fix!: Change additional user default password (#332)

* Change additional_users default password * Update unit test with sensitive values * Add upgrade section to docs * Fix example sensitive output * Update docs/upgrading_to_sql_db_12.0.0.md
terraform-google-modules · Aug 12, 2022 · f96f71e · f96f71e
1 parent ad6f427
commit f96f71e
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 1 deletion.
diff --git a/docs/upgrading_to_sql_db_12.0.0.md b/docs/upgrading_to_sql_db_12.0.0.md
@@ -95,3 +95,19 @@ module "pg" {
   ]
 }
 ```
+
+Prior to the 12.0.0 `mysql` module release, additional users were created using the `default_user`'s password. In order to keep the password unchanged for additional users for release 12.0.0 and up, `additional_user`'s passwords need to be set explicitly using the `default_user`'s generated password.
+
+```diff
+module "mysql" {
+  source  = "GoogleCloudPlatform/sql-db/google//modules/mysql"
+- version = "~> 11.0"
++ version = "~> 12.0"
+
+  project_id       = var.project_id
+  additional_users = [{
+    name     = "admin"
++   password = module.mysql.generated_user_password
+  }]
+}
+```
diff --git a/examples/mysql-private/outputs.tf b/examples/mysql-private/outputs.tf
@@ -30,6 +30,7 @@ output "mysql_conn" {
 }
 
 output "mysql_user_pass" {
+  sensitive   = true
   value       = module.safer-mysql-db.generated_user_password
   description = "The password for the default user. If not set, a random one will be generated and available in the generated_user_password output variable."
 }

diff --git a/examples/mysql-public/outputs.tf b/examples/mysql-public/outputs.tf
@@ -30,6 +30,7 @@ output "mysql_conn" {
 }
 
 output "mysql_user_pass" {
+  sensitive   = true
   value       = module.mysql-db.generated_user_password
   description = "The password for the default user. If not set, a random one will be generated and available in the generated_user_password output variable."
 }

diff --git a/modules/mysql/main.tf b/modules/mysql/main.tf
@@ -192,7 +192,7 @@ resource "google_sql_user" "additional_users" {
   for_each = local.users
   project  = var.project_id
   name     = each.value.name
-  password = lookup(each.value, "password", random_password.user-password.result)
+  password = lookup(each.value, "password", random_password.additional_passwords[each.key].result)
   host     = lookup(each.value, "host", var.user_host)
   instance = google_sql_database_instance.default.name
   type     = lookup(each.value, "type", "BUILT_IN")