feat!: Add Password Validation Policy to Postgres Module (#376)
Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>
cleibl and bharathkkb authored Jan 5, 2023
1 parent 045bed1 commit 562455b
Showing 7 changed files with 63 additions and 6 deletions.
14 changes: 12 additions & 2 deletions examples/postgresql-public-iam/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,16 @@ module "postgresql-db" {
authorized_networks = var.authorized_networks
}

password_validation_policy_config = {
# Complexity Default - password must contain at least one lowercase, one uppercase, one number and one non-alphanumeric characters.
complexity = "COMPLEXITY_DEFAULT"
disallow_username_substring = true
min_length = 8
# Password change interval format is in seconds. 3600s=1h
password_change_interval = "3600s"
reuse_interval = 1
}

database_flags = [
{
name = "cloudsql.iam_authentication"
Expand All @@ -45,12 +55,12 @@ module "postgresql-db" {
additional_users = [
{
name = "tftest2"
password = "abcdefg"
password = "Ex@mp!e1"
host = "localhost"
},
{
name = "tftest3"
password = "abcdefg"
password = "Ex@mp!e2"
host = "localhost"
},
]
Expand Down
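Review bot: The example still commits fixed plaintext credentials for `tftest2` and `tftest3` (`password = "Ex@mp!e1"` / `"Ex@mp!e2"`), which also end up in Terraform state; the commit only rewrote them to pass the new complexity rule. If the module falls back to its `random_password.additional_passwords` resource when `password` is unset (that resource is touched in modules/postgresql/main.tf, but the fallback logic itself is not visible here), dropping the `password` attribute from both entries would exercise that path and avoid shipping a reusable password in an example. Otherwise a comment such as `# Example-only credentials: stored in state in plaintext; use generated passwords or a secret manager outside of examples.` above `additional_users` would make the intent explicit. Note that `Ex@mp!e1` is exactly 8 characters, i.e. the configured `min_length`, so any tightening of the example policy will break user creation.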
1 change: 1 addition & 0 deletions modules/postgresql/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ Note: CloudSQL provides [disk autoresize](https://cloud.google.com/sql/docs/mysq
| maintenance\_window\_update\_track | The update track of maintenance window for the master instance maintenance.Can be either `canary` or `stable`. | `string` | `"canary"` | no |
| module\_depends\_on | List of modules or resources this module depends on. | `list(any)` | `[]` | no |
| name | The name of the Cloud SQL resources | `string` | n/a | yes |
| password\_validation\_policy\_config | The password validation policy settings for the database instance. | <pre>object({<br> min_length = number<br> complexity = string<br> reuse_interval = number<br> disallow_username_substring = bool<br> password_change_interval = string<br> })</pre> | `null` | no |
| pricing\_plan | The pricing plan for the master instance. | `string` | `"PER_USE"` | no |
| project\_id | The project ID to manage the Cloud SQL resources | `string` | n/a | yes |
| random\_instance\_name | Sets random suffix at the end of the Cloud SQL resource name | `bool` | `false` | no |
Expand Down
17 changes: 15 additions & 2 deletions modules/postgresql/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,19 @@ resource "google_sql_database_instance" "default" {
}
}

dynamic "password_validation_policy" {
for_each = var.password_validation_policy_config != null ? [var.password_validation_policy_config] : []

content {
enable_password_policy = true
min_length = lookup(password_validation_policy.value, "min_length", 8)
complexity = lookup(password_validation_policy.value, "complexity", "COMPLEXITY_DEFAULT")
reuse_interval = lookup(password_validation_policy.value, "reuse_interval", null)
disallow_username_substring = lookup(password_validation_policy.value, "disallow_username_substring", true)
password_change_interval = lookup(password_validation_policy.value, "password_change_interval", null)
}
}

disk_autoresize = var.disk_autoresize
disk_autoresize_limit = var.disk_autoresize_limit
disk_size = var.disk_size
Expand Down Expand Up @@ -177,7 +190,7 @@ resource "random_password" "user-password" {
}

length = 32
special = false
special = true
depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
}

Expand All @@ -188,7 +201,7 @@ resource "random_password" "additional_passwords" {
}

length = 32
special = false
special = true
depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
}

Expand Down
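Review bot: Flipping `special = true` on `random_password.user-password` and `random_password.additional_passwords` does not guarantee that the 32-character value satisfies `COMPLEXITY_DEFAULT`, because the provider only forces each character class to appear when `min_lower`/`min_upper`/`min_numeric`/`min_special` are set (they default to 0), so a generated password that happens to omit a class will be rejected by Cloud SQL at user creation whenever `password_validation_policy_config` is non-null. Setting one of each class makes generated passwords policy-compliant by construction; the same four lines belong in both resources. Both `random_password` resources begin before their hunks and their closing brace is outside it, so only the changed attributes are shown. Separately, the `lookup(..., 8)`-style defaults in the new `dynamic "password_validation_policy"` block can never apply, because `var.password_validation_policy_config` declares every attribute as required, so they are dead code unless the variable type is relaxed.
```hcl
  length      = 32
  special     = true
  # Guarantee one character from each class so the value always passes
  # COMPLEXITY_DEFAULT when a password_validation_policy is enabled.
  min_lower   = 1
  min_upper   = 1
  min_numeric = 1
  min_special = 1
  # … unchanged: depends_on …
```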
13 changes: 13 additions & 0 deletions modules/postgresql/read_replica.tf
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,19 @@ resource "google_sql_database_instance" "replicas" {
}
}

dynamic "password_validation_policy" {
for_each = var.password_validation_policy_config != null ? [var.password_validation_policy_config] : []

content {
enable_password_policy = true
min_length = lookup(password_validation_policy.value, "min_length", 8)
complexity = lookup(password_validation_policy.value, "complexity", "COMPLEXITY_DEFAULT")
reuse_interval = lookup(password_validation_policy.value, "reuse_interval", null)
disallow_username_substring = lookup(password_validation_policy.value, "disallow_username_substring", true)
password_change_interval = lookup(password_validation_policy.value, "password_change_interval", null)
}
}

disk_autoresize = lookup(each.value, "disk_autoresize", var.disk_autoresize)
disk_autoresize_limit = lookup(each.value, "disk_autoresize_limit", var.disk_autoresize_limit)
disk_size = lookup(each.value, "disk_size", var.disk_size)
Expand Down
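Review bot: The `dynamic "password_validation_policy"` block here is a byte-for-byte copy of the one added to `google_sql_database_instance.default` in modules/postgresql/main.tf, including the same unreachable `lookup()` defaults, so the two will drift the first time one is edited. Every other replica setting in this resource is resolved through `lookup(each.value, ..., var.x)` (see `disk_autoresize` immediately below), whereas this block reads `var.password_validation_policy_config` directly; if per-replica overrides are intentionally unsupported, a comment such as `# Instance-wide policy: replicas always mirror the primary's setting, no per-replica override` would record that decision. A `locals` value holding the resolved policy object, referenced from both resources, would remove the duplication. The enclosing `google_sql_database_instance.replicas` resource starts and ends outside the hunk.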
12 changes: 12 additions & 0 deletions modules/postgresql/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -178,6 +178,18 @@ variable "insights_config" {
default = null
}

variable "password_validation_policy_config" {
description = "The password validation policy settings for the database instance."
type = object({
min_length = number
complexity = string
reuse_interval = number
disallow_username_substring = bool
password_change_interval = string
})
default = null
}

variable "ip_configuration" {
description = "The ip configuration for the master instances."
type = object({
Expand Down
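Review bot: `password_validation_policy_config` is declared as an `object` whose five attributes are all required, so a caller cannot set only `min_length` and rely on the `lookup(..., default)` values used in modules/postgresql/main.tf and read_replica.tf — those defaults are unreachable, and a partial object is a plan-time type error. If the module's required Terraform version permits it, `optional()` attributes (e.g. `min_length = optional(number, 8)`) would make those defaults real; otherwise the description should state that all five attributes must be provided. The description should also give the units, which the types do not convey: `reuse_interval` counts previous passwords that may not be reused (per the Cloud SQL API), `password_change_interval` is a duration string such as `"3600s"` as used in the example, and `enable_password_policy` is always set to `true` by the module whenever this variable is non-null. The variable declaration is fully within the hunk.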
4 changes: 2 additions & 2 deletions modules/postgresql/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -27,11 +27,11 @@ terraform {
}
google = {
source = "hashicorp/google"
version = ">= 4.28.0, < 5.0"
version = ">= 4.33.0, < 5.0"
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 4.4.0, < 5.0"
version = ">= 4.33.0, < 5.0"
}
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,14 @@ func TestPostgreSqlPublicIamModule(t *testing.T) {
assert.Equal(int64(0), op.Get("settings.storageAutoResizeLimit").Int(), "Expected 0 storageAutoResizeLimit")
assert.Equal("db-custom-1-3840", op.Get("settings.tier").String(), "Expected db-custom-1-3840 tier")

// assert password policy settings
assert.Equal("COMPLEXITY_DEFAULT", op.Get("settings.passwordValidationPolicy.complexity").String(), "Expected COMPLEXITY_DEFAULT complexity")
assert.True(op.Get("settings.passwordValidationPolicy.disallowUsernameSubstring").Bool(), "Expected TRUE disallowUsernameSubstring")
assert.True(op.Get("settings.passwordValidationPolicy.enablePasswordPolicy").Bool(), "Expected TRUE enablePasswordPolicy")
assert.Equal(int64(8), op.Get("settings.passwordValidationPolicy.minLength").Int(), "Expected 8 minLength")
assert.Equal("3600s", op.Get("settings.passwordValidationPolicy.passwordChangeInterval").String(), "Expected 3600s passwordChangeInterval")
assert.Equal(int64(1), op.Get("settings.passwordValidationPolicy.reuseInterval").Int(), "Expected 1 reuseInterval")

// assert location database settings
assert.Equal("sql#locationPreference", op.Get("settings.locationPreference.kind").String(), "Expected sql#locationPreference locationPreference.kind")
assert.Equal("us-central1-c", op.Get("settings.locationPreference.zone").String(), "Expected us-central1-c locationPreference.zone")
Expand Down
