Terraform GCP Cloud SQL users setup

This module creates users for a Cloud SQL instance, grants them permissions and exports their credentials to GCP Secret Manager.

Only PostgreSQL is supported.

Usage

module "database_users" {
  source = "git::ssh://[email protected]/AckeeCZ/terraform-gcp-cloud-sql-user.git"
  users = {
    "ackee.fella" : {
      permissions : ["DELETE", "SELECT", "INSERT", "REFERENCES", "TRIGGER", "TRUNCATE", "UPDATE"]
      seq_permissions : ["USAGE", "UPDATE", "SELECT"]
      seq_objects : [
        "audits_id_seq",
        "countries_id_seq",
        "discounts_id_seq",
        "ga_callbacks_id_seq",
        "invoices_id_seq",
        "languages_id_seq",
        "merchants_id_seq",
        "mf_callbacks_id_seq",
        "shops_id_seq"
      ]
    }
    "reader-sa" : {
      permissions : ["SELECT"]
      create_sa : true
    }
    "[email protected]" : {
      permissions : ["SELECT"]
      type : "CLOUD_IAM_USER"
    }
  }
  database               = local.postgres_database_name
  postgres_instance_name = local.instance_name
  project                = var.project
}

See the example folder for more details.

Users variable

The users variable is a map of users, keyed by user login. Each user has the following attributes:

  • permissions - list of permissions for database objects
  • seq_permissions - list of permissions for sequences
  • seq_objects - list of sequence objects the sequence permissions apply to
  • create_sa - create a service account for the user
  • type - type of user; default is BUILT_IN, the other option is CLOUD_IAM_USER
  • special - use special characters in the generated password
  • override_special - override the set of special characters used in the password
  • role - role for the user; defaults to the key in the users map
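An added configuration example (not from the module's README) that exercises the attributes above which the Usage block leaves out, together with the owner, save_credentials and expose_password inputs; the module path, database, instance, project and role names are placeholders.

```hcl
module "database_users" {
  # Placeholder path; use the module source shown in the Usage section.
  source = "./modules/cloud-sql-user"

  users = {
    # Application writer: table DML only, sequence usage for serial columns,
    # and a role name that differs from the map key (the login).
    "shop-api" : {
      permissions     : ["SELECT", "INSERT", "UPDATE", "DELETE"]
      seq_permissions : ["USAGE", "SELECT"]
      seq_objects     : ["orders_id_seq"]
      role            : "shop_api_rw"
      # Limit the generated password's special characters to a set that
      # needs no escaping in connection strings.
      special          : true
      override_special : "_-."
    }
    # Read-only reporting user with its own service account (see
    # google_project_iam_member.assign_cloudsql_client under Resources).
    "reporting-sa" : {
      permissions : ["SELECT"]
      create_sa   : true
    }
  }

  database               = "shop"           # placeholder
  postgres_instance_name = "shop-pg-prod"   # placeholder
  project                = "my-gcp-project" # placeholder

  # With owner set, the grants are also applied as default privileges
  # (postgresql_default_privileges), so objects created later by this
  # owner role inherit them.
  owner = "shop_owner" # placeholder

  # Keep passwords in Secret Manager and out of Terraform outputs. Note that
  # random_password still records the value in Terraform state, so the state
  # backend must be protected as a secret store in its own right.
  save_credentials = true
  expose_password  = false
}
```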

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| google | n/a |
| postgresql | n/a |
| random | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| google_project_iam_member.assign_cloudsql_client | resource |
| google_project_iam_member.test | resource |
| google_project_iam_member.test_cloudsql_client | resource |
| google_secret_manager_secret.database_credentials | resource |
| google_secret_manager_secret_version.database_credentials | resource |
| google_service_account.sa | resource |
| google_service_account_key.sa_key | resource |
| google_sql_user.user | resource |
| postgresql_default_privileges.permissions | resource |
| postgresql_default_privileges.seq_permissions | resource |
| postgresql_grant.permissions | resource |
| postgresql_grant.seq_permissions | resource |
| random_password.password | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| database | Database name used for permission setup | string | n/a | yes |
| expose_password | Expose password to Terraform output | bool | false | no |
| owner | If set, default privileges will be set for users | string | "" | no |
| postgres_instance_name | Cloud SQL instance name | string | n/a | yes |
| project | Project ID | string | n/a | yes |
| save_credentials | Save credentials to GCP Secret Manager | bool | true | no |
| users | Map of users and their attributes, key is the user login | map | {} | no |

Outputs

| Name | Description |
|------|-------------|
| passwords | Passwords generated |