feat!: Aligned the behaviour of additional_users resource in all 3 Cl…

…oud SQL instance modules. (#398)

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: g-awmalik <malik.awais@gmail.com>
Co-authored-by: Awais Malik <awmalik@google.com>
Co-authored-by: CFT Bot <cloud-foundation-bot@google.com>

docs/upgrading_to_sql_db_14.0.0.md

@@ -1,6 +1,6 @@
 # Upgrading to SQL DB 14.0.0
 
-The 14.0.0 release of SQL DB is a backward incompatible release. This incompatibility affects `postgresql` submodule that uses IAM authentication.
+The 14.0.0 release of SQL DB is a backward incompatible release. This incompatibility affects `postgresql` submodule that uses IAM authentication. It also affects `additional_users` variable in all 3 modules.
 
 ## Migration Instructions
 
@@ -113,3 +113,111 @@ done
 ```
 
 After IAM bindings are moved, **terraform apply should be without any changes**.
+
+### Added `random_password` field in `additional_users` variable in postgresql module
+This change is in effort to align the behavior of `additional_users` variable in all the modules. Setting `random_password` field generates a random password for the user. Exactly one of `password` or `random_password` should be set.
+
+```diff
+module "pg" {
+  source  = "GoogleCloudPlatform/sql-db/google//modules/postgresql"
+- version = "~> 13.0"
++ version = "~> 14.0"
+
+  name                 = "test"
+  database_version     = "POSTGRES_14"
+  project_id           = var.project_id
+  zone                 = "europe-west1-b"
+  region               = "europe-west1"
+  tier                 = "db-custom-1-3840"
+
+  additional_users = [
+    {
+      name            = "john"
+      password        = "password"
++     random_password = false
+    }
+  ]
+}
+```
+
+### Added `random_password` field in `additional_users` variable in mssql module
+This change is in effort to align the behavior of `additional_users` variable in all the modules. Setting `random_password` field generates a random password for the user. At most one of `password` or `random_password` should be set.
+
+```diff
+module "mssql" {
+  source  = "GoogleCloudPlatform/sql-db/google//modules/mssql"
+- version = "~> 13.0"
++ version = "~> 14.0"
+
+  name                 = "test"
+  database_version     = "SQLSERVER_2017_STANDARD"
+  project_id           = var.project_id
+  zone                 = "europe-west1-b"
+  region               = "europe-west1"
+  tier                 = "db-custom-1-3840"
+
+  additional_users = [
+    {
+      name            = "john"
+      password        = "password"
++     random_password = false
+    }
+  ]
+}
+```
+
+### Changed the variable type of `additional_users` in mysql module
+This change is in effort to align the behavior of `additional_users` variable in all the modules. Setting `random_password` field generates a random password for the user. At most one of `password` or `random_password` should be set. `user_host` would be the host value for the additional users if the `host` field is set as `null`. You can use `type` to create IAM users.
+
+```diff
+module "mysql" {
+  source  = "GoogleCloudPlatform/sql-db/google//modules/mysql"
+- version = "~> 13.0"
++ version = "~> 14.0"
+
+  name                 = "test"
+  database_version     = "MYSQL_8_0"
+  project_id           = var.project_id
+  zone                 = "europe-west1-b"
+  region               = "europe-west1"
+  tier                 = "db-custom-1-3840"
+
+  additional_users = [
+    {
+      name            = "john"
+      password        = "password"
++     random_password = false
++     host            = null
++     type            = null
+    }
+  ]
+}
+```
+
+### Added `random_password` field in `additional_users` variable in safer_mysql module
+This change is in effort to align the behavior of `additional_users` variable in all the modules. Setting `random_password` field generates a random password for the user. At most one of `password` or `random_password` should be set.
+
+```diff
+module "smysql" {
+  source  = "GoogleCloudPlatform/sql-db/google//modules/safer_mysql"
+- version = "~> 13.0"
++ version = "~> 14.0"
+
+  name                 = "test"
+  database_version     = "MYSQL_8_0"
+  project_id           = var.project_id
+  zone                 = "europe-west1-b"
+  region               = "europe-west1"
+  tier                 = "db-custom-1-3840"
+
+  additional_users = [
+    {
+      name            = "john"
+      password        = "password"
+      type            = "BUILT_IN"
+      host            = "%"
++     random_password = false
+    }
+  ]
+}
+```

examples/mysql-ha/main.tf

@@ -143,16 +143,18 @@ module "mysql" {
 
   additional_users = [
     {
-      name     = "tftest2"
-      password = "abcdefg"
-      host     = "localhost"
-      type     = "BUILT_IN"
+      name            = "tftest2"
+      password        = "abcdefg"
+      host            = "localhost"
+      type            = "BUILT_IN"
+      random_password = false
     },
     {
-      name     = "tftest3"
-      password = "abcdefg"
-      host     = "localhost"
-      type     = "BUILT_IN"
+      name            = "tftest3"
+      password        = "abcdefg"
+      host            = "localhost"
+      type            = "BUILT_IN"
+      random_password = false
     },
   ]
 }

examples/mysql-private/main.tf

@@ -60,16 +60,18 @@ module "safer-mysql-db" {
