feat: Create random passwords for additional_users (#236)

samcre · web-flow · commit 94ef3de43200 · 2021-09-10T11:13:50.000-04:00
* Creates random passwords for additional_users

For every Cloud SQL instance type, if `additional_users.password` it's
an empty string, the module will create a random password.

Also, adds an output to retrieve users and passwords from other
resources.

* Updates README.md

* Adds missing key on mssql module

* Fixes key on MSSQL module

* Updates outputs for every module
diff --git a/modules/mssql/README.md b/modules/mssql/README.md
@@ -48,6 +48,7 @@ The following dependency must be available for SQL Server module:
 
 | Name | Description |
 |------|-------------|
+| additional\_users | List of maps of additional users and passwords |
 | generated\_user\_password | The auto generated default user password if not input password was provided |
 | instance\_address | The IPv4 addesses assigned for the master instance |
 | instance\_connection\_name | The connection name of the master instance to be used in connection strings |
diff --git a/modules/mssql/main.tf b/modules/mssql/main.tf
@@ -155,6 +155,13 @@ resource "random_password" "user-password" {
   depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
 
+resource "random_password" "additional_passwords" {
+  for_each   = local.users
+  length     = 8
+  special    = true
+  depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
+}
+
 resource "google_sql_user" "default" {
   name       = var.user_name
   project    = var.project_id
@@ -167,7 +174,7 @@ resource "google_sql_user" "additional_users" {
   for_each   = local.users
   project    = var.project_id
   name       = each.value.name
-  password   = lookup(each.value, "password", random_password.user-password.result)
+  password   = lookup(each.value, "password", random_password.additional_passwords[each.value.name].result)
   instance   = google_sql_database_instance.default.name
   depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
diff --git a/modules/mssql/outputs.tf b/modules/mssql/outputs.tf
@@ -61,6 +61,17 @@ output "generated_user_password" {
   sensitive   = true
 }
 
+output "additional_users" {
+  description = "List of maps of additional users and passwords"
+  value = [for r in google_sql_user.additional_users :
+    {
+      name     = r.name
+      password = r.password
+    }
+  ]
+  sensitive = true
+}
+
 output "root_password" {
   description = "MSSERVER password for the root user. If not set, a random one will be generated and available in the root_password output variable."
   value       = coalesce(var.root_password, random_password.root-password.result)
diff --git a/modules/mysql/README.md b/modules/mysql/README.md
@@ -51,6 +51,7 @@ Note: CloudSQL provides [disk autoresize](https://cloud.google.com/sql/docs/mysq
 
 | Name | Description |
 |------|-------------|
+| additional\_users | List of maps of additional users and passwords |
 | generated\_user\_password | The auto generated default user password if not input password was provided |
 | instance\_connection\_name | The connection name of the master instance to be used in connection strings |
 | instance\_first\_ip\_address | The first IPv4 address of the addresses assigned for the master instance. |
diff --git a/modules/mysql/main.tf b/modules/mysql/main.tf
@@ -160,6 +160,16 @@ resource "random_id" "user-password" {
   depends_on  = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
 
+resource "random_id" "additional_passwords" {
+  for_each = local.users
+  keepers = {
+    name = google_sql_database_instance.default.name
+  }
+
+  byte_length = 8
+  depends_on  = [null_resource.module_depends_on, google_sql_database_instance.default]
+}
+
 resource "google_sql_user" "default" {
   count      = var.enable_default_user ? 1 : 0
   name       = var.user_name
diff --git a/modules/mysql/outputs.tf b/modules/mysql/outputs.tf
@@ -92,6 +92,17 @@ output "generated_user_password" {
   sensitive   = true
 }
 
+output "additional_users" {
+  description = "List of maps of additional users and passwords"
+  value = [for r in google_sql_user.additional_users :
+    {
+      name     = r.name
+      password = r.password
+    }
+  ]
+  sensitive = true
+}
+
 output "public_ip_address" {
   description = "The first public (PRIMARY) IPv4 address assigned for the master instance"
   value       = google_sql_database_instance.default.public_ip_address
diff --git a/modules/postgresql/README.md b/modules/postgresql/README.md
@@ -52,6 +52,7 @@ Note: CloudSQL provides [disk autoresize](https://cloud.google.com/sql/docs/mysq
 
 | Name | Description |
 |------|-------------|
+| additional\_users | List of maps of additional users and passwords |
 | generated\_user\_password | The auto generated default user password if not input password was provided |
 | instance\_connection\_name | The connection name of the master instance to be used in connection strings |
 | instance\_first\_ip\_address | The first IPv4 address of the addresses assigned. |
diff --git a/modules/postgresql/main.tf b/modules/postgresql/main.tf
@@ -171,6 +171,16 @@ resource "random_id" "user-password" {
   depends_on  = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
 
+resource "random_id" "additional_passwords" {
+  for_each = local.users
+  keepers = {
+    name = google_sql_database_instance.default.name
+  }
+
+  byte_length = 8
+  depends_on  = [null_resource.module_depends_on, google_sql_database_instance.default]
+}
+
 resource "google_sql_user" "default" {
   count      = var.enable_default_user ? 1 : 0
   name       = var.user_name
@@ -184,7 +194,7 @@ resource "google_sql_user" "additional_users" {
   for_each   = local.users
   project    = var.project_id
   name       = each.value.name
-  password   = coalesce(each.value["password"], random_id.user-password.hex)
+  password   = coalesce(each.value["password"], random_id.additional_passwords[each.value.name].hex)
   instance   = google_sql_database_instance.default.name
   depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
diff --git a/modules/postgresql/outputs.tf b/modules/postgresql/outputs.tf
@@ -97,6 +97,17 @@ output "generated_user_password" {
   sensitive   = true
 }
 
+output "additional_users" {
+  description = "List of maps of additional users and passwords"
+  value = [for r in google_sql_user.additional_users :
+    {
+      name     = r.name
+      password = r.password
+    }
+  ]
+  sensitive = true
+}
+
 // Resources
 output "primary" {
   value       = google_sql_database_instance.default
