We have an ansible task that creates a postgres user (role) for vagrant:
- name: Create vagrant user sudo: true sudo_user: postgres postgresql_user: name=vagrant role_attr_flags=CREATEDB,CREATEUSER
which was working fine with ansible 1.9; but when we upgraded to 2.0, we started getting an error if the user already existed.
TASK [pg-vagrant : Create vagrant user] ****************************************
fatal: [default]: FAILED! => {"changed": false, "failed": true, "module_stderr": "", "module_stdout": "\r\nTraceback (most recent call last):\r\n File \"/tmp/ansible-tmp-1457016468.17-9802839733620/postgresql_user\", line 2722, in \r\n main()\r\n File \"/tmp/ansible-tmp-1457016468.17-9802839733620/postgresql_user\", line 621, in main\r\n changed = user_alter(cursor, module, user, password, role_attr_flags, encrypted, expires, no_password_changes)\r\n File \"/tmp/ansible-tmp-1457016468.17-9802839733620/postgresql_user\", line 274, in user_alter\r\n if current_role_attrs[PRIV_TO_AUTHID_COLUMN[role_attr_name]] != role_attr_value:\r\n File \"/usr/lib/python2.7/dist-packages/psycopg2/extras.py\", line 144, in __getitem__\r\n x = self._index[x]\r\nKeyError: 'rolcreateuser'\r\n", "msg": "MODULE FAILURE", "parsed": false}
When I checked that the user had been created successfully the first time I provisioned:
=# \dg
List of roles
Role name | Attributes | Member of
------------------+------------------------------------------------+-----------
postgres | Superuser, Create role, Create DB, Replication | {}
vagrant | Superuser, Create DB | {}
I noticed that the role actually had Superuser privileges, something the documentation confirmed:
CREATEUSER
NOCREATEUSER
These clauses are an obsolete, but still accepted, spelling of SUPERUSER and NOSUPERUSER. Note that they are not equivalent to CREATEROLE as one might naively expect!
So it looks like somewhere in the toolchain (ansible, psycopg2, postgres) this is no longer supported. Substituting SUPERUSER for CREATEUSER fixed the issue.
Look on my works, ye Mighty, and despair! 