   // Cloud SQL proxy.
   additional_users = [
     {
-      name     = "app"
-      password = "PaSsWoRd"
-      host     = "localhost"
-      type     = "BUILT_IN"
+      name            = "app"
+      password        = "PaSsWoRd"
+      host            = "localhost"
+      type            = "BUILT_IN"
+      random_password = false
     },
     {
-      name     = "readonly"
-      password = "PaSsWoRd"
-      host     = "localhost"
-      type     = "BUILT_IN"
+      name            = "readonly"
+      password        = "PaSsWoRd"
+      host            = "localhost"
+      type            = "BUILT_IN"
+      random_password = false
     },
   ]
 

examples/postgresql-ha/main.tf

@@ -141,14 +141,16 @@ module "pg" {
 
   additional_users = [
     {
-      name     = "tftest2"
-      password = "abcdefg"
-      host     = "localhost"
+      name            = "tftest2"
+      password        = "abcdefg"
+      host            = "localhost"
+      random_password = false
     },
     {
-      name     = "tftest3"
-      password = "abcdefg"
-      host     = "localhost"
+      name            = "tftest3"
+      password        = "abcdefg"
+      host            = "localhost"
+      random_password = false
     },
   ]
 }

examples/postgresql-public-iam/main.tf

@@ -54,14 +54,16 @@ module "postgresql-db" {
 
   additional_users = [
     {
-      name     = "tftest2"
-      password = "Ex@mp!e1"
-      host     = "localhost"
+      name            = "tftest2"
+      password        = "Ex@mp!e1"
+      host            = "localhost"
+      random_password = false
     },
     {
-      name     = "tftest3"
-      password = "Ex@mp!e2"
-      host     = "localhost"
+      name            = "tftest3"
+      password        = "Ex@mp!e2"
+      host            = "localhost"
+      random_password = false
     },
   ]
 

metadata.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

modules/backup/metadata.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

modules/mssql/README.md

@@ -12,7 +12,7 @@ The following dependency must be available for SQL Server module:
 | activation\_policy | The activation policy for the master instance.Can be either `ALWAYS`, `NEVER` or `ON_DEMAND`. | `string` | `"ALWAYS"` | no |
 | active\_directory\_config | Active domain that the SQL instance will join. | `map(string)` | `{}` | no |
 | additional\_databases | A list of databases to be created in your cluster | <pre>list(object({<br>    name      = string<br>    charset   = string<br>    collation = string<br>  }))</pre> | `[]` | no |
-| additional\_users | A list of users to be created in your cluster | <pre>list(object({<br>    name     = string<br>    password = string<br>  }))</pre> | `[]` | no |
+| additional\_users | A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set. | <pre>list(object({<br>    name            = string<br>    password        = string<br>    random_password = bool<br>  }))</pre> | `[]` | no |
 | availability\_type | The availability type for the master instance.This is only used to set up high availability for the MSSQL instance. Can be either `ZONAL` or `REGIONAL`. | `string` | `"ZONAL"` | no |
 | backup\_configuration | The database backup configuration. | <pre>object({<br>    binary_log_enabled             = bool<br>    enabled                        = bool<br>    point_in_time_recovery_enabled = bool<br>    start_time                     = string<br>    transaction_log_retention_days = string<br>    retained_backups               = number<br>    retention_unit                 = string<br>  })</pre> | <pre>{<br>  "binary_log_enabled": null,<br>  "enabled": false,<br>  "point_in_time_recovery_enabled": null,<br>  "retained_backups": null,<br>  "retention_unit": null,<br>  "start_time": null,<br>  "transaction_log_retention_days": null<br>}</pre> | no |
 | create\_timeout | The optional timeout that is applied to limit long database creates. | `string` | `"15m"` | no |

modules/mssql/main.tf

@@ -184,8 +184,11 @@ resource "random_password" "user-password" {
 }
 
 resource "random_password" "additional_passwords" {
-  for_each   = local.users
-  length     = 8
+  for_each = local.users
+  keepers = {
+    name = google_sql_database_instance.default.name
+  }
+  length     = 32
   special    = true
   depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
@@ -202,7 +205,7 @@ resource "google_sql_user" "additional_users" {
   for_each   = local.users
   project    = var.project_id
   name       = each.value.name
-  password   = lookup(each.value, "password", random_password.additional_passwords[each.value.name].result)
+  password   = each.value.random_password ? random_password.additional_passwords[each.value.name].result : each.value.password
   instance   = google_sql_database_instance.default.name
   depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
 }

modules/mssql/metadata.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -68,11 +68,12 @@ spec:
     default: []
     required: false
   - name: additional_users
-    description: A list of users to be created in your cluster
+    description: A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set.
     type: |-
       list(object({
-          name     = string
-          password = string
+          name            = string
+          password        = string
+          random_password = bool
