GoogleCloudPlatform · umairidris · Apr 15, 2020 · Apr 15, 2020 · Apr 15, 2020 · Apr 15, 2020
diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-data/iam/main.tf b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-data/iam/main.tf
@@ -2,8 +2,10 @@ terraform {
   backend "gcs" {}
 }
 
-resource "google_project_iam_member" "gke_sql_access" {
+resource "google_project_iam_member" "sql_clients" {
+  for_each = toset(var.sql_clients)
+
   project = var.project_id
   role    = "roles/cloudsql.client"
-  member  = "serviceAccount:${var.gke_service_account}"
+  member  = "serviceAccount:${each.key}"
 }
diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-data/iam/terragrunt.hcl b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-data/iam/terragrunt.hcl
@@ -11,10 +11,21 @@ dependency "apps" {
   config_path = "../../project.heroes-hat-dev-apps/apps"
 
   mock_outputs = {
-    service_account = "mock-service-account"
+    service_account = "mock-gke-service-account"
+  }
+}
+
+dependency "networks" {
+  config_path = "../../project.heroes-hat-dev-networks/networks"
+
+  mock_outputs = {
+    bastion_service_account = "mock-bastion-service-account"
   }
 }
 
 inputs = {
-  gke_service_account = dependency.apps.outputs.service_account
+  sql_clients = [
+    dependency.apps.outputs.service_account,
+    dependency.networks.outputs.bastion_service_account,
+  ]
 }
diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-data/iam/variables.tf b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-data/iam/variables.tf
@@ -2,8 +2,7 @@ variable "project_id" {
   type = string
 }
 
-variable "gke_service_account" {
-  description = "The service account used by the GKE cluster"
-  type        = string
+variable "sql_clients" {
+  description = "Clients who have access to the SQL instances in this project"
+  type        = list(string)
 }
-
diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-networks/networks/bastion.tf b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-networks/networks/bastion.tf
@@ -26,14 +26,15 @@ module "bastion" {
   subnet         = module.private.subnets["${var.region}/${local.bastion_subnet_name}"].self_link
   image_family   = "ubuntu-1804-lts"
   members        = var.bastion_users
+  scopes         = [
+    "https://www.googleapis.com/auth/sqlservice.admin",
+  ]
   startup_script = <<EOF
 #!/bin/bash
-if dpkg -l mysql-client-core-5.7; then
-  echo "mysql-client already installed"
-else
-  sudo apt-get -y update
-  sudo apt-get -y install mysql-client-core-5.7
-fi
+sudo apt-get -y update
+sudo apt-get -y install mysql-client-core-5.7
+wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy
+chmod +x ./cloudsql_sql_proxy
 EOF
 }
 

diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-networks/networks/outputs.tf b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-networks/networks/outputs.tf
@@ -5,3 +5,7 @@ output "private_network" {
 output "gke_subnetwork" {
   value = local.gke_subnet
 }
+
+output "bastion_service_account" {
+  value = module.bastion.service_account
+}
diff --git a/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-networks/project/terraform.tfvars b/Terraform/org/folder.fda-my-studies/project.heroes-hat-dev-networks/project/terraform.tfvars
@@ -6,6 +6,7 @@ apis = [
   "container.googleapis.com",
   "iap.googleapis.com",
   "servicenetworking.googleapis.com",
+  "sqladmin.googleapis.com",
 ]
 owners = [
   "group:rocketturtle-gcp-admin@rocketturtle.net",