GoogleCloudPlatform · ludoo · Jan 25, 2024 · Jan 23, 2024 · Jan 23, 2024 · Jan 23, 2024
diff --git a/modules/cloudsql-instance/README.md b/modules/cloudsql-instance/README.md
@@ -242,17 +242,67 @@ module "db" {
 }
 # tftest modules=1 resources=1 inventory=insights.yaml
 ```
+
+### Maintenance Config
+
+Provide `maintenance_config` (can be just empty `{}`) to enable [Maintenance](https://cloud.google.com/sql/docs/postgres/maintenance)
+
+```hcl
+module "db" {
+  source     = "./fabric/modules/cloudsql-instance"
+  project_id = var.project_id
+  network_config = {
+    connectivity = {
+      psa_config = {
+        private_network = var.vpc.self_link
+      }
+    }
+  }
+  name             = "db"
+  region           = "europe-west1"
+  database_version = "POSTGRES_13"
+  tier             = "db-g1-small"
+
+  maintenance_config = {}
+}
+# tftest modules=1 resources=1 
+```
+
+### SSL Config
+
+Provide `ssl` (can be just empty `{}`) to enable [SSL](https://cloud.google.com/sql/docs/postgres/configure-ssl-instance)
+
+```hcl
+module "db" {
+  source     = "./fabric/modules/cloudsql-instance"
+  project_id = var.project_id
+  network_config = {
+    connectivity = {
+      psa_config = {
+        private_network = var.vpc.self_link
+      }
+    }
+  }
+  name             = "db"
+  region           = "europe-west1"
+  database_version = "POSTGRES_13"
+  tier             = "db-g1-small"
+
+  ssl = {}
+}
+# tftest modules=1 resources=1 
+```
 <!-- BEGIN TFDOC -->
 ## Variables
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
 | [database_version](variables.tf#L68) | Database type and version to create. | <code>string</code> | ✓ |  |
 | [name](variables.tf#L179) | Name of primary instance. | <code>string</code> | ✓ |  |
-| [network_config](variables.tf#L184) | Network configuration for the instance. Only one between private_network and psc_config can be used. | <code title="object&#40;&#123;&#10;  authorized_networks &#61; optional&#40;map&#40;string&#41;&#41;&#10;  require_ssl         &#61; optional&#40;bool&#41;&#10;  connectivity &#61; object&#40;&#123;&#10;    public_ipv4 &#61; optional&#40;bool, false&#41;&#10;    psa_config &#61; optional&#40;object&#40;&#123;&#10;      private_network &#61; string&#10;      allocated_ip_ranges &#61; optional&#40;object&#40;&#123;&#10;        primary &#61; optional&#40;string&#41;&#10;        replica &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    psc_allowed_consumer_projects &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
-| [project_id](variables.tf#L223) | The ID of the project where this instances will be created. | <code>string</code> | ✓ |  |
-| [region](variables.tf#L228) | Region of the primary instance. | <code>string</code> | ✓ |  |
-| [tier](variables.tf#L248) | The machine type to use for the instances. | <code>string</code> | ✓ |  |
+| [network_config](variables.tf#L184) | Network configuration for the instance. Only one between private_network and psc_config can be used. | <code title="object&#40;&#123;&#10;  authorized_networks &#61; optional&#40;map&#40;string&#41;&#41;&#10;  connectivity &#61; object&#40;&#123;&#10;    public_ipv4 &#61; optional&#40;bool, false&#41;&#10;    psa_config &#61; optional&#40;object&#40;&#123;&#10;      private_network &#61; string&#10;      allocated_ip_ranges &#61; optional&#40;object&#40;&#123;&#10;        primary &#61; optional&#40;string&#41;&#10;        replica &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    psc_allowed_consumer_projects &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
+| [project_id](variables.tf#L217) | The ID of the project where this instances will be created. | <code>string</code> | ✓ |  |
+| [region](variables.tf#L222) | Region of the primary instance. | <code>string</code> | ✓ |  |
+| [tier](variables.tf#L258) | The machine type to use for the instances. | <code>string</code> | ✓ |  |
 | [activation_policy](variables.tf#L16) | This variable specifies when the instance should be active. Can be either ALWAYS, NEVER or ON_DEMAND. Default is ALWAYS. | <code>string</code> |  | <code>&#34;ALWAYS&#34;</code> |
 | [availability_type](variables.tf#L27) | Availability type for the primary replica. Either `ZONAL` or `REGIONAL`. | <code>string</code> |  | <code>&#34;ZONAL&#34;</code> |
