diff --git a/modules/mysql/.terraform-docs.yml b/modules/mysql/.terraform-docs.yml
new file mode 100644
index 0000000..9ae0793
--- /dev/null
+++ b/modules/mysql/.terraform-docs.yml
@@ -0,0 +1,32 @@
+formatter: markdown table
+
+sections:
+ hide-all: true
+ show:
+ - requirements
+ - providers
+ - inputs
+ - outputs
+ - modules
+
+output:
+ file: README.md
+ mode: inject
+ template: |-
+
+ {{ .Content }}
+
+
+sort:
+ enabled: true
+ by: required
+
+settings:
+ anchor: true
+ color: true
+ default: true
+ escape: true
+ indent: 2
+ required: true
+ sensitive: true
+ type: true
diff --git a/modules/mysql/README.md b/modules/mysql/README.md
index 6dd7cfe..556e80e 100644
--- a/modules/mysql/README.md
+++ b/modules/mysql/README.md
@@ -52,6 +52,21 @@ module "my-private-mysql-db" {
- [MySQL instance public, zonal, with backup exporter](examples/mysql_public_with_exporter)
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | ~> 1.3 |
+| [google](#requirement\_google) | ~> 4.4 |
+| [random](#requirement\_random) | ~> 3 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [google](#provider\_google) | ~> 4.4 |
+| [random](#provider\_random) | ~> 3 |
+
## Modules
| Name | Source | Version |
@@ -86,8 +101,8 @@ module "my-private-mysql-db" {
| [labels](#input\_labels) | Labels to add to the CloudSQL and its replicas. | `map(string)` | `{}` | no |
| [public](#input\_public) | Set to true if the master instance should also have a public IP (less secure). | `bool` | `false` | no |
| [replicas](#input\_replicas) | The replicas instance names and configuration. | `map(any)` | `{}` | no |
-| [require\_ssl](#input\_require\_ssl) | Set to false if you don not want to enforce SSL (less secure). | `bool` | `true` | no |
| [sql\_exporter](#input\_sql\_exporter) | The SQL exporter to use for backups if needed. | object({
bucket_name = string
pubsub_topic = string
timezone = optional(string, "UTC")
}) | `null` | no |
+| [ssl\_mode](#input\_ssl\_mode) | Specify how SSL connection should be enforced in DB connections. | `string` | `"TRUSTED_CLIENT_CERTIFICATE_REQUIRED"` | no |
| [tier](#input\_tier) | The database tier (db-f1-micro, db-custom-cpu-ram). | `string` | `"db-f1-micro"` | no |
| [users\_host](#input\_users\_host) | value | `string` | `""` | no |
diff --git a/modules/mysql/locals.tf b/modules/mysql/locals.tf
index f65f7a5..5e6390f 100644
--- a/modules/mysql/locals.tf
+++ b/modules/mysql/locals.tf
@@ -5,7 +5,8 @@ locals {
# We never set authorized networks, we need all connections via the
# public IP to be mediated by Cloud SQL Proxy.
authorized_networks = []
- require_ssl = var.require_ssl
+ require_ssl = var.ssl_mode == "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" ? true : false # See docs for possible values: https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1beta4/instances#ipconfiguration
+ ssl_mode = var.ssl_mode
private_network = var.private_network
allocated_ip_range = var.allocated_ip_range
}
diff --git a/modules/mysql/variables.tf b/modules/mysql/variables.tf
index 7615006..13cabc9 100644
--- a/modules/mysql/variables.tf
+++ b/modules/mysql/variables.tf
@@ -115,10 +115,14 @@ variable "public" {
default = false
}
-variable "require_ssl" {
- description = "Set to false if you don not want to enforce SSL (less secure)."
- type = bool
- default = true
+variable "ssl_mode" {
+ description = "Specify how SSL connection should be enforced in DB connections."
+ type = string
+ default = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ validation {
+ condition = var.ssl_mode == "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" || var.ssl_mode == "ENCRYPTED_ONLY" || var.ssl_mode == "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
+ error_message = "ssl_mode only supports TRUSTED_CLIENT_CERTIFICATE_REQUIRED, ENCRYPTED_ONLY or ALLOW_UNENCRYPTED_AND_ENCRYPTED."
