Merge pull request #35 from mmontan/safe-sql

Added a module for MySQL for configurations that are safer than the default

Author: namusyaka

README.md

@@ -29,6 +29,14 @@ In order to operate with the Service Account you must activate the following API
 
 - Cloud SQL API
 
+In order to use Private Service Access, required for using Private IPs, you must activate
+the following APIs on the project where your VPC resides:
+
+- Cloud SQL Admin API
+- Compute Engine API
+- Service Networking API
+- Cloud Resource Manager API
+
 #### Service Account Credentials
 
 You can pass the service account credentials into this module by setting the following environment variables:
@@ -62,7 +70,7 @@ The integration tests for this module leverage kitchen-terraform and kitchen-ins
 You must set up by manually before running the integration test:
 
 ```sh
-for instance in mysql-simple mysql-ha postgresql-simple postgresql-ha; do
+for instance in mysql-simple mysql-ha postgresql-simple postgresql-ha safer-mysql-simple; do
   cp "test/fixtures/$instance/terraform.tfvars.example" "test/fixtures/$instance/terraform.tfvars"
   $EDITOR "test/fixtures/$instance/terraform.tfvars"
 done
@@ -72,6 +80,8 @@ And then, you should pass the service account credentials for running inspec by
 
 - `GOOGLE_APPLICATION_CREDENTIALS`
 
+The project used for testing needs the Cloud Resource Manager API service enabled, and the service account should be assigned `roles/compute.networkAdmin` (in addition to `roles/cloudsql.admin`) to instantiate the VPC required in the tests.
+
 The tests will do the following:
 
 - Perform `bundle install` command

examples/mysql-and-postgres/README.md

@@ -28,15 +28,17 @@ chmod +x cloud_sql_proxy
 ```bash
 MYSQL_CONN_NAME=$(terraform output mysql_conn)
 PSQL_CONN_NAME=$(terraform output psql_conn)
+SAFER_MYSQL_CONN_NAME=$(terraform output safer_mysql_conn)
 
-./cloud_sql_proxy -instances=${MYSQL_CONN_NAME}=tcp:3306,${PSQL_CONN_NAME}=tcp:5432 &
+./cloud_sql_proxy -instances=${MYSQL_CONN_NAME}=tcp:3306,${PSQL_CONN_NAME}=tcp:5432,${MYSQL_CONN_NAME}=tcp:6306 &
 ```
 
 3. Get the generated user passwords:
 
