From 1c2f1c7b0d565db3b3f56bdcb2dfbfac80351975 Mon Sep 17 00:00:00 2001
From: Francesco Spinelli <90899331+Francesco-cloud24@users.noreply.github.com>
Date: Mon, 13 Nov 2023 10:27:14 +0100
Subject: [PATCH] Sql user features (#1856)
* added user type feature
* fix readme
* fix comment
* fix blueprint cloudsql users value + minor fix
* readme fix
* variables fix
* local var fix
* fix for in local var
* fix on readme
* fix intentations var in readme
* fix blueprint user quote
---------
Co-authored-by: Francesco Spinelli
---
 .../cloudsql-multiregion/cloudsql.tf | 4 +-
 .../third-party-solutions/phpipam/cloudsql.tf | 4 +-
 .../wordpress/cloudrun/cloudsql.tf | 4 +-
 modules/cloudsql-instance/README.md | 10 +++--
 modules/cloudsql-instance/main.tf | 39 ++++++++++---------
 modules/cloudsql-instance/variables.tf | 9 +++--
 6 files changed, 43 insertions(+), 27 deletions(-)
diff --git a/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf b/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf
index e25812df..5dab5d6b 100644
--- a/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf
+++ b/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf
@@ -34,7 +34,9 @@ module "db" {
 }
 databases = [var.postgres_database]
 users = {
- postgres = var.postgres_user_password
+ postgres = {
+ password = var.postgres_user_password
+ }
 }
 }
diff --git a/blueprints/third-party-solutions/phpipam/cloudsql.tf b/blueprints/third-party-solutions/phpipam/cloudsql.tf
index 24a47b66..f3b7a786 100644
--- a/blueprints/third-party-solutions/phpipam/cloudsql.tf
+++ b/blueprints/third-party-solutions/phpipam/cloudsql.tf
@@ -27,6 +27,8 @@ module "cloudsql" {
 region = var.region
 tier = local.cloudsql_conf.tier
 users = {
- "${local.cloudsql_conf.user}" = var.cloudsql_password
+ "${local.cloudsql_conf.user}" = {
+ password = var.cloudsql_password
+ }
 }
 }
diff --git a/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf b/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf
index 4ed2ed19..2ebe9e14 100644
--- a/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf
+++ b/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf
@@ -61,7 +61,9 @@ module "cloudsql" {
 tier = local.cloudsql_conf.tier
 databases = [local.cloudsql_conf.db]
 users = {
- "${local.cloudsql_conf.user}" = var.cloudsql_password
+ "${local.cloudsql_conf.user}" = {
+ password = var.cloudsql_password
+ }
 }
 deletion_protection = false
 }
diff --git a/modules/cloudsql-instance/README.md b/modules/cloudsql-instance/README.md
index c0f72cae..1a934769 100644
--- a/modules/cloudsql-instance/README.md
+++ b/modules/cloudsql-instance/README.md
@@ -86,9 +86,13 @@ module "db" {
 users = {
 # generatea password for user1
- user1 = null
+ user1 = {
+ password = null
+ }
 # assign a password to user2
- user2 = "mypassword"
+ user2 = {
+ password = "mypassword"
+ }
 }
 }
 # tftest modules=1 resources=6 inventory=custom.yaml
@@ -212,7 +216,7 @@ module "db" {
 | [replicas](variables.tf#L179) | Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation. | map(object({…})) | | {} |
 | [require_ssl](variables.tf#L188) | Enable SSL connections only. | bool | | null |
 | [root_password](variables.tf#L194) | Root password of the Cloud SQL instance. Required for MS SQL Server. | string | | null |
-| [users](variables.tf#L205) | Map of users to create in the primary instance (and replicated to other replicas) in the format USER=>PASSWORD. For MySQL, anything afterr the first `@` (if persent) will be used as the user's host. Set PASSWORD to null if you want to get an autogenerated password. | map(string) | | null |
+| [users](variables.tf#L205) | Map of users to create in the primary instance (and replicated to other replicas). For MySQL, anything afterr the first `@` (if persent) will be used as the user's host. Set PASSWORD to null if you want to get an autogenerated password. The user types available are: 'BUILT_IN', 'CLOUD_IAM_USER' or 'CLOUD_IAM_SERVICE_ACCOUNT'. | map(object({…})) | | null |
 ## Outputs
diff --git a/modules/cloudsql-instance/main.tf b/modules/cloudsql-instance/main.tf
index fd3d9abd..cc6e62af 100644
--- a/modules/cloudsql-instance/main.tf
+++ b/modules/cloudsql-instance/main.tf
@@ -1,4 +1,4 @@
-/**
+/** TO MOD
 * Copyright 2022 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,6 +17,7 @@ locals {
 prefix = var.prefix == null ? "" : "${var.prefix}-"
 is_mysql = can(regex("^MYSQL", var.database_version))
+ is_postgres = can(regex("^POSTGRES", var.database_version))
 has_replicas = try(length(var.replicas) > 0, false)
 is_regional = var.availability_type == "REGIONAL" ? true : false
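Review bot: The first main.tf hunk changes the opening line of the license header to `/** TO MOD`, which looks like a leftover working marker rather than an intentional edit; it should be reverted to `/**` before merge. The rest of that comment block continues outside the hunk. The `is_postgres` local added in the second hunk mirrors the existing `is_mysql` line and needs no change, though the tail of the `locals` block is not visible here.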
@@ -25,20 +26,20 @@ locals {
 enable_backup = var.backup_configuration.enabled || (local.is_mysql && local.has_replicas) || (local.is_mysql && local.is_regional)
 users = {
- for user, password in coalesce(var.users, {}) :
- (user) => (
- local.is_mysql
- ? {
- name = split("@", user)[0]
- host = try(split("@", user)[1], null)
- password = try(random_password.passwords[user].result, password)
- }
- : {
- name = user
- host = null
- password = try(random_password.passwords[user].result, password)
- }
- )
+ for k, v in coalesce(var.users, {}) :
+ k =>
+ local.is_mysql ?
+ {
+ name = try(v.type, "BUILT_IN") == "BUILT_IN" ? split("@", k)[0] : k
+ host = try(v.type, "BUILT_IN") == "BUILT_IN" ? try(split("@", k)[1], null) : null
+ password = try(v.type, "BUILT_IN") == "BUILT_IN" ? try(random_password.passwords[k].result, v.password) : null
+ type = try(v.type, "BUILT_IN")
+ } : {
+ name = local.is_postgres ? try(trimsuffix(k, ".gserviceaccount.com"), k) : k
+ host = null
+ password = try(v.type, "BUILT_IN") == "BUILT_IN" ? try(random_password.passwords[k].result, v.password) : null
+ type = try(v.type, "BUILT_IN")
+ }
 }
 }
@@ -178,14 +179,15 @@ resource "google_sql_database" "databases" {
 resource "random_password" "passwords" {
 for_each = toset([
- for user, password in coalesce(var.users, {}) :
- user
- if password == null
+ for k, v in coalesce(var.users, {}) :
+ k
+ if v.password == null
 ])
 length = 16
 special = true
 }
+
 resource "google_sql_user" "users" {
 for_each = local.users
 project = var.project_id
@@ -193,6 +195,7 @@ resource "google_sql_user" "users" {
 name = each.value.name
 host = each.value.host
 password = each.value.password
+ type = each.value.type
 }
 resource "google_sql_ssl_cert" "postgres_client_certificates" {
diff --git a/modules/cloudsql-instance/variables.tf b/modules/cloudsql-instance/variables.tf
index d13889b0..7fda3e9b 100644
--- a/modules/cloudsql-instance/variables.tf
+++ b/modules/cloudsql-instance/variables.tf
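Review bot: In the new `local.users` expression, `try(v.type, "BUILT_IN")` does not fall back to `BUILT_IN` for a user declared without a `type`: `try` only moves on to its next argument on an error, and reading an `optional(string)` attribute that was omitted yields `null` without error, so `== "BUILT_IN"` is false, `password` resolves to `null` and `type = null` is handed to the resource. The three blueprint hunks in this same change declare users as `{ password = ... }` with no `type`, so as written their passwords appear to be dropped. Use `coalesce(v.type, "BUILT_IN")` instead, computed once per user in a helper such as `user_types = { for k, v in coalesce(var.users, {}) : k => coalesce(v.type, "BUILT_IN") }` and referenced as `local.user_types[k]` in place of the five repeated `try(...)` calls. Separately, the Postgres branch applies `trimsuffix(k, ".gserviceaccount.com")` to every user regardless of type, which would rename a BUILT_IN user whose name ends in that suffix; if the trim is meant for IAM service accounts only, guard it on the type (the surrounding `try()` is redundant, since `trimsuffix` cannot fail on a string). The `locals` block starts before this hunk.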
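Review bot: The `for_each` filter on `random_password.passwords` selects every user whose `password` is `null`, which after this change also matches `CLOUD_IAM_USER` and `CLOUD_IAM_SERVICE_ACCOUNT` entries, since those never carry a password; a random secret is generated and persisted in state for each of them even though `local.users` discards it for non-BUILT_IN types. Restricting generation to built-in users keeps unused secrets out of state, e.g. `if v.password == null && coalesce(v.type, "BUILT_IN") == "BUILT_IN"`. The `google_sql_user.users` resource that begins at the end of this hunk continues outside it.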
@@ -203,8 +203,11 @@ variable "tier" {
 }
 variable "users" {
- description = "Map of users to create in the primary instance (and replicated to other replicas) in the format USER=>PASSWORD. For MySQL, anything afterr the first `@` (if persent) will be used as the user's host. Set PASSWORD to null if you want to get an autogenerated password."
- type = map(string)
- default = null
+ description = "Map of users to create in the primary instance (and replicated to other replicas). For MySQL, anything afterr the first `@` (if persent) will be used as the user's host. Set PASSWORD to null if you want to get an autogenerated password. The user types available are: 'BUILT_IN', 'CLOUD_IAM_USER' or 'CLOUD_IAM_SERVICE_ACCOUNT'."
+ type = map(object({
+ password = optional(string)
+ type = optional(string)
+ }))
+ default = null
 }
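Review bot: `type` is declared as a free-form `optional(string)` with neither a default nor a `validation` block, so the three accepted values named in the description are enforced only by the provider at apply time, and an omitted `type` reaches `main.tf` as `null` rather than `BUILT_IN`. Giving the attribute a default of `"BUILT_IN"` and validating the value against the allowed list moves the failure to `plan` with a clear message; the two-argument `optional(type, default)` form needs Terraform 1.3+, which the existing use of `optional()` already implies. The new description also carries over the pre-existing typos `afterr` and `persent`, which could be fixed while the string is being rewritten.
```hcl
variable "users" {
  # … unchanged: description …
  type = map(object({
    password = optional(string)
    type     = optional(string, "BUILT_IN")
  }))
  default = null
  validation {
    condition = alltrue([
      for u in coalesce(var.users, {}) :
      contains(["BUILT_IN", "CLOUD_IAM_USER", "CLOUD_IAM_SERVICE_ACCOUNT"], coalesce(u.type, "BUILT_IN"))
    ])
    error_message = "Each user's type must be one of BUILT_IN, CLOUD_IAM_USER or CLOUD_IAM_SERVICE_ACCOUNT."
  }
}
```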