+ }
}
variable "private_network" {
diff --git a/modules/postgresql/.terraform-docs.yml b/modules/postgresql/.terraform-docs.yml
new file mode 100644
index 0000000..9ae0793
--- /dev/null
+++ b/modules/postgresql/.terraform-docs.yml
@@ -0,0 +1,32 @@
+formatter: markdown table
+
+sections:
+ hide-all: true
+ show:
+ - requirements
+ - providers
+ - inputs
+ - outputs
+ - modules
+
+output:
+ file: README.md
+ mode: inject
+ template: |-
+
+ {{ .Content }}
+
+
+sort:
+ enabled: true
+ by: required
+
+settings:
+ anchor: true
+ color: true
+ default: true
+ escape: true
+ indent: 2
+ required: true
+ sensitive: true
+ type: true
diff --git a/modules/postgresql/README.md b/modules/postgresql/README.md
index 49168da..060dd8b 100644
--- a/modules/postgresql/README.md
+++ b/modules/postgresql/README.md
@@ -58,35 +58,32 @@ module "my-private-postgresql-db" {
|------|---------|
| [terraform](#requirement\_terraform) | ~> 1.3 |
| [google](#requirement\_google) | ~> 4.4 |
+| [random](#requirement\_random) | ~> 3 |
## Providers
| Name | Version |
|------|---------|
| [google](#provider\_google) | ~> 4.4 |
-| [random](#provider\_random) | n/a |
+| [random](#provider\_random) | ~> 3 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [encryption](#module\_encryption) | ../encryption | n/a |
-| [postgresql-db](#module\_postgresql-db) | GoogleCloudPlatform/sql-db/google//modules/postgresql | 11.0.0 |
+| [postgresql-db](#module\_postgresql-db) | GoogleCloudPlatform/sql-db/google//modules/postgresql | 14.1.0 |
| [secrets](#module\_secrets) | ../secrets | n/a |
-## Resources
-
-| Name | Type |
-|------|------|
-| [google_cloud_scheduler_job.exporter](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_scheduler_job) | resource |
-| [google_storage_bucket_iam_member.exporter](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
-| [random_shuffle.zone](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/shuffle) | resource |
-| [google_compute_zones.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_zones) | data source |
-
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [disk\_limit](#input\_disk\_limit) | The maximum size to which storage can be auto increased. | `number` | n/a | yes |
+| [name](#input\_name) | The name of the Cloud SQL resource. | `string` | n/a | yes |
+| [project\_id](#input\_project\_id) | The project ID to manage the Cloud SQL resource. | `string` | n/a | yes |
+| [region](#input\_region) | Region for the master instance. | `string` | n/a | yes |
+| [users](#input\_users) | List of the User's name you want to create (passwords will be auto-generated). Warning! All those users will be admin and have access to all databases created with this module. | `list(string)` | n/a | yes |
| [allocated\_ip\_range](#input\_allocated\_ip\_range) | The name of the allocated ip range for the private ip CloudSQL instance. For example: "google-managed-services-default". If set, the instance ip will be created in the allocated range. | `string` | `null` | no |
| [availability\_type](#input\_availability\_type) | Is CloudSQL instance Regional or Zonal correct values = (REGIONAL\|ZONAL). | `string` | `"REGIONAL"` | no |
| [backup\_configuration](#input\_backup\_configuration) | The backup\_configuration settings subblock for the database setings. | `any` | `{}` | no |
@@ -95,23 +92,18 @@ module "my-private-postgresql-db" {
| [databases](#input\_databases) | List of the default DBs you want to create. | map(object({
export_backup = bool
export_schedule = optional(string, "0 2 * * *")
})) | `{}` | no |
| [db\_charset](#input\_db\_charset) | Charset for the DB. | `string` | `"utf8"` | no |
| [db\_collation](#input\_db\_collation) | Collation for the DB. | `string` | `"en_US.UTF8"` | no |
-| [disk\_limit](#input\_disk\_limit) | The maximum size to which storage can be auto increased. | `number` | n/a | yes |
| [disk\_type](#input\_disk\_type) | The disk type (PD\_SSD, PD\_HDD). | `string` | `"PD_SSD"` | no |
| [encryption\_key\_id](#input\_encryption\_key\_id) | The full path to the encryption key used for the CMEK disk encryption. The provided key must be in the same region as the SQL instance. If not provided, a KMS key will be generated. | `string` | `null` | no |