 ```
 echo MYSQL_PASSWORD=$(terraform output mysql_user_pass)
 echo PSQL_PASSWORD=$(terraform output psql_user_pass)
+echo SAFER_MYSQL_PASSWORD=$(terraform output safer_mysql_user_pass)
 ```
 
 4. Test the MySQL connection:
@@ -55,6 +57,14 @@ psql -h 127.0.0.1 --user default
 
 > When prompted, enter the value of PSQL_PASSWORD
 
+4. Test the MySQL connection to the safer second instance:
+
+```
+mysql -udefault -p --host 127.0.0.1 --port 6306 default
+```
+
+> When prompted, enter the value of SAFER_MYSQL_PASSWORD
+
 ## Cleanup
 
 1. Stop the Cloud SQL Proxy:

examples/mysql-and-postgres/main.tf

@@ -38,25 +38,33 @@ provider "google" {
   region = "${var.region}"
 }
 
+provider "google-beta" {
+  region = "${var.region}"
+}
+
 variable "network_name" {
   default = "mysql-psql-example"
 }
 
+data "google_client_config" "current" {}
+
+variable "project_id" {}
+
 resource "google_compute_network" "default" {
+  project                 = "${var.project_id}"
   name                    = "${var.network_name}"
-  auto_create_subnetworks = "false"
+  auto_create_subnetworks = false
 }
 
 resource "google_compute_subnetwork" "default" {
+  project                  = "${var.project_id}"
   name                     = "${var.network_name}"
   ip_cidr_range            = "10.127.0.0/20"
   network                  = "${google_compute_network.default.self_link}"
   region                   = "${var.region}"
   private_ip_google_access = true
 }
 
-data "google_client_config" "current" {}
-
 resource "random_id" "name" {
   byte_length = 2
 }
@@ -65,10 +73,12 @@ module "mysql-db" {
   source           = "../../modules/mysql"
   name             = "example-mysql-${random_id.name.hex}"
   database_version = "${var.mysql_version}"
-  project_id       = "${data.google_client_config.current.project}"
+  project_id       = "${var.project_id}"
   zone             = "c"
 
   ip_configuration = [{
+    ipv4_enabled = true
+
     authorized_networks = [{
       name  = "${var.network_name}"
       value = "${google_compute_subnetwork.default.ip_cidr_range}"
@@ -87,29 +97,71 @@ module "postgresql-db" {
   source           = "../../modules/postgresql"
   name             = "example-postgresql-${random_id.name.hex}"
   database_version = "${var.postgresql_version}"
-  project_id       = "${data.google_client_config.current.project}"
+  project_id       = "${var.project_id}"
   zone             = "c"
 
   ip_configuration = [{
+    ipv4_enabled = true
+
     authorized_networks = [{
       name  = "${var.network_name}"
       value = "${google_compute_subnetwork.default.ip_cidr_range}"
     }]
   }]
 }
 
+// We define a connection with the VPC of the Cloud SQL instance.
+module "private-service-access" {
+  source      = "../../modules/private_service_access"
+  project_id  = "${var.project_id}"
+  vpc_network = "${google_compute_network.default.self_link}"
+}
+
+module "safer-mysql-db" {
+  source           = "../../modules/safer_mysql"
+  name             = "example-safer-mysql-${random_id.name.hex}"
+  database_version = "${var.mysql_version}"
+  project_id       = "${var.project_id}"
+  region           = "${var.region}"
+  zone             = "c"
+
+  # By default, all users will be permitted to connect only via the
+  # Cloud SQL proxy.
+  additional_users = [{
+    name = "app"
+  },
+    {
+      name = "readonly"
+    },
+  ]
+
+  assign_public_ip = true
+  vpc_network      = "${google_compute_network.default.self_link}"
+
+  // Used to enforce ordering in the creation of resources.
+  peering_completed = "${module.private-service-access.peering_completed}"
+}
+
 output "mysql_conn" {
-  value = "${data.google_client_config.current.project}:${var.region}:${module.mysql-db.instance_name}"
+  value = "${module.mysql-db.instance_connection_name}"
 }
 
 output "mysql_user_pass" {
   value = "${module.mysql-db.generated_user_password}"
 }
 
 output "psql_conn" {
-  value = "${data.google_client_config.current.project}:${var.region}:${module.postgresql-db.instance_name}"
+  value = "${module.postgresql-db.instance_connection_name}"
 }
 
 output "psql_user_pass" {
   value = "${module.postgresql-db.generated_user_password}"
 }
+
+output "safer_mysql_conn" {
+  value = "${module.safer-mysql-db.instance_connection_name}"
+}
+
+output "safer_mysql_user_pass" {
+  value = "${module.safer-mysql-db.generated_user_password}"
+}

kitchen.yml

@@ -37,3 +37,13 @@ suites:
       name: terraform
       root_module_directory: test/fixtures/postgresql-ha
       command_timeout: 1800
+  - name: safer-mysql-simple
+    driver:
+      name: terraform
+      root_module_directory: test/fixtures/safer-mysql-simple
+      command_timeout: 1800
+  - name: private-service-access
+    driver:
+      name: terraform
+      root_module_directory: test/fixtures/private-service-access
+      command_timeout: 1800

modules/mysql/main.tf

@@ -35,7 +35,7 @@ resource "google_sql_database_instance" "default" {
     activation_policy           = "${var.activation_policy}"
     authorized_gae_applications = ["${var.authorized_gae_applications}"]
     backup_configuration        = ["${var.backup_configuration}"]
-    ip_configuration            = "${local.ip_configurations["${local.ip_configuration_enabled ? "enabled" : "disabled"}"]}"
+    ip_configuration            = ["${local.ip_configurations["${local.ip_configuration_enabled ? "enabled" : "disabled"}"]}"]
 
