From 9c59232a37725aef57162e836090c64495e6acd9 Mon Sep 17 00:00:00 2001
From: Haz <56537674+mckha@users.noreply.github.com>
Date: Mon, 4 Dec 2023 16:44:07 +0000
Subject: [PATCH] feat: add support for ssl_mode to postgresql module (#547)
---
examples/postgresql-ha/main.tf | 1 +
examples/postgresql-psc/main.tf | 1 +
modules/postgresql/README.md | 4 ++--
modules/postgresql/main.tf | 2 ++
modules/postgresql/read_replica.tf | 1 +
modules/postgresql/variables.tf | 2 ++
6 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/examples/postgresql-ha/main.tf b/examples/postgresql-ha/main.tf
index 625877a2..a3e90ffa 100644
--- a/examples/postgresql-ha/main.tf
+++ b/examples/postgresql-ha/main.tf
@@ -19,6 +19,7 @@ locals {
read_replica_ip_configuration = {
ipv4_enabled = true
require_ssl = false
+ ssl_mode = "ENCRYPTED_ONLY"
private_network = null
allocated_ip_range = null
authorized_networks = [
diff --git a/examples/postgresql-psc/main.tf b/examples/postgresql-psc/main.tf
index 66e20570..2b25d0b6 100644
--- a/examples/postgresql-psc/main.tf
+++ b/examples/postgresql-psc/main.tf
@@ -19,6 +19,7 @@ locals {
read_replica_ip_configuration = {
ipv4_enabled = false
require_ssl = false
+ ssl_mode = "ENCRYPTED_ONLY"
psc_enabled = true
psc_allowed_consumer_projects = [var.project_id]
}
diff --git a/modules/postgresql/README.md b/modules/postgresql/README.md
index bd3cc467..63dbcff2 100644
--- a/modules/postgresql/README.md
+++ b/modules/postgresql/README.md
@@ -37,7 +37,7 @@ Note: CloudSQL provides [disk autoresize](https://cloud.google.com/sql/docs/mysq
| follow\_gae\_application | A Google App Engine application whose zone to remain in. Must be in the same region as this instance. | `string` | `null` | no |
| iam\_users | A list of IAM users to be created in your CloudSQL instance | list(object({
id = string,
email = string
})) | `[]` | no |
| insights\_config | The insights\_config settings for the database. | object({
query_plans_per_minute = optional(number, 5)
query_string_length = optional(number, 1024)
record_application_tags = optional(bool, false)
record_client_address = optional(bool, false)
}) | `null` | no |
-| ip\_configuration | The ip configuration for the master instances. | object({
authorized_networks = optional(list(map(string)), [])
ipv4_enabled = optional(bool, true)
private_network = optional(string)
require_ssl = optional(bool)
allocated_ip_range = optional(string)
enable_private_path_for_google_cloud_services = optional(bool, false)
psc_enabled = optional(bool, false)
psc_allowed_consumer_projects = optional(list(string), [])
}) | `{}` | no |
+| ip\_configuration | The ip configuration for the master instances. | object({
authorized_networks = optional(list(map(string)), [])
ipv4_enabled = optional(bool, true)
private_network = optional(string)
require_ssl = optional(bool)
ssl_mode = optional(string)
allocated_ip_range = optional(string)
enable_private_path_for_google_cloud_services = optional(bool, false)
psc_enabled = optional(bool, false)
psc_allowed_consumer_projects = optional(list(string), [])
}) | `{}` | no |
| maintenance\_window\_day | The day of week (1-7) for the master instance maintenance. | `number` | `1` | no |
| maintenance\_window\_hour | The hour of day (0-23) maintenance window for the master instance maintenance. | `number` | `23` | no |
| maintenance\_window\_update\_track | The update track of maintenance window for the master instance maintenance.Can be either `canary` or `stable`. | `string` | `"canary"` | no |
@@ -50,7 +50,7 @@ Note: CloudSQL provides [disk autoresize](https://cloud.google.com/sql/docs/mysq
| read\_replica\_deletion\_protection | Used to block Terraform from deleting replica SQL Instances. | `bool` | `false` | no |
| read\_replica\_deletion\_protection\_enabled | Enables protection of replica instance from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform). | `bool` | `false` | no |
| read\_replica\_name\_suffix | The optional suffix to add to the read instance name | `string` | `""` | no |
-| read\_replicas | List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption\_key\_name = null | list(object({
name = string
name_override = optional(string)
tier = optional(string)
edition = optional(string)
availability_type = optional(string)
zone = optional(string)
disk_type = optional(string)
disk_autoresize = optional(bool)
disk_autoresize_limit = optional(number)
disk_size = optional(string)
user_labels = map(string)
database_flags = optional(list(object({
name = string
value = string
})), [])
insights_config = optional(object({
query_plans_per_minute = optional(number, 5)
