Updating provider version

main.tf

@@ -24,18 +24,16 @@ locals {
 # Datasources
 #############################################################
 
+data "aws_partition" "current" {}
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
 data "aws_db_instance" "default" {
   count = var.enabled ? 1 : 0
 
   db_instance_identifier = var.db_instance_id
 }
 
-data "aws_ssm_parameter" "master_password" {
-  count = var.enabled && local.master_password_in_ssm_param ? 1 : 0
-
-  name = var.db_master_password_ssm_param
-}
-
 data "aws_secretsmanager_secret" "master_password" {
   count = var.enabled && local.master_password_in_secretsmanager ? 1 : 0
 
@@ -48,12 +46,6 @@ data "aws_kms_key" "master_password" {
   key_id = var.db_master_password_ssm_param_kms_key
 }
 
-data "aws_ssm_parameter" "user_password" {
-  count = var.enabled && local.user_password_in_ssm_param ? 1 : 0
-
-  name = var.db_user_password_ssm_param
-}
-
 data "aws_secretsmanager_secret" "user_password" {
   count = var.enabled && local.user_password_in_secretsmanager ? 1 : 0
 
@@ -78,8 +70,8 @@ data "aws_kms_key" "lambda" {
 
 module "default_label" {
   enabled = var.enabled
-
-  source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.16.0"
+  source     = "cloudposse/label/null"
+  version    = "0.25.0"
   attributes = compact(concat(var.attributes, ["db", "provisioner"]))
   delimiter  = var.delimiter
   name       = var.name
@@ -117,7 +109,7 @@ resource "aws_lambda_function" "default" {
 
   role        = join("", aws_iam_role.lambda.*.arn)
   handler     = "main.lambda_handler"
-  runtime     = "python3.7"
+  runtime     = "python3.12"
   timeout     = var.timeout
   memory_size = var.memory
   kms_key_arn = var.kms_key
@@ -136,6 +128,7 @@ resource "aws_lambda_function" "default" {
       PROVISION_USER                    = var.db_user
       PROVISION_USER_PASSWORD           = var.db_user_password
       PROVISION_USER_PASSWORD_SSM_PARAM = var.db_user_password_ssm_param
+      GRANT_ALL_PRIVILEGES              = var.grant_all_privileges
     }
   }
 
@@ -267,7 +260,7 @@ data "aws_iam_policy_document" "master_password_ssm_permissions" {
     actions = [
       "ssm:GetParameter",
     ]
-    resources = [join("", data.aws_ssm_parameter.master_password.*.arn)]
+    resources = ["arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${var.db_master_password_ssm_param}"]
   }
 }
 
@@ -303,7 +296,7 @@ data "aws_iam_policy_document" "user_password_ssm_permissions" {
     actions = [
       "ssm:GetParameter",
     ]
-    resources = [join("", data.aws_ssm_parameter.user_password.*.arn)]
+    resources = ["arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${var.db_user_password_ssm_param}"]
   }
 }
 
@@ -331,21 +324,23 @@ data "aws_iam_policy_document" "user_password_kms_permissions" {
   }
 }
 
-module "aggregated_policy" {
-  source = "git::https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator.git?ref=tags/0.2.0"
+########################################################
+locals  {
 
