I am using the Pulumi Go SDK. When I try to destroy a stack where I provisioned a new SQL DatabaseInstance, Database, password and user, I get this error message:
21:00:33 [2022-07-05T18:00:33.872Z] Diagnostics:
21:00:33 [2022-07-05T18:00:33.874Z] gcp:sql:User (gcp-test02-user:myuser):
21:00:33 [2022-07-05T18:00:33.875Z] error: deleting urn:pulumi:us-east4-gcp-test02::cluster::gcp:myuser/sql:Database$gcp:sql/user:User::gcp-test02-user:myuser: 1 error occurred:
21:00:33 [2022-07-05T18:00:33.876Z] * Error, failed to deleteuser myuser in instance gcp-test02-1b95d9a: googleapi: Error 400: Invalid request: failed to delete user myuser: . role "myuser" cannot be dropped because some objects depend on it Details: 640 objects in database mydatabases., invalid
21:00:33 [2022-07-05T18:00:33.877Z]
21:00:33 [2022-07-05T18:00:33.877Z] gcp:sql:Database (gcp-test02-db:mydatabases):
21:00:33 [2022-07-05T18:00:33.879Z] error: deleting urn:pulumi:us-east4-auto-mgmt-console-gcp-test02::cluster::gcp:myuser/sql:Database$gcp:sql/database:Database::gcp-test02-db:mydatabases: 1 error occurred:
21:00:33 [2022-07-05T18:00:33.880Z] * Error when reading or editing Database: googleapi: Error 400: Invalid request: failed to delete database "sentinellabs". Detail: pq: database "sentinellabs" is being accessed by other users. (Please use psql client to delete database that is not owned by "cloudsqlsuperuser")., invalid
21:00:33 [2022-07-05T18:00:33.881Z]
21:00:33 [2022-07-05T18:00:33.881Z] pulumi:pulumi:Stack (cluster-us-east4-auto-mgmt-console-gcp-test02):
21:00:33 [2022-07-05T18:00:33.882Z] error: update failed
CodePudding user response:
It looks like there might be an additional database added to that SQL instance that is being accessed and locked. You might have to log in to the SQL instance and drop that db first, then run pulumi refresh, and pulumi destroy. The 400 error is being returned from Google.
CodePudding user response:
[...] failed to delete user myuser: . role "myuser" cannot be dropped because some objects depend on it [...]
DROP USER (or DROP ROLE) cannot proceed while the role still owns anything or has any granted privileges on other objects.
In the GCP Console, in your Cloud SQL instance, you should get rid of all privileges with DROP OWNED (which isn't obvious). The manual:
[...] Any privileges granted to the given roles on objects in the current database and on shared objects (databases, tablespaces) will also be revoked.
So the sequence of commands to drop a role should be:
REASSIGN OWNED BY myuser TO postgres;
DROP OWNED BY myuser;
Run both commands in every database of the same cluster where the role owns anything or has any privileges. And then:
DROP USER myuser;
REASSIGN OWNED changes ownership for all objects currently owned by the role. DROP OWNED then only revokes privileges (ownerships out of the way).
Try pulumi destroy again.
Finally, you should run ‘pulumi refresh’, and then the CLI should detect that it was deleted and remove it from the stack.
Recommended:
- Drop a role with privileges (with a function to generate commands for all relevant DBs)
- Find objects linked to a PostgreSQL role
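The sequence from the answers above, extended with catalog queries that show where the role still has dependencies and who is connected to the database. This is an added example, not part of the original answers; it assumes a psql session as the postgres administrative role and reuses the names myuser and mydatabases from the error output.

```sql
-- Added example. Run with psql; 'myuser' and 'mydatabases' are the names
-- from the error output, 'postgres' is the assumed administrative role.

-- 1. Which databases hold dependencies on the role? pg_shdepend is a shared
--    catalog, so this answers for the whole cluster from any database.
--    deptype: o = ownership, a = granted privilege (ACL), r = policy target.
SELECT COALESCE(d.datname, '(shared object)') AS db_name,
       s.deptype,
       count(*) AS objects
FROM   pg_shdepend s
LEFT   JOIN pg_database d ON d.oid = s.dbid   -- dbid = 0 for shared objects
WHERE  s.refclassid = 'pg_authid'::regclass
AND    s.refobjid   = 'myuser'::regrole
GROUP  BY 1, 2
ORDER  BY 1, 2;

-- 2. In each database listed above (\connect <db_name>), review what the
--    role owns before handing it over.
SELECT n.nspname AS schema_name, c.relname AS object_name, c.relkind
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relowner = 'myuser'::regrole
ORDER  BY 1, 2;

-- 3. Still in that database: transfer ownership, then revoke what is left.
--    Unless run as a superuser, REASSIGN OWNED requires membership in both
--    the source and the target role.
REASSIGN OWNED BY myuser TO postgres;
DROP OWNED BY myuser;

-- 4. Once every database is done, query 1 must return zero rows. Only then:
DROP USER myuser;

-- 5. For the "being accessed by other users" error: list the sessions that
--    are still connected to the database before retrying the destroy.
SELECT pid, usename, application_name, client_addr, state, backend_start
FROM   pg_stat_activity
WHERE  datname = 'mydatabases'
AND    pid <> pg_backend_pid();
```

If query 1 still returns rows after step 3, a database was missed; repeat steps 2 and 3 there before dropping the role.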