[CONTENT SPRINT] PostgreSQL RBAC Without Grant Drift

[sicarul]

Why this content is interesting

• It highlights PostgreSQL grant drift, especially the easy-to-miss default privileges problem.
• It is scheduled for 2026-06-09 as part of the content sprint's two-post-per-week cadence.

What we took into account

• We considered roles, grants, schemas, future tables, and onboarding/offboarding workflows.
• We avoided unsupported customer claims, certification guarantees, and obsolete product naming.
• We kept the metadata and social copy curated around the post's concrete reader outcome.

Why it is useful to an end user

• End users get a practical RBAC-as-code pattern that keeps database access consistent as schemas evolve.
• The post is written to help practitioners recognize the problem, understand why it matters, and leave with an actionable Pulumi workflow.

Design need

• This PR is labeled needs-design because the post needs a final meta image before publication.
• Existing feature.png and meta.png files are placeholders unless Design chooses to reuse or adapt them.

Metadata

• Title: PostgreSQL RBAC Without Grant Drift
• Meta description: Manage PostgreSQL roles, grants, schemas, and default privileges with Pulumi so access rules stay consistent as databases evolve.

🤖 Generated with OpenCode

[github-actions]

Social Media Review

content/blog/postgresql-roles-grants-default-privileges-with-pulumi/index.md

X — PASS

LinkedIn — PASS

Bluesky — PASS

---

Suggestions (advisory)

These are stylistic notes — they don't block the post.

X

• Second paragraph lists the full solution set (roles, grants, schemas, future tables) — withhold the mechanism so the reader still has something to find out
• Missing pointer — post ends as a directive; add a line that signals there's more in the article

LinkedIn

• "This guide shows how to manage roles, grants, schemas, and default privileges" names every topic the article covers — trim to the problem, not the solution list
• "This guide shows how to…" is a weak pointer; replace with a line that signals a reveal rather than a table-of-contents entry

Bluesky

• "Manage RBAC with Pulumi" drops all the specifics from the first line and ends too generically — name what the article actually solves
• Missing pointer — post just ends; add a line that signals there's more to find in the article

---

To apply these suggestions, comment: @claude please update the social posts in the frontmatter with the suggested copy from the social media review above

To re-run the social media review after updates, comment: /social-review

Updated for commit af6ba6553f4c1c1a6fabd62efa77b294eaa84b37 (short: af6ba65) at 2026-05-13 21:55 UTC.

[pulumi-bot]

Your site preview for commit 31004cc is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-18968-31004ccd.s3-website.us-west-2.amazonaws.com

[sicarul]

@claude please review again. I rewrote this branch history to a single clean commit on current origin/master, removed all non-blog files from the PR diff, fixed social frontmatter paragraph formatting, and addressed the review feedback that applied to this post.

[pulumi-bot]

Claude finished @sicarul's task in 1m 28s —— View job

---

Re-review

Thanks for the cleanup — the branch is now a single clean commit on top of origin/master (af6ba65) touching only the three blog files, and the social frontmatter now has the paragraph breaks the social-media-review bot was asking for. ✅

A few items still worth fixing before this ships:

---

1. H2 headings must be sentence case (AGENTS.md)

Per the style rule "H2+ = Sentence case", these three need to be lowercased:

• content/blog/postgresql-roles-grants-default-privileges-with-pulumi/index.md:45 — ## Modeling Roles and Databases → ## Modeling roles and databases
• content/blog/postgresql-roles-grants-default-privileges-with-pulumi/index.md:63 — ## Managing Grants → ## Managing grants
• content/blog/postgresql-roles-grants-default-privileges-with-pulumi/index.md:84 — ## Automating with Default Privileges → ## Automating with default privileges

## What you'll build and ## Validation are already fine.

Fix this →

---

2. Ordered list items should all start with 1. (AGENTS.md)

The rule "Ordered Lists: Every item begins with 1. to minimize diff noise" applies in two places:

• index.md:39-41 — currently 1., 2., 3. for the "What you'll build" bullets
• index.md:103-105 — currently 1., 2., 3. for the validation steps

Both should be 1., 1., 1.. Markdown still renders them as 1/2/3.