         }))
     default: []
     required: false

modules/mssql/variables.tf

@@ -246,12 +246,17 @@ variable "user_password" {
 }
 
 variable "additional_users" {
-  description = "A list of users to be created in your cluster"
+  description = "A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set."
   type = list(object({
-    name     = string
-    password = string
+    name            = string
+    password        = string
+    random_password = bool
   }))
   default = []
+  validation {
+    condition     = length([for user in var.additional_users : false if user.random_password == true && (user.password != null && user.password != "")]) == 0
+    error_message = "You cannot set both password and random_password, choose one of them."
+  }
 }
 
 variable "root_password" {

modules/mysql/README.md

@@ -9,7 +9,7 @@ Note: CloudSQL provides [disk autoresize](https://cloud.google.com/sql/docs/mysq
 |------|-------------|------|---------|:--------:|
 | activation\_policy | The activation policy for the master instance. Can be either `ALWAYS`, `NEVER` or `ON_DEMAND`. | `string` | `"ALWAYS"` | no |
 | additional\_databases | A list of databases to be created in your cluster | <pre>list(object({<br>    name      = string<br>    charset   = string<br>    collation = string<br>  }))</pre> | `[]` | no |
-| additional\_users | A list of users to be created in your cluster | `list(map(any))` | `[]` | no |
+| additional\_users | A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set. | <pre>list(object({<br>    name            = string<br>    password        = string<br>    random_password = bool<br>    type            = string<br>    host            = string<br>  }))</pre> | `[]` | no |
 | availability\_type | The availability type for the master instance. Can be either `REGIONAL` or `null`. | `string` | `"REGIONAL"` | no |
 | backup\_configuration | The backup\_configuration settings subblock for the database setings | <pre>object({<br>    binary_log_enabled             = bool<br>    enabled                        = bool<br>    start_time                     = string<br>    location                       = string<br>    transaction_log_retention_days = string<br>    retained_backups               = number<br>    retention_unit                 = string<br>  })</pre> | <pre>{<br>  "binary_log_enabled": false,<br>  "enabled": false,<br>  "location": null,<br>  "retained_backups": null,<br>  "retention_unit": null,<br>  "start_time": null,<br>  "transaction_log_retention_days": null<br>}</pre> | no |
 | create\_timeout | The optional timout that is applied to limit long database creates. | `string` | `"10m"` | no |

modules/mysql/main.tf

@@ -186,9 +186,8 @@ resource "random_password" "additional_passwords" {
   keepers = {
     name = google_sql_database_instance.default.name
   }
-
   length     = 32
-  special    = false
+  special    = true
   depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
 
@@ -210,10 +209,10 @@ resource "google_sql_user" "additional_users" {
   for_each = local.users
   project  = var.project_id
   name     = each.value.name
-  password = lookup(each.value, "password", random_password.additional_passwords[each.key].result)
-  host     = lookup(each.value, "host", var.user_host)
+  password = each.value.random_password ? random_password.additional_passwords[each.value.name].result : each.value.password
+  host     = each.value.host == null ? var.user_host : each.value.host
   instance = google_sql_database_instance.default.name
-  type     = lookup(each.value, "type", "BUILT_IN")
+  type     = coalesce(each.value.type, "BUILT_IN")
   depends_on = [
     null_resource.module_depends_on,
     google_sql_database_instance.default,

modules/mysql/metadata.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -63,8 +63,15 @@ spec:
     default: []
     required: false
   - name: additional_users
-    description: A list of users to be created in your cluster
-    type: list(map(any))
+    description: A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set.
+    type: |-
+      list(object({
+          name            = string
+          password        = string
+          random_password = bool
+          type            = string
+          host            = string
+        }))
     default: []
     required: false
   - name: availability_type

modules/mysql/outputs.tf

@@ -98,6 +98,8 @@ output "additional_users" {
     {
       name     = r.name
       password = r.password
+      type     = r.type
+      host     = r.host
     }
   ]
   sensitive = true

modules/mysql/variables.tf

@@ -292,9 +292,19 @@ variable "user_password" {
 }
 
 variable "additional_users" {
-  description = "A list of users to be created in your cluster"
-  type        = list(map(any))
-  default     = []
+  description = "A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set."
+  type = list(object({
+    name            = string
+    password        = string
+    random_password = bool
+    type            = string
+    host            = string
+  }))
+  default = []
+  validation {
+    condition     = length([for user in var.additional_users : false if user.random_password == true && (user.password != null && user.password != "")]) == 0
+    error_message = "You cannot set both password and random_password, choose one of them."
+  }
 }
 
 variable "create_timeout" {