feat!: Switch to random_password instead of random_id (#308)

bharathkkb · mikecook · web-flow · commit 9126ee6c38e0 · 2022-06-01T19:13:15.000-05:00
* use random_password instead of random_id

- random_id byte_length = 8 (integers) contains 26.6 bits of
  entropy. hex encoding does not change that entropy.
  Instead use random_password length = 32 restricted to (upper,
  lower, int) which contains 190.5 bits of entropy.
- Restrict random_password to special = false to prevent issues
  with allowed characters.

* upgrade guide for default pass

Co-authored-by: Michael Cook &lt;mcook@octoml.ai&gt;
diff --git a/docs/upgrading_to_sql_db_11.0.0.md b/docs/upgrading_to_sql_db_11.0.0.md
@@ -4,6 +4,8 @@ The 11.0.0 release of SQL DB is a backward incompatible release. This incompatib
 
 ## Migration Instructions
 
+### Add support for setting disk_autoresize_limit
+
 Prior to the 11.0.0 release, all instances could only be created without a limit.
 
 ```hcl
@@ -91,3 +93,23 @@ module "pg" {
   ]
 }
 ```
+
+### Switched to using random_password to generate default passwords
+
+With the 11.0.0 release, the `random_id` resource used to generate default passwords has been replaced with `random_password` resource. This improves the default behavior by generating stronger passwords as defaults. To continue using the previously generated password and prevent updates to the `google_sql_user` resources, specify the old password via `user_password` variable or `additional_users.password`. It is recommended to store this value in [Secret Manager](https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets#secretmanager-create-secret-gcloud) as opposed to passing it in via plain text.
+
+```diff
++ data "google_secret_manager_secret_version" "user_password" {
++  secret_id = "pg-user-pass"
++  project   = var.project_id
++ }
+
+module "pg" {
+  source  = "GoogleCloudPlatform/sql-db/google//modules/postgresql"
+- version = "~> 10.0"
++ version = "~> 11.0"
+
+  project_id    = var.project_id
++ user_password = data.google_secret_manager_secret_version.user_password.secret_data
+}
+```
diff --git a/modules/mysql/main.tf b/modules/mysql/main.tf
@@ -153,23 +153,25 @@ resource "google_sql_database" "additional_databases" {
   depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
 
-resource "random_id" "user-password" {
+resource "random_password" "user-password" {
   keepers = {
     name = google_sql_database_instance.default.name
   }
 
-  byte_length = 8
-  depends_on  = [null_resource.module_depends_on, google_sql_database_instance.default]
+  length     = 32
+  special    = false
+  depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
 
-resource "random_id" "additional_passwords" {
+resource "random_password" "additional_passwords" {
   for_each = local.users
   keepers = {
     name = google_sql_database_instance.default.name
   }
 
-  byte_length = 8
-  depends_on  = [null_resource.module_depends_on, google_sql_database_instance.default]
+  length     = 32
+  special    = false
+  depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
 
 resource "google_sql_user" "default" {
@@ -178,7 +180,7 @@ resource "google_sql_user" "default" {
   project  = var.project_id
   instance = google_sql_database_instance.default.name
   host     = var.user_host
-  password = var.user_password == "" ? random_id.user-password.hex : var.user_password
+  password = var.user_password == "" ? random_password.user-password.result : var.user_password
   depends_on = [
     null_resource.module_depends_on,
     google_sql_database_instance.default,
@@ -190,7 +192,7 @@ resource "google_sql_user" "additional_users" {
   for_each = local.users
   project  = var.project_id
   name     = each.value.name
-  password = lookup(each.value, "password", random_id.user-password.hex)
+  password = lookup(each.value, "password", random_password.user-password.result)
   host     = lookup(each.value, "host", var.user_host)
   instance = google_sql_database_instance.default.name
   type     = lookup(each.value, "type", "BUILT_IN")
diff --git a/modules/mysql/outputs.tf b/modules/mysql/outputs.tf
@@ -88,7 +88,7 @@ output "read_replica_instance_names" {
 
 output "generated_user_password" {
   description = "The auto generated default user password if not input password was provided"
-  value       = random_id.user-password.hex
+  value       = random_password.user-password.result
   sensitive   = true
 }
 
diff --git a/modules/postgresql/main.tf b/modules/postgresql/main.tf
@@ -164,31 +164,33 @@ resource "google_sql_database" "additional_databases" {
   depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
 
-resource "random_id" "user-password" {
+resource "random_password" "user-password" {
   keepers = {
     name = google_sql_database_instance.default.name
   }
 
-  byte_length = 8
-  depends_on  = [null_resource.module_depends_on, google_sql_database_instance.default]
+  length     = 32
+  special    = false
+  depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
 
-resource "random_id" "additional_passwords" {
+resource "random_password" "additional_passwords" {
   for_each = local.users
   keepers = {
     name = google_sql_database_instance.default.name
   }
 
-  byte_length = 8
-  depends_on  = [null_resource.module_depends_on, google_sql_database_instance.default]
+  length     = 32
+  special    = false
+  depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
 
 resource "google_sql_user" "default" {
   count    = var.enable_default_user ? 1 : 0
   name     = var.user_name
   project  = var.project_id
   instance = google_sql_database_instance.default.name
-  password = var.user_password == "" ? random_id.user-password.hex : var.user_password
+  password = var.user_password == "" ? random_password.user-password.result : var.user_password
   depends_on = [
     null_resource.module_depends_on,
     google_sql_database_instance.default,
@@ -200,7 +202,7 @@ resource "google_sql_user" "additional_users" {
   for_each = local.users
   project  = var.project_id
   name     = each.value.name
-  password = coalesce(each.value["password"], random_id.additional_passwords[each.value.name].hex)
+  password = coalesce(each.value["password"], random_password.additional_passwords[each.value.name].result)
   instance = google_sql_database_instance.default.name
   depends_on = [
     null_resource.module_depends_on,
diff --git a/modules/postgresql/outputs.tf b/modules/postgresql/outputs.tf
@@ -93,7 +93,7 @@ output "read_replica_instance_names" {
 
 output "generated_user_password" {
   description = "The auto generated default user password if not input password was provided"
-  value       = random_id.user-password.hex
+  value       = random_password.user-password.result
   sensitive   = true
 }
 

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ output "read_replica_instance_names" {`
`88`	`88`
`89`	`89`	`output "generated_user_password" {`
`90`	`90`	`description = "The auto generated default user password if not input password was provided"`
`91`		`- value = random_id.user-password.hex`
	`91`	`+ value = random_password.user-password.result`
`92`	`92`	`sensitive = true`
`93`	`93`	`}`
`94`	`94`
Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ output "read_replica_instance_names" {`
`93`	`93`
`94`	`94`	`output "generated_user_password" {`
`95`	`95`	`description = "The auto generated default user password if not input password was provided"`
`96`		`- value = random_id.user-password.hex`
	`96`	`+ value = random_password.user-password.result`
`97`	`97`	`sensitive = true`
`98`	`98`	`}`
`99`	`99`