GoogleCloudPlatform · slevenick · Sep 28, 2022 · Aug 23, 2022 · Aug 23, 2022 · Aug 24, 2022
diff --git a/mmv1/templates/terraform/examples/sql_database_instance_my_sql.tf.erb b/mmv1/templates/terraform/examples/sql_database_instance_my_sql.tf.erb
@@ -20,5 +20,15 @@ resource "google_sql_user" "user" {
     name = "user"
     instance = google_sql_database_instance.instance.name
     password = random_password.pwd.result
+    password_policy {
+      allowed_failed_attempts  = 6
+      password_expiration_duration  =  "30s"
+      enable_failed_attempts_check = true
+      status {
+        locked = true
+        password_expiration_time = "2023-07-23T04:06:22.114-07:00"
+      }
+      enable_password_verification = true
+  }
 }
 # [END cloud_sql_mysql_instance_user]
diff --git a/mmv1/third_party/terraform/resources/resource_sql_user.go b/mmv1/third_party/terraform/resources/resource_sql_user.go
@@ -105,6 +105,55 @@ func resourceSqlUser() *schema.Resource {
 				},
 			},
 
+			"password_policy": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"allowed_failed_attempts": {
+							Type:        schema.TypeInt,
+							Optional:    true,
+							Description: `Number of failed attempts allowed before the user get locked.`,
+						},
+						"password_expiration_duration": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: `Password expiration duration with one week grace period.`,
+						},
+						"enable_failed_attempts_check": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Description: `If true, the check that will lock user after too many failed login attempts will be enabled.`,
+						},
+						"status": {
+							Type:     schema.TypeList,
+							Optional: true,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"locked": {
+										Type:        schema.TypeBool,
+										Optional:    true,
+										Description: `If true, user does not have login privileges.`,
+									},
+									"password_expiration_time": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Description: `Password expiration duration with one week grace period.`,
+									},
+								},
+							},
+						},
+						"enable_password_verification": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Description: `If true, the user must specify the current password before changing the password. This flag is supported only for MySQL.`,
+						},
+					},
+				},
+			},
+
 			"project": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -142,6 +191,44 @@ func expandSqlServerUserDetails(cfg interface{}) (*sqladmin.SqlServerUserDetails
 
 }
 
+func expandPasswordPolicy(cfg interface{}) (*sqladmin.UserPasswordValidationPolicy, error) {
+	raw := cfg.([]interface{})[0].(map[string]interface{})
+
+	pp := &sqladmin.UserPasswordValidationPolicy{}
+
+	if v, ok := raw["allowed_failed_attempts"]; ok {
+		pp.AllowedFailedAttempts = int64(v.(int))
+	}
+	if v, ok := raw["password_expiration_duration"]; ok {
+		pp.PasswordExpirationDuration = v.(string)
+	}
+	if v, ok := raw["enable_failed_attempts_check"]; ok {
+		pp.EnableFailedAttemptsCheck = v.(bool)
+	}
+	if v, ok := raw["enable_password_verification"]; ok {
+		pp.EnablePasswordVerification = v.(bool)
+	}
+	if v, ok := raw["status"]; ok {
+		pp.Status = expandStatus(v)
+	}
+
+	return pp, nil
+
+}
+
+func expandStatus(cfg interface{}) *sqladmin.PasswordStatus {
+	raw := cfg.([]interface{})[0].(map[string]interface{})
+
+	status := &sqladmin.PasswordStatus{}
+	if v, ok := raw["locked"]; ok {
+		status.Locked = v.(bool)
+	}
+	if v, ok := raw["password_expiration_time"]; ok {
+		status.PasswordExpirationTime = v.(string)
+	}
+	return status
+}
+
 func resourceSqlUserCreate(d *schema.ResourceData, meta interface{}) error {
 	config := meta.(*Config)
 	userAgent, err := generateUserAgentString(d, config.userAgent)
@@ -176,6 +263,14 @@ func resourceSqlUserCreate(d *schema.ResourceData, meta interface{}) error {
 		user.SqlserverUserDetails = ssud
 	}
 
+	if v, ok := d.GetOk("password_policy"); ok {
+		pp, err := expandPasswordPolicy(v)
+		if err != nil {
+			return err
+		}
+		user.PasswordPolicy = pp
+	}
+
 	mutexKV.Lock(instanceMutexKey(project, instance))
 	defer mutexKV.Unlock(instanceMutexKey(project, instance))
 	var op *sqladmin.Operation

diff --git a/mmv1/third_party/terraform/tests/resource_sql_user_test.go b/mmv1/third_party/terraform/tests/resource_sql_user_test.go
@@ -279,6 +279,43 @@ func testAccSqlUserDestroyProducer(t *testing.T) func(s *terraform.State) error
 	}
 }
 