     disk_autoresize = "${var.disk_autoresize}"
 

modules/postgresql/main.tf

@@ -35,7 +35,7 @@ resource "google_sql_database_instance" "default" {
     availability_type           = "${var.availability_type}"
     authorized_gae_applications = ["${var.authorized_gae_applications}"]
     backup_configuration        = ["${var.backup_configuration}"]
-    ip_configuration            = "${local.ip_configurations["${local.ip_configuration_enabled ? "enabled" : "disabled"}"]}"
+    ip_configuration            = ["${local.ip_configurations["${local.ip_configuration_enabled ? "enabled" : "disabled"}"]}"]
 
     disk_autoresize = "${var.disk_autoresize}"
     disk_size       = "${var.disk_size}"

modules/private_service_access/README.md

@@ -0,0 +1,34 @@
+# Submodule for VPC peering Cloud SQL services
+
+MySQL [Private IP](https://cloud.google.com/sql/docs/mysql/private-ip)
+configurations require a special peering between your VPC network and a
+VPC managed by Google. The module supports creating such a peering.
+
+It is sufficient to instantiate this module once for all MySQL instances
+that are connected to the same VPC.
+
+> NOTE: See the linked [documentation](https://cloud.google.com/sql/docs/mysql/private-ip)
+> for all requirements for accessing a MySQL instance via its Private IP.
+
+[^]: (autogen_docs_start)
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| address | First IP address of the IP range to allocate to CLoud SQL instances and other Private Service Access services. If not set, GCP will pick a valid one for you. | string | `""` | no |
+| ip\_version | IP Version for the allocation. Can be IPV4 or IPV6. | string | `""` | no |
+| labels | The key/value labels for the IP range allocated to the peered network. | map | `<map>` | no |
+| prefix\_length | Prefix length of the IP range reserved for Cloud SQL instances and other Private Service Access services. Defaults to /16. | string | `"16"` | no |
+| project\_id | The project ID of the VPC network to peer. This can be a shared VPC host projec. | string | n/a | yes |
+| vpc\_network | Name of the VPC network to peer. | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| address | First IP of the reserved range. |
+| google\_compute\_global\_address\_name | URL of the reserved range. |
+| peering\_completed | Use for enforce ordering between resource creation |
+
+[^]: (autogen_docs_end)

modules/private_service_access/main.tf

@@ -0,0 +1,46 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// We define a VPC peering subnet that will be peered with the
+// Cloud SQL instance network. The Cloud SQL instance will
+// have a private IP within the provided range.
+// https://cloud.google.com/vpc/docs/configure-private-services-access
+resource "google_compute_global_address" "google-managed-services-range" {
+  provider      = "google-beta"
+  project       = "${var.project_id}"
+  name          = "google-managed-services-${var.vpc_network}"
+  purpose       = "VPC_PEERING"
+  address       = "${var.address}"
+  prefix_length = "${var.prefix_length}"
+  ip_version    = "${var.ip_version}"
+  labels        = "${var.labels}"
+  address_type  = "INTERNAL"
+  network       = "${var.vpc_network}"
+}
+
+# Creates the peering with the producer network.
+resource "google_service_networking_connection" "private_service_access" {
+  provider                = "google-beta"
+  network                 = "${google_compute_global_address.google-managed-services-range.network}"
+  service                 = "servicenetworking.googleapis.com"
+  reserved_peering_ranges = ["${google_compute_global_address.google-managed-services-range.name}"]
+}
+
+resource "null_resource" "dependency_setter" {
+  depends_on = [
+    "google_service_networking_connection.private_service_access",
+  ]
+}

modules/private_service_access/outputs.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "address" {
+  value       = "${google_compute_global_address.google-managed-services-range.address}"
+  description = "First IP of the reserved range."
+}
+
+output "google_compute_global_address_name" {
+  value       = "${google_compute_global_address.google-managed-services-range.name}"
+  description = "URL of the reserved range."
+}
+
+output "peering_completed" {
+  value       = "${null_resource.dependency_setter.id}"
+  description = "Use for enforce ordering between resource creation"
+}

modules/private_service_access/variables.tf

@@ -0,0 +1,43 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project ID of the VPC network to peer. This can be a shared VPC host projec."
+}
+
+variable "vpc_network" {
+  description = "Name of the VPC network to peer."
+}
+
+variable "address" {
+  description = "First IP address of the IP range to allocate to CLoud SQL instances and other Private Service Access services. If not set, GCP will pick a valid one for you."
+  default     = ""
+}
+
+variable "prefix_length" {
+  description = "Prefix length of the IP range reserved for Cloud SQL instances and other Private Service Access services. Defaults to /16."
+  default     = "16"
+}
+
+variable "ip_version" {
+  description = "IP Version for the allocation. Can be IPV4 or IPV6."
+  default     = ""
+}
+
+variable "labels" {
+  description = "The key/value labels for the IP range allocated to the peered network."
+  default     = {}
+}