community.postgresql.postgresql_privs puzzling behaviour on state: absent #582

Open
dmorel opened this issue Sep 15, 2023 · 0 comments
dmorel commented Sep 15, 2023

SUMMARY

Puzzling behaviour when revoking default_privs: using state: absent disregards both objs and privs, and just revokes all on TABLES, SEQUENCES and TYPES.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

community.postgresql.postgresql_privs

ANSIBLE VERSION

ansible [core 2.15.4]
  config file = /Users/dmorel/git/seenons-x-infra/ansible/ansible.cfg
  configured module search path = ['/Users/dmorel/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/dmorel/git/seenons-x-infra/.venv/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/dmorel/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/dmorel/git/seenons-x-infra/.venv/bin/ansible
  python version = 3.10.12 (main, Jun 20 2023, 08:52:58) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/Users/dmorel/git/seenons-x-infra/.venv/bin/python)
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION

# /Users/dmorel/.ansible/collections/ansible_collections
Collection           Version
-------------------- -------
community.postgresql 3.2.0

# /Users/dmorel/.pyenv/versions/3.10.12/lib/python3.10/site-packages/ansible_collections
Collection           Version
-------------------- -------
community.postgresql 2.4.2

CONFIGURATION

CONFIG_FILE() = /Users/dmorel/git/seenons-x-infra/ansible/ansible.cfg
DEFAULT_HOST_LIST(/Users/dmorel/git/seenons-x-infra/ansible/ansible.cfg) = ['/Users/dmorel/git/seenons-x-infra/ansible/hosts']
DEFAULT_REMOTE_USER(/Users/dmorel/git/seenons-x-infra/ansible/ansible.cfg) = ec2-user
DEFAULT_ROLES_PATH(/Users/dmorel/git/seenons-x-infra/ansible/ansible.cfg) = ['/Users/dmorel/git/seenons-x-infra/ansible/roles']
EDITOR(env: EDITOR) = vim
HOST_KEY_CHECKING(/Users/dmorel/git/seenons-x-infra/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/Users/dmorel/git/seenons-x-infra/ansible/ansible.cfg) = auto_silent
PAGER(env: PAGER) = less

OS / ENVIRONMENT

STEPS TO REPRODUCE

- name: Grant default privileges
  community.postgresql.postgresql_privs:
    database: coredb_dev
    schema: public
    objs: TABLES
    type: default_privs
    target_roles: writers
    roles: developers
    privs: TRUNCATE,TRIGGER
    login_user: "{{ login_user }}"
    login_password: "{{ login_password }}"
    login_host: "{{ login_host }}"
    login_db: "{{ login_db }}"
    state: absent

EXPECTED RESULTS

I expect this to run: ALTER DEFAULT PRIVILEGES FOR ROLE writers IN SCHEMA public REVOKE TRUNCATE,TRIGGER ON TABLES FROM developers

ACTUAL RESULTS

What it runs (as indicated by ansible-playbook -vvv):

    "queries": [
        "ALTER DEFAULT PRIVILEGES FOR ROLE \"writers\" IN SCHEMA \"public\" REVOKE ALL ON TABLES FROM \"developers\";\nALTER DEFAULT PRIVILEGES FOR ROLE \"writers\" IN SCHEMA \"public\" REVOKE ALL ON SEQUENCES FROM \"developers\";\nALTER DEFAULT PRIVILEGES FOR ROLE \"writers\" IN SCHEMA \"public\" REVOKE ALL ON TYPES FROM \"developers\";"
    ]

My assumption is "state: absent" triggers a default behaviour that removes all permissions for a hardcoded list of object types, and that's it.

@dmorel changed the title from "community.postgresql.postgresql_privs behaviour: state: absent" to "community.postgresql.postgresql_privs puzzling behaviour on state: absent" on Sep 15, 2023
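
A check that compares the `queries` list returned by the module with the task's `objs` and `privs`, so a revoke wider than requested is flagged rather than passing unnoticed. This is an added example, not part of the original issue or the collection's code; `split_csv`, `parse_revokes` and `audit_revokes` are hypothetical helper names, and the sample data is the task and output quoted in the report.

```python
import re

# One statement as reported in the module's "queries" result (quotes optional).
STMT = re.compile(
    r'ALTER DEFAULT PRIVILEGES\s+FOR ROLE\s+"?(?P<target>[^"\s]+)"?\s+'
    r'IN SCHEMA\s+"?(?P<schema>[^"\s]+)"?\s+'
    r'REVOKE\s+(?P<privs>.+?)\s+ON\s+(?P<objs>\w+)\s+'
    r'FROM\s+"?(?P<role>[^"\s;]+)"?', re.IGNORECASE)

def split_csv(value):
    """'TRUNCATE,TRIGGER' -> {'TRUNCATE', 'TRIGGER'}"""
    return {v.strip().upper() for v in value.split(",") if v.strip()}

def parse_revokes(queries):
    """Return one dict per ALTER DEFAULT PRIVILEGES ... REVOKE statement."""
    parsed = []
    for query in queries:
        for stmt in query.split(";"):
            m = STMT.search(stmt)
            if m:
                parsed.append({**m.groupdict(), "privs": split_csv(m["privs"]),
                               "objs": m["objs"].upper()})
    return parsed

def audit_revokes(task, queries):
    """List every way the executed REVOKEs go beyond the task's objs/privs."""
    want_privs, want_objs = split_csv(task["privs"]), split_csv(task["objs"])
    findings = []
    for r in parse_revokes(queries):
        if r["objs"] not in want_objs:
            findings.append(f"unrequested object type: {r['objs']}")
        extra = r["privs"] - want_privs
        if extra:
            findings.append(f"{r['objs']}: revoked {sorted(extra)}, not requested")
    return findings

# Task parameters and "queries" output copied from the report above.
TASK = {"objs": "TABLES", "privs": "TRUNCATE,TRIGGER"}
REPORTED = [
    'ALTER DEFAULT PRIVILEGES FOR ROLE "writers" IN SCHEMA "public" REVOKE ALL ON TABLES FROM "developers";\n'
    'ALTER DEFAULT PRIVILEGES FOR ROLE "writers" IN SCHEMA "public" REVOKE ALL ON SEQUENCES FROM "developers";\n'
    'ALTER DEFAULT PRIVILEGES FOR ROLE "writers" IN SCHEMA "public" REVOKE ALL ON TYPES FROM "developers";'
]
# The statement the reporter expected instead.
EXPECTED = ['ALTER DEFAULT PRIVILEGES FOR ROLE writers IN SCHEMA public '
            'REVOKE TRUNCATE,TRIGGER ON TABLES FROM developers']

if __name__ == "__main__":
    print("\n".join(audit_revokes(TASK, REPORTED)) or "no over-broad revokes")
```

Fed the registered result of the task (its `queries` key), the same function can back an assertion in a playbook or CI job before the change is promoted.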