Managing Postgres users & roles with Terraform Cloud


I’m looking for a way to manage Postgres users, roles and their permissions with Terraform Cloud.

In my use case, the database is used by more than one application. The first application needs read/write access, while the second one only read access to certain tables. I would like to configure this with Terraform Cloud.

The database is an AWS RDS instance deployed in a private VPC – without external access.

There are Terraform providers that help manage a Postgres server, e.g. cyrilgdn/postgresql, however they need direct access to the server, which would be difficult and not secure, especially when used with Terraform Cloud.

I’ve also read about Atlas. It’s close to my needs, but still does not fit my needs – it is assumed that Terraform will be run from a server in the AWS VPC, which doesn’t fit my needs.

Yet another possibility could be Terraform Vault, but I’m not sure if it’s designed for this kind of setup and I’m not eager to set up another tool solely for this purpose.

I’m wondering about using a Lambda with Terraform Postgres provider. The Lambda could run the SQL statements on RDS. I’m aware that it’s not a trivial solution, but that’s the only possible approach that I can think of.

I’d be grateful for any other solutions, experiences to share or comments :slight_smile:

Hi @bartosz,

The HashiCorp-managed execution environment in Terraform Cloud is designed primarily for interacting with public cloud APIs over the internet. As you’ve found, this environment is not really appropriate for interacting with internal services that would require Terraform to run on a specific private network.

For running Terraform inside a private network, you’d need to use Terraform Cloud Agents. This additional piece of software communicates with Terraform Cloud to find out when a Terraform operation needs to take place, and then runs Terraform Core on the same computer where the agent is installed, thereby giving it access to everything reachable over the network from that computer.

However, you also mentioned that the third-party Atlas solution is not appropriate because it requires running additional software in the same VPC as your Postgres server. Running Terraform Cloud Agent in that VPC would therefore presumably also not be appropriate, in which case I’m afraid I don’t have anything else to suggest: if the Postgres server is only accessible via a private IP address then you will need to run something in the same network as that private IP address to act as a bridge for external requests.

Hi @apparentlymart,

Thank you for confirmation from the Terraform Cloud side. I agree that the only way is to have some sort of agent in the private network.

I’ve thought that maybe someone has already tried the AWS Lambda approach that I’m thinking of or has the same problem and would be interested in having this kind of provider.