github.com/simonswine/terraform@v0.9.0-beta2/website/source/docs/providers/postgresql/r/postgresql_role.html.markdown

---
layout: "postgresql"
page_title: "PostgreSQL: postgresql_role"
sidebar_current: "docs-postgresql-resource-postgresql_role"
description: |-
  Creates and manages a role on a PostgreSQL server.
---

# postgresql\_role

The ``postgresql_role`` resource creates and manages a role on a PostgreSQL
server.

When a ``postgresql_role`` resource is removed, a
[`REASSIGN OWNED`](https://www.postgresql.org/docs/current/static/sql-reassign-owned.html)
and a
[`DROP OWNED`](https://www.postgresql.org/docs/current/static/sql-drop-owned.html)
are automatically run for the PostgreSQL ROLE, reassigning its objects to the
`CURRENT_USER` (normally the connected user for the provider). If the
specified PostgreSQL ROLE owns objects in multiple PostgreSQL databases in the
same PostgreSQL Cluster, one PostgreSQL provider per database must be created
and all but the final ``postgresql_role`` must specify a `skip_drop_role`.

## Usage

```
resource "postgresql_role" "my_role" {
  name     = "my_role"
  login    = true
  password = "mypass"
}

resource "postgresql_role" "my_replication_role" {
  name             = "replication_role"
  replication      = true
  login            = true
  connection_limit = 5
  password         = "md5c98cbfeb6a347a47eb8e96cfb4c4b890"
}
```

## Argument Reference

* `name` - (Required) The name of the role. Must be unique on the PostgreSQL
  server instance where it is configured.

* `superuser` - (Optional) Defines whether the role is a "superuser", and
  therefore can override all access restrictions within the database. Default
  value is `false`.

* `create_database` - (Optional) Defines a role's ability to execute `CREATE
  DATABASE`. Default value is `false`.

* `create_role` - (Optional) Defines a role's ability to execute `CREATE ROLE`.
  A role with this privilege can also alter and drop other roles. Default value
  is `false`.

* `inherit` - (Optional) Defines whether a role "inherits" the privileges of
  roles it is a member of. Default value is `true`.

* `login` - (Optional) Defines whether a role is allowed to log in. Roles without
  this attribute are useful for managing database privileges, but are not users
  in the usual sense of the word. Default value is `false`.

* `replication` - (Optional) Defines whether a role is allowed to initiate
  streaming replication or put the system in and out of backup mode. Default
  value is `false`.

* `bypass_row_level_security` - (Optional) Defines whether a role bypasses every
  row-level security (RLS) policy. Default value is `false`.

* `connection_limit` - (Optional) If this role can log in, this specifies how
  many concurrent connections the role can establish. `-1` (the default) means no
  limit.

* `encrypted_password` - (Optional) Defines whether the password is stored
  encrypted in the system catalogs. Default value is `true`. NOTE: this value
  is always set (to the conservative and safe value), but may interfere with the
  behavior of
  [PostgreSQL's `password_encryption` setting](https://www.postgresql.org/docs/current/static/runtime-config-connection.html#GUC-PASSWORD-ENCRYPTION).

* `password` - (Optional) Sets the role's password. (A password is only of use
  for roles having the `login` attribute set to true, but you can nonetheless
  define one for roles without it.) Roles without a password explicitly set are
  left alone. If the password is set to the magic value `NULL`, the password
  will always be cleared.

* `valid_until` - (Optional) Defines the date and time after which the role's
  password is no longer valid. Established connections past this `valid_until`
  will have to be manually terminated. This value corresponds to a PostgreSQL
  datetime. If omitted or the magic value `NULL` is used, `valid_until` will be
  set to `infinity`. Default is `NULL`, therefore `infinity`.

* `skip_drop_role` - (Optional) When a PostgreSQL ROLE exists in multiple
  databases and the ROLE is dropped, the
  [cleanup of ownership of objects](https://www.postgresql.org/docs/current/static/role-removal.html)
  in each of the respective databases must occur before the ROLE can be dropped
  from the catalog. Set this option to true when there are multiple databases
  in a PostgreSQL cluster using the same PostgreSQL ROLE for object ownership.
  This is the third and final step taken when removing a ROLE from a database.

* `skip_reassign_owned` - (Optional) When a PostgreSQL ROLE exists in multiple
  databases and the ROLE is dropped, a
  [`REASSIGN OWNED`](https://www.postgresql.org/docs/current/static/sql-reassign-owned.html)
  must be executed on each of the respective databases before the `DROP ROLE`
  can be executed to drop the ROLE from the catalog. This is the first and
  second steps taken when removing a ROLE from a database (the second step being
  an implicit
  [`DROP OWNED`](https://www.postgresql.org/docs/current/static/sql-drop-owned.html)).

## Import Example

`postgresql_role` supports importing resources. Supposing the following
Terraform:

```
provider "postgresql" {
  alias = "admindb"
}

resource "postgresql_role" "replication_role" {
  provider = "postgresql.admindb"

  name = "replication_name"
}
```

It is possible to import a `postgresql_role` resource with the following
command:

```
$ terraform import postgresql_role.replication_role replication_name
```

Where `replication_name` is the name of the role to import and
`postgresql_role.replication_role` is the name of the resource whose state will
be populated as a result of the command.
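
The multi-database removal described in the introduction and under `skip_drop_role` can be laid out as follows. This is an added example, not configuration from the Terraform project: the role name, database names and provider aliases are hypothetical, the provider's `database` argument is assumed to be available in this version, and connection settings are omitted as in the Import Example above.

```hcl
# Added example: every name, database and alias below is hypothetical.
# One provider per database that holds objects owned by the role.
provider "postgresql" {
  alias    = "db_orders"
  database = "orders"
}

provider "postgresql" {
  alias    = "db_billing"
  database = "billing"
}

# Final resource: on destroy it cleans up ownership in "billing" and then
# runs DROP ROLE, so it has to be destroyed last.
resource "postgresql_role" "app_owner_billing" {
  provider = "postgresql.db_billing"
  name     = "app_owner"
}

# Every other database: ownership is cleaned up on destroy (REASSIGN OWNED,
# DROP OWNED) but DROP ROLE is skipped. Because this resource depends on the
# final one, Terraform destroys it first.
# Assumption: roles are cluster-wide, so this second resource is brought into
# state with "terraform import" instead of being created a second time.
resource "postgresql_role" "app_owner_orders" {
  provider       = "postgresql.db_orders"
  name           = "app_owner"
  skip_drop_role = true
  depends_on     = ["postgresql_role.app_owner_billing"]
}
```

If the final resource were destroyed first, its `DROP ROLE` would fail while the role still owns objects in the `orders` database, which is the ordering constraint the `skip_drop_role` description refers to.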