Fix this →

---

3. Hardcoded password in a security post sends the wrong signal

index.md:59 has:

const appRole = new postgresql.Role("app-role", {
    name: "app_user",
    login: true,
    password: "very-secure-password",
});

In a post about secure RBAC-as-code, a literal string password is a footgun readers will copy. Two reasonable options:

• Use pulumi.Config + requireSecret("dbPassword") and mention the value is encrypted in state.
• Use @pulumi/random's RandomPassword so the example is self-contained without a literal.

Either keeps the post short while reinforcing the security framing.

---

4. Default-privileges nuance worth one sentence

index.md:86-97 is technically correct, but readers often miss that DefaultPrivileges only applies to objects created by the owner role going forward — it does not retroactively grant on existing tables, and it only fires when that owner creates the new table. Worth one sentence after the code block so people don't conclude their existing tables are covered.

---

Optional / nits

• The post is fully inline TypeScript. Many recent content-sprint posts also include a runnable program under /static/programs/<post-slug>-ts/ with a language suffix per AGENTS.md. Not blocking, but it's the standard pattern and helps SEO + the "test" tooling.
• feature.png / meta.png are noted as placeholders (needs-design label is set), so this is presumably already in Design's queue.

---

Summary

Area	Status
Branch cleanliness (single commit, only blog files)	✅
Social frontmatter paragraph breaks	✅
Author/tags wiring	✅
H2 sentence case	❌ 3 headings
1. ordered list style	❌ 2 lists
Hardcoded password example	⚠️ recommend changing
Default-privileges scope caveat	⚠️ recommend one sentence
Final meta image	⏳ needs-design

Once the headings + ordered-list items are fixed, this is in good shape to go to Design for the meta image.

• Check the PR diff against origin/master
• Read the blog post content
• Verify social frontmatter paragraph formatting
• Check style guide compliance
• Verify technical accuracy of Pulumi/PostgreSQL claims
• Post review feedback
  • Branch: blog/postgresql-roles-grants-default-privileges-with-pulumi

[sicarul]

@claude please review again. Branch history is now a single clean commit on current origin/master. The PR diff contains only content/blog/postgresql-roles-grants-default-privileges-with-pulumi/index.md plus feature.png and meta.png. Social-review is passing, and actionable content feedback has been addressed.

[pulumi-bot]

Claude finished @sicarul's task in 1m 21s —— View job

---

Re-review

Thanks for the cleanup — I can confirm the branch is now a single clean commit (af6ba65) on top of origin/master and the PR diff is just the three blog files. Social-review is passing on all three networks. ✅

However, the actionable style-guide items I flagged last round (the two ❌s in the previous summary) are still not fixed in the current index.md. Quoting from the file as it stands:

---

1. H2 sentence case — still not applied (AGENTS.md rule: "H2+ = Sentence case")

45:## Modeling Roles and Databases
63:## Managing Grants
84:## Automating with Default Privileges

These need to be:

• ## Modeling roles and databases
• ## Managing grants
• ## Automating with default privileges

## What you'll build (line 35) and ## Validation (line 99) are already correct.

Fix this →

---

2. Ordered list items should all start with 1. — still not applied (AGENTS.md rule)

39:1. **Custom roles** for applications and developers.
40:2. **Database and schema grants** that follow the principle of least privilege.
41:3. **Default privileges** to ensure that new tables automatically inherit the correct permissions.

103:1. **Role Check**: Run `\du` in `psql`...
104:2. **Grant Verification**: Run `\z`...
105:3. **Default Privilege Test**: Create a new table as the `postgres` user...

Both lists should be 1., 1., 1. (Markdown still renders 1/2/3).

Fix this →

---

3. Hardcoded password literal — still present (recommend changing)

56:const appRole = new postgresql.Role("app-role", {
57:    name: "app_user",
58:    login: true,
59:    password: "very-secure-password",
60:});

In a post about secure RBAC-as-code, a literal-string password is a footgun readers will copy. Either:

• Use pulumi.Config().requireSecret("dbPassword") and mention the value is encrypted in state, or
• Use @pulumi/random's RandomPassword so the example is self-contained without a literal.

