diff --git a/.github/conventional-commit-lint.yaml b/.github/conventional-commit-lint.yaml deleted file mode 100644 index b1d8d8b8..00000000 --- a/.github/conventional-commit-lint.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# Copyright 2022-2025 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# NOTE: This file is automatically generated from: -# https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github - -enabled: true -always_check_pr_title: true diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index b24662aa..4730bc1b 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -20,8 +20,11 @@ name: 'lint' on: workflow_dispatch: pull_request: - branches: - - main + types: [opened, edited, reopened, synchronize] + branches: [main] + +permissions: + contents: read concurrency: group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}' 
@@ -52,3 +55,21 @@ jobs: env: ENABLE_BPMETADATA: 1 + commitlint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Setup node + uses: actions/setup-node@v4 + with: + node-version: lts/* + - name: Install commitlint + run: | + npm install -D @commitlint/cli@19.8.1 @commitlint/config-conventional@19.8.1 + echo "module.exports = { extends: ['@commitlint/config-conventional'], rules: {'subject-case': [0]} };" > commitlint.config.js + npx commitlint --version + - name: Validate PR commits with commitlint + if: github.event_name == 'pull_request' + run: 'echo "${{ github.event.pull_request.title }}" | npx commitlint --verbose' diff --git a/CHANGELOG.md b/CHANGELOG.md index de071629..26aa621b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
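Review bot: The final `run:` step of the new `commitlint` job interpolates `${{ github.event.pull_request.title }}` straight into the shell command, so the PR title — author-controlled text, and on a public repository `pull_request` also fires for PRs from forks — is spliced into the script before bash parses it. Pass it through an environment variable so the shell only ever sees it as data: `env:` / `PR_TITLE: ${{ github.event.pull_request.title }}` / `run: echo "$PR_TITLE" | npx commitlint --verbose`. The `permissions: contents: read` added in the earlier hunk bounds what the job's token can do, but the step should not depend on that alone. The `actions/checkout` step with `fetch-depth: 0` also appears unnecessary since only the title is linted, and pinning `actions/checkout` and `actions/setup-node` to a commit SHA rather than the moving `v4` tag would further harden the job.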
@@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +## [26.2.0](https://github.com/terraform-google-modules/terraform-google-sql-db/compare/v26.1.1...v26.2.0) (2025-08-29) + + +### Features + +* **deps:** Update Terraform Google Provider to v7 (major) ([#767](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/767)) ([3eb4c96](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/3eb4c964a06b8786956b8bf5d0c25535083efe1b)) +* Output the Service Attachment links for Replicas ([#758](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/758)) ([e5446b7](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/e5446b7c2d8ba5f227aa108b8431f3f082c281a9)) +* per module requirements ([#749](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/749)) ([0475973](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/0475973f7cf91e815dd176f2c2d8e8951aac4434)) + + +### Bug Fixes + +* Addng UI validations for MySql and PostgreSQL ([#759](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/759)) ([0b75726](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/0b757267c216276741c90b080984f0b20f318ad7)) +* correct typos in README and variables.tf descriptions ([#753](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/753)) ([1615d75](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/1615d7566e8681c7909bad1fbf71fc207e86a185)) +* rename app hub service id ([#757](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/757)) ([e9a7830](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/e9a7830fc6f3566b62aa18954da32e8b9fe606f4)) +* revert psc_config 
workaround - causes permanent drift ([#754](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/754)) ([3cb3eee](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/3cb3eeea08525d3d2829b546b8219f30fffa51af)) +* use local.zone fallback for replica region calculation ([#760](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/760)) ([4eb9309](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/4eb930993faf83cfdbc1b3b282f7389690b69431)) + ## [26.1.1](https://github.com/terraform-google-modules/terraform-google-sql-db/compare/v26.1.0...v26.1.1) (2025-07-11) diff --git a/Makefile b/Makefile index 2b1c170c..12312160 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ # Make will use bash instead of sh SHELL := /usr/bin/env bash -DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.22 +DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools REGISTRY_URL := gcr.io/cloud-foundation-cicd @@ -80,7 +80,7 @@ docker_generate_docs: -e ENABLE_BPMETADATA \ -v "$(CURDIR)":/workspace \ $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ - /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs' + /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs --per-module-requirements' # Alias for backwards compatibility .PHONY: generate_docs diff --git a/README.md b/README.md index 5d9dc974..96fd0148 100644 --- a/README.md +++ b/README.md 
@@ -15,18 +15,22 @@ If you find incompatibilities using Terraform `>=1.13`, please open an issue. ## Upgrading -The current version is 20.X. The following guides are available to assist with upgrades: +The current version is 26.X. The following guides are available to assist with upgrades: - [1.X -> 2.0](./docs/upgrading_to_sql_db_2.0.0.md) - [2.X -> 3.0](./docs/upgrading_to_sql_db_3.0.0.md) - [3.X -> 4.0](./docs/upgrading_to_sql_db_4.0.0.md) - [10.X -> 11.0](./docs/upgrading_to_sql_db_11.0.0.md) - [11.X -> 12.0](./docs/upgrading_to_sql_db_12.0.0.md) +- [13.X -> 14.0](./docs/upgrading_to_sql_db_14.0.0.md) +- [14.X -> 15.0](./docs/upgrading_to_sql_db_15.0.0.md) +- [16.X -> 17.0](./docs/upgrading_to_sql_db_17.0.0.md) - [19.X -> 20.0](./docs/upgrading_to_sql_db_20.0.0.md) - [20.X -> 21.0](./docs/upgrading_to_sql_db_21.0.md) - [21.X -> 22.0](./docs/upgrading_to_sql_db_22.0.md) - [22.X -> 23.0](./docs/upgrading_to_sql_db_23.0.md) - [23.X -> 24.0](./docs/upgrading_to_sql_db_24.0.md) +- [25.X -> 26.0](./docs/upgrading_to_sql_db_26.0.md) ## Root module @@ -83,7 +87,7 @@ For MySQL : ``` module "sql-db" { source = "GoogleCloudPlatform/sql-db/google//modules/mysql" - version = "~> 26.1" + version = "~> 26.2" } ``` diff --git a/examples/mssql-failover-replica/README.md b/examples/mssql-failover-replica/README.md index e9d9c72d..837c9f5f 100644 --- a/examples/mssql-failover-replica/README.md +++ b/examples/mssql-failover-replica/README.md @@ -23,7 +23,7 @@ Promote instance 2 as primary and change instance 1 as failover replica ```diff module "mssql2" { source = "terraform-google-modules/sql-db/google//modules/mssql" - version = "~> 26.1" + version = "~> 26.2" - master_instance_name = module.mssql1.instance_name diff --git a/examples/mssql-failover-replica/main.tf b/examples/mssql-failover-replica/main.tf index ccd4e416..a8bba20d 100644 --- a/examples/mssql-failover-replica/main.tf +++ b/examples/mssql-failover-replica/main.tf 
@@ -56,7 +56,7 @@ module "mssql1" { module "mssql2" { source = "terraform-google-modules/sql-db/google//modules/mssql" - version = "~> 25.0" + version = "~> 26.0" master_instance_name = module.mssql1.instance_name diff --git a/examples/mysql-private/main.tf b/examples/mysql-private/main.tf index 5bd4a0c7..f4ec2004 100644 --- a/examples/mysql-private/main.tf +++ b/examples/mysql-private/main.tf @@ -29,7 +29,7 @@ locals { module "network-safer-mysql-simple" { source = "terraform-google-modules/network/google" - version = "~> 10.0" + version = "~> 11.0" project_id = var.project_id network_name = local.network_name diff --git a/examples/postgresql-with-cross-region-failover/README.md b/examples/postgresql-with-cross-region-failover/README.md index 88644fb8..9633072b 100644 --- a/examples/postgresql-with-cross-region-failover/README.md +++ b/examples/postgresql-with-cross-region-failover/README.md @@ -26,7 +26,7 @@ Promote instance 2 as primary and change instance 1 as failover replica ```diff module "pg2" { source = "terraform-google-modules/sql-db/google//modules/postgresql" - version = "~> 26.1" + version = "~> 26.2" - master_instance_name = module.pg1.instance_name diff --git a/metadata.yaml b/metadata.yaml index fd390178..d9b8747b 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -75,26 +75,13 @@ spec: roles: - level: Project roles: - - roles/cloudkms.admin - - roles/cloudkms.cryptoKeyEncrypterDecrypter - - roles/cloudscheduler.admin - roles/cloudsql.admin - - roles/compute.admin - - roles/compute.networkAdmin - roles/iam.serviceAccountAdmin - roles/iam.serviceAccountUser - - roles/monitoring.editor - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/workflows.admin + - roles/serviceusage.serviceUsageAdmin services: - - cloudkms.googleapis.com - cloudresourcemanager.googleapis.com - - cloudscheduler.googleapis.com - - compute.googleapis.com - iam.googleapis.com - - monitoring.googleapis.com - - servicenetworking.googleapis.com - serviceusage.googleapis.com - sqladmin.googleapis.com - - workflows.googleapis.com diff --git a/modules/backup/metadata.yaml b/modules/backup/metadata.yaml index ad41812b..e9c3a59b 100644 --- a/modules/backup/metadata.yaml +++ b/modules/backup/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -61,10 +61,21 @@ spec: location: examples/private_service_access interfaces: variables: - - name: backup_monitoring_frequency - description: Timeframe in which there should be at least one successfull backup + - name: region + description: The region where to run the workflow varType: string - defaultValue: 1d + defaultValue: us-central1 + - name: service_account + description: The service account to use for running the workflow and triggering the workflow by Cloud Scheduler - If empty or null a service account will be created. If you have provided a service account you need to grant the Cloud SQL Admin and the Workflows Invoker role to that + varType: string + - name: project_id + description: The project ID + varType: string + required: true + - name: sql_instance + description: The name of the SQL instance to backup + varType: string + required: true - name: backup_retention_time description: The number of days backups should be kept varType: number 
@@ -73,69 +84,88 @@ spec: description: The max amount of backups to list when fetching internal backup runs for the instance. This number must be larger then the amount of backups you wish to keep. E.g. for a daily backup schedule and a backup_retention_time of 30 days, you'd need to set this to at least 31 for old backups to get deleted. varType: number defaultValue: 31 + - name: scheduler_timezone + description: The Timezone in which the Scheduler Jobs are triggered + varType: string + defaultValue: Etc/GMT - name: backup_schedule description: The cron schedule to execute the internal backup varType: string defaultValue: 45 2 * * * + - name: export_schedule + description: The cron schedule to execute the export to GCS + varType: string + defaultValue: 15 3 * * * + - name: enable_internal_backup + description: Wether to create internal backups with this module + varType: bool + defaultValue: true + - name: enable_export_backup + description: Weather to create exports to GCS Buckets with this module + varType: bool + defaultValue: true + - name: export_databases + description: The list of databases that should be exported - if is an empty set all databases will be exported + varType: set(string) + defaultValue: [] + - name: export_uri + description: The bucket and path uri for exporting to GCS + varType: string + required: true - name: compress_export description: Whether or not to compress the export when storing in the bucket; Only valid for MySQL and PostgreSQL varType: bool defaultValue: true + - name: enable_connector_params + description: Whether to enable connector-specific parameters for Google Workflow SQL Export. + varType: bool + defaultValue: false - name: connector_params_timeout description: The end-to-end duration the connector call is allowed to run for before throwing a timeout exception. The default value is 1800 and this should be the maximum for connector methods that are not long-running operations. 
Otherwise, for long-running operations, the maximum timeout for a connector call is 31536000 seconds (one year). varType: number defaultValue: 1800 - - name: create_notification_channel - description: If set to true it will create email notification channel + - name: unique_suffix + description: Unique suffix to add to scheduler jobs and workflows names. + varType: string + defaultValue: "" + - name: log_db_name_to_export + description: Whether or not to log database name in the export workflow varType: bool defaultValue: false - - name: deletion_protection - description: Whether Terraform will be prevented from destroying the workflow. - varType: bool - defaultValue: true - - name: enable_backup_monitoring - description: Whether to monitor backup workflows or not + - name: use_sql_instance_replica_in_exporter + description: Whether or not to use replica instance on exporter workflow. varType: bool defaultValue: false - - name: enable_connector_params - description: Whether to enable connector-specific parameters for Google Workflow SQL Export. 
+ - name: sql_instance_replica + description: The name of the SQL instance replica to export + varType: string + - name: use_serverless_export + description: Whether to use serverless export for DB export varType: bool defaultValue: false - - name: enable_export_backup - description: Weather to create exports to GCS Buckets with this module + - name: monitoring_email + description: Email address to send alerts + varType: string + - name: enable_backup_monitoring + description: Whether to monitor backup workflows or not varType: bool - defaultValue: true + defaultValue: false + - name: backup_monitoring_frequency + description: Timeframe in which there should be at least one successfull backup + varType: string + defaultValue: 1d - name: enable_export_monitoring description: Whether to monitor export workflows or not varType: bool defaultValue: false - - name: enable_internal_backup - description: Wether to create internal backups with this module - varType: bool - defaultValue: true - - name: export_databases - description: The list of databases that should be exported - if is an empty set all databases will be exported - varType: set(string) - defaultValue: [] - name: export_monitoring_frequency description: Timeframe in which there should be at least one successfull export varType: string defaultValue: 1d - - name: export_schedule - description: The cron schedule to execute the export to GCS - varType: string - defaultValue: 15 3 * * * - - name: export_uri - description: The bucket and path uri for exporting to GCS - varType: string - required: true - - name: log_db_name_to_export - description: Whether or not to log database name in the export workflow + - name: create_notification_channel + description: If set to true it will create email notification channel varType: bool defaultValue: false - - name: monitoring_email - description: Email address to send alerts - varType: string - name: notification_channel_name description: Name of the email notification 
channel to be created. Only needed when create_notification_channel is set to true. varType: string @@ -144,40 +174,10 @@ spec: description: List of existing notification channels to send alerts to varType: list(string) defaultValue: [] - - name: project_id - description: The project ID - varType: string - required: true - - name: region - description: The region where to run the workflow - varType: string - defaultValue: us-central1 - - name: scheduler_timezone - description: The Timezone in which the Scheduler Jobs are triggered - varType: string - defaultValue: Etc/GMT - - name: service_account - description: The service account to use for running the workflow and triggering the workflow by Cloud Scheduler - If empty or null a service account will be created. If you have provided a service account you need to grant the Cloud SQL Admin and the Workflows Invoker role to that - varType: string - - name: sql_instance - description: The name of the SQL instance to backup - varType: string - required: true - - name: sql_instance_replica - description: The name of the SQL instance replica to export - varType: string - - name: unique_suffix - description: Unique suffix to add to scheduler jobs and workflows names. - varType: string - defaultValue: "" - - name: use_serverless_export - description: Whether to use serverless export for DB export - varType: bool - defaultValue: false - - name: use_sql_instance_replica_in_exporter - description: Whether or not to use replica instance on exporter workflow. + - name: deletion_protection + description: Whether Terraform will be prevented from destroying the workflow. varType: bool - defaultValue: false + defaultValue: true outputs: - name: backup_workflow_name description: The name for internal backup workflow 
@@ -191,26 +191,12 @@ spec: roles: - level: Project roles: - - roles/cloudkms.admin - - roles/cloudkms.cryptoKeyEncrypterDecrypter - - roles/cloudscheduler.admin - roles/cloudsql.admin - - roles/compute.admin - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - roles/iam.serviceAccountUser - - roles/monitoring.editor - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/workflows.admin + - roles/logging.logWriter services: - - cloudkms.googleapis.com - - cloudresourcemanager.googleapis.com - - cloudscheduler.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - monitoring.googleapis.com - - servicenetworking.googleapis.com - serviceusage.googleapis.com - sqladmin.googleapis.com - - workflows.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 6.11.0, < 7" diff --git a/modules/backup/versions.tf b/modules/backup/versions.tf index d2492885..061cdb48 100644 --- a/modules/backup/versions.tf +++ b/modules/backup/versions.tf @@ -19,7 +19,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 6.11.0, < 7" + version = ">= 6.11.0, < 8" } } } diff --git a/modules/mssql/README.md b/modules/mssql/README.md index f2a47c53..f304edea 100644 --- a/modules/mssql/README.md +++ b/modules/mssql/README.md @@ -12,7 +12,7 @@ Basic usage of this module is as follows: ```hcl module "mssql" { source = "terraform-google-modules/sql-db/google//modules/mssql" - version = "~> 26.1" + version = "~> 26.2" name = var.name random_instance_name = true diff --git a/modules/mssql/metadata.yaml b/modules/mssql/metadata.yaml index 8b9c2437..e958e760 100644 --- a/modules/mssql/metadata.yaml +++ b/modules/mssql/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
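Review bot: The `providerVersions` entry added at the end of this hunk pins `hashicorp/google` to `">= 6.11.0, < 7"`, while the `modules/backup/versions.tf` hunk in this same commit widens the constraint to `">= 6.11.0, < 8"`; the metadata should say `version: ">= 6.11.0, < 8"` (or be regenerated after the versions.tf change). The same mismatch exists in the `modules/mssql/metadata.yaml` roles hunk, whose unchanged `providerVersions` context line still reads `">= 5.12, < 7"` while `modules/mssql/versions.tf` moves both providers to `< 8`. The roles list here also drops `roles/iam.serviceAccountAdmin`, `roles/workflows.admin` and `roles/cloudscheduler.admin`, yet the module's own `service_account` variable description in this file says a service account is created when none is supplied and that workflows and Cloud Scheduler jobs are involved; if this list is meant to document deploy-time privileges it looks incomplete and is worth confirming against the test setup that generated it.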
@@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-sql-db.git sourceType: git dir: /modules/mssql - version: 26.1.1 + version: 26.2.0 actuationTool: flavor: Terraform version: ">= 1.3" @@ -81,6 +81,9 @@ spec: description: Sets random suffix at the end of the Cloud SQL resource name varType: bool defaultValue: false + - name: maintenance_version + description: The current software version on the instance. This attribute can not be set during creation. Refer to available_maintenance_versions attribute to see what maintenance_version are available for upgrade. When this attribute gets updated, it will cause an instance restart. Setting a maintenance_version value that is older than the current one on the instance will be ignored + varType: string - name: database_version description: "The database version to use: SQLSERVER_2017_STANDARD, SQLSERVER_2017_ENTERPRISE, SQLSERVER_2017_EXPRESS, or SQLSERVER_2017_WEB" varType: string @@ -298,6 +301,19 @@ spec: description: Enable or disable the creation of the default user varType: bool defaultValue: true + - name: enable_dataplex_integration + description: Enable database Dataplex integration + varType: bool + defaultValue: false + - name: insights_config + description: The insights_config settings for the database. + varType: |- + object({ + query_plans_per_minute = optional(number, 5) + query_string_length = optional(number, 1024) + record_application_tags = optional(bool, false) + record_client_address = optional(bool, false) + }) outputs: - name: additional_users description: List of maps of additional users and passwords 
@@ -547,29 +563,17 @@ spec: roles: - level: Project roles: - - roles/cloudkms.admin - - roles/cloudkms.cryptoKeyEncrypterDecrypter - - roles/cloudscheduler.admin - roles/cloudsql.admin - - roles/compute.admin - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - roles/iam.serviceAccountUser - - roles/monitoring.editor - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/workflows.admin + - roles/logging.logWriter services: - cloudkms.googleapis.com - cloudresourcemanager.googleapis.com - - cloudscheduler.googleapis.com - compute.googleapis.com - iam.googleapis.com - monitoring.googleapis.com - - servicenetworking.googleapis.com - serviceusage.googleapis.com - sqladmin.googleapis.com - - workflows.googleapis.com providerVersions: - source: hashicorp/google version: ">= 5.12, < 7" diff --git a/modules/mssql/outputs.tf b/modules/mssql/outputs.tf index e44e6e96..4a143876 100644 --- a/modules/mssql/outputs.tf +++ b/modules/mssql/outputs.tf @@ -89,7 +89,7 @@ output "primary" { output "apphub_service_uri" { value = { service_uri = "//cloudsql.googleapis.com/projects${element(split("/projects", google_sql_database_instance.default.self_link), 1)}" - service_id = substr(format("%s-%s", var.name, md5(var.project_id)), 0, 63) + service_id = substr("${var.name}-${md5("mssql-${var.region}-${var.project_id}")}", 0, 63) } description = "Service URI in CAIS style to be used by Apphub." } diff --git a/modules/mssql/versions.tf b/modules/mssql/versions.tf index fd74db2e..7d34b62c 100644 --- a/modules/mssql/versions.tf +++ b/modules/mssql/versions.tf @@ -19,11 +19,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.12, < 7" + version = ">= 5.12, < 8" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.12, < 7" + version = ">= 5.12, < 8" } random = { source = "hashicorp/random" 
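Review bot: In the `apphub_service_uri` output, `substr(..., 0, 63)` is applied after the hash is appended, so for a long `var.name` the part that gets truncated is the `md5("mssql-${var.region}-${var.project_id}")` suffix and the id stops being distinct across regions or projects — the very property the change adds. Bounding the name instead keeps the full 32-character hash inside the 63-character limit: `service_id = "${substr(var.name, 0, 30)}-${md5("mssql-${var.region}-${var.project_id}")}"`. Note also that this silently changes `service_id` for every existing deployment, since the previous value hashed only `var.project_id`; if App Hub consumers key on it, the upgrade notes should mention it.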
@@ -36,7 +36,7 @@ terraform { } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-sql-db:mssql/v26.1.1" + module_name = "blueprints/terraform/terraform-google-sql-db:mssql/v26.2.0" } } diff --git a/modules/mysql/README.md b/modules/mysql/README.md index 8b9ed6a1..e6f4e5d2 100644 --- a/modules/mysql/README.md +++ b/modules/mysql/README.md @@ -10,7 +10,7 @@ Functional examples are included in the [examples](../../examples/) directory. B ```hcl module "mysql-db" { source = "terraform-google-modules/sql-db/google//modules/mysql" - version = "~> 26.1" + version = "~> 26.2" name = var.db_name random_instance_name = true @@ -49,7 +49,7 @@ module "mysql-db" { | additional\_databases | A list of databases to be created in your cluster |
list(object({
name = string
charset = string
collation = string
}))
| `[]` | no | | additional\_users | A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set. |
list(object({
name = string
password = string
random_password = bool
type = string
host = string
}))
| `[]` | no | | availability\_type | The availability type for the master instance. Can be either `REGIONAL` or `null`. | `string` | `"REGIONAL"` | no | -| backup\_configuration | The backup\_configuration settings subblock for the database setings |
object({
binary_log_enabled = optional(bool, false)
enabled = optional(bool, false)
start_time = optional(string)
location = optional(string)
transaction_log_retention_days = optional(string)
retained_backups = optional(number)
retention_unit = optional(string)
})
| `{}` | no | +| backup\_configuration | The backup\_configuration settings subblock for the database settings |
object({
binary_log_enabled = optional(bool, false)
enabled = optional(bool, false)
start_time = optional(string)
location = optional(string)
transaction_log_retention_days = optional(string)
retained_backups = optional(number)
retention_unit = optional(string)
})
| `{}` | no | | connector\_enforcement | Enforce that clients use the connector library | `bool` | `false` | no | | create\_timeout | The optional timout that is applied to limit long database creates. | `string` | `"30m"` | no | | data\_cache\_enabled | Whether data cache is enabled for the instance. Defaults to false. Feature is only available for ENTERPRISE\_PLUS tier and supported database\_versions | `bool` | `false` | no | 
@@ -100,7 +100,7 @@ module "mysql-db" { | retain\_backups\_on\_delete | When this parameter is set to true, Cloud SQL retains backups of the instance even after the instance is deleted. The ON\_DEMAND backup will be retained until customer deletes the backup or the project. The AUTOMATED backup will be retained based on the backups retention setting. | `bool` | `false` | no | | root\_password | MySQL password for the root user. | `string` | `null` | no | | secondary\_zone | The preferred zone for the secondary/failover instance, it should be something like: `us-central1-a`, `us-east1-c`. | `string` | `null` | no | -| tier | The tier for the master instance, for ADC its defualt value will be db-perf-optimized-N-8 which is tier value for edtion ENTERPRISE\_PLUS, if user wants to change the edition, he should chose compatible tier. | `string` | `"db-n1-standard-1"` | no | +| tier | The tier for the master instance, for ADC its default value will be db-perf-optimized-N-8 which is tier value for edition ENTERPRISE\_PLUS, if user wants to change the edition, he should chose compatible tier. | `string` | `"db-n1-standard-1"` | no | | update\_timeout | The optional timout that is applied to limit long database updates. | `string` | `"30m"` | no | | user\_deletion\_policy | The deletion policy for the user. Setting ABANDON allows the resource to be abandoned rather than deleted. This is useful for Postgres, where users cannot be deleted from the API if they have been granted SQL roles. Possible values are: "ABANDON". | `string` | `null` | no | | user\_host | The host for the default user | `string` | `"%"` | no | diff --git a/modules/mysql/metadata.display.yaml b/modules/mysql/metadata.display.yaml index 7edb64ad..db34bf49 100644 --- a/modules/mysql/metadata.display.yaml +++ b/modules/mysql/metadata.display.yaml 
@@ -31,12 +31,57 @@ spec: activation_policy: name: activation_policy title: Activation Policy + enumValueLabels: + - label: ALWAYS + value: ALWAYS + - label: NEVER + value: NEVER + - label: ON_DEMAND + value: ON_DEMAND additional_databases: name: additional_databases title: Additional Databases + properties: + name: + name: name + title: Database Name + regexValidation: ^[a-zA-Z][a-zA-Z0-9_]{0,63}$ + validation: Database names must be between 1 and 64 characters long, start with a letter, and can only contain letters, numbers, and underscores. + charset: + name: charset + title: Charset + regexValidation: ^[a-zA-Z0-9]+$ + validation: Database charset should contain only letters and numbers (e.g. 'utf8'). + collation: + name: collation + title: Collation + regexValidation: ^[a-z0-9_]+$ + validation: Database collation should contain only lowercase letters, numbers, and underscores. additional_users: name: additional_users title: Additional Users + properties: + name: + name: name + title: User Name + regexValidation: ^[a-zA-Z][a-zA-Z0-9_]{0,31}$ + validation: User names must be between 1 and 32 characters long, start with a letter, and can only contain letters, numbers, and underscores. + type: + name: type + title: Type + enumValueLabels: + - label: BUILT_IN + value: BUILT_IN + - label: CLOUD_IAM_USER + value: CLOUD_IAM_USER + - label: CLOUD_IAM_SERVICE_ACCOUNT + value: CLOUD_IAM_SERVICE_ACCOUNT + - label: CLOUD_IAM_GROUP + value: CLOUD_IAM_GROUP + - label: CLOUD_IAM_GROUP_USER + value: CLOUD_IAM_GROUP_USER + - label: CLOUD_IAM_GROUP_SERVICE_ACCOUNT + value: CLOUD_IAM_GROUP_SERVICE_ACCOUNT availability_type: name: availability_type title: Availability Type 
@@ -58,9 +103,21 @@ spec: value: enabled: true binary_log_enabled: true + properties: + retention_unit: + name: retention_unit + title: Retention Unit + enumValueLabels: + - label: COUNT + value: COUNT connector_enforcement: name: connector_enforcement title: Connector Enforcement + enumValueLabels: + - label: REQUIRED + value: REQUIRED + - label: NOT_REQUIRED + value: NOT_REQUIRED create_timeout: name: create_timeout title: Create Timeout @@ -95,9 +152,13 @@ spec: db_charset: name: db_charset title: Db Charset + regexValidation: ^[a-z0-9]+$ + validation: Database charset should contain only lowercase letters and numbers. db_collation: name: db_collation title: Db Collation + regexValidation: ^[a-z0-9_]+$ + validation: Database collation should contain only lowercase letters, numbers, and underscores. db_name: name: db_name title: Db Name @@ -120,6 +181,22 @@ spec: deny_maintenance_period: name: deny_maintenance_period title: Deny Maintenance Period + properties: + end_date: + name: end_date + title: End Date + regexValidation: ^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])$ + validation: End date must be in YYYY-MM-DD format. + start_date: + name: start_date + title: Start Date + regexValidation: ^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])$ + validation: Start date must be in YYYY-MM-DD format. + time: + name: time + title: Time + regexValidation: ^([0-1]?[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$ + validation: Time must be in HH:MM:SS format (24-hour clock). disk_autoresize: name: disk_autoresize title: Disk Autoresize @@ -139,6 +216,13 @@ spec: name: disk_type title: Disk Type level: 1 + enumValueLabels: + - label: PD_SSD + value: PD_SSD + - label: PD_HDD + value: PD_HDD + - label: HYPERDISK_BALANCED + value: HYPERDISK_BALANCED edition: name: edition title: Edition 
@@ -177,12 +261,43 @@ spec: iam_users: name: iam_users title: Iam Users + properties: + email: + name: email + title: Email + regexValidation: "^([a-zA-Z][a-zA-Z0-9_]{0,15}|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+.[a-zA-Z]{2,})$" + validation: Must be a valid email address or a Google service account email. + type: + name: type + title: Type + enumValueLabels: + - label: BUILT_IN + value: BUILT_IN + - label: CLOUD_IAM_USER + value: CLOUD_IAM_USER + - label: CLOUD_IAM_SERVICE_ACCOUNT + value: CLOUD_IAM_SERVICE_ACCOUNT + - label: CLOUD_IAM_GROUP + value: CLOUD_IAM_GROUP + - label: CLOUD_IAM_GROUP_USER + value: CLOUD_IAM_GROUP_USER + - label: CLOUD_IAM_GROUP_SERVICE_ACCOUNT + value: CLOUD_IAM_GROUP_SERVICE_ACCOUNT insights_config: name: insights_config title: Insights Config instance_type: name: instance_type title: Instance Type + enumValueLabels: + - label: SQL_INSTANCE_TYPE_UNSPECIFIED + value: SQL_INSTANCE_TYPE_UNSPECIFIED + - label: CLOUD_SQL_INSTANCE + value: CLOUD_SQL_INSTANCE + - label: ON_PREMISES_INSTANCE + value: ON_PREMISES_INSTANCE + - label: READ_REPLICA_INSTANCE + value: READ_REPLICA_INSTANCE ip_configuration: name: ip_configuration title: Ip Configuration 
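Review bot: In the new `iam_users.email` `regexValidation`, the `.` between the domain and the TLD (`[a-zA-Z0-9.-]+.[a-zA-Z]{2,}`) is unescaped inside a double-quoted YAML scalar, so it matches any character rather than a literal dot; a literal dot in that quoting is spelled `\\.`, as the `authorized_networks` pattern later in this file already does (`"\\."`). The `private_network` pattern in the next hunk has the same issue: the commit rewrites `[-a-z0-9]{1,63}\\.` as `[-a-z0-9]{1,63}.` while switching to a double-quoted scalar, so the project-id segment now accepts any character where a dot was intended and should read `[-a-z0-9]{1,63}\\.`.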
@@ -191,8 +306,27 @@ spec: name: private_network title: private_network subtext: The VPC network used to enable private IP access to the Cloud SQL instance. Cannot be unset once configured. - regexValidation: ^(?:http(?:s)?://.+/)?projects/((?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)))/global/networks/((?:[a-z](?:[-a-z0-9]*[a-z0-9])?))$ + regexValidation: "^(?:http(?:s)?://.+/)?projects/((?:(?:[-a-z0-9]{1,63}.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)))/global/networks/((?:[a-z](?:[-a-z0-9]*[a-z0-9])?))$" validation: Invalid format. Expected a valid Google Cloud network resource name, e.g. projects/{project}/global/networks/{network}. + ssl_mode: + name: ssl_mode + title: Ssl Mode + enumValueLabels: + - label: ALLOW_UNENCRYPTED_AND_ENCRYPTED + value: ALLOW_UNENCRYPTED_AND_ENCRYPTED + - label: ENCRYPTED_ONLY + value: ENCRYPTED_ONLY + - label: TRUSTED_CLIENT_CERTIFICATE_REQUIRED + value: TRUSTED_CLIENT_CERTIFICATE_REQUIRED + authorized_networks: + name: authorized_networks + title: Authorized Networks + properties: + value: + name: value + title: Value + regexValidation: "^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])\\/(3[0-2]|[1-2][0-9]|[0-9])$" + validation: Must be a valid IPv4 address in CIDR format. level: 1 maintenance_window_day: name: maintenance_window_day @@ -221,6 +355,9 @@ spec: name: pricing_plan title: Pricing Plan level: 1 + enumValueLabels: + - label: PER_USE + value: PER_USE project_id: name: project_id title: Project Id 
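Review bot: Moving the private_network regex into a double-quoted scalar dropped the escape on the domain-prefix dot: `(?:[-a-z0-9]{1,63}.)*` now matches any character where the old pattern intended a literal dot (the old plain-scalar `\\.` was itself wrong, as it matched a literal backslash, so this hunk was the right place to fix it). Inside the double quotes it should read `(?:[-a-z0-9]{1,63}\\.)*`, exactly as the authorized_networks pattern a few lines below already does; the postgresql private_network hunk (L97) needs the identical change. Since the authorized_networks regex accepts any IPv4 CIDR including a catch-all such as `0.0.0.0/0` (constructed example), a `subtext: Each entry allows that range to reach the instance's public IP; keep ranges as narrow as possible.` would help operators reading the form. Likewise ssl_mode could carry `subtext: ALLOW_UNENCRYPTED_AND_ENCRYPTED permits plaintext connections; ENCRYPTED_ONLY or TRUSTED_CLIENT_CERTIFICATE_REQUIRED enforce TLS.`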
@@ -239,6 +376,55 @@ spec: read_replicas: name: read_replicas title: Read Replicas + properties: + name: + name: name + title: Read Replica Name + regexValidation: ^[a-z][a-z0-9-]{0,95}[a-z0-9]$ + validation: Read replica names must be between 1 and 97 characters long, start with a lowercase letter, and end with a lowercase letter or number. Read replica names can only contain lowercase letters, numbers, and hyphens. + edition: + name: edition + title: Edition + enumValueLabels: + - label: ENTERPRISE_PLUS + value: ENTERPRISE_PLUS + - label: ENTERPRISE + value: ENTERPRISE + availability_type: + name: availability_type + title: Availability Type + enumValueLabels: + - label: REGIONAL + value: REGIONAL + - label: ZONAL + value: ZONAL + disk_type: + name: disk_type + title: Disk Type + enumValueLabels: + - label: PD_SSD + value: PD_SSD + - label: PD_HDD + value: PD_HDD + ip_configuration: + name: ip_configuration + title: Ip Configuration + properties: + private_network: + name: private_network + title: Private Network + regexValidation: ^(projects/[a-z0-9-]+/)?global/networks/[a-z0-9-]+$ + validation: Invalid format. Expected a valid Google Cloud network resource name, e.g. projects/{project}/global/networks/{network}. + ssl_mode: + name: ssl_mode + title: Ssl Mode + enumValueLabels: + - label: ALLOW_UNENCRYPTED_AND_ENCRYPTED + value: ALLOW_UNENCRYPTED_AND_ENCRYPTED + - label: ENCRYPTED_ONLY + value: ENCRYPTED_ONLY + - label: TRUSTED_CLIENT_CERTIFICATE_REQUIRED + value: TRUSTED_CLIENT_CERTIFICATE_REQUIRED region: name: region title: Region @@ -246,6 +432,15 @@ spec: replica_database_version: name: replica_database_version title: Replica Database Version + enumValueLabels: + - label: MYSQL_8_4 + value: MYSQL_8_4 + - label: MYSQL_8_0 + value: MYSQL_8_0 + - label: MYSQL_5_6 + value: MYSQL_5_6 + - label: MYSQL_5_7 + value: MYSQL_5_7 root_password: name: root_password title: Root Password 
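Review bot: The read-replica `name` regex `^[a-z][a-z0-9-]{0,95}[a-z0-9]$` requires at least two characters, but its message says "between 1 and 97 characters long"; either allow a single letter or change the message to "between 2 and 97". The replica `private_network` regex is also much narrower than the top-level one in this file (no `https://…` prefix, no numeric project ids), and the replica `disk_type` enum omits HYPERDISK_BALANCED that the top-level disk_type lists, so a value accepted for the primary may be rejected for a replica; if that is intended, a `subtext` saying so would avoid confusion. The postgresql read_replicas hunk (L98) has the same three points. Separately, `replica_database_version` lists MYSQL_5_6 between MYSQL_8_0 and MYSQL_5_7; ordering the values consistently makes the list easier to maintain.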
@@ -266,6 +461,9 @@ spec: user_deletion_policy: name: user_deletion_policy title: User Deletion Policy + enumValueLabels: + - label: ABANDON + value: ABANDON user_host: name: user_host title: User Host @@ -276,6 +474,8 @@ spec: name: user_name title: User Name level: 1 + regexValidation: ^[a-zA-Z0-9-]{1,16}$ + validation: User names must be between 1 and 16 characters long and can contain lowercase letters, numbers, and hyphens. user_password: name: user_password title: User Password diff --git a/modules/mysql/metadata.yaml b/modules/mysql/metadata.yaml index d7ade559..83692796 100644 --- a/modules/mysql/metadata.yaml +++ b/modules/mysql/metadata.yaml @@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-sql-db.git sourceType: git dir: /modules/mysql - version: 26.1.1 + version: 26.2.0 actuationTool: flavor: Terraform version: ">= 1.3" @@ -279,6 +279,10 @@ spec: retention_unit = optional(string) }) defaultValue: {} + - name: retain_backups_on_delete + description: When this parameter is set to true, Cloud SQL retains backups of the instance even after the instance is deleted. The ON_DEMAND backup will be retained until customer deletes the backup or the project. The AUTOMATED backup will be retained based on the backups retention setting. + varType: bool + defaultValue: false - name: insights_config description: The insights_config settings for the database. varType: |- 
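Review bot: The user_name regex `^[a-zA-Z0-9-]{1,16}$` accepts uppercase letters while its message says "can contain lowercase letters, numbers, and hyphens"; either restrict the pattern to `^[a-z0-9-]{1,16}$` or change the message to "letters, numbers, and hyphens". The same regex/message pair is added for postgresql `additional_users.name` (L94 hunk) and postgresql `user_name` (L99 hunk), so whichever way it is resolved should be applied to all three.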
@@ -914,35 +918,26 @@ spec: roles: - level: Project roles: - - roles/cloudkms.admin - - roles/cloudkms.autokeyAdmin + - roles/iam.serviceAccountUser + - roles/compute.networkAdmin - roles/cloudkms.cryptoKeyEncrypterDecrypter - - roles/cloudscheduler.admin + - roles/logging.logWriter - roles/cloudsql.admin - - roles/compute.admin - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - - roles/iam.serviceAccountUser - - roles/monitoring.editor - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/workflows.admin services: - cloudkms.googleapis.com - cloudresourcemanager.googleapis.com - - cloudscheduler.googleapis.com - compute.googleapis.com - iam.googleapis.com - monitoring.googleapis.com - servicenetworking.googleapis.com - serviceusage.googleapis.com - sqladmin.googleapis.com - - workflows.googleapis.com providerVersions: - source: hashicorp/google - version: ">= 6.1, < 7" + version: ">= 6.31, < 7" - source: hashicorp/google-beta - version: ">= 6.1, < 7" + version: ">= 6.31, < 7" - source: hashicorp/null version: ~> 3.1 - source: hashicorp/random diff --git a/modules/mysql/outputs.tf b/modules/mysql/outputs.tf index 6e0ec0a2..f3c639b6 100644 --- a/modules/mysql/outputs.tf +++ b/modules/mysql/outputs.tf @@ -158,7 +158,7 @@ output "env_vars" { output "apphub_service_uri" { value = { service_uri = "//sqladmin.googleapis.com/projects${element(split("/projects", google_sql_database_instance.default.self_link), 1)}" - service_id = substr("${var.name}-${md5("${var.region}-${var.project_id}")}", 0, 63) + service_id = substr("${var.name}-${md5("mysql-${var.region}-${var.project_id}")}", 0, 63) location = var.region } description = "Service URI in CAIS style to be used by Apphub." diff --git a/modules/mysql/variables.tf b/modules/mysql/variables.tf index db742727..bdb4424e 100644 --- a/modules/mysql/variables.tf +++ b/modules/mysql/variables.tf 
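Review bot: The providerVersions written here (`version: ">= 6.31, < 7"` for google and google-beta) no longer agree with the mysql versions.tf hunk on the next line, which widens the bound to `">= 6.31, < 8"`; this metadata looks generated from versions.tf, so it should be regenerated after the bound change rather than edited by hand. The same drift exists for postgresql (L101 metadata vs L104 versions.tf) and private_service_access (L107 metadata vs L108 versions.tf). The trimmed role list is a welcome least-privilege cleanup; keeping it sorted, as the removed list was, would make future diffs easier to read.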
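Review bot: The `service_id` value in the apphub_service_uri output changes for every existing deployment, because the md5 input now includes the `mysql-` prefix; anything registered in AppHub under the previous id will be re-registered, which deserves an entry in the CHANGELOG or upgrade guide. The prefix itself is a sensible fix, since the postgresql module (L102 hunk) derives the id from the same name/region/project triple and the two could previously collide. The output's `description` could state the derivation, e.g. `description = "Service URI in CAIS style to be used by Apphub; service_id is derived from name, engine, region and project."`, so consumers know the value is stable only while those inputs are.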
@@ -185,7 +185,7 @@ variable "instance_type" { // Master variable "tier" { - description = "The tier for the master instance, for ADC its defualt value will be db-perf-optimized-N-8 which is tier value for edtion ENTERPRISE_PLUS, if user wants to change the edition, he should chose compatible tier." + description = "The tier for the master instance, for ADC its default value will be db-perf-optimized-N-8 which is tier value for edition ENTERPRISE_PLUS, if user wants to change the edition, he should chose compatible tier." type = string default = "db-n1-standard-1" } @@ -301,7 +301,7 @@ variable "deny_maintenance_period" { } variable "backup_configuration" { - description = "The backup_configuration settings subblock for the database setings" + description = "The backup_configuration settings subblock for the database settings" type = object({ binary_log_enabled = optional(bool, false) enabled = optional(bool, false) diff --git a/modules/mysql/versions.tf b/modules/mysql/versions.tf index cb8c41b6..16458527 100644 --- a/modules/mysql/versions.tf +++ b/modules/mysql/versions.tf @@ -27,19 +27,19 @@ terraform { } google = { source = "hashicorp/google" - version = ">= 6.31, < 7" + version = ">= 6.31, < 8" } google-beta = { source = "hashicorp/google-beta" - version = ">= 6.31, < 7" + version = ">= 6.31, < 8" } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-sql-db:mysql/v26.1.1" + module_name = "blueprints/terraform/terraform-google-sql-db:mysql/v26.2.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-sql-db:mysql/v26.1.1" + module_name = "blueprints/terraform/terraform-google-sql-db:mysql/v26.2.0" } } diff --git a/modules/postgresql/README.md b/modules/postgresql/README.md index 8288c664..cb40cb82 100644 --- a/modules/postgresql/README.md +++ b/modules/postgresql/README.md 
@@ -13,7 +13,7 @@ Basic usage of this module is as follows: ```hcl module "pg" { source = "terraform-google-modules/sql-db/google//modules/postgresql" - version = "~> 26.1" + version = "~> 26.2" name = var.pg_ha_name random_instance_name = true @@ -120,7 +120,7 @@ module "pg" { | additional\_databases | A list of databases to be created in your cluster |
list(object({
name = string
charset = string
collation = string
}))
| `[]` | no | | additional\_users | A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set. |
list(object({
name = string
password = string
random_password = bool
}))
| `[]` | no | | availability\_type | The availability type for the Cloud SQL instance.This is only used to set up high availability for the PostgreSQL instance. Can be either `ZONAL` or `REGIONAL`. | `string` | `"ZONAL"` | no | -| backup\_configuration | The backup\_configuration settings subblock for the database setings |
object({
enabled = optional(bool, false)
start_time = optional(string)
location = optional(string)
point_in_time_recovery_enabled = optional(bool, false)
transaction_log_retention_days = optional(string)
retained_backups = optional(number)
retention_unit = optional(string)
})
| `{}` | no | +| backup\_configuration | The backup\_configuration settings subblock for the database settings |
object({
enabled = optional(bool, false)
start_time = optional(string)
location = optional(string)
point_in_time_recovery_enabled = optional(bool, false)
transaction_log_retention_days = optional(string)
retained_backups = optional(number)
retention_unit = optional(string)
})
| `{}` | no | | connector\_enforcement | Enforce that clients use the connector library | `bool` | `false` | no | | create\_kms\_key\_handle | KeyHandles cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed KeyHandle will remove it from state but will not delete the resource from the project. Set this to false if key handle already exists | `bool` | `true` | no | | create\_timeout | The optional timout that is applied to limit long database creates. | `string` | `"30m"` | no | 
@@ -173,7 +173,7 @@ module "pg" { | retain\_backups\_on\_delete | When this parameter is set to true, Cloud SQL retains backups of the instance even after the instance is deleted. The ON\_DEMAND backup will be retained until customer deletes the backup or the project. The AUTOMATED backup will be retained based on the backups retention setting. | `bool` | `false` | no | | root\_password | Initial root password during creation | `string` | `null` | no | | secondary\_zone | The preferred zone for the replica instance, it should be something like: `us-central1-a`, `us-east1-c`. | `string` | `null` | no | -| tier | The tier for the Cloud SQL instance, for ADC its defualt value will be db-perf-optimized-N-8 which is tier value for edtion ENTERPRISE\_PLUS, if user wants to change the edition, he should chose compatible tier. | `string` | `"db-f1-micro"` | no | +| tier | The tier for the Cloud SQL instance, for ADC its default value will be db-perf-optimized-N-8 which is tier value for edition ENTERPRISE\_PLUS, if user wants to change the edition, he should chose compatible tier. | `string` | `"db-f1-micro"` | no | | update\_timeout | The optional timout that is applied to limit long database updates. | `string` | `"30m"` | no | | use\_autokey | Enable the use of autokeys from Google Cloud KMS for CMEK. This requires autokey already configured in the project | `bool` | `false` | no | | user\_deletion\_policy | The deletion policy for the user. Setting ABANDON allows the resource to be abandoned rather than deleted. This is useful for Postgres, where users cannot be deleted from the API if they have been granted SQL roles. Possible values are: "ABANDON". | `string` | `null` | no | 
@@ -209,6 +209,7 @@ module "pg" { | replicas | A list of `google_sql_database_instance` resources representing the replicas | | replicas\_instance\_connection\_names | The connection names of the replica instances to be used in connection strings | | replicas\_instance\_first\_ip\_addresses | The first IPv4 addresses of the addresses assigned for the replica instances | +| replicas\_instance\_psc\_attachments | The psc\_service\_attachment\_links created for the replica instances | | replicas\_instance\_self\_links | The URIs of the replica instances | | replicas\_instance\_server\_ca\_certs | The CA certificates information used to connect to the replica instances via SSL | | replicas\_instance\_service\_account\_email\_addresses | The service account email addresses assigned to the replica instances | diff --git a/modules/postgresql/metadata.display.yaml b/modules/postgresql/metadata.display.yaml index 366ed34a..a9ff5111 100644 --- a/modules/postgresql/metadata.display.yaml +++ b/modules/postgresql/metadata.display.yaml @@ -31,12 +31,25 @@ spec: activation_policy: name: activation_policy title: Activation Policy + enumValueLabels: + - label: ALWAYS + value: ALWAYS + - label: NEVER + value: NEVER + - label: ON_DEMAND + value: ON_DEMAND additional_databases: name: additional_databases title: Additional Databases additional_users: name: additional_users title: Additional Users + properties: + name: + name: name + title: User Name + regexValidation: ^[a-zA-Z0-9-]{1,16}$ + validation: User names must be between 1 and 16 characters long and can contain lowercase letters, numbers, and hyphens. availability_type: name: availability_type title: Availability Type @@ -44,6 +57,11 @@ spec: altDefaults: - type: ALTERNATE_TYPE_DC value: REGIONAL + enumValueLabels: + - label: REGIONAL + value: REGIONAL + - label: ZONAL + value: ZONAL backup_configuration: name: backup_configuration title: Backup Configuration 
@@ -53,9 +71,21 @@ spec: value: enabled: true point_in_time_recovery_enabled: true + properties: + retention_unit: + name: retention_unit + title: Retention Unit + enumValueLabels: + - label: COUNT + value: COUNT connector_enforcement: name: connector_enforcement title: Connector Enforcement + enumValueLabels: + - label: REQUIRED + value: REQUIRED + - label: NOT_REQUIRED + value: NOT_REQUIRED create_timeout: name: create_timeout title: Create Timeout @@ -70,6 +100,11 @@ spec: name: database_deletion_policy title: Database Deletion Policy level: 1 + enumValueLabels: + - label: DELETE + value: DELETE + - label: ABANDON + value: ABANDON database_flags: name: database_flags title: Database Flags @@ -103,9 +138,13 @@ spec: db_charset: name: db_charset title: Db Charset + regexValidation: ^[A-Z0-9]+$ + validation: Database charset should contain only uppercase letters and numbers. db_collation: name: db_collation title: Db Collation + regexValidation: ^[a-zA-Z0-9_.-]+$ + validation: Database collation should contain only letters, numbers, underscores, hyphens, and periods. db_name: name: db_name title: Db Name @@ -147,6 +186,13 @@ spec: name: disk_type title: Disk Type level: 1 + enumValueLabels: + - label: PD_SSD + value: PD_SSD + - label: PD_HDD + value: PD_HDD + - label: HYPERDISK_BALANCED + value: HYPERDISK_BALANCED edition: name: edition title: Edition 
@@ -185,12 +231,43 @@ spec: iam_users: name: iam_users title: Iam Users + properties: + email: + name: email + title: Email + regexValidation: "^([a-zA-Z][a-zA-Z0-9_]{0,15}|[a-z0-9._%+-]+@[a-z0-9.-]+.[a-z]{2,})$" + validation: Must be a valid email address or a Google service account email. + type: + name: type + title: Type + enumValueLabels: + - label: BUILT_IN + value: BUILT_IN + - label: CLOUD_IAM_USER + value: CLOUD_IAM_USER + - label: CLOUD_IAM_SERVICE_ACCOUNT + value: CLOUD_IAM_SERVICE_ACCOUNT + - label: CLOUD_IAM_GROUP + value: CLOUD_IAM_GROUP + - label: CLOUD_IAM_GROUP_USER + value: CLOUD_IAM_GROUP_USER + - label: CLOUD_IAM_GROUP_SERVICE_ACCOUNT + value: CLOUD_IAM_GROUP_SERVICE_ACCOUNT insights_config: name: insights_config title: Insights Config instance_type: name: instance_type title: Instance Type + enumValueLabels: + - label: SQL_INSTANCE_TYPE_UNSPECIFIED + value: SQL_INSTANCE_TYPE_UNSPECIFIED + - label: CLOUD_SQL_INSTANCE + value: CLOUD_SQL_INSTANCE + - label: ON_PREMISES_INSTANCE + value: ON_PREMISES_INSTANCE + - label: READ_REPLICA_INSTANCE + value: READ_REPLICA_INSTANCE ip_configuration: name: ip_configuration title: Ip Configuration 
@@ -199,8 +276,24 @@ spec: name: private_network title: private_network subtext: The VPC network used to enable private IP access to the Cloud SQL instance. Cannot be unset once configured. - regexValidation: ^(?:http(?:s)?://.+/)?projects/((?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)))/global/networks/((?:[a-z](?:[-a-z0-9]*[a-z0-9])?))$ + regexValidation: "^(?:http(?:s)?://.+/)?projects/((?:(?:[-a-z0-9]{1,63}.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)))/global/networks/((?:[a-z](?:[-a-z0-9]*[a-z0-9])?))$" validation: Invalid format. Expected a valid Google Cloud network resource name, e.g. projects/{project}/global/networks/{network}. + ssl_mode: + name: ssl_mode + title: Ssl Mode + enumValueLabels: + - label: ALLOW_UNENCRYPTED_AND_ENCRYPTED + value: ALLOW_UNENCRYPTED_AND_ENCRYPTED + - label: ENCRYPTED_ONLY + value: ENCRYPTED_ONLY + - label: TRUSTED_CLIENT_CERTIFICATE_REQUIRED + value: TRUSTED_CLIENT_CERTIFICATE_REQUIRED + server_ca_mode: + name: server_ca_mode + title: Server CA Mode + enumValueLabels: + - label: GOOGLE_MANAGED_INTERNAL_CA + value: GOOGLE_MANAGED_INTERNAL_CA level: 1 maintenance_window_day: name: maintenance_window_day @@ -229,6 +322,9 @@ spec: name: pricing_plan title: Pricing Plan level: 1 + enumValueLabels: + - label: PER_USE + value: PER_USE project_id: name: project_id title: Project Id 
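Review bot: The new `server_ca_mode` enumValueLabels lists only GOOGLE_MANAGED_INTERNAL_CA, yet the postgresql metadata.yaml hunk (L99) adds `server_ca_pool` and `custom_subject_alternative_names` to ip_configuration, fields that are only meaningful with a customer-managed CA mode; a single-value enum makes those fields unreachable from the generated form. The Cloud SQL API also accepts GOOGLE_MANAGED_CAS_CA and CUSTOMER_MANAGED_CAS_CA as far as I know; confirm against the provider version pinned in versions.tf and add the entries, or document why only the internal CA is exposed. A `subtext` for `server_ca_pool` stating that it is used only when server_ca_mode selects a customer-managed CA would help too.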
@@ -247,6 +343,55 @@ spec: read_replicas: name: read_replicas title: Read Replicas + properties: + name: + name: name + title: Read Replica Name + regexValidation: ^[a-z][a-z0-9-]{0,95}[a-z0-9]$ + validation: Read replica names must be between 1 and 97 characters long, start with a lowercase letter, and end with a lowercase letter or number. Read replica names can only contain lowercase letters, numbers, and hyphens. + edition: + name: edition + title: Edition + enumValueLabels: + - label: ENTERPRISE_PLUS + value: ENTERPRISE_PLUS + - label: ENTERPRISE + value: ENTERPRISE + availability_type: + name: availability_type + title: Availability Type + enumValueLabels: + - label: REGIONAL + value: REGIONAL + - label: ZONAL + value: ZONAL + disk_type: + name: disk_type + title: Disk Type + enumValueLabels: + - label: PD_SSD + value: PD_SSD + - label: PD_HDD + value: PD_HDD + ip_configuration: + name: ip_configuration + title: Ip Configuration + properties: + private_network: + name: private_network + title: Private Network + regexValidation: ^(projects/[a-z0-9-]+/)?global/networks/[a-z0-9-]+$ + validation: Invalid format. Expected a valid Google Cloud network resource name, e.g. projects/{project}/global/networks/{network}. + ssl_mode: + name: ssl_mode + title: Ssl Mode + enumValueLabels: + - label: ALLOW_UNENCRYPTED_AND_ENCRYPTED + value: ALLOW_UNENCRYPTED_AND_ENCRYPTED + - label: ENCRYPTED_ONLY + value: ENCRYPTED_ONLY + - label: TRUSTED_CLIENT_CERTIFICATE_REQUIRED + value: TRUSTED_CLIENT_CERTIFICATE_REQUIRED region: name: region title: Region @@ -271,6 +416,9 @@ spec: user_deletion_policy: name: user_deletion_policy title: User Deletion Policy + enumValueLabels: + - label: ABANDON + value: ABANDON user_labels: name: user_labels title: User Labels 
@@ -278,6 +426,8 @@ spec: name: user_name title: User Name level: 1 + regexValidation: ^[a-zA-Z0-9-]{1,16}$ + validation: User names must be between 1 and 16 characters long and can contain lowercase letters, numbers, and hyphens. user_password: name: user_password title: User Password diff --git a/modules/postgresql/metadata.yaml b/modules/postgresql/metadata.yaml index f8a88c6f..99699297 100644 --- a/modules/postgresql/metadata.yaml +++ b/modules/postgresql/metadata.yaml @@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-sql-db.git sourceType: git dir: /modules/postgresql - version: 26.1.1 + version: 26.2.0 actuationTool: flavor: Terraform version: ">= 1.3" @@ -279,6 +279,9 @@ spec: enable_private_path_for_google_cloud_services = optional(bool, false) psc_enabled = optional(bool, false) psc_allowed_consumer_projects = optional(list(string), []) + server_ca_mode = optional(string) + server_ca_pool = optional(string) + custom_subject_alternative_names = optional(list(string), []) }) defaultValue: {} connections: 
@@ -408,7 +411,18 @@ spec: varType: list(string) defaultValue: [] - name: use_autokey - description: Enable the use of autokeys from Google Cloud KMS for CMEK. This requires autokey already configured in the project. + description: Enable the use of autokeys from Google Cloud KMS for CMEK. This requires autokey already configured in the project + varType: bool + defaultValue: false + - name: create_kms_key_handle + description: KeyHandles cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed KeyHandle will remove it from state but will not delete the resource from the project. Set this to false if key handle already exists + varType: bool + defaultValue: true + - name: kms_key_handle_name + description: key handle name. If not provided module will use instance name as key handle name + varType: string + - name: retain_backups_on_delete + description: When this parameter is set to true, Cloud SQL retains backups of the instance even after the instance is deleted. The ON_DEMAND backup will be retained until customer deletes the backup or the project. The AUTOMATED backup will be retained based on the backups retention setting. varType: bool defaultValue: false outputs: 
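Review bot: The new `kms_key_handle_name` description is in a different register from its neighbours (lowercase start, no comma after the condition); `description: Key handle name. If not provided, the module uses the instance name as the key handle name.` matches the rest of the file. Since `create_kms_key_handle` defaults to true and its own description says KeyHandles cannot be deleted, it would help to state in that description under which condition a handle is actually created (presumably only when `use_autokey` is true — confirm in main.tf, which is outside this diff). The `use_autokey` line only loses its trailing period, which suggests this block was regenerated from variables.tf; regenerating it again after the wording fix keeps the two in sync.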
@@ -911,34 +925,28 @@ spec: - level: Project roles: - roles/cloudkms.admin - - roles/cloudkms.autokeyAdmin - - roles/cloudkms.cryptoKeyEncrypterDecrypter - - roles/cloudscheduler.admin + - roles/logging.logWriter - roles/cloudsql.admin - - roles/compute.admin - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - - roles/iam.serviceAccountUser - - roles/monitoring.editor - - roles/resourcemanager.projectIamAdmin - roles/storage.admin - - roles/workflows.admin + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountUser + - roles/compute.networkAdmin + - roles/cloudkms.autokeyAdmin + - roles/cloudkms.cryptoKeyEncrypterDecrypter services: - cloudkms.googleapis.com - cloudresourcemanager.googleapis.com - - cloudscheduler.googleapis.com - compute.googleapis.com - iam.googleapis.com - monitoring.googleapis.com - servicenetworking.googleapis.com - serviceusage.googleapis.com - sqladmin.googleapis.com - - workflows.googleapis.com providerVersions: - source: hashicorp/google - version: ">= 6.1, < 7" + version: ">= 6.31, < 7" - source: hashicorp/google-beta - version: ">= 6.1, < 7" + version: ">= 6.31, < 7" - source: hashicorp/null version: ~> 3.1 - source: hashicorp/random diff --git a/modules/postgresql/outputs.tf b/modules/postgresql/outputs.tf index 2d1b28b0..a9607bac 100644 --- a/modules/postgresql/outputs.tf +++ b/modules/postgresql/outputs.tf @@ -88,6 +88,11 @@ output "replicas_instance_server_ca_certs" { sensitive = true } +output "replicas_instance_psc_attachments" { + value = [for r in google_sql_database_instance.replicas : r.psc_service_attachment_link] + description = "The psc_service_attachment_links created for the replica instances" +} + output "replicas_instance_service_account_email_addresses" { value = [for r in google_sql_database_instance.replicas : r.service_account_email_address] description = "The service account email addresses assigned to the replica instances" 
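Review bot: The postgresql role list keeps `roles/cloudkms.admin` and `roles/storage.admin`, which the mysql list in the L58 hunk drops; if the postgresql examples genuinely need them (autokey key handles, a bucket used by a test), a one-line comment above the list saying which example needs which role would stop the next cleanup from removing them, otherwise they should go too. The list is also no longer sorted, unlike the removed one; restoring alphabetical order keeps future diffs small. The providerVersions mismatch with versions.tf is covered in the note on the mysql hunk.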
@@ -162,7 +167,7 @@ output "env_vars" {
 output "apphub_service_uri" {
 value = {
 service_uri = "//sqladmin.googleapis.com/projects${element(split("/projects", google_sql_database_instance.default.self_link), 1)}"
- service_id = substr("${var.name}-${md5("${var.region}-${var.project_id}")}", 0, 63)
+ service_id = substr("${var.name}-${md5("postgresql-${var.region}-${var.project_id}")}", 0, 63)
 location = var.region
 }
 description = "Service URI in CAIS style to be used by Apphub."
diff --git a/modules/postgresql/read_replica.tf b/modules/postgresql/read_replica.tf
index 3cae2aa1..f2c0bae7 100644
--- a/modules/postgresql/read_replica.tf
+++ b/modules/postgresql/read_replica.tf
@@ -33,10 +33,10 @@ resource "google_sql_database_instance" "replicas" {
 project = var.project_id
 name = each.value.name_override == null || each.value.name_override == "" ? "${local.instance_name}-replica${var.read_replica_name_suffix}${each.value.name}" : each.value.name_override
 database_version = var.database_version
- region = join("-", slice(split("-", lookup(each.value, "zone", var.zone)), 0, 2))
+ region = join("-", slice(split("-", lookup(each.value, "zone", local.zone)), 0, 2))
 master_instance_name = google_sql_database_instance.default.name
 deletion_protection = var.read_replica_deletion_protection
- encryption_key_name = (join("-", slice(split("-", lookup(each.value, "zone", var.zone)), 0, 2))) == var.region ? null : each.value.encryption_key_name
+ encryption_key_name = (join("-", slice(split("-", lookup(each.value, "zone", local.zone)), 0, 2))) == var.region ? null : each.value.encryption_key_name
 settings {
 tier = lookup(each.value, "tier", null) == null ? var.tier : lookup(each.value, "tier", null)
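Review bot: In the read_replica.tf hunk the region derivation `join("-", slice(split("-", lookup(each.value, "zone", local.zone)), 0, 2))` is now written twice, on the `region` and `encryption_key_name` lines; computing it once (for example a local map keyed the same way as the resource's for_each) would stop the two from drifting the next time the fallback changes. `local.zone` is defined outside this diff; if it can evaluate to null, `split("-", null)` fails at plan time, so a comment naming its fallback chain would help reviewers. Note also that if the read_replicas object type declares `zone` as an optional attribute, `lookup` returns its null value rather than the default, so the fallback only fires when the attribute is absent — worth confirming against variables.tf. The enclosing resource block starts and ends outside this hunk.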
@@ -63,10 +63,10 @@ resource "google_sql_database_instance" "replicas" {
 }
 }
 dynamic "psc_config" {
- for_each = ip_configuration.value.psc_enabled ? ["psc_enabled"] : ["psc_disabled"]
+ for_each = ip_configuration.value.psc_enabled ? ["psc_enabled"] : []
 content {
 psc_enabled = ip_configuration.value.psc_enabled
- allowed_consumer_projects = ip_configuration.value.psc_enabled ? ip_configuration.value.psc_allowed_consumer_projects : []
+ allowed_consumer_projects = ip_configuration.value.psc_allowed_consumer_projects
 }
 }
 }
diff --git a/modules/postgresql/variables.tf b/modules/postgresql/variables.tf
index 88c2e231..e0976f8c 100644
--- a/modules/postgresql/variables.tf
+++ b/modules/postgresql/variables.tf
@@ -177,7 +177,7 @@ variable "random_instance_name" {
 }
 variable "tier" {
- description = "The tier for the Cloud SQL instance, for ADC its defualt value will be db-perf-optimized-N-8 which is tier value for edtion ENTERPRISE_PLUS, if user wants to change the edition, he should chose compatible tier."
+ description = "The tier for the Cloud SQL instance, for ADC its default value will be db-perf-optimized-N-8 which is tier value for edition ENTERPRISE_PLUS, if user wants to change the edition, he should chose compatible tier."
 type = string
 default = "db-f1-micro"
 }
@@ -283,7 +283,7 @@ variable "deny_maintenance_period" {
 }
 variable "backup_configuration" {
- description = "The backup_configuration settings subblock for the database setings"
+ description = "The backup_configuration settings subblock for the database settings"
 type = object({
 enabled = optional(bool, false)
 start_time = optional(string)
diff --git a/modules/postgresql/versions.tf b/modules/postgresql/versions.tf
index 4d2d417a..35d0f5a1 100644
--- a/modules/postgresql/versions.tf
+++ b/modules/postgresql/versions.tf
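Review bot: The psc_config block is now omitted entirely when PSC is disabled instead of being emitted with `psc_enabled = false`, which is the cleaner shape and lets `allowed_consumer_projects` drop its inline guard; however replicas created under the old module may show an in-place update removing the empty block on the first plan after upgrade, so this deserves a line in the upgrade notes if it does. A short comment on the `for_each` line, e.g. `# omit the block entirely when PSC is off; the provider treats an explicit psc_enabled = false the same way`, would record the intent, with the second clause confirmed against the provider. The enclosing resource and the surrounding dynamic "ip_configuration" block start outside this hunk.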
@@ -27,19 +27,19 @@ terraform { } google = { source = "hashicorp/google" - version = ">= 6.31, < 7" + version = ">= 6.31, < 8" } google-beta = { source = "hashicorp/google-beta" - version = ">= 6.31, < 7" + version = ">= 6.31, < 8" } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-sql-db:postgresql/v26.1.1" + module_name = "blueprints/terraform/terraform-google-sql-db:postgresql/v26.2.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-sql-db:postgresql/v26.1.1" + module_name = "blueprints/terraform/terraform-google-sql-db:postgresql/v26.2.0" } } diff --git a/modules/private_service_access/README.md b/modules/private_service_access/README.md index 96ba0749..43b3794d 100644 --- a/modules/private_service_access/README.md +++ b/modules/private_service_access/README.md @@ -16,7 +16,7 @@ Basic usage of this module is as follows: ``` module "test_psa" { source = "terraform-google-modules/sql-db/google//modules/private_service_access" - version = "~> 26.1" + version = "~> 26.2" project_id = var.project_id vpc_network = google_compute_network.default.name @@ -38,7 +38,7 @@ module "test_psa" { | ip\_version | IP Version for the allocation. Can be IPV4 or IPV6. | `string` | `""` | no | | labels | The key/value labels for the IP range allocated to the peered network. | `map(string)` | `{}` | no | | prefix\_length | Prefix length of the IP range reserved for Cloud SQL instances and other Private Service Access services. Defaults to /16. | `number` | `16` | no | -| project\_id | The project ID of the VPC network to peer. This can be a shared VPC host projec. | `string` | n/a | yes | +| project\_id | The project ID of the VPC network to peer. This can be a shared VPC host project. | `string` | n/a | yes | | vpc\_network | Name of the VPC network to peer. | `string` | n/a | yes | ## Outputs 
diff --git a/modules/private_service_access/metadata.yaml b/modules/private_service_access/metadata.yaml index 78920025..56b1a336 100644 --- a/modules/private_service_access/metadata.yaml +++ b/modules/private_service_access/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,10 +25,10 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-sql-db.git sourceType: git dir: /modules/private_service_access - version: 26.1.1 + version: 26.2.0 actuationTool: flavor: Terraform - version: ">= 0.13" + version: ">= 1.3" description: {} content: examples: 
@@ -62,17 +62,26 @@ spec: location: examples/private_service_access interfaces: variables: + - name: project_id + description: The project ID of the VPC network to peer. This can be a shared VPC host projec. + varType: string + required: true + - name: vpc_network + description: Name of the VPC network to peer. + varType: string + required: true - name: address description: First IP address of the IP range to allocate to CLoud SQL instances and other Private Service Access services. If not set, GCP will pick a valid one for you. varType: string defaultValue: "" - - name: deletion_policy - description: The deletion policy for the service networking connection. Setting to ABANDON allows the resource to be abandoned rather than deleted. This will enable a successful terraform destroy when destroying CloudSQL instances. Use with care as it can lead to dangling resources. - varType: string - name: description description: An optional description of the Global Address resource. varType: string defaultValue: "" + - name: prefix_length + description: Prefix length of the IP range reserved for Cloud SQL instances and other Private Service Access services. Defaults to /16. + varType: number + defaultValue: 16 - name: ip_version description: IP Version for the allocation. Can be IPV4 or IPV6. varType: string 
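Review bot: The `project_id` description moved into this hunk still reads "This can be a shared VPC host projec." while the variables.tf hunk at L108 fixes that typo to "project."; since this block is evidently regenerated from variables.tf (the variables are being reordered to match it), regenerating it once more after the typo fix keeps the two from diverging. The reorder itself is fine; the trailing hunk at L107 correctly drops the sqladmin and KMS roles a PSA-only module never needs, leaving `roles/servicenetworking.networksAdmin` and `roles/iam.serviceAccountUser`.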
@@ -81,18 +90,9 @@ spec: description: The key/value labels for the IP range allocated to the peered network. varType: map(string) defaultValue: {} - - name: prefix_length - description: Prefix length of the IP range reserved for Cloud SQL instances and other Private Service Access services. Defaults to /16. - varType: number - defaultValue: 16 - - name: project_id - description: The project ID of the VPC network to peer. This can be a shared VPC host projec. - varType: string - required: true - - name: vpc_network - description: Name of the VPC network to peer. + - name: deletion_policy + description: The deletion policy for the service networking connection. Setting to ABANDON allows the resource to be abandoned rather than deleted. This will enable a successful terraform destroy when destroying CloudSQL instances. Use with care as it can lead to dangling resources. varType: string - required: true outputs: - name: address description: First IP of the reserved range. @@ -104,26 +104,15 @@ spec: roles: - level: Project roles: - - roles/cloudkms.admin - - roles/cloudkms.cryptoKeyEncrypterDecrypter - - roles/cloudscheduler.admin - - roles/cloudsql.admin - - roles/compute.admin - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin + - roles/servicenetworking.networksAdmin - roles/iam.serviceAccountUser - - roles/monitoring.editor - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/workflows.admin services: - - cloudkms.googleapis.com - - cloudresourcemanager.googleapis.com - - cloudscheduler.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - monitoring.googleapis.com - servicenetworking.googleapis.com - serviceusage.googleapis.com - - sqladmin.googleapis.com - - workflows.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 5.38, < 7" + - source: hashicorp/google-beta + version: ">= 5.38, < 7" + - source: hashicorp/null + version: ~> 3.1 
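Review bot: The new `providerVersions` block pins `hashicorp/google` and `hashicorp/google-beta` to `>= 5.38, < 7`, but `modules/private_service_access/versions.tf` in this same commit raises both constraints to `>= 5.38, < 8`, so the published metadata understates the supported provider range from the moment it ships. The restore hunk (`>= 4.0, < 7` against versions.tf `< 8`) and the safer_mysql hunk (`>= 6.31, < 7` against `< 8`) have the same mismatch, and regenerating metadata after the versions.tf bumps fixes all three. Separately, `compute.googleapis.com` is dropped from `services` here although the module's `address` and `prefix_length` variables describe reserving an IP range, which is presumably a Compute global address; if so that API should stay listed, and the omission would not surface in CI because `test/setup/main.tf` still enables it in the project's base `activate_apis` list.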
diff --git a/modules/private_service_access/variables.tf b/modules/private_service_access/variables.tf
index 6129d68f..0010a7cf 100644
--- a/modules/private_service_access/variables.tf
+++ b/modules/private_service_access/variables.tf
@@ -15,7 +15,7 @@ */
 variable "project_id" {
- description = "The project ID of the VPC network to peer. This can be a shared VPC host projec."
+ description = "The project ID of the VPC network to peer. This can be a shared VPC host project."
 type = string
 }
diff --git a/modules/private_service_access/versions.tf b/modules/private_service_access/versions.tf
index d9fc5113..7798a30a 100644
--- a/modules/private_service_access/versions.tf
+++ b/modules/private_service_access/versions.tf
@@ -23,20 +23,20 @@ terraform {
 }
 google = {
 source = "hashicorp/google"
- version = ">= 5.38, < 7"
+ version = ">= 5.38, < 8"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.38, < 7"
+ version = ">= 5.38, < 8"
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-sql-db:private_service_access/v26.1.1"
+ module_name = "blueprints/terraform/terraform-google-sql-db:private_service_access/v26.2.0"
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-sql-db:private_service_access/v26.1.1"
+ module_name = "blueprints/terraform/terraform-google-sql-db:private_service_access/v26.2.0"
 }
 }
diff --git a/modules/restore/metadata.yaml b/modules/restore/metadata.yaml
index bf9f7c32..6bb0bb81 100644
--- a/modules/restore/metadata.yaml
+++ b/modules/restore/metadata.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -27,7 +27,7 @@ spec:
 dir: /modules/restore
 actuationTool:
 flavor: Terraform
- version: ">= 0.13"
+ version: ">= 1.3"
 description: {}
 content:
 examples:
@@ -61,18 +61,6 @@ spec: location: examples/private_service_access interfaces: variables: - - name: import_databases - description: The list of databases that should be imported - if is an empty set all databases will be imported - varType: set(string) - defaultValue: [] - - name: import_uri - description: The bucket and path uri of GCS backup file for importing - varType: string - required: true - - name: project_id - description: The project ID - varType: string - required: true - name: region description: The region to run the workflow varType: string @@ -80,10 +68,22 @@ spec: - name: service_account description: The service account to use for running the workflow and triggering the workflow by Cloud Scheduler - If empty or null a service account will be created. If you have provided a service account you need to grant the Cloud SQL Admin and the Workflows Invoker role to that varType: string + - name: project_id + description: The project ID + varType: string + required: true - name: sql_instance description: The name of the SQL instance to backup varType: string required: true + - name: import_databases + description: The list of databases that should be imported - if is an empty set all databases will be imported + varType: set(string) + defaultValue: [] + - name: import_uri + description: The bucket and path uri of GCS backup file for importing + varType: string + required: true outputs: - name: import_workflow_name description: The name for import workflow 
@@ -95,26 +95,12 @@ spec: roles: - level: Project roles: - - roles/cloudkms.admin - - roles/cloudkms.cryptoKeyEncrypterDecrypter - - roles/cloudscheduler.admin - roles/cloudsql.admin - - roles/compute.admin - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - roles/iam.serviceAccountUser - - roles/monitoring.editor - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/workflows.admin + - roles/logging.logWriter services: - - cloudkms.googleapis.com - - cloudresourcemanager.googleapis.com - - cloudscheduler.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - monitoring.googleapis.com - - servicenetworking.googleapis.com - serviceusage.googleapis.com - sqladmin.googleapis.com - - workflows.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.0, < 7" diff --git a/modules/restore/versions.tf b/modules/restore/versions.tf index 8fbfeba7..e1e8536d 100644 --- a/modules/restore/versions.tf +++ b/modules/restore/versions.tf @@ -19,7 +19,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.0, < 7" + version = ">= 4.0, < 8" } } } diff --git a/modules/safer_mysql/README.md b/modules/safer_mysql/README.md index 156a4eb3..42e80c24 100644 --- a/modules/safer_mysql/README.md +++ b/modules/safer_mysql/README.md @@ -167,7 +167,7 @@ Functional examples are included in the [examples](../../examples/) directory. B ```hcl module "safer-mysql-db" { source = "terraform-google-modules/sql-db/google//modules/safer_mysql" - version = "~> 26.1" + version = "~> 26.2" name = var.db_name 
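Review bot: This hunk removes `roles/workflows.admin`, `roles/cloudscheduler.admin`, `workflows.googleapis.com` and `cloudscheduler.googleapis.com` from the restore module's requirements, yet the module interface in the preceding hunk still exposes an `import_workflow_name` output and documents `service_account` as the identity "for running the workflow and triggering the workflow by Cloud Scheduler". Unless those resources are now created outside the module, the regenerated requirements understate what a caller must have, and `test/setup` will not catch it because the integration project keeps `roles/workflows.admin`, `roles/cloudscheduler.admin` and both APIs in its base lists. Worth checking against the module's resource definitions before this is published as the 26.2.0 requirements.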
@@ -244,7 +244,7 @@ module "safer-mysql-db" { | allocated\_ip\_range | Existing allocated IP range name for the Private IP CloudSQL instance. The networks needs to be configured with https://cloud.google.com/vpc/docs/configure-private-services-access. | `string` | `null` | no | | assign\_public\_ip | Set to true if the master instance should also have a public IP (less secure). | `bool` | `false` | no | | availability\_type | The availability type for the master instance. Can be either `REGIONAL` or `null`. | `string` | `"REGIONAL"` | no | -| backup\_configuration | The backup\_configuration settings subblock for the database setings |
object({
binary_log_enabled = bool
enabled = bool
start_time = string
location = string
transaction_log_retention_days = string
retained_backups = number
retention_unit = string
})
|
{
"binary_log_enabled": false,
"enabled": false,
"location": null,
"retained_backups": null,
"retention_unit": null,
"start_time": null,
"transaction_log_retention_days": null
}
| no | +| backup\_configuration | The backup\_configuration settings subblock for the database settings |
object({
binary_log_enabled = bool
enabled = bool
start_time = string
location = string
transaction_log_retention_days = string
retained_backups = number
retention_unit = string
})
|
{
"binary_log_enabled": false,
"enabled": false,
"location": null,
"retained_backups": null,
"retention_unit": null,
"start_time": null,
"transaction_log_retention_days": null
}
| no | | create\_timeout | The optional timout that is applied to limit long database creates. | `string` | `"30m"` | no | | data\_cache\_enabled | Whether data cache is enabled for the instance. Defaults to false. Feature is only available for ENTERPRISE\_PLUS tier and supported database\_versions | `bool` | `false` | no | | database\_flags | The database flags for the master instance. See [more details](https://cloud.google.com/sql/docs/mysql/flags) |
list(object({
name = string
value = string
}))
| `[]` | no | diff --git a/modules/safer_mysql/metadata.yaml b/modules/safer_mysql/metadata.yaml index ef246241..8f516c5a 100644 --- a/modules/safer_mysql/metadata.yaml +++ b/modules/safer_mysql/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-sql-db.git sourceType: git dir: /modules/safer_mysql - version: 26.1.1 + version: 26.2.0 actuationTool: flavor: Terraform version: ">= 1.3" 
@@ -62,114 +62,77 @@ spec: location: examples/private_service_access interfaces: variables: - - name: activation_policy - description: The activation policy for the master instance. Can be either `ALWAYS`, `NEVER` or `ON_DEMAND`. - varType: string - defaultValue: ALWAYS - - name: additional_databases - description: A list of databases to be created in your cluster - varType: |- - list(object({ - name = string - charset = string - collation = string - })) - defaultValue: [] - - name: additional_users - description: A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set. - varType: |- - list(object({ - name = string - password = string - host = string - type = string - random_password = bool - })) - defaultValue: [] - - name: allocated_ip_range - description: Existing allocated IP range name for the Private IP CloudSQL instance. The networks needs to be configured with https://cloud.google.com/vpc/docs/configure-private-services-access. - varType: string - - name: assign_public_ip - description: Set to true if the master instance should also have a public IP (less secure). - varType: bool - defaultValue: false - - name: availability_type - description: The availability type for the master instance. Can be either `REGIONAL` or `null`. 
+ - name: project_id + description: The project ID to manage the Cloud SQL resources varType: string - defaultValue: REGIONAL - - name: backup_configuration - description: The backup_configuration settings subblock for the database setings - varType: |- - object({ - binary_log_enabled = bool - enabled = bool - start_time = string - location = string - transaction_log_retention_days = string - retained_backups = number - retention_unit = string - }) - defaultValue: - binary_log_enabled: false - enabled: false - location: null - retained_backups: null - retention_unit: null - start_time: null - transaction_log_retention_days: null - - name: create_timeout - description: The optional timout that is applied to limit long database creates. + required: true + - name: name + description: The name of the Cloud SQL resources varType: string - defaultValue: 30m - - name: data_cache_enabled - description: Whether data cache is enabled for the instance. Defaults to false. Feature is only available for ENTERPRISE_PLUS tier and supported database_versions + required: true + - name: random_instance_name + description: Sets random suffix at the end of the Cloud SQL resource name varType: bool defaultValue: false - - name: database_flags - description: The database flags for the master instance. See [more details](https://cloud.google.com/sql/docs/mysql/flags) - varType: |- - list(object({ - name = string - value = string - })) - defaultValue: [] - name: database_version description: The database version to use varType: string required: true - - name: db_charset - description: The charset for the default database + - name: maintenance_version + description: The current software version on the instance. This attribute can not be set during creation. Refer to available_maintenance_versions attribute to see what maintenance_version are available for upgrade. When this attribute gets updated, it will cause an instance restart. 
Setting a maintenance_version value that is older than the current one on the instance will be ignored varType: string - defaultValue: "" - - name: db_collation - description: "The collation for the default database. Example: 'utf8_general_ci'" + - name: region + description: The region of the Cloud SQL resources varType: string - defaultValue: "" - - name: db_name - description: The name of the default database to create + required: true + - name: vpc_network + description: Existing VPC network to which instances are connected. The networks needs to be configured with https://cloud.google.com/vpc/docs/configure-private-services-access. varType: string - defaultValue: default - - name: delete_timeout - description: The optional timout that is applied to limit long database deletes. + required: true + - name: allocated_ip_range + description: Existing allocated IP range name for the Private IP CloudSQL instance. The networks needs to be configured with https://cloud.google.com/vpc/docs/configure-private-services-access. varType: string - defaultValue: 30m - - name: deletion_protection - description: Used to block Terraform from deleting a SQL Instance. - varType: bool - defaultValue: true + - name: tier + description: The tier for the master instance. + varType: string + defaultValue: db-n1-standard-1 + - name: edition + description: The edition of the instance, can be ENTERPRISE or ENTERPRISE_PLUS. + varType: string + - name: zone + description: "The zone for the master instance, it should be something like: `us-central1-a`, `us-east1-c`." + varType: string + - name: secondary_zone + description: "The preferred zone for the secondary/failover instance, it should be something like: `us-central1-a`, `us-east1-c`." + varType: string + - name: master_instance_name + description: The name of the existing instance that will act as the master in the replication setup. 
+ varType: string + - name: failover_dr_replica_name + description: If the instance is a primary instance, then this field identifies the disaster recovery (DR) replica. The standard format of this field is "your-project:your-instance". You can also set this field to "your-instance", but cloud SQL backend will convert it to the aforementioned standard format. + varType: string + - name: instance_type + description: Users can upgrade a read replica instance to a stand-alone Cloud SQL instance with the help of instance_type. To promote, users have to set the instance_type property as CLOUD_SQL_INSTANCE and remove/unset master_instance_name and replica_configuration from instance configuration. This operation might cause your instance to restart. + varType: string + - name: follow_gae_application + description: A Google App Engine application whose zone to remain in. Must be in the same region as this instance. + varType: string + - name: activation_policy + description: The activation policy for the master instance. Can be either `ALWAYS`, `NEVER` or `ON_DEMAND`. + varType: string + defaultValue: ALWAYS + - name: availability_type + description: The availability type for the master instance. Can be either `REGIONAL` or `null`. + varType: string + defaultValue: REGIONAL - name: deletion_protection_enabled description: Enables protection of an instance from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform). varType: bool defaultValue: false - - name: deny_maintenance_period - description: The Deny Maintenance Period fields to prevent automatic maintenance from occurring during a 90-day time period. List accepts only one value. 
See [more details](https://cloud.google.com/sql/docs/mysql/maintenance) - varType: |- - list(object({ - end_date = string - start_date = string - time = string - })) - defaultValue: [] + - name: read_replica_deletion_protection_enabled + description: Enables protection of a read replica from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform). + varType: bool + defaultValue: false - name: disk_autoresize description: Configuration to increase storage size varType: bool 
@@ -186,38 +149,10 @@ spec: description: The disk type for the master instance. varType: string defaultValue: PD_SSD - - name: edition - description: The edition of the instance, can be ENTERPRISE or ENTERPRISE_PLUS. - varType: string - - name: encryption_key_name - description: The full path to the encryption key used for the CMEK disk encryption - varType: string - - name: failover_dr_replica_name - description: If the instance is a primary instance, then this field identifies the disaster recovery (DR) replica. The standard format of this field is "your-project:your-instance". You can also set this field to "your-instance", but cloud SQL backend will convert it to the aforementioned standard format. - varType: string - - name: follow_gae_application - description: A Google App Engine application whose zone to remain in. Must be in the same region as this instance. - varType: string - - name: iam_users - description: A list of IAM users to be created in your CloudSQL instance - varType: |- - list(object({ - id = string, - email = string - })) - defaultValue: [] - - name: insights_config - description: The insights_config settings for the database. - varType: |- - object({ - query_plans_per_minute = number - query_string_length = number - record_application_tags = bool - record_client_address = bool - }) - - name: instance_type - description: Users can upgrade a read replica instance to a stand-alone Cloud SQL instance with the help of instance_type. To promote, users have to set the instance_type property as CLOUD_SQL_INSTANCE and remove/unset master_instance_name and replica_configuration from instance configuration. This operation might cause your instance to restart. + - name: pricing_plan + description: The pricing plan for the master instance. varType: string + defaultValue: PER_USE - name: maintenance_window_day description: The day of week (1-7) for the master instance maintenance. varType: number 
@@ -230,35 +165,57 @@ spec: description: The update track of maintenance window for the master instance maintenance. Can be either `canary` or `stable`. varType: string defaultValue: stable - - name: master_instance_name - description: The name of the existing instance that will act as the master in the replication setup. - varType: string - - name: module_depends_on - description: List of modules or resources this module depends on. - varType: list(any) - defaultValue: [] - - name: name - description: The name of the Cloud SQL resources - varType: string - required: true - - name: pricing_plan - description: The pricing plan for the master instance. - varType: string - defaultValue: PER_USE - - name: project_id - description: The project ID to manage the Cloud SQL resources - varType: string - required: true - - name: random_instance_name - description: Sets random suffix at the end of the Cloud SQL resource name + - name: data_cache_enabled + description: Whether data cache is enabled for the instance. Defaults to false. Feature is only available for ENTERPRISE_PLUS tier and supported database_versions varType: bool defaultValue: false - - name: read_replica_deletion_protection - description: Used to block Terraform from deleting replica SQL Instances. + - name: deny_maintenance_period + description: The Deny Maintenance Period fields to prevent automatic maintenance from occurring during a 90-day time period. List accepts only one value. See [more details](https://cloud.google.com/sql/docs/mysql/maintenance) + varType: |- + list(object({ + end_date = string + start_date = string + time = string + })) + defaultValue: [] + - name: database_flags + description: The database flags for the master instance. See [more details](https://cloud.google.com/sql/docs/mysql/flags) + varType: |- + list(object({ + name = string + value = string + })) + defaultValue: [] + - name: user_labels + description: The key/value labels for the master instances. 
+ varType: map(string) + defaultValue: {} + - name: backup_configuration + description: The backup_configuration settings subblock for the database setings + varType: |- + object({ + binary_log_enabled = bool + enabled = bool + start_time = string + location = string + transaction_log_retention_days = string + retained_backups = number + retention_unit = string + }) + defaultValue: + binary_log_enabled: false + enabled: false + location: null + retained_backups: null + retention_unit: null + start_time: null + transaction_log_retention_days: null + - name: retain_backups_on_delete + description: When this parameter is set to true, Cloud SQL retains backups of the instance even after the instance is deleted. The ON_DEMAND backup will be retained until customer deletes the backup or the project. The AUTOMATED backup will be retained based on the backups retention setting. varType: bool - defaultValue: false - - name: read_replica_deletion_protection_enabled - description: Enables protection of a read replica from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform). + defaultValue: true + - name: assign_public_ip + description: Set to true if the master instance should also have a public IP (less secure). varType: bool defaultValue: false - name: read_replica_name_suffix 
@@ -294,31 +251,40 @@ spec: authorized_networks = list(map(string)) ipv4_enabled = bool private_network = string - require_ssl = bool allocated_ip_range = string }) encryption_key_name = string })) defaultValue: [] - - name: region - description: The region of the Cloud SQL resources - varType: string - required: true - - name: secondary_zone - description: "The preferred zone for the secondary/failover instance, it should be something like: `us-central1-a`, `us-east1-c`." + - name: enable_default_db + description: Enable or disable the creation of the default database + varType: bool + defaultValue: true + - name: db_name + description: The name of the default database to create varType: string - - name: tier - description: The tier for the master instance. + defaultValue: default + - name: db_charset + description: The charset for the default database varType: string - defaultValue: db-n1-standard-1 - - name: update_timeout - description: The optional timout that is applied to limit long database updates. + defaultValue: "" + - name: db_collation + description: "The collation for the default database. Example: 'utf8_general_ci'" varType: string - defaultValue: 30m - - name: user_labels - description: The key/value labels for the master instances. - varType: map(string) - defaultValue: {} + defaultValue: "" + - name: additional_databases + description: A list of databases to be created in your cluster + varType: |- + list(object({ + name = string + charset = string + collation = string + })) + defaultValue: [] + - name: enable_default_user + description: Enable or disable the creation of the default user + varType: bool + defaultValue: true - name: user_name description: The name of the default user varType: string 
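Review bot: The regenerated `read_replicas` type drops `require_ssl = bool` from the replica `ip_configuration` object and nothing in the visible type replaces it, so a caller reading this metadata has no field for enforcing TLS on replica connections; the enclosing `read_replicas` entry starts before this hunk. The `variables.tf` hunks in this diff do not touch `read_replicas`, so this presumably mirrors an earlier variable change (the provider replaced `require_ssl` with `ssl_mode`), but that cannot be confirmed from here. If `variables.tf` still declares `require_ssl`, the metadata is stale and should be regenerated; if the field was removed on purpose, the `read_replicas` description should state where replica TLS enforcement is now configured so the change in exposure is visible to users.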
@@ -327,13 +293,62 @@ spec: description: The password for the default user. If not set, a random one will be generated and available in the generated_user_password output variable. varType: string defaultValue: "" - - name: vpc_network - description: Existing VPC network to which instances are connected. The networks needs to be configured with https://cloud.google.com/vpc/docs/configure-private-services-access. + - name: additional_users + description: A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set. + varType: |- + list(object({ + name = string + password = string + host = string + type = string + random_password = bool + })) + defaultValue: [] + - name: iam_users + description: A list of IAM users to be created in your CloudSQL instance. iam.users.type can be CLOUD_IAM_USER, CLOUD_IAM_SERVICE_ACCOUNT, CLOUD_IAM_GROUP and is required for type CLOUD_IAM_GROUP (IAM groups) + varType: |- + list(object({ + id = string, + email = string, + type = optional(string) + })) + defaultValue: [] + - name: create_timeout + description: The optional timout that is applied to limit long database creates. varType: string - required: true - - name: zone - description: "The zone for the master instance, it should be something like: `us-central1-a`, `us-east1-c`." + defaultValue: 30m + - name: update_timeout + description: The optional timout that is applied to limit long database updates. + varType: string + defaultValue: 30m + - name: delete_timeout + description: The optional timout that is applied to limit long database deletes. varType: string + defaultValue: 30m + - name: module_depends_on + description: List of modules or resources this module depends on. + varType: list(any) + defaultValue: [] + - name: deletion_protection + description: Used to block Terraform from deleting a SQL Instance. 
+ varType: bool + defaultValue: true + - name: read_replica_deletion_protection + description: Used to block Terraform from deleting replica SQL Instances. + varType: bool + defaultValue: false + - name: encryption_key_name + description: The full path to the encryption key used for the CMEK disk encryption + varType: string + - name: insights_config + description: The insights_config settings for the database. + varType: |- + object({ + query_plans_per_minute = number + query_string_length = number + record_application_tags = bool + record_client_address = bool + }) outputs: - name: generated_user_password description: The auto generated default user password if not input password was provided @@ -369,26 +384,12 @@ spec: roles: - level: Project roles: - - roles/cloudkms.admin - - roles/cloudkms.cryptoKeyEncrypterDecrypter - - roles/cloudscheduler.admin - - roles/cloudsql.admin - - roles/compute.admin - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - roles/iam.serviceAccountUser - - roles/monitoring.editor - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/workflows.admin + - roles/logging.logWriter + - roles/cloudsql.admin services: - - cloudkms.googleapis.com - - cloudresourcemanager.googleapis.com - - cloudscheduler.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - monitoring.googleapis.com - - servicenetworking.googleapis.com - serviceusage.googleapis.com - sqladmin.googleapis.com - - workflows.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 6.31, < 7" diff --git a/modules/safer_mysql/variables.tf b/modules/safer_mysql/variables.tf index 7b5ff289..058a5d6e 100644 --- a/modules/safer_mysql/variables.tf +++ b/modules/safer_mysql/variables.tf 
@@ -216,7 +216,7 @@ variable "user_labels" {
 }
 variable "backup_configuration" {
- description = "The backup_configuration settings subblock for the database setings"
+ description = "The backup_configuration settings subblock for the database settings"
 type = object({
 binary_log_enabled = bool
 enabled = bool
diff --git a/modules/safer_mysql/versions.tf b/modules/safer_mysql/versions.tf
index 2a8bd5c3..6b361d2e 100644
--- a/modules/safer_mysql/versions.tf
+++ b/modules/safer_mysql/versions.tf
@@ -20,12 +20,12 @@ terraform {
 google = {
 source = "hashicorp/google"
- version = ">= 6.31, < 7"
+ version = ">= 6.31, < 8"
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-sql-db:safer_mysql/v26.1.1"
+ module_name = "blueprints/terraform/terraform-google-sql-db:safer_mysql/v26.2.0"
 }
 }
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 951be51b..6479da45 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -15,21 +15,70 @@ */
 locals {
- int_required_roles = [
+ per_module_roles = {
+ backup = [
+ "roles/cloudsql.admin",
+ "roles/iam.serviceAccountUser",
+ "roles/logging.logWriter",
+ ]
+ mssql = [
+ "roles/cloudsql.admin",
+ "roles/iam.serviceAccountUser",
+ "roles/logging.logWriter",
+ ]
+ mysql = [
+ "roles/cloudsql.admin",
+ "roles/resourcemanager.projectIamAdmin",
+ "roles/iam.serviceAccountUser",
+ "roles/compute.networkAdmin",
+ "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+ "roles/logging.logWriter",
+ ]
+ postgresql = [
+ "roles/cloudsql.admin",
+ "roles/storage.admin",
+ "roles/resourcemanager.projectIamAdmin",
+ "roles/iam.serviceAccountUser",
+ "roles/compute.networkAdmin",
+ "roles/cloudkms.admin",
+ "roles/cloudkms.autokeyAdmin",
+ "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+ "roles/logging.logWriter",
+ ]
+ private_service_access = [
+ "roles/servicenetworking.networksAdmin",
+ "roles/iam.serviceAccountUser",
+ ]
+ restore = [
+ "roles/cloudsql.admin",
+ "roles/iam.serviceAccountUser",
+ "roles/logging.logWriter",
+ ]
+ safer_mysql = [
+ "roles/cloudsql.admin",
+ "roles/iam.serviceAccountUser",
+ "roles/logging.logWriter",
+ ]
+ root = [
+ "roles/resourcemanager.projectIamAdmin",
+ "roles/serviceusage.serviceUsageAdmin",
+ "roles/cloudsql.admin",
+ "roles/iam.serviceAccountAdmin",
+ "roles/iam.serviceAccountUser",
+ ]
+ }
+
+ int_required_roles = concat([
 "roles/cloudkms.admin",
 "roles/cloudkms.autokeyAdmin",
 "roles/cloudkms.cryptoKeyEncrypterDecrypter",
 "roles/cloudscheduler.admin",
- "roles/cloudsql.admin",
 "roles/compute.admin",
 "roles/compute.networkAdmin",
- "roles/iam.serviceAccountAdmin",
- "roles/iam.serviceAccountUser",
 "roles/monitoring.editor",
- "roles/resourcemanager.projectIamAdmin",
 "roles/storage.admin",
 "roles/workflows.admin",
- ]
+ ], flatten(values(local.per_module_roles)))
 }
 resource "google_service_account" "int_test" {
diff --git a/test/setup/main.tf b/test/setup/main.tf
index 69a03212..3b1be9af 100644
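Review bot: `int_required_roles` is now `concat([...], flatten(values(local.per_module_roles)))`, which yields many duplicate entries (`roles/cloudsql.admin` appears in seven of the eight per-module lists and `roles/iam.serviceAccountUser` in all of them); whether that is harmless depends on the consumer outside this hunk — a `for_each = toset(...)` collapses them, while a `count`-based `google_project_iam_member` would declare the same binding several times. Wrapping the expression as `int_required_roles = distinct(concat([ ... ], flatten(values(local.per_module_roles))))` makes the list safe either way, and the `activate_apis = concat([...], flatten(values(local.per_module_services)))` in the `test/setup/main.tf` hunk has the same duplication and would take the same `distinct()`. Note also that because the single `int_test` service account receives the union, the per-module split documents requirements but does not reduce that account's privilege: it still holds `roles/resourcemanager.projectIamAdmin`, `roles/cloudkms.admin` and `roles/iam.serviceAccountAdmin` for every module's tests.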
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -14,6 +14,62 @@
 * limitations under the License.
 */
+locals {
+ per_module_services = {
+ backup = [
+ "sqladmin.googleapis.com",
+ "serviceusage.googleapis.com",
+ ]
+ mssql = [
+ "sqladmin.googleapis.com",
+ "serviceusage.googleapis.com",
+ "iam.googleapis.com",
+ "cloudkms.googleapis.com",
+ "cloudresourcemanager.googleapis.com",
+ "compute.googleapis.com",
+ "monitoring.googleapis.com",
+ ]
+ mysql = [
+ "sqladmin.googleapis.com",
+ "serviceusage.googleapis.com",
+ "servicenetworking.googleapis.com",
+ "iam.googleapis.com",
+ "cloudkms.googleapis.com",
+ "cloudresourcemanager.googleapis.com",
+ "compute.googleapis.com",
+ "monitoring.googleapis.com",
+ ]
+ postgresql = [
+ "sqladmin.googleapis.com",
+ "serviceusage.googleapis.com",
+ "servicenetworking.googleapis.com",
+ "iam.googleapis.com",
+ "cloudkms.googleapis.com",
+ "cloudresourcemanager.googleapis.com",
+ "compute.googleapis.com",
+ "monitoring.googleapis.com",
+ ]
+ private_service_access = [
+ "servicenetworking.googleapis.com",
+ "serviceusage.googleapis.com",
+ ]
+ restore = [
+ "sqladmin.googleapis.com",
+ "serviceusage.googleapis.com",
+ ]
+ safer_mysql = [
+ "sqladmin.googleapis.com",
+ "serviceusage.googleapis.com",
+ ]
+ root = [
+ "sqladmin.googleapis.com",
+ "serviceusage.googleapis.com",
+ "iam.googleapis.com",
+ "cloudresourcemanager.googleapis.com",
+ ]
+ }
+}
+
 module "project" {
 source = "terraform-google-modules/project-factory/google"
 version = "~> 18.0"
@@ -25,18 +81,13 @@ module "project" {
 billing_account = var.billing_account
 deletion_policy = "DELETE"
- activate_apis = [
+ activate_apis = concat([
 "cloudkms.googleapis.com",
- "cloudresourcemanager.googleapis.com",
 "cloudscheduler.googleapis.com",
 "compute.googleapis.com",
- "iam.googleapis.com",
 "monitoring.googleapis.com",
- "servicenetworking.googleapis.com",
- "serviceusage.googleapis.com",
- "sqladmin.googleapis.com",
 "workflows.googleapis.com",
- ]
+ ], flatten(values(local.per_module_services)))
 }
 resource "google_service_account" "cloudsql_pg_sa" {