 | [backup_configuration](variables.tf#L33) | Backup settings for primary instance. Will be automatically enabled if using MySQL with one or more replicas. | <code title="object&#40;&#123;&#10;  enabled                        &#61; optional&#40;bool, false&#41;&#10;  binary_log_enabled             &#61; optional&#40;bool, false&#41;&#10;  start_time                     &#61; optional&#40;string, &#34;23:00&#34;&#41;&#10;  location                       &#61; optional&#40;string&#41;&#10;  log_retention_days             &#61; optional&#40;number, 7&#41;&#10;  point_in_time_recovery_enabled &#61; optional&#40;bool&#41;&#10;  retention_count                &#61; optional&#40;number, 7&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  enabled                        &#61; false&#10;  binary_log_enabled             &#61; false&#10;  start_time                     &#61; &#34;23:00&#34;&#10;  location                       &#61; null&#10;  log_retention_days             &#61; 7&#10;  point_in_time_recovery_enabled &#61; null&#10;  retention_count                &#61; 7&#10;&#125;">&#123;&#8230;&#125;</code> |
@@ -270,28 +320,28 @@ module "db" {
 | [insights_config](variables.tf#L129) | Query Insights configuration. Defaults to null which disables Query Insights. | <code title="object&#40;&#123;&#10;  query_string_length     &#61; optional&#40;number, 1024&#41;&#10;  record_application_tags &#61; optional&#40;bool, false&#41;&#10;  record_client_address   &#61; optional&#40;bool, false&#41;&#10;  query_plans_per_minute  &#61; optional&#40;number, 5&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [labels](variables.tf#L140) | Labels to be attached to all instances. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
 | [maintenance_config](variables.tf#L146) | Set maintenance window configuration and maintenance deny period (up to 90 days). Date format: 'yyyy-mm-dd'. | <code title="object&#40;&#123;&#10;  maintenance_window &#61; optional&#40;object&#40;&#123;&#10;    day          &#61; number&#10;    hour         &#61; number&#10;    update_track &#61; optional&#40;string, null&#41;&#10;  &#125;&#41;, null&#41;&#10;  deny_maintenance_period &#61; optional&#40;object&#40;&#123;&#10;    start_date &#61; string&#10;    end_date   &#61; string&#10;    start_time &#61; optional&#40;string, &#34;00:00:00&#34;&#41;&#10;  &#125;&#41;, null&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [postgres_client_certificates](variables.tf#L207) | Map of cert keys connect to the application(s) using public IP. | <code>list&#40;string&#41;</code> |  | <code>null</code> |
-| [prefix](variables.tf#L213) | Optional prefix used to generate instance names. | <code>string</code> |  | <code>null</code> |
-| [replicas](variables.tf#L233) | Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation. | <code title="map&#40;object&#40;&#123;&#10;  region              &#61; string&#10;  encryption_key_name &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [root_password](variables.tf#L242) | Root password of the Cloud SQL instance. Required for MS SQL Server. | <code>string</code> |  | <code>null</code> |
-| [users](variables.tf#L253) | Map of users to create in the primary instance (and replicated to other replicas). For MySQL, anything after the first `@` (if present) will be used as the user's host. Set PASSWORD to null if you want to get an autogenerated password. The user types available are: 'BUILT_IN', 'CLOUD_IAM_USER' or 'CLOUD_IAM_SERVICE_ACCOUNT'. | <code title="map&#40;object&#40;&#123;&#10;  password &#61; optional&#40;string&#41;&#10;  type     &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |
+| [prefix](variables.tf#L207) | Optional prefix used to generate instance names. | <code>string</code> |  | <code>null</code> |
+| [replicas](variables.tf#L227) | Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation. | <code title="map&#40;object&#40;&#123;&#10;  region              &#61; string&#10;  encryption_key_name &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [root_password](variables.tf#L236) | Root password of the Cloud SQL instance. Required for MS SQL Server. | <code>string</code> |  | <code>null</code> |