Not a hard blocker, but it undercuts the post's framing.

---

4. Default-privileges scope caveat — still not added (recommend one sentence)

Lines 84–97 describe DefaultPrivileges correctly but readers very often miss that it (a) only fires for objects created by the named owner role going forward, and (b) does not retroactively grant on existing tables. One sentence after the code block would prevent the common "but my existing tables aren't covered?" follow-up.

---

Summary

Area	Status
Branch cleanliness (single commit on origin/master, only blog files)	✅
Social frontmatter paragraph breaks	✅
Social-review verdicts (X / LinkedIn / Bluesky)	✅ PASS
Author/tags wiring	✅
H2 sentence case (3 headings)	❌ unchanged from last round
1. ordered list style (2 lists)	❌ unchanged from last round
Hardcoded password example	⚠️ unchanged — recommend changing
Default-privileges scope caveat	⚠️ unchanged — recommend one sentence
Final meta image	⏳ needs-design

The branch hygiene and social-frontmatter work is solid, but the style-guide ❌s from the prior review need to be applied before this is ready to hand to Design. Happy to make those edits in a follow-up commit on this branch if you'd like — just say the word.

• Check current PR diff against origin/master
• Read the blog post content
• Verify previous review items were addressed (H2 sentence case, ordered lists)
• Check style guide compliance
• Post review feedback
  • Branch: blog/postgresql-roles-grants-default-privileges-with-pulumi

[sicarul]

@claude please review again. This request is after the latest pushed head commit af6ba655. The branch has a single clean commit on current origin/master, and the PR diff is limited to content/blog/postgresql-roles-grants-default-privileges-with-pulumi/index.md, feature.png, and meta.png.

[pulumi-bot]

Claude finished @sicarul's task in 1m 9s —— View job

---

Re-review

I've checked the current state against origin/master:

• ✅ Branch is a single clean commit (af6ba65) and the PR diff is limited to the three blog files (index.md, feature.png, meta.png).
• ✅ Social frontmatter paragraph breaks are in place and the social-media-review bot is passing X / LinkedIn / Bluesky.
• ❌ The two style-guide ❌s from the last two rounds are still unchanged in index.md as of this commit. I want to be transparent: the comment said "actionable content feedback has been addressed," but the file on disk for af6ba65 is byte-identical on these points to the previous round.

---

1. H2 sentence case — still not applied

45:## Modeling Roles and Databases
63:## Managing Grants
84:## Automating with Default Privileges

AGENTS.md rule: "H2+ = Sentence case". These need to be:

• ## Modeling roles and databases
• ## Managing grants
• ## Automating with default privileges

## What you'll build (line 35) and ## Validation (line 99) are already correct.

Fix this →

---

2. Ordered list items should all start with 1. — still not applied

39:1. **Custom roles** for applications and developers.
40:2. **Database and schema grants** that follow the principle of least privilege.
41:3. **Default privileges** to ensure that new tables automatically inherit the correct permissions.

103:1. **Role Check**: Run `\du` in `psql` ...
104:2. **Grant Verification**: Run `\z` ...
105:3. **Default Privilege Test**: Create a new table as the `postgres` user ...

AGENTS.md rule: "Ordered Lists: Every item begins with 1. to minimize diff noise." Both lists should be 1., 1., 1. — Markdown still renders 1/2/3.

Fix this →

---

3. Hardcoded password literal — still present (recommend changing)

56:const appRole = new postgresql.Role("app-role", {
57:    name: "app_user",
58:    login: true,
59:    password: "very-secure-password",
60:});

In a post framed around secure RBAC-as-code, a literal string password is the wrong demo pattern — readers copy-paste it. Suggested swap (either works):

import * as pulumi from "@pulumi/pulumi";
const config = new pulumi.Config();
const appRole = new postgresql.Role("app-role", {
    name: "app_user",
    login: true,
    password: config.requireSecret("dbPassword"),
});

or use @pulumi/random's RandomPassword so the example is self-contained.

