feat(postgresql): support WITH INHERIT FALSE on role membership grants (PostgreSQL 16+) by matthewgreenwaldagility · Pull Request #361 · crossplane-contrib/provider-sql

matthewgreenwaldagility · 2026-04-24T22:21:50Z

Closes #359

What this does

Adds a withInherit boolean field to spec.forProvider on the PostgreSQL Grant resource, enabling WITH INHERIT FALSE on role membership grants — a feature introduced in PostgreSQL 16.

apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Grant
spec:
  forProvider:
    withInherit: false   # emits: GRANT admin TO master_user WITH INHERIT FALSE
    roleRef:
      name: master-user
    memberOfRef:
      name: admin-role

When withInherit is omitted, behaviour is unchanged. When combined with withOption: ADMIN, the emitted SQL is WITH ADMIN OPTION, INHERIT FALSE.

The field is only valid on memberOf grants — setting it on a privilege grant (privileges field) returns a validation error.

Motivation

The primary use case is RDS PostgreSQL with IAM database authentication. Without this field, granting a master user membership in an admin role that holds rds_iam creates a transitive chain (master_user → admin → rds_iam), which causes RDS to route all connections for that user through PAM/IAM token verification, breaking password authentication. WITH INHERIT FALSE grants membership (satisfying ALTER DEFAULT PRIVILEGES FOR ROLE admin) without inheriting rds_iam.

Changes

File	Change
`apis/cluster/postgresql/v1alpha1/grant_types.go`	Add `WithInherit *bool` field to `GrantParameters`
`apis/cluster/postgresql/v1alpha1/zz_generated.deepcopy.go`	Regenerated
`package/crds/postgresql.sql.crossplane.io_grants.yaml`	Regenerated — CRD schema updated
`pkg/controller/cluster/postgresql/grant/reconciler.go`	New `membershipWithClauses` helper; `selectGrantQuery` filters `pg_auth_members.inherit_option` when set; `createGrantQueries` uses new helper; validation rejects `withInherit` on privilege grants
`pkg/controller/cluster/postgresql/grant/reconciler_test.go`	7 new test cases covering `WithInherit` nil/true/false for both `Observe` and `Create`
`examples/cluster/postgresql/grant-with-inherit-false.yaml`	New example illustrating the RDS IAM pattern
`Makefile`	Bump `GOLANGCILINT_VERSION` from `2.1.2` → `2.10.1` to match CI and support Go 1.26
`README.md`	Fix stale Go version (1.18→1.26.1), add mise recommendation, fix copy-paste "Developing locally" section (was provider-helm content), add `Schema` to PostgreSQL resource list, fix example paths

Testing

make reviewable passes (generate + lint + all 26 test packages).

The inherit_option column on pg_auth_members was added in PostgreSQL 16. Setting withInherit on an older cluster will result in a SQL error, which is the expected and documented behaviour.

matthewgreenwaldagility · 2026-04-29T19:00:17Z

@Duologic @jdotw @jvrplmlmn @iainlane Can I get a review on this please? Or at least trigger CI?

chlunde

@matthewgreenwaldagility thanks for your contribution, please take a look at the comments!

chlunde · 2026-05-15T08:39:26Z

@matthewgreenwaldagility could you rebase or merge master into this?

fernandezcuesta · 2026-05-18T20:30:17Z

Also, can you wire this to the PG version? I mean, just to make sure this runs only for Postgres>16 as you mention

Signed-off-by: Matthew Greenwald <matthew.greenwald@agilityrobotics.com>

matthewgreenwaldagility · 2026-05-28T14:51:05Z

@chlunde @fernandezcuesta Comments have been addressed and the changes have been rebased on master. Thanks!