-  source_documents = compact([
-    join("", data.aws_iam_policy_document.default_permissions.*.json),
-    join("", data.aws_iam_policy_document.lambda_kms_permissions.*.json),
-    join("", data.aws_iam_policy_document.master_password_ssm_permissions.*.json),
-    join("", data.aws_iam_policy_document.master_password_kms_permissions.*.json),
-    join("", data.aws_iam_policy_document.master_password_secretsmanager_permissions.*.json),
-    join("", data.aws_iam_policy_document.user_password_ssm_permissions.*.json),
-    join("", data.aws_iam_policy_document.user_password_kms_permissions.*.json),
-    join("", data.aws_iam_policy_document.user_password_secretsmanager_permissions.*.json),
-  ])
+    policy_statement = concat(
+      length(data.aws_iam_policy_document.default_permissions[*].json) > 0 ? jsondecode(data.aws_iam_policy_document.default_permissions[0].json)["Statement"] : [],
+      length(data.aws_iam_policy_document.master_password_ssm_permissions[*].json) > 0 ? jsondecode(data.aws_iam_policy_document.master_password_ssm_permissions[0].json)["Statement"] : [],
+      length(data.aws_iam_policy_document.master_password_kms_permissions[*].json) > 0 ? jsondecode(data.aws_iam_policy_document.master_password_kms_permissions[0].json)["Statement"] : [],
+      length(data.aws_iam_policy_document.master_password_secretsmanager_permissions[*].json) > 0 ? jsondecode(data.aws_iam_policy_document.master_password_secretsmanager_permissions[0].json)["Statement"] : [],
+      length(data.aws_iam_policy_document.lambda_kms_permissions[*].json) > 0 ? jsondecode(data.aws_iam_policy_document.lambda_kms_permissions[0].json)["Statement"] : [],
+      length(data.aws_iam_policy_document.user_password_ssm_permissions[*].json) > 0 ? jsondecode(data.aws_iam_policy_document.user_password_ssm_permissions[0].json)["Statement"] : [],
+      length(data.aws_iam_policy_document.user_password_secretsmanager_permissions[*].json) > 0 ? jsondecode(data.aws_iam_policy_document.user_password_secretsmanager_permissions[0].json)["Statement"] : [],
+      length(data.aws_iam_policy_document.user_password_kms_permissions[*].json) > 0 ? jsondecode(data.aws_iam_policy_document.user_password_kms_permissions[0].json)["Statement"] : [],
+    )
 }
 
+data "aws_iam_policy_document" "empty" {}
+
 resource "aws_iam_role" "lambda" {
   count = var.enabled ? 1 : 0
 
@@ -362,7 +357,10 @@ resource "aws_iam_policy" "default" {
   path        = "/"
   description = "IAM policy to control access of Lambda function to AWS resources"
 
-  policy = module.aggregated_policy.result_document
+  policy = jsonencode({
+    Version   = "2012-10-17",
+    Statement = local.policy_statement
+  }) 
 }
 
 resource "aws_iam_role_policy_attachment" "default_permissions" {

outputs.tf

@@ -38,3 +38,11 @@ output "lambda_function_name" {
   value       = join("", aws_lambda_function.default.*.function_name)
 }
 
+output "result_document" {
+  # value       = data.aws_iam_policy_document.default[*].json
+  # description = "Aggregated IAM policy"
+  value = jsonencode({
+    Version   = "2012-10-17",
+    Statement = local.policy_statement
+  })
+}

source-code/main.py

@@ -36,6 +36,7 @@ class DBInfo:
     provision_db_name: str
     provision_user: str
     provision_user_password: str
+    grant_all_privileges: str
 
 
 class DBProvisioner(object):
@@ -208,8 +209,10 @@ def provision_mysql_db(self, info: DBInfo):
 
             query = "CREATE DATABASE {};".format(info.provision_db_name)
             cursor.execute(query)
+            self.logger.info("Database '{}' successfully created".format(info.provision_db_name))
 
-            if info.provision_user:
+        if info.provision_user:
+            if info.grant_all_privileges == "true":
                 self.logger.info("Granting all privileges on database '{}' to '{}'".format(
                     info.provision_db_name,
                     info.provision_user,
@@ -232,8 +235,30 @@ def provision_mysql_db(self, info: DBInfo):
                     info.provision_db_name,
                     info.provision_user,
                 ))
+            else:
+                self.logger.info("Granting read-only privileges on database '{}' to '{}'".format(
+                    info.provision_db_name,
+                    info.provision_user,
+                ))
+
+                query = "GRANT SELECT PRIVILEGES ON {} . * TO '{}'@'localhost';".format(
+                    info.provision_db_name,
+                    info.provision_user,
+                )
+                cursor.execute(query)
+                query = "GRANT SELECT PRIVILEGES ON {} . * TO '{}'@'%';".format(
+                    info.provision_db_name,
+                    info.provision_user,
+                )
+                cursor.execute(query)
+                query = "FLUSH PRIVILEGES;"
+                cursor.execute(query)
+
+                self.logger.info("Read-only privileges on database '{}' granted to '{}'.".format(
+                    info.provision_db_name,
+                    info.provision_user,
+                ))
 