+| [ssl](variables.tf#L242) | Setting to enable SSL, set config and certificates. | <code title="object&#40;&#123;&#10;  client_certificates &#61; optional&#40;list&#40;string&#41;&#41;&#10;  require_ssl         &#61; optional&#40;bool&#41;&#10;  ssl_mode &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [users](variables.tf#L263) | Map of users to create in the primary instance (and replicated to other replicas). For MySQL, anything after the first `@` (if present) will be used as the user's host. Set PASSWORD to null if you want to get an autogenerated password. The user types available are: 'BUILT_IN', 'CLOUD_IAM_USER' or 'CLOUD_IAM_SERVICE_ACCOUNT'. | <code title="map&#40;object&#40;&#123;&#10;  password &#61; optional&#40;string&#41;&#10;  type     &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
 | name | description | sensitive |
 |---|---|:---:|
-| [connection_name](outputs.tf#L24) | Connection name of the primary instance. |  |
-| [connection_names](outputs.tf#L29) | Connection names of all instances. |  |
-| [dns_name](outputs.tf#L37) | The dns name of the instance. |  |
-| [dns_names](outputs.tf#L42) | Dns names of all instances. |  |
-| [id](outputs.tf#L50) | Fully qualified primary instance id. |  |
-| [ids](outputs.tf#L55) | Fully qualified ids of all instances. |  |
-| [instances](outputs.tf#L63) | Cloud SQL instance resources. | ✓ |
-| [ip](outputs.tf#L69) | IP address of the primary instance. |  |
-| [ips](outputs.tf#L74) | IP addresses of all instances. |  |
-| [name](outputs.tf#L82) | Name of the primary instance. |  |
-| [names](outputs.tf#L87) | Names of all instances. |  |
-| [postgres_client_certificates](outputs.tf#L95) | The CA Certificate used to connect to the SQL Instance via SSL. | ✓ |
+| [client_certificates](outputs.tf#L24) | The CA Certificate used to connect to the SQL Instance via SSL. | ✓ |
+| [connection_name](outputs.tf#L30) | Connection name of the primary instance. |  |
+| [connection_names](outputs.tf#L35) | Connection names of all instances. |  |
+| [dns_name](outputs.tf#L43) | The dns name of the instance. |  |
+| [dns_names](outputs.tf#L48) | Dns names of all instances. |  |
+| [id](outputs.tf#L56) | Fully qualified primary instance id. |  |
+| [ids](outputs.tf#L61) | Fully qualified ids of all instances. |  |
+| [instances](outputs.tf#L69) | Cloud SQL instance resources. | ✓ |
+| [ip](outputs.tf#L75) | IP address of the primary instance. |  |
+| [ips](outputs.tf#L80) | IP addresses of all instances. |  |
+| [name](outputs.tf#L88) | Name of the primary instance. |  |
+| [names](outputs.tf#L93) | Names of all instances. |  |
 | [psc_service_attachment_link](outputs.tf#L101) | The link to service attachment of PSC instance. |  |
 | [psc_service_attachment_links](outputs.tf#L106) | Links to service attachment of PSC instances. |  |
 | [self_link](outputs.tf#L114) | Self link of the primary instance. |  |

diff --git a/modules/cloudsql-instance/main.tf b/modules/cloudsql-instance/main.tf
@@ -71,7 +71,8 @@ resource "google_sql_database_instance" "primary" {
       ipv4_enabled       = var.network_config.connectivity.public_ipv4
       private_network    = try(var.network_config.connectivity.psa_config.private_network, null)
       allocated_ip_range = try(var.network_config.connectivity.psa_config.allocated_ip_ranges.primary, null)
-      require_ssl        = var.network_config.require_ssl
+      require_ssl        = var.ssl.require_ssl
+      ssl_mode           = var.ssl.ssl_mode
       dynamic "authorized_networks" {
         for_each = var.network_config.authorized_networks != null ? var.network_config.authorized_networks : {}
         iterator = network
@@ -223,7 +224,6 @@ resource "random_password" "passwords" {
   special = true
 }
 
-
 resource "google_sql_user" "users" {
   for_each = local.users
   project  = var.project_id
@@ -234,8 +234,13 @@ resource "google_sql_user" "users" {
   type     = each.value.type
 }
 
-resource "google_sql_ssl_cert" "postgres_client_certificates" {
-  for_each    = var.postgres_client_certificates != null ? toset(var.postgres_client_certificates) : toset([])
+moved {
+  from = google_sql_ssl_cert.postgres_client_certificates
+  to   = google_sql_ssl_cert.client_certificates
+}
+
+resource "google_sql_ssl_cert" "client_certificates" {
+  for_each    = var.ssl.client_certificates != null ? toset(var.ssl.client_certificates) : toset([])
   provider    = google-beta
   project     = var.project_id
   instance    = google_sql_database_instance.primary.name

diff --git a/modules/cloudsql-instance/outputs.tf b/modules/cloudsql-instance/outputs.tf
@@ -21,6 +21,12 @@ locals {
   )
 }
 
+output "client_certificates" {
+  description = "The CA Certificate used to connect to the SQL Instance via SSL."
