This repository has been archived by the owner on Dec 20, 2024. It is now read-only.

DRAFT: Feat: ssl mode #62

Open
wants to merge 2 commits into base: main
32 changes: 32 additions & 0 deletions modules/mysql/.terraform-docs.yml
@@ -0,0 +1,32 @@
formatter: markdown table

sections:
hide-all: true
show:
- requirements
- providers
- inputs
- outputs
- modules

output:
file: README.md
mode: inject
template: |-
<!-- BEGIN_TF_DOCS -->
{{ .Content }}
<!-- END_TF_DOCS -->

sort:
enabled: true
by: required

settings:
anchor: true
color: true
default: true
escape: true
indent: 2
required: true
sensitive: true
type: true
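Review bot: the `show:` list omits `resources`, so the regenerated READMEs lose their `## Resources` section (the postgresql README hunk in this PR deletes the existing one, including the `google_cloud_scheduler_job.exporter` and `google_storage_bucket_iam_member.exporter` rows). If that is intentional, say so in the PR description; otherwise add `- resources` to `show:`. The hiding of the header/footer via `hide-all: true` is fine, since the module README keeps its hand-written intro above `<!-- BEGIN_TF_DOCS -->`.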
17 changes: 16 additions & 1 deletion modules/mysql/README.md
Expand Up @@ -52,6 +52,21 @@ module "my-private-mysql-db" {
- [MySQL instance public, zonal, with backup exporter](examples/mysql_public_with_exporter)

<!-- BEGIN_TF_DOCS -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.3 |
| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 4.4 |
| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | ~> 4.4 |
| <a name="provider_random"></a> [random](#provider\_random) | ~> 3 |

## Modules

| Name | Source | Version |
Expand Down Expand Up @@ -86,8 +101,8 @@ module "my-private-mysql-db" {
| <a name="input_labels"></a> [labels](#input\_labels) | Labels to add to the CloudSQL and its replicas. | `map(string)` | `{}` | no |
| <a name="input_public"></a> [public](#input\_public) | Set to true if the master instance should also have a public IP (less secure). | `bool` | `false` | no |
| <a name="input_replicas"></a> [replicas](#input\_replicas) | The replicas instance names and configuration. | `map(any)` | `{}` | no |
| <a name="input_require_ssl"></a> [require\_ssl](#input\_require\_ssl) | Set to false if you don not want to enforce SSL (less secure). | `bool` | `true` | no |
| <a name="input_sql_exporter"></a> [sql\_exporter](#input\_sql\_exporter) | The SQL exporter to use for backups if needed. | <pre>object({<br> bucket_name = string<br> pubsub_topic = string<br> timezone = optional(string, "UTC")<br> })</pre> | `null` | no |
| <a name="input_ssl_mode"></a> [ssl\_mode](#input\_ssl\_mode) | Specify how SSL connection should be enforced in DB connections. | `string` | `"TRUSTED_CLIENT_CERTIFICATE_REQUIRED"` | no |
| <a name="input_tier"></a> [tier](#input\_tier) | The database tier (db-f1-micro, db-custom-cpu-ram). | `string` | `"db-f1-micro"` | no |
| <a name="input_users_host"></a> [users\_host](#input\_users\_host) | value | `string` | `""` | no |

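Review bot: the `require_ssl` row directly above the new `ssl_mode` row is still in the table even though variables.tf in this PR removes that variable; terraform-docs does not emit rows for undeclared inputs, so this table was generated before the rename. Re-run terraform-docs after the variables.tf change so the README matches the module interface (the "don not" typo in that stale row disappears with it).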
3 changes: 2 additions & 1 deletion modules/mysql/locals.tf
Expand Up @@ -5,7 +5,8 @@ locals {
# We never set authorized networks, we need all connections via the
# public IP to be mediated by Cloud SQL Proxy.
authorized_networks = []
require_ssl = var.require_ssl
require_ssl = var.ssl_mode == "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" ? true : false # See docs for possible values: https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1beta4/instances#ipconfiguration
ssl_mode = var.ssl_mode
private_network = var.private_network
allocated_ip_range = var.allocated_ip_range
}
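Review bot: `local.ssl_mode` is introduced but nothing in this PR's file list (no main.tf change) passes it to the upstream `sql-db` module, so the only effect of `var.ssl_mode` is the derived `require_ssl`. That makes `ENCRYPTED_ONLY` collapse to `require_ssl = false`, which under the legacy `requireSsl` semantics does not require encryption at all: a caller who picks ENCRYPTED_ONLY to drop only the client-certificate requirement ends up allowing unencrypted connections. Either wire `local.ssl_mode` through to the module's `ip_configuration` (after confirming that the pinned module version and the `~> 4.4` provider constraint actually expose an `ssl_mode` argument), or reject `ENCRYPTED_ONLY` in the validation until that is possible. Minor: `cond ? true : false` is just `cond`, and the doc link in the MySQL module points at the postgres API page; the same `ipConfiguration` field is documented under the mysql path.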
12 changes: 8 additions & 4 deletions modules/mysql/variables.tf
Expand Up @@ -115,10 +115,14 @@ variable "public" {
default = false
}

variable "require_ssl" {
description = "Set to false if you don not want to enforce SSL (less secure)."
type = bool
default = true
variable "ssl_mode" {
description = "Specify how SSL connection should be enforced in DB connections."
type = string
default = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
validation {
condition = var.ssl_mode == "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" || var.ssl_mode == "ENCRYPTED_ONLY" || var.ssl_mode == "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
error_message = "ssl_mode only supports TRUSTED_CLIENT_CERTIFICATE_REQUIRED, ENCRYPTED_ONLY or ALLOW_UNENCRYPTED_AND_ENCRYPTED."
}
}

variable "private_network" {
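Review bot: replacing `require_ssl` with `ssl_mode` and no compatibility shim is a breaking change for every caller that currently sets `require_ssl` (Terraform errors on an undeclared input), and nothing in the PR flags it. Either keep a deprecated `require_ssl` that maps `true` to `TRUSTED_CLIENT_CERTIFICATE_REQUIRED` and `false` to `ALLOW_UNENCRYPTED_AND_ENCRYPTED`, or call the break out explicitly. The new default does preserve previous behaviour, since the legacy `require_ssl = true` is the equivalent of TRUSTED_CLIENT_CERTIFICATE_REQUIRED. The three-way `||` condition reads better as `contains(["TRUSTED_CLIENT_CERTIFICATE_REQUIRED", "ENCRYPTED_ONLY", "ALLOW_UNENCRYPTED_AND_ENCRYPTED"], var.ssl_mode)`, and the description should state which value is the secure default and that `ALLOW_UNENCRYPTED_AND_ENCRYPTED` is the less secure option, as the old description did.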
32 changes: 32 additions & 0 deletions modules/postgresql/.terraform-docs.yml
@@ -0,0 +1,32 @@
formatter: markdown table

sections:
hide-all: true
show:
- requirements
- providers
- inputs
- outputs
- modules

output:
file: README.md
mode: inject
template: |-
<!-- BEGIN_TF_DOCS -->
{{ .Content }}
<!-- END_TF_DOCS -->

sort:
enabled: true
by: required

settings:
anchor: true
color: true
default: true
escape: true
indent: 2
required: true
sensitive: true
type: true
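Review bot: this file is byte-for-byte identical to modules/mysql/.terraform-docs.yml. terraform-docs accepts a config path via `-c`/`--config`, so one shared file at the repository root (passed with `--config` from the Makefile or CI step that regenerates the READMEs) avoids the two copies drifting apart, which matters here because the `show:` list controls which sections survive in each README.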
27 changes: 10 additions & 17 deletions modules/postgresql/README.md
Expand Up @@ -58,35 +58,32 @@ module "my-private-postgresql-db" {
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.3 |
| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 4.4 |
| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | ~> 4.4 |
| <a name="provider_random"></a> [random](#provider\_random) | n/a |
| <a name="provider_random"></a> [random](#provider\_random) | ~> 3 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_encryption"></a> [encryption](#module\_encryption) | ../encryption | n/a |
| <a name="module_postgresql-db"></a> [postgresql-db](#module\_postgresql-db) | GoogleCloudPlatform/sql-db/google//modules/postgresql | 11.0.0 |
| <a name="module_postgresql-db"></a> [postgresql-db](#module\_postgresql-db) | GoogleCloudPlatform/sql-db/google//modules/postgresql | 14.1.0 |
| <a name="module_secrets"></a> [secrets](#module\_secrets) | ../secrets | n/a |

## Resources

| Name | Type |
|------|------|
| [google_cloud_scheduler_job.exporter](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_scheduler_job) | resource |
| [google_storage_bucket_iam_member.exporter](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
| [random_shuffle.zone](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/shuffle) | resource |
| [google_compute_zones.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_zones) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_disk_limit"></a> [disk\_limit](#input\_disk\_limit) | The maximum size to which storage can be auto increased. | `number` | n/a | yes |
| <a name="input_name"></a> [name](#input\_name) | The name of the Cloud SQL resource. | `string` | n/a | yes |
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The project ID to manage the Cloud SQL resource. | `string` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | Region for the master instance. | `string` | n/a | yes |
| <a name="input_users"></a> [users](#input\_users) | List of the User's name you want to create (passwords will be auto-generated). Warning! All those users will be admin and have access to all databases created with this module. | `list(string)` | n/a | yes |
| <a name="input_allocated_ip_range"></a> [allocated\_ip\_range](#input\_allocated\_ip\_range) | The name of the allocated ip range for the private ip CloudSQL instance. For example: "google-managed-services-default". If set, the instance ip will be created in the allocated range. | `string` | `null` | no |
| <a name="input_availability_type"></a> [availability\_type](#input\_availability\_type) | Is CloudSQL instance Regional or Zonal correct values = (REGIONAL\|ZONAL). | `string` | `"REGIONAL"` | no |
| <a name="input_backup_configuration"></a> [backup\_configuration](#input\_backup\_configuration) | The backup\_configuration settings subblock for the database setings. | `any` | `{}` | no |
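Review bot: the regenerated table bumps `postgresql-db` from 11.0.0 to 14.1.0 and `random` from `n/a` to `~> 3`, yet no main.tf or versions.tf is in this PR's file list, so the old README was stale rather than the module being upgraded here; state that in the PR description so nobody reads this hunk as an upstream major-version upgrade needing migration review. The `## Resources` section is dropped entirely in this hunk, a consequence of the new `.terraform-docs.yml` not listing `resources` under `show:`; confirm that loss of documentation is intended. The remaining line moves are only the `sort: by: required` ordering.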
@@ -95,23 +92,18 @@ module "my-private-postgresql-db" {
| <a name="input_databases"></a> [databases](#input\_databases) | List of the default DBs you want to create. | <pre>map(object({<br> export_backup = bool<br> export_schedule = optional(string, "0 2 * * *")<br> }))</pre> | `{}` | no |
| <a name="input_db_charset"></a> [db\_charset](#input\_db\_charset) | Charset for the DB. | `string` | `"utf8"` | no |
| <a name="input_db_collation"></a> [db\_collation](#input\_db\_collation) | Collation for the DB. | `string` | `"en_US.UTF8"` | no |
| <a name="input_disk_limit"></a> [disk\_limit](#input\_disk\_limit) | The maximum size to which storage can be auto increased. | `number` | n/a | yes |
| <a name="input_disk_type"></a> [disk\_type](#input\_disk\_type) | The disk type (PD\_SSD, PD\_HDD). | `string` | `"PD_SSD"` | no |
| <a name="input_encryption_key_id"></a> [encryption\_key\_id](#input\_encryption\_key\_id) | The full path to the encryption key used for the CMEK disk encryption. The provided key must be in the same region as the SQL instance. If not provided, a KMS key will be generated. | `string` | `null` | no |
| <a name="input_encryption_key_rotation_period"></a> [encryption\_key\_rotation\_period](#input\_encryption\_key\_rotation\_period) | The encryption key rotation period for the CMEK disk encryption. The provided key must be in the same region as the SQL instance. If encryption\_key\_id is defined, this variable is not used. | `string` | `"7889400s"` | no |
| <a name="input_engine_version"></a> [engine\_version](#input\_engine\_version) | The version of PostgreSQL engine. Check https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#database_version for possible versions. | `string` | `"POSTGRES_14"` | no |
| <a name="input_instance_deletion_protection"></a> [instance\_deletion\_protection](#input\_instance\_deletion\_protection) | Used to block Terraform from deleting a SQL Instance. | `bool` | `false` | no |
| <a name="input_labels"></a> [labels](#input\_labels) | Labels to add to the CloudSQL and its replicas. | `map(string)` | `{}` | no |
| <a name="input_name"></a> [name](#input\_name) | The name of the Cloud SQL resource. | `string` | n/a | yes |
| <a name="input_private_network"></a> [private\_network](#input\_private\_network) | The vpc id to create the instance into. | `string` | `null` | no |
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The project ID to manage the Cloud SQL resource. | `string` | n/a | yes |
| <a name="input_public"></a> [public](#input\_public) | Set to true if the master instance should also have a public IP (less secure). | `bool` | `false` | no |
| <a name="input_region"></a> [region](#input\_region) | Region for the master instance. | `string` | n/a | yes |
| <a name="input_replicas"></a> [replicas](#input\_replicas) | The replicas instance names and configuration. | `map(any)` | `{}` | no |
| <a name="input_require_ssl"></a> [require\_ssl](#input\_require\_ssl) | Set to false if you don not want to enforce SSL (less secure). | `bool` | `true` | no |
| <a name="input_sql_exporter"></a> [sql\_exporter](#input\_sql\_exporter) | The SQL exporter to use for backups if needed. | <pre>object({<br> bucket_name = string<br> pubsub_topic = string<br> timezone = optional(string, "UTC")<br> })</pre> | `null` | no |
| <a name="input_ssl_mode"></a> [ssl\_mode](#input\_ssl\_mode) | Specify how SSL connection should be enforced in DB connections. | `string` | `"TRUSTED_CLIENT_CERTIFICATE_REQUIRED"` | no |
| <a name="input_tier"></a> [tier](#input\_tier) | The database tier (db-f1-micro, db-custom-cpu-ram). | `string` | `"db-f1-micro"` | no |
| <a name="input_users"></a> [users](#input\_users) | List of the User's name you want to create (passwords will be auto-generated). Warning! All those users will be admin and have access to all databases created with this module. | `list(string)` | n/a | yes |

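Review bot: as in the mysql README, the `require_ssl` row is still listed next to the new `ssl_mode` row although modules/postgresql/variables.tf in this PR deletes that variable; the table predates the rename. Regenerate after the variables.tf change so the documented inputs match what the module actually declares.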
## Outputs

@@ -122,5 +114,6 @@ module "my-private-postgresql-db" {
| <a name="output_private_ip_address"></a> [private\_ip\_address](#output\_private\_ip\_address) | The first private IPv4 address assigned for the master instance. |
| <a name="output_public_ip_address"></a> [public\_ip\_address](#output\_public\_ip\_address) | The first public (PRIMARY) IPv4 address assigned for the master instance. |
| <a name="output_read_replica_instance_names"></a> [read\_replica\_instance\_names](#output\_read\_replica\_instance\_names) | The instance names for the read replica instances. |
| <a name="output_secrets"></a> [secrets](#output\_secrets) | The secrets created for the users. |
| <a name="output_users"></a> [users](#output\_users) | List of maps of users and passwords. |
<!-- END_TF_DOCS -->
3 changes: 2 additions & 1 deletion modules/postgresql/locals.tf
Expand Up @@ -5,7 +5,8 @@ locals {
# We never set authorized networks, we need all connections via the
# public IP to be mediated by Cloud SQL Proxy.
authorized_networks = []
require_ssl = var.require_ssl
require_ssl = var.ssl_mode == "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" ? true : false # See docs for possible values: https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1beta4/instances#ipconfiguration
ssl_mode = var.ssl_mode
private_network = var.private_network
allocated_ip_range = var.allocated_ip_range
}
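Review bot: same defect as the mysql locals.tf: `local.ssl_mode` is defined but not consumed by any file in this PR, so `var.ssl_mode` only feeds the derived `require_ssl`, and `ENCRYPTED_ONLY` turns into `require_ssl = false`, i.e. unencrypted connections are permitted. Wire `local.ssl_mode` through to the upstream module's `ip_configuration` (checking that the pinned `sql-db` version and the `~> 4.4` google provider support `ssl_mode`) or disallow `ENCRYPTED_ONLY` until they do. `var.ssl_mode == "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"` already is a bool; the `? true : false` can go.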
12 changes: 8 additions & 4 deletions modules/postgresql/variables.tf
Expand Up @@ -111,10 +111,14 @@ variable "public" {
default = false
}

variable "require_ssl" {
description = "Set to false if you don not want to enforce SSL (less secure)."
type = bool
default = true
variable "ssl_mode" {
description = "Specify how SSL connection should be enforced in DB connections."
type = string
default = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
validation {
condition = var.ssl_mode == "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" || var.ssl_mode == "ENCRYPTED_ONLY" || var.ssl_mode == "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
error_message = "ssl_mode only supports TRUSTED_CLIENT_CERTIFICATE_REQUIRED, ENCRYPTED_ONLY or ALLOW_UNENCRYPTED_AND_ENCRYPTED."
}
}

variable "private_network" {
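Review bot: the `require_ssl` to `ssl_mode` rename is a hard break for existing callers of the postgresql module, identical to the mysql one, and should either ship with a deprecated `require_ssl` bridge (`true` = `TRUSTED_CLIENT_CERTIFICATE_REQUIRED`, `false` = `ALLOW_UNENCRYPTED_AND_ENCRYPTED`) or be announced as breaking. Prefer `contains([...], var.ssl_mode)` over the chained `||`, and keep the "less secure" wording from the old description on the `ALLOW_UNENCRYPTED_AND_ENCRYPTED` value so the risk of relaxing it stays visible in the generated README.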