feat: add support for ssl_mode to postgresql module (#547)
mckha authored Dec 4, 2023
1 parent 87d639f commit 9c59232
Showing 6 changed files with 9 additions and 2 deletions.
1 change: 1 addition & 0 deletions examples/postgresql-ha/main.tf
Expand Up @@ -19,6 +19,7 @@ locals {
read_replica_ip_configuration = {
ipv4_enabled = true
require_ssl = false
ssl_mode = "ENCRYPTED_ONLY"
private_network = null
allocated_ip_range = null
authorized_networks = [
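Review bot: `require_ssl = false` now sits directly above `ssl_mode = "ENCRYPTED_ONLY"` and nothing explains how the two interact, so readers who copy this block may read `require_ssl = false` as "TLS off". Add a one-line comment, e.g. `# ENCRYPTED_ONLY enforces TLS without requiring client certificates; require_ssl stays false because require_ssl = true maps to the client-certificate mode in the provider`, so the example documents the intended policy rather than only exercising the new attribute.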
1 change: 1 addition & 0 deletions examples/postgresql-psc/main.tf
Expand Up @@ -19,6 +19,7 @@ locals {
read_replica_ip_configuration = {
ipv4_enabled = false
require_ssl = false
ssl_mode = "ENCRYPTED_ONLY"
psc_enabled = true
psc_allowed_consumer_projects = [var.project_id]
}
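Review bot: same combination as the HA example (`require_ssl = false` next to `ssl_mode = "ENCRYPTED_ONLY"`) and the same explanatory comment is warranted. Since this replica is reachable only over Private Service Connect (`ipv4_enabled = false`, `psc_enabled = true`), the example is also the right place to say that `ssl_mode` applies to private connections as well, so a private path is not a reason to drop TLS enforcement.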
4 changes: 2 additions & 2 deletions modules/postgresql/README.md
Expand Up @@ -37,7 +37,7 @@ Note: CloudSQL provides [disk autoresize](https://cloud.google.com/sql/docs/mysq
| follow\_gae\_application | A Google App Engine application whose zone to remain in. Must be in the same region as this instance. | `string` | `null` | no |
| iam\_users | A list of IAM users to be created in your CloudSQL instance | <pre>list(object({<br> id = string,<br> email = string<br> }))</pre> | `[]` | no |
| insights\_config | The insights\_config settings for the database. | <pre>object({<br> query_plans_per_minute = optional(number, 5)<br> query_string_length = optional(number, 1024)<br> record_application_tags = optional(bool, false)<br> record_client_address = optional(bool, false)<br> })</pre> | `null` | no |
| ip\_configuration | The ip configuration for the master instances. | <pre>object({<br> authorized_networks = optional(list(map(string)), [])<br> ipv4_enabled = optional(bool, true)<br> private_network = optional(string)<br> require_ssl = optional(bool)<br> allocated_ip_range = optional(string)<br> enable_private_path_for_google_cloud_services = optional(bool, false)<br> psc_enabled = optional(bool, false)<br> psc_allowed_consumer_projects = optional(list(string), [])<br> })</pre> | `{}` | no |
| ip\_configuration | The ip configuration for the master instances. | <pre>object({<br> authorized_networks = optional(list(map(string)), [])<br> ipv4_enabled = optional(bool, true)<br> private_network = optional(string)<br> require_ssl = optional(bool)<br> ssl_mode = optional(string)<br> allocated_ip_range = optional(string)<br> enable_private_path_for_google_cloud_services = optional(bool, false)<br> psc_enabled = optional(bool, false)<br> psc_allowed_consumer_projects = optional(list(string), [])<br> })</pre> | `{}` | no |
| maintenance\_window\_day | The day of week (1-7) for the master instance maintenance. | `number` | `1` | no |
| maintenance\_window\_hour | The hour of day (0-23) maintenance window for the master instance maintenance. | `number` | `23` | no |
| maintenance\_window\_update\_track | The update track of maintenance window for the master instance maintenance.Can be either `canary` or `stable`. | `string` | `"canary"` | no |
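Review bot: the new `ssl_mode = optional(string)` entry in the `ip_configuration` row says nothing about accepted values or how it relates to the existing `require_ssl` field; the description column still reads only "The ip configuration for the master instances." Document the three values the provider accepts for this attribute (`ALLOW_UNENCRYPTED_AND_ENCRYPTED`, `ENCRYPTED_ONLY`, `TRUSTED_CLIENT_CERTIFICATE_REQUIRED`) and state that leaving it unset keeps the API default, which permits unencrypted connections, so the security-relevant default is visible without consulting the provider docs.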
Expand All @@ -50,7 +50,7 @@ Note: CloudSQL provides [disk autoresize](https://cloud.google.com/sql/docs/mysq
| read\_replica\_deletion\_protection | Used to block Terraform from deleting replica SQL Instances. | `bool` | `false` | no |
| read\_replica\_deletion\_protection\_enabled | Enables protection of replica instance from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform). | `bool` | `false` | no |
| read\_replica\_name\_suffix | The optional suffix to add to the read instance name | `string` | `""` | no |
| read\_replicas | List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption\_key\_name = null | <pre>list(object({<br> name = string<br> name_override = optional(string)<br> tier = optional(string)<br> edition = optional(string)<br> availability_type = optional(string)<br> zone = optional(string)<br> disk_type = optional(string)<br> disk_autoresize = optional(bool)<br> disk_autoresize_limit = optional(number)<br> disk_size = optional(string)<br> user_labels = map(string)<br> database_flags = optional(list(object({<br> name = string<br> value = string<br> })), [])<br> insights_config = optional(object({<br> query_plans_per_minute = optional(number, 5)<br> query_string_length = optional(number, 1024)<br> record_application_tags = optional(bool, false)<br> record_client_address = optional(bool, false)<br> }), null)<br> ip_configuration = object({<br> authorized_networks = optional(list(map(string)), [])<br> ipv4_enabled = optional(bool)<br> private_network = optional(string, )<br> require_ssl = optional(bool)<br> allocated_ip_range = optional(string)<br> enable_private_path_for_google_cloud_services = optional(bool, false)<br> psc_enabled = optional(bool, false)<br> psc_allowed_consumer_projects = optional(list(string), [])<br> })<br> encryption_key_name = optional(string)<br> }))</pre> | `[]` | no |
| read\_replicas | List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption\_key\_name = null | <pre>list(object({<br> name = string<br> name_override = optional(string)<br> tier = optional(string)<br> edition = optional(string)<br> availability_type = optional(string)<br> zone = optional(string)<br> disk_type = optional(string)<br> disk_autoresize = optional(bool)<br> disk_autoresize_limit = optional(number)<br> disk_size = optional(string)<br> user_labels = map(string)<br> database_flags = optional(list(object({<br> name = string<br> value = string<br> })), [])<br> insights_config = optional(object({<br> query_plans_per_minute = optional(number, 5)<br> query_string_length = optional(number, 1024)<br> record_application_tags = optional(bool, false)<br> record_client_address = optional(bool, false)<br> }), null)<br> ip_configuration = object({<br> authorized_networks = optional(list(map(string)), [])<br> ipv4_enabled = optional(bool)<br> private_network = optional(string, )<br> require_ssl = optional(bool)<br> ssl_mode = optional(string)<br> allocated_ip_range = optional(string)<br> enable_private_path_for_google_cloud_services = optional(bool, false)<br> psc_enabled = optional(bool, false)<br> psc_allowed_consumer_projects = optional(list(string), [])<br> })<br> encryption_key_name = optional(string)<br> }))</pre> | `[]` | no |
| region | The region of the Cloud SQL resources | `string` | `"us-central1"` | no |
| secondary\_zone | The preferred zone for the secondary/failover instance, it should be something like: `us-central1-a`, `us-east1-c`. | `string` | `null` | no |
| tier | The tier for the master instance. | `string` | `"db-f1-micro"` | no |
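Review bot: the `read_replicas` row has the same documentation gap for its nested `ssl_mode = optional(string)`; one sentence pointing at the `ip_configuration` description (once that lists the accepted values) is enough. Also, `private_network = optional(string, )` in this row carries an empty default argument that the primary's row does not; it predates this commit but is worth normalising to `optional(string)` while the table is regenerated.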
2 changes: 2 additions & 0 deletions modules/postgresql/main.tf
Expand Up @@ -105,6 +105,7 @@ resource "google_sql_database_instance" "default" {
ipv4_enabled = lookup(ip_configuration.value, "ipv4_enabled", null)
private_network = lookup(ip_configuration.value, "private_network", null)
require_ssl = lookup(ip_configuration.value, "require_ssl", null)
ssl_mode = lookup(ip_configuration.value, "ssl_mode", null)
allocated_ip_range = lookup(ip_configuration.value, "allocated_ip_range", null)
enable_private_path_for_google_cloud_services = lookup(ip_configuration.value, "enable_private_path_for_google_cloud_services", false)

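Review bot: `lookup(ip_configuration.value, "ssl_mode", null)` passes the value through untouched, so nothing in the module rejects a misspelled mode before `terraform apply`, and when the caller omits the key the instance keeps the API default, which allows unencrypted connections. The pass-through itself is consistent with the surrounding `require_ssl` and `private_network` lines; pair it with a validation on the variable or a documented default so the permissive behaviour is a deliberate choice rather than a silent one.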
Expand Down Expand Up @@ -241,6 +242,7 @@ resource "random_password" "user-password" {

resource "random_password" "additional_passwords" {
for_each = local.users

keepers = {
name = google_sql_database_instance.default.name
}
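Review bot: this hunk shows only context inside `resource "random_password" "additional_passwords"`, and the one counted addition appears to be the blank line after `for_each = local.users`; a whitespace-only change unrelated to `ssl_mode` is better kept out of a feature commit so the diff for #547 stays focused and reviewable.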
1 change: 1 addition & 0 deletions modules/postgresql/read_replica.tf
Expand Up @@ -56,6 +56,7 @@ resource "google_sql_database_instance" "replicas" {
ipv4_enabled = lookup(ip_configuration.value, "ipv4_enabled", null)
private_network = lookup(ip_configuration.value, "private_network", null)
require_ssl = lookup(ip_configuration.value, "require_ssl", null)
ssl_mode = lookup(ip_configuration.value, "ssl_mode", null)
allocated_ip_range = lookup(ip_configuration.value, "allocated_ip_range", null)
enable_private_path_for_google_cloud_services = lookup(ip_configuration.value, "enable_private_path_for_google_cloud_services", false)

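Review bot: the replica reads `ssl_mode` from its own `ip_configuration` block with a `null` fallback instead of inheriting the primary's value, so a caller who sets `ENCRYPTED_ONLY` on the primary but omits it on a replica ends up with a weaker policy on the replica. Either fall back to the primary's setting or document that each replica must set its own `ssl_mode`; note that because the variable declares `ssl_mode = optional(string)`, the key is always present (with value `null` when omitted) and the default argument of `lookup` never fires, so a fallback has to be written with `coalesce`/`try` over `var.ip_configuration.ssl_mode` rather than as `lookup`'s third argument.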
2 changes: 2 additions & 0 deletions modules/postgresql/variables.tf
Expand Up @@ -219,6 +219,7 @@ variable "ip_configuration" {
ipv4_enabled = optional(bool, true)
private_network = optional(string)
require_ssl = optional(bool)
ssl_mode = optional(string)
allocated_ip_range = optional(string)
enable_private_path_for_google_cloud_services = optional(bool, false)
psc_enabled = optional(bool, false)
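Review bot: `ssl_mode = optional(string)` accepts any string, so a typo or a lowercase value is only rejected by the API at apply time. Add a `validation` block on `ip_configuration`, e.g. `condition = contains(["ALLOW_UNENCRYPTED_AND_ENCRYPTED", "ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"], coalesce(var.ip_configuration.ssl_mode, "ALLOW_UNENCRYPTED_AND_ENCRYPTED"))` (the `coalesce` stands in for the API default when the attribute is null) with an `error_message` listing the allowed values, so the mistake surfaces at plan time.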
Expand Down Expand Up @@ -257,6 +258,7 @@ variable "read_replicas" {
ipv4_enabled = optional(bool)
private_network = optional(string, )
require_ssl = optional(bool)
ssl_mode = optional(string)
allocated_ip_range = optional(string)
enable_private_path_for_google_cloud_services = optional(bool, false)
psc_enabled = optional(bool, false)
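Review bot: the per-replica `ssl_mode = optional(string)` needs the same guard, expressed over the list, e.g. `alltrue([for r in var.read_replicas : contains(["ALLOW_UNENCRYPTED_AND_ENCRYPTED", "ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"], coalesce(r.ip_configuration.ssl_mode, "ALLOW_UNENCRYPTED_AND_ENCRYPTED"))])`. While here, `private_network = optional(string, )` has a stray empty default argument that the primary's declaration lacks and can be normalised to `optional(string)`.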