-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix sql_database_instance creation to remove root user earlier #6922
Conversation
…is no longer needed
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are. Terraform GA: Diff ( 2 files changed, 159 insertions(+), 27 deletions(-)) |
Tests analyticsTotal tests: Action takenTriggering VCR tests in RECORDING mode for the tests that failed during VCR. Click here to see the failed testsTestAccLoggingBucketConfigProject_cmekSettings|TestAccFirebaserulesRelease_BasicRelease |
@roaks3: You don't get a reviewer assigned by the Magician anymore, btw! You can assign @GoogleCloudPlatform/terraform-team to roll one. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only a small nitpick. The code looks good assuming test passes: https://ci-oss.hashicorp.engineering/buildConfiguration/GoogleCloudBeta_ProviderGoogleCloudBetaMmUpstream/359834
tier = "db-f1-micro" | ||
backup_configuration { | ||
enabled = false | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only nit: spacing is bit off here -- should be spaces instead of tabs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Whoops, thank you!
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are. Terraform GA: Diff ( 2 files changed, 159 insertions(+), 27 deletions(-)) |
Tests analyticsTotal tests: Action takenTriggering VCR tests in RECORDING mode for the tests that failed during VCR. Click here to see the failed testsTestAccFirebaserulesRelease_BasicRelease|TestAccLoggingBucketConfigProject_cmekSettings |
https://ci-oss.hashicorp.engineering/buildConfiguration/GoogleCloudBeta_ProviderGoogleCloudBetaMmUpstream/359847 |
Yea, this test passes locally, but we are hitting an issue in CI with a number of these related tests (like |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
I did some investigating on this test failure and captured my work in hashicorp/terraform-provider-google#12902. I will hold off on merging this momentarily to see if we can resolve the root issue before adding to it with this new test, but if it looks like a long-term fix I will go ahead and move this through. |
It looks like the other issue could take some time, so merging this change now. |
…eCloudPlatform#6922) * Fix sql_database_instance creation to remove root user as soon as it is no longer needed * Fix spacing in test config
b/254877908
This fixes a bug where a root user without a password would sometimes remain on an
sql_database_instance
after creation, creating a security risk. The logic in the provider is meant to remove this root user at the end of the creation function, but if there is a failure before then, the instance is still created but the root user remains.The fix here simply performs the root user removal earlier, so that it is done as soon as it is not longer needed. This eliminates a subset of failure modes that would have left the root user on the instance. I believe this is the best we can do for now, short of more elaborate retry logic.
For testing, it was very difficult to come up with a test that would verify this problem has been resolved, because triggering arbitrary errors is nontrivial, and our test harness does not offer a clean way to check the state of the environment after an error occurs. I've come up with work-arounds to produce a test that I believe is adequate here.
If this PR is for Terraform, I acknowledge that I have:
make test
andmake lint
to ensure it passes unit and linter tests.Release Note Template for Downstream PRs (will be copied)