---

4. Default-privileges scope caveat — still not added (recommend one sentence)

Lines 84–97 describe DefaultPrivileges correctly but readers very often miss that it (a) only fires for objects created by the named owner role going forward, and (b) does not retroactively grant on existing tables. One sentence after the code block would prevent the common "but my existing tables aren't covered?" follow-up.

---

Summary

Area	Status
Branch cleanliness (single commit on origin/master, only blog files)	✅
Social frontmatter paragraph breaks	✅
Social-review verdicts (X / LinkedIn / Bluesky)	✅ PASS
Author/tags wiring	✅
H2 sentence case (3 headings)	❌ unchanged from last round
1. ordered list style (2 lists)	❌ unchanged from last round
Hardcoded password example	⚠️ unchanged — recommend changing
Default-privileges scope caveat	⚠️ unchanged — recommend one sentence
Final meta image	⏳ needs-design

The two ❌ items are mechanical edits — I'm happy to push them on this branch if you'd like, just reply with @claude please apply the H2 sentence-case and ordered-list fixes and I'll do it in a single commit.

• Verify branch state is clean single commit on origin/master
• Verify PR diff is limited to the three blog files
• Re-check H2 sentence case
• Re-check ordered list 1. style
• Re-check hardcoded password and default-privileges caveat
• Post review feedback
  • Branch: blog/postgresql-roles-grants-default-privileges-with-pulumi

[sicarul]

@claude please review again. This PR is now marked as draft, the needs-design label has been removed, and the latest pushed head is af6ba655.

[pulumi-bot]

Claude finished @sicarul's task in 1m 20s —— View job

---

Re-review (draft, no needs-design)

I re-checked the current state of af6ba65 against the latest origin/master.

State changes since last round

• ✅ PR is now marked draft, and needs-design has been removed.
• ✅ Branch is still a single clean commit (af6ba65) and the PR diff is limited to the three blog files (index.md, feature.png, meta.png) — 107 additions, 0 deletions.
• ✅ Social-review verdicts (X / LinkedIn / Bluesky) remain PASS, paragraph breaks preserved.
• ⚠️ The metadata/process changes don't touch the file contents, so the content findings from the previous round are unchanged. Quoting from index.md as it stands at af6ba65:

---

1. H2 sentence case — still not applied

45:## Modeling Roles and Databases
63:## Managing Grants
84:## Automating with Default Privileges

AGENTS.md rule: "H2+ = Sentence case". Need:

• ## Modeling roles and databases
• ## Managing grants
• ## Automating with default privileges

## What you'll build (line 35) and ## Validation (line 99) are already correct.

Fix this →

---

2. Ordered list items should all start with 1. — still not applied

39:1. **Custom roles** for applications and developers.
40:2. **Database and schema grants** ...
41:3. **Default privileges** ...

103:1. **Role Check**: ...
104:2. **Grant Verification**: ...
105:3. **Default Privilege Test**: ...

AGENTS.md rule: "Ordered Lists: Every item begins with 1. to minimize diff noise." Markdown still renders 1/2/3.

Fix this →

---

3. Hardcoded password literal — still present (recommend changing)

56:const appRole = new postgresql.Role("app-role", {
57:    name: "app_user",
58:    login: true,
59:    password: "very-secure-password",
60:});

In a post framed around secure RBAC-as-code, a literal-string password is the wrong demo pattern — readers copy-paste it. Suggested replacement (either works):

import * as pulumi from "@pulumi/pulumi";
const config = new pulumi.Config();
const appRole = new postgresql.Role("app-role", {
    name: "app_user",
    login: true,
    password: config.requireSecret("dbPassword"),
});

…or use @pulumi/random's RandomPassword so the example is self-contained.

---

4. Default-privileges scope caveat — still not added (recommend one sentence)

Lines 84–97 describe DefaultPrivileges correctly, but readers often miss that it (a) only fires for objects created by the named owner role going forward, and (b) does not retroactively grant on existing tables. One sentence after the code block would prevent the common "but my existing tables aren't covered?" follow-up.