+func TestAccSqlUser_mysqlPasswordPolicy(t *testing.T) {
+	// Multiple fine-grained resources
+	skipIfVcr(t)
+	t.Parallel()
+
+	instance := fmt.Sprintf("i-%d", randInt(t))
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccSqlUserDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testGoogleSqlUser_mysqlPasswordPolicy(instance, "password", false),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleSqlUserExists(t, "google_sql_user.user1"),
+					testAccCheckGoogleSqlUserExists(t, "google_sql_user.user2"),
+				),
+			},
+			{
+				// Update password
+				Config: testGoogleSqlUser_mysqlPasswordPolicy(instance, "new_password", false),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleSqlUserExists(t, "google_sql_user.user1"),
+					testAccCheckGoogleSqlUserExists(t, "google_sql_user.user2"),
+				),
+			},
+			{
+				ResourceName:            "google_sql_user.user2",
+				ImportStateId:           fmt.Sprintf("%s/%s/gmail.com/admin", getTestProjectFromEnv(), instance),
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"password"},
+			},
+		},
+	})
+}
+
 func testGoogleSqlUser_mysql(instance, password string, disabled bool) string {
 	return fmt.Sprintf(`
 resource "google_sql_database_instance" "instance" {
@@ -311,6 +348,58 @@ resource "google_sql_user" "user2" {
 `, instance, password, disabled)
 }
 
+func testGoogleSqlUser_mysqlPasswordPolicy(instance, password string, disabled bool) string {
+	return fmt.Sprintf(`
+resource "google_sql_database_instance" "instance" {
+  name                = "%s"
+  region              = "us-central1"
+  database_version    = "MYSQL_5_7"
+  deletion_protection = false
+  settings {
+    tier = "db-f1-micro"
+  }
+}
+
+resource "google_sql_user" "user1" {
+  name     = "admin"
+  instance = google_sql_database_instance.instance.name
+  host     = "google.com"
+  password = "%s"
+  sql_server_user_details {
+    disabled = "%t"
+    server_roles = [ "admin" ]  	
+  }
+	password_policy {
+		allowed_failed_attempts  = 6
+    password_expiration_duration  =  "30s"
+    enable_failed_attempts_check = true
+    status {
+      locked = true
+      password_expiration_time = "2023-07-23T04:06:22.114-07:00"
+    }
+    enable_password_verification = true
+  }
+}
+
+resource "google_sql_user" "user2" {
+  name     = "admin"
+  instance = google_sql_database_instance.instance.name
+  host     = "gmail.com"
+  password = "hunter2"
+	password_policy {
+		allowed_failed_attempts  = 6
+    password_expiration_duration  =  "30s"
+    enable_failed_attempts_check = true
+    status {
+      locked = true
+      password_expiration_time = "2023-07-23T04:06:22.114-07:00"
+    }
+    enable_password_verification = true
+  }
+}
+`, instance, password, disabled)
+}
+
 func testGoogleSqlUser_postgres(instance, password string) string {
 	return fmt.Sprintf(`
 resource "google_sql_database_instance" "instance" {

diff --git a/mmv1/third_party/terraform/website/docs/r/sql_user.html.markdown b/mmv1/third_party/terraform/website/docs/r/sql_user.html.markdown
@@ -100,6 +100,22 @@ The following arguments are supported:
 * `project` - (Optional) The ID of the project in which the resource belongs. If it
     is not provided, the provider project is used.
 
+The optional `password_policy` block is only supported by Mysql. The `password_policy` block supports:
+
+* `allowed_failed_attempts` - (Optional) Number of failed attempts allowed before the user get locked.
+
+* `password_expiration_duration` - (Optional) Password expiration duration with one week grace period.
+
+* `enable_failed_attempts_check` - (Optional) If true, the check that will lock user after too many failed login attempts will be enabled.
+
+* `enable_password_verification` - (Optional) If true, the user must specify the current password before changing the password. This flag is supported only for MySQL.
+
+The optional `password_policy.status` subblock supports:
+
+* `locked` - (Optional) If true, user does not have login privileges.
+
+* `password_expiration_time` - (Optional) Password expiration duration with one week grace period.
+
 ## Attributes Reference
 
 Only the arguments listed above are exposed as attributes.