Expand description
Apply configuration to database - the core GitOps engine.
This module handles the synchronization of database state with YAML configuration files. It provides a declarative, idempotent approach to managing PostgreSQL/Redshift users and privileges.
§Safety Features
- Dry-run mode: Preview changes before applying
- Superuser protection: Never automatically deletes superusers
- Opt-in deletion: User deletion requires explicit
--delete-usersflag - SQL injection prevention: All identifiers properly escaped
- Transaction safety: Errors are reported without failing entire operation
§Behavior
§User Management
- Creates users defined in config but missing from database
- Updates passwords when
update_password: trueis set - Optionally deletes users in DB but not in config (with
--delete-users) - Never deletes superusers (safety measure)
§Privilege Management
- Grants all privileges defined in configuration
- Idempotent: safe to run multiple times
- Does NOT automatically revoke privileges removed from config
- This is intentional to prevent accidental privilege loss
- Use
--delete-usersfor full reset, or manually revoke
§Example
# Preview changes
grant apply -f config.yaml --dryrun
# Apply changes
grant apply -f config.yaml
# Apply with user cleanup (destructive!)
grant apply -f config.yaml --delete-usersFunctions§
- apply
- Read the config from the given path and apply it to the database. If the dryrun flag is set, the changes will not be applied. If delete_users is true, users in DB but not in config will be deleted.
- apply_
all - Apply all config files from the given directory. If delete_users is true, users in DB but not in config will be deleted.