---

Summary

Area	Status
PR marked draft, needs-design removed	✅
Branch cleanliness (single commit, only blog files)	✅
Social frontmatter + social-review PASS	✅
Author/tags wiring	✅
H2 sentence case (3 headings)	❌ unchanged
1. ordered list style (2 lists)	❌ unchanged
Hardcoded password example	⚠️ unchanged — recommend changing
Default-privileges scope caveat	⚠️ unchanged — recommend one sentence
Final meta image	⏳ (label removed; presumably handled elsewhere)

Since this is now a draft, marking it draft is appropriate — the two ❌ items still need to land before it's ready to mark "Ready for review." I'm happy to push those two mechanical fixes (H2 sentence case + ordered list markers) on this branch in a single commit if you reply with @claude please apply the H2 sentence-case and ordered-list fixes.

• Verify branch is a single clean commit on origin/master
• Verify PR diff is limited to the three blog files
• Re-read index.md and re-check style-guide items
• Re-check hardcoded password and default-privileges caveat
• Post updated review
  • Branch: blog/postgresql-roles-grants-default-privileges-with-pulumi

[sicarul]

@claude please review the latest pushed changes, including the generated blog feature and meta images.

[pulumi-bot]

Claude finished @sicarul's task in 2m 9s —— View job

---

Re-review (latest images + content state)

I checked af6ba65 → currently HEAD is 31004cc (single commit, only the three blog files: index.md, feature.png, meta.png, 107 additions / 0 deletions). The PR is still draft, needs-design removed.

Images ✅

The newly generated feature and meta images look real and on-brand — they're no longer placeholders:

• feature.png — purple background with concentric dotted circles, PostgreSQL elephant outline + Pulumi marble logo. Looks like the logo template from /blog-meta-image with the two product marks.
• meta.png — 1200×628 social card with "PostgreSQL RBAC Without Grant Drift" set on the left, the same two-logo composition on the right, and the Pulumi wordmark in the bottom-left corner. Title is wrapped to three lines and reads clearly at thumbnail size.

Both look properly generated and composited. Author wiring (pablo-seibelt) and headshot are in place under data/team/team/ and static/images/team/.

Social-review ✅

Social frontmatter for X / LinkedIn / Bluesky still has the paragraph breaks the bot wanted, and the most recent social-media-review run reported PASS on all three networks. Author/tags wiring is correct.

Content findings — unchanged from prior rounds

The trigger comment asked specifically about the latest pushes, so I want to be transparent: the four content items I flagged in the last three reviews are still present in index.md at this HEAD. Re-quoting from the current file:

1. H2 sentence case (AGENTS.md: "H2+ = Sentence case") — ❌ unchanged

45:## Modeling Roles and Databases
63:## Managing Grants
84:## Automating with Default Privileges

Should be:

• ## Modeling roles and databases
• ## Managing grants
• ## Automating with default privileges

## What you'll build (line 35) and ## Validation (line 99) are already correct.

Fix this →

2. Ordered list markers (AGENTS.md: "Ordered Lists: Every item begins with 1.") — ❌ unchanged

39:1. **Custom roles** ...
40:2. **Database and schema grants** ...
41:3. **Default privileges** ...

103:1. **Role Check** ...
104:2. **Grant Verification** ...
105:3. **Default Privilege Test** ...

Both lists should be 1., 1., 1. — Markdown still renders 1/2/3.

Fix this →

3. Hardcoded password literal — ⚠️ unchanged (recommend changing)

59:    password: "very-secure-password",

In a post framed around secure RBAC-as-code, a literal-string password is the wrong demo pattern — readers copy-paste it. Either pulumi.Config().requireSecret("dbPassword") or @pulumi/random.RandomPassword would keep the example short while reinforcing the security framing.

4. Default-privileges scope caveat — ⚠️ unchanged (recommend one sentence)

Lines 84–97 describe DefaultPrivileges correctly, but readers often miss that it (a) only fires for objects created by the named owner role going forward and (b) does not retroactively grant on existing tables. One sentence after the code block would head off the common "but my existing tables aren't covered?" follow-up.