+  value       = google_sql_ssl_cert.client_certificates
+  sensitive   = true
+}
+
 output "connection_name" {
   description = "Connection name of the primary instance."
   value       = google_sql_database_instance.primary.connection_name
@@ -92,12 +98,6 @@ output "names" {
   }
 }
 
-output "postgres_client_certificates" {
-  description = "The CA Certificate used to connect to the SQL Instance via SSL."
-  value       = google_sql_ssl_cert.postgres_client_certificates
-  sensitive   = true
-}
-
 output "psc_service_attachment_link" {
   description = "The link to service attachment of PSC instance."
   value       = google_sql_database_instance.primary.psc_service_attachment_link

diff --git a/modules/cloudsql-instance/variables.tf b/modules/cloudsql-instance/variables.tf
@@ -160,15 +160,15 @@ variable "maintenance_config" {
   default = {}
   validation {
     condition = (
-      var.maintenance_config.maintenance_window == null ? true : (
+      try(var.maintenance_config.maintenance_window, null) == null ? true : (
         # Maintenance window day validation below
         var.maintenance_config.maintenance_window.day >= 1 &&
         var.maintenance_config.maintenance_window.day <= 7 &&
         # Maintenance window hour validation below
         var.maintenance_config.maintenance_window.hour >= 0 &&
         var.maintenance_config.maintenance_window.hour <= 23 &&
         # Maintenance window update_track validation below
-        var.maintenance_config.maintenance_window.update_track == null ? true :
+        try(var.maintenance_config.maintenance_window.update_track, null) == null ? true :
         contains(["canary", "stable"], var.maintenance_config.maintenance_window.update_track)
       )
     )
@@ -185,7 +185,6 @@ variable "network_config" {
   description = "Network configuration for the instance. Only one between private_network and psc_config can be used."
   type = object({
     authorized_networks = optional(map(string))
-    require_ssl         = optional(bool)
     connectivity = object({
       public_ipv4 = optional(bool, false)
       psa_config = optional(object({
@@ -204,11 +203,6 @@ variable "network_config" {
   }
 }
 
-variable "postgres_client_certificates" {
-  description = "Map of cert keys connect to the application(s) using public IP."
-  type        = list(string)
-  default     = null
-}
 
 variable "prefix" {
   description = "Optional prefix used to generate instance names."
@@ -245,6 +239,22 @@ variable "root_password" {
   default     = null
 }
 
+variable "ssl" {
+  description = "Setting to enable SSL, set config and certificates."
+  type = object({
+    client_certificates = optional(list(string))
+    require_ssl         = optional(bool)
+    # More details @ https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#ssl_mode
+    ssl_mode = optional(string)
+  })
+  default  = {}
+  nullable = false
+  validation {
+    condition     = var.ssl.ssl_mode == null || var.ssl.ssl_mode == "ALLOW_UNENCRYPTED_AND_ENCRYPTED" || var.ssl.ssl_mode == "ENCRYPTED_ONLY" || var.ssl.ssl_mode == "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+    error_message = "The variable ssl_mode can be ALLOW_UNENCRYPTED_AND_ENCRYPTED, ENCRYPTED_ONLY for all, or TRUSTED_CLIENT_CERTIFICATE_REQUIRED for PostgreSQL or MySQL."
+  }
+}
+
 variable "tier" {
   description = "The machine type to use for the instances."
   type        = string