query_string_length = optional(number, 1024)
record_application_tags = optional(bool, false)
record_client_address = optional(bool, false)
}), null)
ip_configuration = object({
authorized_networks = optional(list(map(string)), [])
ipv4_enabled = optional(bool)
private_network = optional(string, )
require_ssl = optional(bool)
allocated_ip_range = optional(string)
enable_private_path_for_google_cloud_services = optional(bool, false)
psc_enabled = optional(bool, false)
psc_allowed_consumer_projects = optional(list(string), [])
})
encryption_key_name = optional(string)
})) | `[]` | no |
+| read\_replicas | List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption\_key\_name = null | list(object({
name = string
name_override = optional(string)
tier = optional(string)
edition = optional(string)
availability_type = optional(string)
zone = optional(string)
disk_type = optional(string)
disk_autoresize = optional(bool)
disk_autoresize_limit = optional(number)
disk_size = optional(string)
user_labels = map(string)
database_flags = optional(list(object({
name = string
value = string
})), [])
insights_config = optional(object({
query_plans_per_minute = optional(number, 5)
query_string_length = optional(number, 1024)
record_application_tags = optional(bool, false)
record_client_address = optional(bool, false)
}), null)
ip_configuration = object({
authorized_networks = optional(list(map(string)), [])
ipv4_enabled = optional(bool)
private_network = optional(string, )
require_ssl = optional(bool)
ssl_mode = optional(string)
allocated_ip_range = optional(string)
enable_private_path_for_google_cloud_services = optional(bool, false)
psc_enabled = optional(bool, false)
psc_allowed_consumer_projects = optional(list(string), [])
})
encryption_key_name = optional(string)
})) | `[]` | no |
| region | The region of the Cloud SQL resources | `string` | `"us-central1"` | no |
| secondary\_zone | The preferred zone for the secondary/failover instance, it should be something like: `us-central1-a`, `us-east1-c`. | `string` | `null` | no |
| tier | The tier for the master instance. | `string` | `"db-f1-micro"` | no |
diff --git a/modules/postgresql/main.tf b/modules/postgresql/main.tf
index e7d49705..e34a1b3b 100644
--- a/modules/postgresql/main.tf
+++ b/modules/postgresql/main.tf
@@ -105,6 +105,7 @@ resource "google_sql_database_instance" "default" {
ipv4_enabled = lookup(ip_configuration.value, "ipv4_enabled", null)
private_network = lookup(ip_configuration.value, "private_network", null)
require_ssl = lookup(ip_configuration.value, "require_ssl", null)
+ ssl_mode = lookup(ip_configuration.value, "ssl_mode", null)
allocated_ip_range = lookup(ip_configuration.value, "allocated_ip_range", null)
enable_private_path_for_google_cloud_services = lookup(ip_configuration.value, "enable_private_path_for_google_cloud_services", false)
@@ -241,6 +242,7 @@ resource "random_password" "user-password" {
resource "random_password" "additional_passwords" {
for_each = local.users
+
keepers = {
name = google_sql_database_instance.default.name
}
diff --git a/modules/postgresql/read_replica.tf b/modules/postgresql/read_replica.tf
index 03432672..c1250d97 100644
--- a/modules/postgresql/read_replica.tf
+++ b/modules/postgresql/read_replica.tf
@@ -56,6 +56,7 @@ resource "google_sql_database_instance" "replicas" {
ipv4_enabled = lookup(ip_configuration.value, "ipv4_enabled", null)
private_network = lookup(ip_configuration.value, "private_network", null)
require_ssl = lookup(ip_configuration.value, "require_ssl", null)
+ ssl_mode = lookup(ip_configuration.value, "ssl_mode", null)
allocated_ip_range = lookup(ip_configuration.value, "allocated_ip_range", null)
enable_private_path_for_google_cloud_services = lookup(ip_configuration.value, "enable_private_path_for_google_cloud_services", false)
diff --git a/modules/postgresql/variables.tf b/modules/postgresql/variables.tf
index acf463f5..9ed8b7da 100644
--- a/modules/postgresql/variables.tf
+++ b/modules/postgresql/variables.tf
@@ -219,6 +219,7 @@ variable "ip_configuration" {
ipv4_enabled = optional(bool, true)
private_network = optional(string)
require_ssl = optional(bool)
+ ssl_mode = optional(string)
allocated_ip_range = optional(string)
enable_private_path_for_google_cloud_services = optional(bool, false)
psc_enabled = optional(bool, false)
@@ -257,6 +258,7 @@ variable "read_replicas" {
ipv4_enabled = optional(bool)
private_network = optional(string, )
require_ssl = optional(bool)
+ ssl_mode = optional(string)
allocated_ip_range = optional(string)
enable_private_path_for_google_cloud_services = optional(bool, false)
psc_enabled = optional(bool, false)