| [encryption\_key\_rotation\_period](#input\_encryption\_key\_rotation\_period) | The encryption key rotation period for the CMEK disk encryption. The provided key must be in the same region as the SQL instance. If encryption\_key\_id is defined, this variable is not used. | `string` | `"7889400s"` | no |
| [engine\_version](#input\_engine\_version) | The version of PostgreSQL engine. Check https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#database_version for possible versions. | `string` | `"POSTGRES_14"` | no |
| [instance\_deletion\_protection](#input\_instance\_deletion\_protection) | Used to block Terraform from deleting a SQL Instance. | `bool` | `false` | no |
| [labels](#input\_labels) | Labels to add to the CloudSQL and its replicas. | `map(string)` | `{}` | no |
-| [name](#input\_name) | The name of the Cloud SQL resource. | `string` | n/a | yes |
| [private\_network](#input\_private\_network) | The vpc id to create the instance into. | `string` | `null` | no |
-| [project\_id](#input\_project\_id) | The project ID to manage the Cloud SQL resource. | `string` | n/a | yes |
| [public](#input\_public) | Set to true if the master instance should also have a public IP (less secure). | `bool` | `false` | no |
-| [region](#input\_region) | Region for the master instance. | `string` | n/a | yes |
| [replicas](#input\_replicas) | The replicas instance names and configuration. | `map(any)` | `{}` | no |
-| [require\_ssl](#input\_require\_ssl) | Set to false if you don not want to enforce SSL (less secure). | `bool` | `true` | no |
| [sql\_exporter](#input\_sql\_exporter) | The SQL exporter to use for backups if needed. | object({
bucket_name = string
pubsub_topic = string
timezone = optional(string, "UTC")
}) | `null` | no |
+| [ssl\_mode](#input\_ssl\_mode) | Specify how SSL connection should be enforced in DB connections. | `string` | `"TRUSTED_CLIENT_CERTIFICATE_REQUIRED"` | no |
| [tier](#input\_tier) | The database tier (db-f1-micro, db-custom-cpu-ram). | `string` | `"db-f1-micro"` | no |
-| [users](#input\_users) | List of the User's name you want to create (passwords will be auto-generated). Warning! All those users will be admin and have access to all databases created with this module. | `list(string)` | n/a | yes |
## Outputs
@@ -122,5 +114,6 @@ module "my-private-postgresql-db" {
| [private\_ip\_address](#output\_private\_ip\_address) | The first private IPv4 address assigned for the master instance. |
| [public\_ip\_address](#output\_public\_ip\_address) | The first public (PRIMARY) IPv4 address assigned for the master instance. |
| [read\_replica\_instance\_names](#output\_read\_replica\_instance\_names) | The instance names for the read replica instances. |
+| [secrets](#output\_secrets) | The secrets created for the users. |
| [users](#output\_users) | List of maps of users and passwords. |
diff --git a/modules/postgresql/locals.tf b/modules/postgresql/locals.tf
index b1dae73..a28fd41 100644
--- a/modules/postgresql/locals.tf
+++ b/modules/postgresql/locals.tf
@@ -5,7 +5,8 @@ locals {
# We never set authorized networks, we need all connections via the
# public IP to be mediated by Cloud SQL Proxy.
authorized_networks = []
- require_ssl = var.require_ssl
+ require_ssl = var.ssl_mode == "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" ? true : false # See docs for possible values: https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1beta4/instances#ipconfiguration
+ ssl_mode = var.ssl_mode
private_network = var.private_network
allocated_ip_range = var.allocated_ip_range
}
diff --git a/modules/postgresql/variables.tf b/modules/postgresql/variables.tf
index 04dacfc..c74b850 100644
--- a/modules/postgresql/variables.tf
+++ b/modules/postgresql/variables.tf
@@ -111,10 +111,14 @@ variable "public" {
default = false
}
-variable "require_ssl" {
- description = "Set to false if you don not want to enforce SSL (less secure)."
- type = bool
- default = true
+variable "ssl_mode" {
+ description = "Specify how SSL connection should be enforced in DB connections."
+ type = string
+ default = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ validation {
+ condition = var.ssl_mode == "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" || var.ssl_mode == "ENCRYPTED_ONLY" || var.ssl_mode == "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
+ error_message = "ssl_mode only supports TRUSTED_CLIENT_CERTIFICATE_REQUIRED, ENCRYPTED_ONLY or ALLOW_UNENCRYPTED_AND_ENCRYPTED."
+ }
}
variable "private_network" {