fix!: Change additional user default password (#332)

carash · web-flow · commit f96f71ed00e5 · 2022-08-12T10:11:55.000-07:00
* Change additional_users default password
* Update unit test with sensitive values
* Add upgrade section to docs
* Fix example sensitive output
* Update docs/upgrading_to_sql_db_12.0.0.md
diff --git a/docs/upgrading_to_sql_db_12.0.0.md b/docs/upgrading_to_sql_db_12.0.0.md
@@ -95,3 +95,19 @@ module "pg" {
   ]
 }
 ```
+
+Prior to the 12.0.0 `mysql` module release, additional users were created using the `default_user`'s password. In order to keep the password unchanged for additional users for release 12.0.0 and up, `additional_user`'s passwords need to be set explicitly using the `default_user`'s generated password.
+
+```diff
+module "mysql" {
+  source  = "GoogleCloudPlatform/sql-db/google//modules/mysql"
+- version = "~> 11.0"
++ version = "~> 12.0"
+
+  project_id       = var.project_id
+  additional_users = [{
+    name     = "admin"
++   password = module.mysql.generated_user_password
+  }]
+}
+```
diff --git a/examples/mysql-private/outputs.tf b/examples/mysql-private/outputs.tf
@@ -30,6 +30,7 @@ output "mysql_conn" {
 }
 
 output "mysql_user_pass" {
+  sensitive   = true
   value       = module.safer-mysql-db.generated_user_password
   description = "The password for the default user. If not set, a random one will be generated and available in the generated_user_password output variable."
 }
diff --git a/examples/mysql-public/outputs.tf b/examples/mysql-public/outputs.tf
@@ -30,6 +30,7 @@ output "mysql_conn" {
 }
 
 output "mysql_user_pass" {
+  sensitive   = true
   value       = module.mysql-db.generated_user_password
   description = "The password for the default user. If not set, a random one will be generated and available in the generated_user_password output variable."
 }
diff --git a/modules/mysql/main.tf b/modules/mysql/main.tf
@@ -192,7 +192,7 @@ resource "google_sql_user" "additional_users" {
   for_each = local.users
   project  = var.project_id
   name     = each.value.name
-  password = lookup(each.value, "password", random_password.user-password.result)
+  password = lookup(each.value, "password", random_password.additional_passwords[each.key].result)
   host     = lookup(each.value, "host", var.user_host)
   instance = google_sql_database_instance.default.name
   type     = lookup(each.value, "type", "BUILT_IN")

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ output "mysql_conn" {`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`output "mysql_user_pass" {`
	`33`	`+ sensitive = true`
`33`	`34`	`value = module.safer-mysql-db.generated_user_password`
`34`	`35`	`description = "The password for the default user. If not set, a random one will be generated and available in the generated_user_password output variable."`
`35`	`36`	`}`