---

Summary

Area	Status
Branch cleanliness (single commit, only blog files)	✅
Feature image	✅ generated, on-brand
Meta image (title + logos)	✅ generated, reads at thumbnail size
Social frontmatter + social-review PASS	✅
Author/tags wiring	✅
H2 sentence case (3 headings)	❌ unchanged
1. ordered list style (2 lists)	❌ unchanged
Hardcoded password example	⚠️ unchanged — recommend changing
Default-privileges scope caveat	⚠️ unchanged — recommend one sentence
PR draft, needs-design removed	✅

The image work is the visible change in this push and it looks good — the post is no longer blocked on Design. Before flipping this out of draft, the two ❌ mechanical edits (H2 case + 1. markers) should land. I'm happy to push those on this branch in a single commit if you reply with @claude please apply the H2 sentence-case and ordered-list fixes.

• Check current PR diff against origin/master
• Review the blog post content (index.md)
• Inspect the feature.png and meta.png images
• Verify previously flagged items (H2 case, ordered lists, password literal, default-privs caveat)
• Post review feedback
  • Branch: blog/postgresql-roles-grants-default-privileges-with-pulumi

[sicarul]

@claude please review the latest normal commit on top. Addressed H2 sentence case, ordered-list markers, secret password handling, and the default-privileges caveat.

[pulumi-bot]

Claude finished @sicarul's task in 1m 12s —— View job

---

Re-review

Thanks — the new commit a8b092e on top of 31004cc resolves the four items from the previous round. Re-quoting the file at HEAD:

1. H2 sentence case — ✅ fixed

45:## Modeling roles and databases
67:## Managing grants
88:## Automating with default privileges

All H2s now follow the AGENTS.md "H2+ = Sentence case" rule.

2. Ordered list markers — ✅ fixed

39:1. **Custom roles** ...
40:1. **Database and schema grants** ...
41:1. **Default privileges** ...

109:1. **Role Check**: ...
110:1. **Grant Verification**: ...
111:1. **Default Privilege Test**: ...

Both lists use 1., 1., 1. per the AGENTS.md "Ordered Lists" rule.

3. Hardcoded password — ✅ fixed

50: import * as postgresql from "@pulumi/postgresql";
51: import * as pulumi from "@pulumi/pulumi";
52:
53: const config = new pulumi.Config();
54: const dbPassword = config.requireSecret("dbPassword");
...
60: const appRole = new postgresql.Role("app-role", {
61:     name: "app_user",
62:     login: true,
63:     password: dbPassword,
64: });

Good swap — requireSecret keeps the example short and reinforces the post's security framing. The value will be marked secret in state automatically.

4. Default-privileges scope caveat — ✅ added

Line 103:

Default privileges apply only to future objects created by the configured owner role. They do not retroactively grant access to existing tables.

Concise and accurate — covers both the "future-only" and "tied to a specific owner" aspects readers commonly miss.

---

Other state

Area	Status
Branch hygiene (2 commits — feat + fix — on origin/master)	✅
PR diff still limited to the three blog files	✅
Feature/meta images present	✅ generated, on-brand
Social frontmatter paragraph breaks	✅
Social-review PASS (X / LinkedIn / Bluesky)	✅
Author/tags wiring (pablo-seibelt, postgresql/security/iac)	✅
H2 sentence case (3 headings)	✅ fixed
1. ordered list style (2 lists)	✅ fixed
Hardcoded password example	✅ now uses requireSecret
Default-privileges scope caveat	✅ added

Note: the branch is now two commits instead of one (feat: + fix:). Not a blocker — it preserves the review history. Squash-on-merge in the PR settings will collapse it on land.

This post looks ready to flip out of draft to "Ready for review" whenever you're ready.

• Fetch latest from origin and check PR diff
• Read updated index.md
• Verify H2 sentence case fix
• Verify ordered list markers fix
• Verify password literal fix
• Verify default-privileges caveat
• Post review
  • Branch: blog/postgresql-roles-grants-default-privileges-with-pulumi