-            self.logger.info("Database '{}' successfully created".format(info.provision_db_name))
 
         cursor.close()
         connection.close()
@@ -257,7 +282,8 @@ def provision(self):
             connect_db_name=os.environ.get('CONNECT_DB_NAME', instance.get('DBName')),
             provision_db_name=os.environ.get('PROVISION_DB_NAME'),
             provision_user=os.environ.get('PROVISION_USER'),
-            provision_user_password=user_password
+            provision_user_password=user_password,
+            grant_all_privileges=os.environ.get('GRANT_ALL_PRIVILEGES')
         )
 
         engine: str = instance.get('Engine')

source-code/psycopg2/__init__.py → source-code/psycopg2/lib/__init__.py

@@ -6,10 +6,10 @@
 candies. Like the original, psycopg 2 was written with the aim of being very
 small and fast, and stable as a rock.
 
-Homepage: http://initd.org/projects/psycopg2
+Homepage: https://psycopg.org/
 
-.. _PostgreSQL: http://www.postgresql.org/
-.. _Python: http://www.python.org/
+.. _PostgreSQL: https://www.postgresql.org/
+.. _Python: https://www.python.org/
 
 :Groups:
   * `Connections creation`: connect
@@ -18,7 +18,8 @@
 """
 # psycopg/__init__.py - initialization of the psycopg module
 #
-# Copyright (C) 2003-2010 Federico Di Gregorio  <fog@debian.org>
+# Copyright (C) 2003-2019 Federico Di Gregorio  <fog@debian.org>
+# Copyright (C) 2020-2021 The Psycopg Team
 #
 # psycopg2 is free software: you can redistribute it and/or modify it
 # under the terms of the GNU Lesser General Public License as published
@@ -43,7 +44,7 @@
 
 # Note: the first internal import should be _psycopg, otherwise the real cause
 # of a failed loading of the C module may get hidden, see
-# http://archives.postgresql.org/psycopg/2011-02/msg00044.php
+# https://archives.postgresql.org/psycopg/2011-02/msg00044.php
 
 # Import the DBAPI-2.0 stuff into top-level module.
 
@@ -60,26 +61,20 @@
     __version__, __libpq_version__,
 )
 
-from psycopg2 import tz                             # noqa
-
 
 # Register default adapters.
 
-import psycopg2.extensions as _ext
+from psycopg2 import extensions as _ext
 _ext.register_adapter(tuple, _ext.SQL_IN)
 _ext.register_adapter(type(None), _ext.NoneAdapter)
 
 # Register the Decimal adapter here instead of in the C layer.
 # This way a new class is registered for each sub-interpreter.
 # See ticket #52
-try:
-    from decimal import Decimal
-except ImportError:
-    pass
-else:
-    from psycopg2._psycopg import Decimal as Adapter
-    _ext.register_adapter(Decimal, Adapter)
-    del Decimal, Adapter
+from decimal import Decimal                         # noqa
+from psycopg2._psycopg import Decimal as Adapter    # noqa
+_ext.register_adapter(Decimal, Adapter)
+del Decimal, Adapter
 
 
 def connect(dsn=None, connection_factory=None, cursor_factory=None, **kwargs):
@@ -123,9 +118,6 @@ def connect(dsn=None, connection_factory=None, cursor_factory=None, **kwargs):
     if 'async_' in kwargs:
         kwasync['async_'] = kwargs.pop('async_')
 
-    if dsn is None and not kwargs:
-        raise TypeError('missing dsn and no parameters')
-
     dsn = _ext.make_dsn(dsn, **kwargs)
     conn = _connect(dsn, connection_factory=connection_factory, **kwasync)
     if cursor_factory is not None:

source-code/psycopg2/_ipaddress.py → source-code/psycopg2/lib/_ipaddress.py

@@ -3,7 +3,8 @@
 
 # psycopg/_ipaddress.py - Ipaddres-based network types adaptation
 #
-# Copyright (C) 2016 Daniele Varrazzo  <daniele.varrazzo@gmail.com>
+# Copyright (C) 2016-2019 Daniele Varrazzo  <daniele.varrazzo@gmail.com>
+# Copyright (C) 2020-2021 The Psycopg Team
 #
 # psycopg2 is free software: you can redistribute it and/or modify it
 # under the terms of the GNU Lesser General Public License as published