fix/msp/postgresqlroles: wait for databases to be provisioned

[bobheadxi]

Wait for databases to be provisioned before granting database-specific roles to the operator access user.

Test plan

Re-apply fixed https://sourcegraph.slack.com/archives/C05E2LHPQLX/p1718850688397579, indicating a race condition on database creation. Diff looks good:

@@ -1447,10 +1472,15 @@
             "path": "cloudrun/cloudrun-postgresqlroles-msp_iam-operator_access_service_account_table_grant",
             "uniqueId": "cloudrun-postgresqlroles-msp_iam-operator_access_service_account_table_grant"
           }
         },
         "database": "msp_iam",
+        "depends_on": [
+          "google_sql_database.postgresql-database-enterprise-portal",
+          "google_sql_database.postgresql-database-enterprise_portal",
+          "google_sql_database.postgresql-database-msp_iam"
+        ],
         "object_type": "table",
         "objects": [
         ],
         "privileges": [
           "SELECT"

Changelog

• MSP Cloud SQL: Fix race condition between database creation and role grants for the read-only operator access user

[jac]

Kinda a weird one because there is already an implicit dependency.
The grants use the Operator SqlUser which explicitly depends on the databases.

Looking at the terraform apply for the run which didn't work the ordering already looks correct. I wouldn't be surprised if this PR doesn't actually fix the issue (I could be wrong though)

[unknwon]

🚀

[bobheadxi]

The grants use the Operator SqlUser which explicitly depends on the databases.

@jac For the second+ database, if added later, the operator SqlUser will already be available, so while that dependency is there, it is fulfilled right away I think.

But, we'll find out for sure when @unknwon adds a second DB for Cody Analytics 😛

[unknwon]

But, we'll find out for sure when @unknwon adds a second DB for Cody Analytics

Is Cody Analytics going to have a database at all? 😂 (it has 0 right now, a stateless service haha)

[bobheadxi]

Doh, you're right. Well, guess we'll find out... another time

[jac]

For the second+ database, if added later, the operator SqlUser will already be available, so while that dependency is there, it is fulfilled right away I think.

Terraform should still respect the ordering of the dependency graph for changes meaning database creation should still happen first