 3f37ccd Compare September 24, 2025 15:39
@bobbyiliev bobbyiliev force-pushed the add-password-to-role-resource branch from 32ff85d to 6a7cce5 Compare October 6, 2025 15:27
bobbyiliev
bobbyiliev commented Oct 6, 2025
View reviewed changes
pkg/materialize/role.go Outdated
}

if b.password != "" {
p = append(p, fmt.Sprintf(` WITH LOGIN PASSWORD %s`, QuoteString(b.password)))
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Open to suggestions here if we should actually make the login a separate attribute, so instead of:

resource "materialize_role" "admin_user" {
  name      = "admin"
  password  = "adminpass"
  superuser = true
}

Users would need to explicitly set this, eg:

resource "materialize_role" "admin_user" {
  name      = "admin"
  password  = "adminpass"
  login     = true
  superuser = true
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I think so. We def have users who use non-login roles to manage grants, so lets make it explicit here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good! Will get this updated.

@bobbyiliev bobbyiliev requested review from DAlperin and jubrad October 6, 2025 15:31
@bobbyiliev
Copy link
Contributor Author

Tests will be failing until we get the new image with MaterializeInc/materialize#33697

jubrad
jubrad approved these changes Oct 7, 2025
View reviewed changes
Copy link
Contributor

@jubrad jubrad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving because the code seems solid, but I do have a few comments that might be nice to address first.

examples/resources/materialize_role/resource.tf
Comment on lines +5 to +9
resource "materialize_role" "admin_user" {
name = "admin_user"
password = var.admin_password
superuser = true
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this needs login set to true

pkg/materialize/role.go
Comment on lines +65 to +82
if b.password != "" {
if b.login {
p = append(p, fmt.Sprintf(` WITH LOGIN PASSWORD %s`, QuoteString(b.password)))
} else {
p = append(p, fmt.Sprintf(` WITH PASSWORD %s`, QuoteString(b.password)))
}
} else if b.login {
p = append(p, ` WITH LOGIN`)
}

if b.superuserSet {
if b.superuser {
p = append(p, ` SUPERUSER`)
} else {
p = append(p, ` NOSUPERUSER`)
}
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if we should just always provide all WIH options

append(p, ` WITH`)

if b.login {
   append(p, ` LOGIN`)
} else {
   append(p, ` NOLOGIN`)
}

if b.password {
  p = append(p, fmt.Sprintf(` PASSWORD %s`, QuoteString(b.password)))
} else {
  p = append(p, ` NOPASSWORD `)
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm yes I like this! Will update the PR now.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jubrad Actually this might not work and I'm now remembering why I did it that way initially :/

Because in SaaS, where we don't have password enabled, it would make the role resource unusable I think?

image

@bobbyiliev bobbyiliev force-pushed the add-password-to-role-resource branch from 077bef1 to 2d67a14 Compare October 17, 2025 13:46
@bobbyiliev bobbyiliev force-pushed the add-password-to-role-resource branch from 2d67a14 to d54762f Compare October 17, 2025 18:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jubrad jubrad jubrad approved these changes

@SangJunBak SangJunBak Awaiting requested review from SangJunBak SangJunBak is a code owner automatically assigned from MaterializeInc/console

@DAlperin DAlperin Awaiting requested review from DAlperin

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add password and superuser Support to materialize_role Resource for Self-Hosted

3 participants

@bobbyiliev @jubrad @DAlperin