From 19e82c839e65d9b3e3c75e014da690dacf00e63b Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 21 Jul 2025 22:49:44 -0500
Subject: [PATCH 01/15] chore(deps): Update Terraform terraform-google-modules/sql-db/google to v26 (#745)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 examples/mssql-failover-replica/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/mssql-failover-replica/main.tf b/examples/mssql-failover-replica/main.tf
index ccd4e416..a8bba20d 100644
--- a/examples/mssql-failover-replica/main.tf
+++ b/examples/mssql-failover-replica/main.tf
@@ -56,7 +56,7 @@ module "mssql1" {
 module "mssql2" {
 source = "terraform-google-modules/sql-db/google//modules/mssql"
- version = "~> 25.0"
+ version = "~> 26.0"
 master_instance_name = module.mssql1.instance_name
From f601aac5d7349ab992e67785520506980e1c67a9 Mon Sep 17 00:00:00 2001
From: "Thomas P."
Date: Tue, 22 Jul 2025 05:50:54 +0200
Subject: [PATCH 02/15] chore: update current version in readme (#731)
Co-authored-by: Imran Nayer
---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 5d9dc974..f504bb25 100644
--- a/README.md
+++ b/README.md
@@ -15,18 +15,22 @@ If you find incompatibilities using Terraform `>=1.13`, please open an issue.
 ## Upgrading
-The current version is 20.X. The following guides are available to assist with upgrades:
+The current version is 26.X. The following guides are available to assist with upgrades:
 - [1.X -> 2.0](./docs/upgrading_to_sql_db_2.0.0.md)
 - [2.X -> 3.0](./docs/upgrading_to_sql_db_3.0.0.md)
 - [3.X -> 4.0](./docs/upgrading_to_sql_db_4.0.0.md)
 - [10.X -> 11.0](./docs/upgrading_to_sql_db_11.0.0.md)
 - [11.X -> 12.0](./docs/upgrading_to_sql_db_12.0.0.md)
+- [13.X -> 14.0](./docs/upgrading_to_sql_db_14.0.0.md)
+- [14.X -> 15.0](./docs/upgrading_to_sql_db_15.0.0.md)
+- [16.X -> 17.0](./docs/upgrading_to_sql_db_17.0.0.md)
 - [19.X -> 20.0](./docs/upgrading_to_sql_db_20.0.0.md)
 - [20.X -> 21.0](./docs/upgrading_to_sql_db_21.0.md)
 - [21.X -> 22.0](./docs/upgrading_to_sql_db_22.0.md)
 - [22.X -> 23.0](./docs/upgrading_to_sql_db_23.0.md)
 - [23.X -> 24.0](./docs/upgrading_to_sql_db_24.0.md)
+- [25.X -> 26.0](./docs/upgrading_to_sql_db_26.0.md)
 ## Root module
From 61a1e649bb1a6e76947bdc058e9915d5dff24729 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 21 Jul 2025 22:51:16 -0500
Subject: [PATCH 03/15] chore(deps): Update Terraform terraform-google-modules/network/google to v11 (#730)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 examples/mysql-private/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/mysql-private/main.tf b/examples/mysql-private/main.tf
index 5bd4a0c7..f4ec2004 100644
--- a/examples/mysql-private/main.tf
+++ b/examples/mysql-private/main.tf
@@ -29,7 +29,7 @@ locals {
 module "network-safer-mysql-simple" {
 source = "terraform-google-modules/network/google"
- version = "~> 10.0"
+ version = "~> 11.0"
 project_id = var.project_id
 network_name = local.network_name
From 3cb3eeea08525d3d2829b546b8219f30fffa51af Mon Sep 17 00:00:00 2001
From: "Kelvin V. Soares"
Date: Mon, 4 Aug 2025 18:53:59 -0300
Subject: [PATCH 04/15] fix: revert psc_config workaround - causes permanent drift (#754)
---
 modules/postgresql/read_replica.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/postgresql/read_replica.tf b/modules/postgresql/read_replica.tf
index 3cae2aa1..8a9b2dc4 100644
--- a/modules/postgresql/read_replica.tf
+++ b/modules/postgresql/read_replica.tf
@@ -63,10 +63,10 @@ resource "google_sql_database_instance" "replicas" {
 }
 }
 dynamic "psc_config" {
- for_each = ip_configuration.value.psc_enabled ? ["psc_enabled"] : ["psc_disabled"]
+ for_each = ip_configuration.value.psc_enabled ? ["psc_enabled"] : []
 content {
 psc_enabled = ip_configuration.value.psc_enabled
- allowed_consumer_projects = ip_configuration.value.psc_enabled ? ip_configuration.value.psc_allowed_consumer_projects : []
+ allowed_consumer_projects = ip_configuration.value.psc_allowed_consumer_projects
 }
 }
 }
From 0475973f7cf91e815dd176f2c2d8e8951aac4434 Mon Sep 17 00:00:00 2001
From: Zheng Qin
Date: Mon, 11 Aug 2025 11:24:06 -0400
Subject: [PATCH 05/15] feat: per module requirements (#749)
Co-authored-by: Zheng Qin
---
 Makefile | 4 +-
 metadata.yaml | 17 +-
 modules/backup/metadata.yaml | 164 ++++---
 modules/mssql/metadata.yaml | 32 +-
 modules/mysql/metadata.yaml | 23 +-
 modules/postgresql/metadata.yaml | 38 +-
 modules/private_service_access/metadata.yaml | 59 ++-
 modules/restore/metadata.yaml | 50 +--
 modules/safer_mysql/metadata.yaml | 383 ++++++++++---------
 test/setup/iam.tf | 61 ++-
 test/setup/main.tf | 65 +++-
 11 files changed, 476 insertions(+), 420 deletions(-)
diff --git a/Makefile b/Makefile
index 2b1c170c..12312160 100644
--- a/Makefile
+++ b/Makefile
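Review bot: The reason the `for_each` on `dynamic "psc_config"` now yields `[]` when PSC is disabled lives only in the commit subject, so nothing in the file stops the next reader from reinstating the explicit `psc_enabled = false` block that this revert removes; a comment on that line such as `# Emit psc_config only when PSC is enabled: an explicit disabled block is reported as drift on every plan (#754)` would anchor the decision in the code. The `allowed_consumer_projects` line is now the PSC consumer allow-list passed through as given, so the same comment is a good place to state that the list is only applied when the block is rendered. The resource `google_sql_database_instance.replicas` and the enclosing `ip_configuration` block start outside the hunk, so I cannot see whether a primary-instance counterpart in this module uses the same conditional; if it does, it should carry the same comment so the two stay in step.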
@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.22
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
@@ -80,7 +80,7 @@ docker_generate_docs:
 -e ENABLE_BPMETADATA \
 -v "$(CURDIR)":/workspace \
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
- /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
+ /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs --per-module-requirements'
 # Alias for backwards compatibility
 .PHONY: generate_docs
diff --git a/metadata.yaml b/metadata.yaml
index fd390178..d9b8747b 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -75,26 +75,13 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/cloudkms.admin
- - roles/cloudkms.cryptoKeyEncrypterDecrypter
- - roles/cloudscheduler.admin
 - roles/cloudsql.admin
- - roles/compute.admin
- - roles/compute.networkAdmin
 - roles/iam.serviceAccountAdmin
 - roles/iam.serviceAccountUser
- - roles/monitoring.editor
 - roles/resourcemanager.projectIamAdmin
- - roles/storage.admin
- - roles/workflows.admin
+ - roles/serviceusage.serviceUsageAdmin
 services:
- - cloudkms.googleapis.com
 - cloudresourcemanager.googleapis.com
- - cloudscheduler.googleapis.com
- - compute.googleapis.com
 - iam.googleapis.com
- - monitoring.googleapis.com
- - servicenetworking.googleapis.com
 - serviceusage.googleapis.com
 - sqladmin.googleapis.com
- - workflows.googleapis.com
diff --git a/modules/backup/metadata.yaml b/modules/backup/metadata.yaml
index ad41812b..e9c3a59b 100644
--- a/modules/backup/metadata.yaml
+++ b/modules/backup/metadata.yaml
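Review bot: The new `--per-module-requirements` flag on the `generate_docs` call in the `docker_generate_docs` hunk is undocumented in the Makefile, and the tooling image it runs in is still referenced only by the mutable tag bumped in the first hunk, so the requirements blocks this target regenerates depend on whatever `cft/developer-tools:1.25` resolves to on the day it runs. A comment above the call such as `# --per-module-requirements writes each module's roles/services/providerVersions into that module's own metadata.yaml` would explain the flag; that wording is inferred from the metadata.yaml changes in this patch and should be checked against the tool's help text. Pinning the image by digest, or at least recording the digest that produced a given regeneration, would make the generated IAM requirements reproducible and reviewable rather than a function of the registry's current tag. The `docker_generate_docs` recipe starts above the hunk, so I cannot see whether other invocations in it pass the same flag.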
@@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -61,10 +61,21 @@ spec: location: examples/private_service_access interfaces: variables: - - name: backup_monitoring_frequency - description: Timeframe in which there should be at least one successfull backup + - name: region + description: The region where to run the workflow varType: string - defaultValue: 1d + defaultValue: us-central1 + - name: service_account + description: The service account to use for running the workflow and triggering the workflow by Cloud Scheduler - If empty or null a service account will be created. If you have provided a service account you need to grant the Cloud SQL Admin and the Workflows Invoker role to that + varType: string + - name: project_id + description: The project ID + varType: string + required: true + - name: sql_instance + description: The name of the SQL instance to backup + varType: string + required: true - name: backup_retention_time description: The number of days backups should be kept varType: number 
@@ -73,69 +84,88 @@ spec: description: The max amount of backups to list when fetching internal backup runs for the instance. This number must be larger then the amount of backups you wish to keep. E.g. for a daily backup schedule and a backup_retention_time of 30 days, you'd need to set this to at least 31 for old backups to get deleted. varType: number defaultValue: 31 + - name: scheduler_timezone + description: The Timezone in which the Scheduler Jobs are triggered + varType: string + defaultValue: Etc/GMT - name: backup_schedule description: The cron schedule to execute the internal backup varType: string defaultValue: 45 2 * * * + - name: export_schedule + description: The cron schedule to execute the export to GCS + varType: string + defaultValue: 15 3 * * * + - name: enable_internal_backup + description: Wether to create internal backups with this module + varType: bool + defaultValue: true + - name: enable_export_backup + description: Weather to create exports to GCS Buckets with this module + varType: bool + defaultValue: true + - name: export_databases + description: The list of databases that should be exported - if is an empty set all databases will be exported + varType: set(string) + defaultValue: [] + - name: export_uri + description: The bucket and path uri for exporting to GCS + varType: string + required: true - name: compress_export description: Whether or not to compress the export when storing in the bucket; Only valid for MySQL and PostgreSQL varType: bool defaultValue: true + - name: enable_connector_params + description: Whether to enable connector-specific parameters for Google Workflow SQL Export. + varType: bool + defaultValue: false - name: connector_params_timeout description: The end-to-end duration the connector call is allowed to run for before throwing a timeout exception. The default value is 1800 and this should be the maximum for connector methods that are not long-running operations. 
Otherwise, for long-running operations, the maximum timeout for a connector call is 31536000 seconds (one year). varType: number defaultValue: 1800 - - name: create_notification_channel - description: If set to true it will create email notification channel + - name: unique_suffix + description: Unique suffix to add to scheduler jobs and workflows names. + varType: string + defaultValue: "" + - name: log_db_name_to_export + description: Whether or not to log database name in the export workflow varType: bool defaultValue: false - - name: deletion_protection - description: Whether Terraform will be prevented from destroying the workflow. - varType: bool - defaultValue: true - - name: enable_backup_monitoring - description: Whether to monitor backup workflows or not + - name: use_sql_instance_replica_in_exporter + description: Whether or not to use replica instance on exporter workflow. varType: bool defaultValue: false - - name: enable_connector_params - description: Whether to enable connector-specific parameters for Google Workflow SQL Export. 
+ - name: sql_instance_replica + description: The name of the SQL instance replica to export + varType: string + - name: use_serverless_export + description: Whether to use serverless export for DB export varType: bool defaultValue: false - - name: enable_export_backup - description: Weather to create exports to GCS Buckets with this module + - name: monitoring_email + description: Email address to send alerts + varType: string + - name: enable_backup_monitoring + description: Whether to monitor backup workflows or not varType: bool - defaultValue: true + defaultValue: false + - name: backup_monitoring_frequency + description: Timeframe in which there should be at least one successfull backup + varType: string + defaultValue: 1d - name: enable_export_monitoring description: Whether to monitor export workflows or not varType: bool defaultValue: false - - name: enable_internal_backup - description: Wether to create internal backups with this module - varType: bool - defaultValue: true - - name: export_databases - description: The list of databases that should be exported - if is an empty set all databases will be exported - varType: set(string) - defaultValue: [] - name: export_monitoring_frequency description: Timeframe in which there should be at least one successfull export varType: string defaultValue: 1d - - name: export_schedule - description: The cron schedule to execute the export to GCS - varType: string - defaultValue: 15 3 * * * - - name: export_uri - description: The bucket and path uri for exporting to GCS - varType: string - required: true - - name: log_db_name_to_export - description: Whether or not to log database name in the export workflow + - name: create_notification_channel + description: If set to true it will create email notification channel varType: bool defaultValue: false - - name: monitoring_email - description: Email address to send alerts - varType: string - name: notification_channel_name description: Name of the email notification 
channel to be created. Only needed when create_notification_channel is set to true. varType: string @@ -144,40 +174,10 @@ spec: description: List of existing notification channels to send alerts to varType: list(string) defaultValue: [] - - name: project_id - description: The project ID - varType: string - required: true - - name: region - description: The region where to run the workflow - varType: string - defaultValue: us-central1 - - name: scheduler_timezone - description: The Timezone in which the Scheduler Jobs are triggered - varType: string - defaultValue: Etc/GMT - - name: service_account - description: The service account to use for running the workflow and triggering the workflow by Cloud Scheduler - If empty or null a service account will be created. If you have provided a service account you need to grant the Cloud SQL Admin and the Workflows Invoker role to that - varType: string - - name: sql_instance - description: The name of the SQL instance to backup - varType: string - required: true - - name: sql_instance_replica - description: The name of the SQL instance replica to export - varType: string - - name: unique_suffix - description: Unique suffix to add to scheduler jobs and workflows names. - varType: string - defaultValue: "" - - name: use_serverless_export - description: Whether to use serverless export for DB export - varType: bool - defaultValue: false - - name: use_sql_instance_replica_in_exporter - description: Whether or not to use replica instance on exporter workflow. + - name: deletion_protection + description: Whether Terraform will be prevented from destroying the workflow. varType: bool - defaultValue: false + defaultValue: true outputs: - name: backup_workflow_name description: The name for internal backup workflow 
@@ -191,26 +191,12 @@ spec: roles: - level: Project roles: - - roles/cloudkms.admin - - roles/cloudkms.cryptoKeyEncrypterDecrypter - - roles/cloudscheduler.admin - roles/cloudsql.admin - - roles/compute.admin - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - roles/iam.serviceAccountUser - - roles/monitoring.editor - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/workflows.admin + - roles/logging.logWriter services: - - cloudkms.googleapis.com - - cloudresourcemanager.googleapis.com - - cloudscheduler.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - monitoring.googleapis.com - - servicenetworking.googleapis.com - serviceusage.googleapis.com - sqladmin.googleapis.com - - workflows.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 6.11.0, < 7" diff --git a/modules/mssql/metadata.yaml b/modules/mssql/metadata.yaml index 8b9c2437..30cbf5e1 100644 --- a/modules/mssql/metadata.yaml +++ b/modules/mssql/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -81,6 +81,9 @@ spec: description: Sets random suffix at the end of the Cloud SQL resource name varType: bool defaultValue: false + - name: maintenance_version + description: The current software version on the instance. This attribute can not be set during creation. Refer to available_maintenance_versions attribute to see what maintenance_version are available for upgrade. When this attribute gets updated, it will cause an instance restart. Setting a maintenance_version value that is older than the current one on the instance will be ignored + varType: string - name: database_version description: "The database version to use: SQLSERVER_2017_STANDARD, SQLSERVER_2017_ENTERPRISE, SQLSERVER_2017_EXPRESS, or SQLSERVER_2017_WEB" varType: string 
@@ -298,6 +301,19 @@ spec: description: Enable or disable the creation of the default user varType: bool defaultValue: true + - name: enable_dataplex_integration + description: Enable database Dataplex integration + varType: bool + defaultValue: false + - name: insights_config + description: The insights_config settings for the database. + varType: |- + object({ + query_plans_per_minute = optional(number, 5) + query_string_length = optional(number, 1024) + record_application_tags = optional(bool, false) + record_client_address = optional(bool, false) + }) outputs: - name: additional_users description: List of maps of additional users and passwords @@ -547,29 +563,17 @@ spec: roles: - level: Project roles: - - roles/cloudkms.admin - - roles/cloudkms.cryptoKeyEncrypterDecrypter - - roles/cloudscheduler.admin - roles/cloudsql.admin - - roles/compute.admin - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - roles/iam.serviceAccountUser - - roles/monitoring.editor - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/workflows.admin + - roles/logging.logWriter services: - cloudkms.googleapis.com - cloudresourcemanager.googleapis.com - - cloudscheduler.googleapis.com - compute.googleapis.com - iam.googleapis.com - monitoring.googleapis.com - - servicenetworking.googleapis.com - serviceusage.googleapis.com - sqladmin.googleapis.com - - workflows.googleapis.com providerVersions: - source: hashicorp/google version: ">= 5.12, < 7" diff --git a/modules/mysql/metadata.yaml b/modules/mysql/metadata.yaml index d7ade559..8a5f0386 100644 --- a/modules/mysql/metadata.yaml +++ b/modules/mysql/metadata.yaml 
@@ -279,6 +279,10 @@ spec: retention_unit = optional(string) }) defaultValue: {} + - name: retain_backups_on_delete + description: When this parameter is set to true, Cloud SQL retains backups of the instance even after the instance is deleted. The ON_DEMAND backup will be retained until customer deletes the backup or the project. The AUTOMATED backup will be retained based on the backups retention setting. + varType: bool + defaultValue: false - name: insights_config description: The insights_config settings for the database. varType: |- @@ -914,35 +918,26 @@ spec: roles: - level: Project roles: - - roles/cloudkms.admin - - roles/cloudkms.autokeyAdmin + - roles/iam.serviceAccountUser + - roles/compute.networkAdmin - roles/cloudkms.cryptoKeyEncrypterDecrypter - - roles/cloudscheduler.admin + - roles/logging.logWriter - roles/cloudsql.admin - - roles/compute.admin - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - - roles/iam.serviceAccountUser - - roles/monitoring.editor - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/workflows.admin services: - cloudkms.googleapis.com - cloudresourcemanager.googleapis.com - - cloudscheduler.googleapis.com - compute.googleapis.com - iam.googleapis.com - monitoring.googleapis.com - servicenetworking.googleapis.com - serviceusage.googleapis.com - sqladmin.googleapis.com - - workflows.googleapis.com providerVersions: - source: hashicorp/google - version: ">= 6.1, < 7" + version: ">= 6.31, < 7" - source: hashicorp/google-beta - version: ">= 6.1, < 7" + version: ">= 6.31, < 7" - source: hashicorp/null version: ~> 3.1 - source: hashicorp/random diff --git a/modules/postgresql/metadata.yaml b/modules/postgresql/metadata.yaml index f8a88c6f..73a69453 100644 --- a/modules/postgresql/metadata.yaml +++ b/modules/postgresql/metadata.yaml 
@@ -279,6 +279,9 @@ spec: enable_private_path_for_google_cloud_services = optional(bool, false) psc_enabled = optional(bool, false) psc_allowed_consumer_projects = optional(list(string), []) + server_ca_mode = optional(string) + server_ca_pool = optional(string) + custom_subject_alternative_names = optional(list(string), []) }) defaultValue: {} connections: @@ -408,7 +411,18 @@ spec: varType: list(string) defaultValue: [] - name: use_autokey - description: Enable the use of autokeys from Google Cloud KMS for CMEK. This requires autokey already configured in the project. + description: Enable the use of autokeys from Google Cloud KMS for CMEK. This requires autokey already configured in the project + varType: bool + defaultValue: false + - name: create_kms_key_handle + description: KeyHandles cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed KeyHandle will remove it from state but will not delete the resource from the project. Set this to false if key handle already exists + varType: bool + defaultValue: true + - name: kms_key_handle_name + description: key handle name. If not provided module will use instance name as key handle name + varType: string + - name: retain_backups_on_delete + description: When this parameter is set to true, Cloud SQL retains backups of the instance even after the instance is deleted. The ON_DEMAND backup will be retained until customer deletes the backup or the project. The AUTOMATED backup will be retained based on the backups retention setting. varType: bool defaultValue: false outputs: 
@@ -911,34 +925,28 @@ spec: - level: Project roles: - roles/cloudkms.admin - - roles/cloudkms.autokeyAdmin - - roles/cloudkms.cryptoKeyEncrypterDecrypter - - roles/cloudscheduler.admin + - roles/logging.logWriter - roles/cloudsql.admin - - roles/compute.admin - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - - roles/iam.serviceAccountUser - - roles/monitoring.editor - - roles/resourcemanager.projectIamAdmin - roles/storage.admin - - roles/workflows.admin + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountUser + - roles/compute.networkAdmin + - roles/cloudkms.autokeyAdmin + - roles/cloudkms.cryptoKeyEncrypterDecrypter services: - cloudkms.googleapis.com - cloudresourcemanager.googleapis.com - - cloudscheduler.googleapis.com - compute.googleapis.com - iam.googleapis.com - monitoring.googleapis.com - servicenetworking.googleapis.com - serviceusage.googleapis.com - sqladmin.googleapis.com - - workflows.googleapis.com providerVersions: - source: hashicorp/google - version: ">= 6.1, < 7" + version: ">= 6.31, < 7" - source: hashicorp/google-beta - version: ">= 6.1, < 7" + version: ">= 6.31, < 7" - source: hashicorp/null version: ~> 3.1 - source: hashicorp/random diff --git a/modules/private_service_access/metadata.yaml b/modules/private_service_access/metadata.yaml index 78920025..7eb1f6f9 100644 --- a/modules/private_service_access/metadata.yaml +++ b/modules/private_service_access/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,7 +28,7 @@ spec: version: 26.1.1 actuationTool: flavor: Terraform - version: ">= 0.13" + version: ">= 1.3" description: {} content: examples: 
@@ -62,17 +62,26 @@ spec: location: examples/private_service_access interfaces: variables: + - name: project_id + description: The project ID of the VPC network to peer. This can be a shared VPC host projec. + varType: string + required: true + - name: vpc_network + description: Name of the VPC network to peer. + varType: string + required: true - name: address description: First IP address of the IP range to allocate to CLoud SQL instances and other Private Service Access services. If not set, GCP will pick a valid one for you. varType: string defaultValue: "" - - name: deletion_policy - description: The deletion policy for the service networking connection. Setting to ABANDON allows the resource to be abandoned rather than deleted. This will enable a successful terraform destroy when destroying CloudSQL instances. Use with care as it can lead to dangling resources. - varType: string - name: description description: An optional description of the Global Address resource. varType: string defaultValue: "" + - name: prefix_length + description: Prefix length of the IP range reserved for Cloud SQL instances and other Private Service Access services. Defaults to /16. + varType: number + defaultValue: 16 - name: ip_version description: IP Version for the allocation. Can be IPV4 or IPV6. varType: string 
@@ -81,18 +90,9 @@ spec: description: The key/value labels for the IP range allocated to the peered network. varType: map(string) defaultValue: {} - - name: prefix_length - description: Prefix length of the IP range reserved for Cloud SQL instances and other Private Service Access services. Defaults to /16. - varType: number - defaultValue: 16 - - name: project_id - description: The project ID of the VPC network to peer. This can be a shared VPC host projec. - varType: string - required: true - - name: vpc_network - description: Name of the VPC network to peer. + - name: deletion_policy + description: The deletion policy for the service networking connection. Setting to ABANDON allows the resource to be abandoned rather than deleted. This will enable a successful terraform destroy when destroying CloudSQL instances. Use with care as it can lead to dangling resources. varType: string - required: true outputs: - name: address description: First IP of the reserved range. @@ -104,26 +104,15 @@ spec: roles: - level: Project roles: - - roles/cloudkms.admin - - roles/cloudkms.cryptoKeyEncrypterDecrypter - - roles/cloudscheduler.admin - - roles/cloudsql.admin - - roles/compute.admin - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin + - roles/servicenetworking.networksAdmin - roles/iam.serviceAccountUser - - roles/monitoring.editor - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/workflows.admin services: - - cloudkms.googleapis.com - - cloudresourcemanager.googleapis.com - - cloudscheduler.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - monitoring.googleapis.com - servicenetworking.googleapis.com - serviceusage.googleapis.com - - sqladmin.googleapis.com - - workflows.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 5.38, < 7" + - source: hashicorp/google-beta + version: ">= 5.38, < 7" + - source: hashicorp/null + version: ~> 3.1 
diff --git a/modules/restore/metadata.yaml b/modules/restore/metadata.yaml index bf9f7c32..6bb0bb81 100644 --- a/modules/restore/metadata.yaml +++ b/modules/restore/metadata.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,7 +27,7 @@ spec: dir: /modules/restore actuationTool: flavor: Terraform - version: ">= 0.13" + version: ">= 1.3" description: {} content: examples: @@ -61,18 +61,6 @@ spec: location: examples/private_service_access interfaces: variables: - - name: import_databases - description: The list of databases that should be imported - if is an empty set all databases will be imported - varType: set(string) - defaultValue: [] - - name: import_uri - description: The bucket and path uri of GCS backup file for importing - varType: string - required: true - - name: project_id - description: The project ID - varType: string - required: true - name: region description: The region to run the workflow varType: string 
@@ -80,10 +68,22 @@ spec: - name: service_account description: The service account to use for running the workflow and triggering the workflow by Cloud Scheduler - If empty or null a service account will be created. If you have provided a service account you need to grant the Cloud SQL Admin and the Workflows Invoker role to that varType: string + - name: project_id + description: The project ID + varType: string + required: true - name: sql_instance description: The name of the SQL instance to backup varType: string required: true + - name: import_databases + description: The list of databases that should be imported - if is an empty set all databases will be imported + varType: set(string) + defaultValue: [] + - name: import_uri + description: The bucket and path uri of GCS backup file for importing + varType: string + required: true outputs: - name: import_workflow_name description: The name for import workflow @@ -95,26 +95,12 @@ spec: roles: - level: Project roles: - - roles/cloudkms.admin - - roles/cloudkms.cryptoKeyEncrypterDecrypter - - roles/cloudscheduler.admin - roles/cloudsql.admin - - roles/compute.admin - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - roles/iam.serviceAccountUser - - roles/monitoring.editor - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/workflows.admin + - roles/logging.logWriter services: - - cloudkms.googleapis.com - - cloudresourcemanager.googleapis.com - - cloudscheduler.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - monitoring.googleapis.com - - servicenetworking.googleapis.com - serviceusage.googleapis.com - sqladmin.googleapis.com - - workflows.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 4.0, < 7" diff --git a/modules/safer_mysql/metadata.yaml b/modules/safer_mysql/metadata.yaml index ef246241..2dac8ee8 100644 --- a/modules/safer_mysql/metadata.yaml +++ b/modules/safer_mysql/metadata.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -62,114 +62,77 @@ spec: location: examples/private_service_access interfaces: variables: - - name: activation_policy - description: The activation policy for the master instance. Can be either `ALWAYS`, `NEVER` or `ON_DEMAND`. - varType: string - defaultValue: ALWAYS - - name: additional_databases - description: A list of databases to be created in your cluster - varType: |- - list(object({ - name = string - charset = string - collation = string - })) - defaultValue: [] - - name: additional_users - description: A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set. - varType: |- - list(object({ - name = string - password = string - host = string - type = string - random_password = bool - })) - defaultValue: [] - - name: allocated_ip_range - description: Existing allocated IP range name for the Private IP CloudSQL instance. The networks needs to be configured with https://cloud.google.com/vpc/docs/configure-private-services-access. - varType: string - - name: assign_public_ip - description: Set to true if the master instance should also have a public IP (less secure). - varType: bool - defaultValue: false - - name: availability_type - description: The availability type for the master instance. Can be either `REGIONAL` or `null`. 
+ - name: project_id + description: The project ID to manage the Cloud SQL resources varType: string - defaultValue: REGIONAL - - name: backup_configuration - description: The backup_configuration settings subblock for the database setings - varType: |- - object({ - binary_log_enabled = bool - enabled = bool - start_time = string - location = string - transaction_log_retention_days = string - retained_backups = number - retention_unit = string - }) - defaultValue: - binary_log_enabled: false - enabled: false - location: null - retained_backups: null - retention_unit: null - start_time: null - transaction_log_retention_days: null - - name: create_timeout - description: The optional timout that is applied to limit long database creates. + required: true + - name: name + description: The name of the Cloud SQL resources varType: string - defaultValue: 30m - - name: data_cache_enabled - description: Whether data cache is enabled for the instance. Defaults to false. Feature is only available for ENTERPRISE_PLUS tier and supported database_versions + required: true + - name: random_instance_name + description: Sets random suffix at the end of the Cloud SQL resource name varType: bool defaultValue: false - - name: database_flags - description: The database flags for the master instance. See [more details](https://cloud.google.com/sql/docs/mysql/flags) - varType: |- - list(object({ - name = string - value = string - })) - defaultValue: [] - name: database_version description: The database version to use varType: string required: true - - name: db_charset - description: The charset for the default database + - name: maintenance_version + description: The current software version on the instance. This attribute can not be set during creation. Refer to available_maintenance_versions attribute to see what maintenance_version are available for upgrade. When this attribute gets updated, it will cause an instance restart. 
Setting a maintenance_version value that is older than the current one on the instance will be ignored varType: string - defaultValue: "" - - name: db_collation - description: "The collation for the default database. Example: 'utf8_general_ci'" + - name: region + description: The region of the Cloud SQL resources varType: string - defaultValue: "" - - name: db_name - description: The name of the default database to create + required: true + - name: vpc_network + description: Existing VPC network to which instances are connected. The networks needs to be configured with https://cloud.google.com/vpc/docs/configure-private-services-access. varType: string - defaultValue: default - - name: delete_timeout - description: The optional timout that is applied to limit long database deletes. + required: true + - name: allocated_ip_range + description: Existing allocated IP range name for the Private IP CloudSQL instance. The networks needs to be configured with https://cloud.google.com/vpc/docs/configure-private-services-access. varType: string - defaultValue: 30m - - name: deletion_protection - description: Used to block Terraform from deleting a SQL Instance. - varType: bool - defaultValue: true + - name: tier + description: The tier for the master instance. + varType: string + defaultValue: db-n1-standard-1 + - name: edition + description: The edition of the instance, can be ENTERPRISE or ENTERPRISE_PLUS. + varType: string + - name: zone + description: "The zone for the master instance, it should be something like: `us-central1-a`, `us-east1-c`." + varType: string + - name: secondary_zone + description: "The preferred zone for the secondary/failover instance, it should be something like: `us-central1-a`, `us-east1-c`." + varType: string + - name: master_instance_name + description: The name of the existing instance that will act as the master in the replication setup. 
+ varType: string + - name: failover_dr_replica_name + description: If the instance is a primary instance, then this field identifies the disaster recovery (DR) replica. The standard format of this field is "your-project:your-instance". You can also set this field to "your-instance", but cloud SQL backend will convert it to the aforementioned standard format. + varType: string + - name: instance_type + description: Users can upgrade a read replica instance to a stand-alone Cloud SQL instance with the help of instance_type. To promote, users have to set the instance_type property as CLOUD_SQL_INSTANCE and remove/unset master_instance_name and replica_configuration from instance configuration. This operation might cause your instance to restart. + varType: string + - name: follow_gae_application + description: A Google App Engine application whose zone to remain in. Must be in the same region as this instance. + varType: string + - name: activation_policy + description: The activation policy for the master instance. Can be either `ALWAYS`, `NEVER` or `ON_DEMAND`. + varType: string + defaultValue: ALWAYS + - name: availability_type + description: The availability type for the master instance. Can be either `REGIONAL` or `null`. + varType: string + defaultValue: REGIONAL - name: deletion_protection_enabled description: Enables protection of an instance from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform). varType: bool defaultValue: false - - name: deny_maintenance_period - description: The Deny Maintenance Period fields to prevent automatic maintenance from occurring during a 90-day time period. List accepts only one value. 
See [more details](https://cloud.google.com/sql/docs/mysql/maintenance) - varType: |- - list(object({ - end_date = string - start_date = string - time = string - })) - defaultValue: [] + - name: read_replica_deletion_protection_enabled + description: Enables protection of a read replica from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform). + varType: bool + defaultValue: false - name: disk_autoresize description: Configuration to increase storage size varType: bool 
@@ -186,38 +149,10 @@ spec: description: The disk type for the master instance. varType: string defaultValue: PD_SSD - - name: edition - description: The edition of the instance, can be ENTERPRISE or ENTERPRISE_PLUS. - varType: string - - name: encryption_key_name - description: The full path to the encryption key used for the CMEK disk encryption - varType: string - - name: failover_dr_replica_name - description: If the instance is a primary instance, then this field identifies the disaster recovery (DR) replica. The standard format of this field is "your-project:your-instance". You can also set this field to "your-instance", but cloud SQL backend will convert it to the aforementioned standard format. - varType: string - - name: follow_gae_application - description: A Google App Engine application whose zone to remain in. Must be in the same region as this instance. - varType: string - - name: iam_users - description: A list of IAM users to be created in your CloudSQL instance - varType: |- - list(object({ - id = string, - email = string - })) - defaultValue: [] - - name: insights_config - description: The insights_config settings for the database. - varType: |- - object({ - query_plans_per_minute = number - query_string_length = number - record_application_tags = bool - record_client_address = bool - }) - - name: instance_type - description: Users can upgrade a read replica instance to a stand-alone Cloud SQL instance with the help of instance_type. To promote, users have to set the instance_type property as CLOUD_SQL_INSTANCE and remove/unset master_instance_name and replica_configuration from instance configuration. This operation might cause your instance to restart. + - name: pricing_plan + description: The pricing plan for the master instance. varType: string + defaultValue: PER_USE - name: maintenance_window_day description: The day of week (1-7) for the master instance maintenance. varType: number 
@@ -230,35 +165,57 @@ spec: description: The update track of maintenance window for the master instance maintenance. Can be either `canary` or `stable`. varType: string defaultValue: stable - - name: master_instance_name - description: The name of the existing instance that will act as the master in the replication setup. - varType: string - - name: module_depends_on - description: List of modules or resources this module depends on. - varType: list(any) - defaultValue: [] - - name: name - description: The name of the Cloud SQL resources - varType: string - required: true - - name: pricing_plan - description: The pricing plan for the master instance. - varType: string - defaultValue: PER_USE - - name: project_id - description: The project ID to manage the Cloud SQL resources - varType: string - required: true - - name: random_instance_name - description: Sets random suffix at the end of the Cloud SQL resource name + - name: data_cache_enabled + description: Whether data cache is enabled for the instance. Defaults to false. Feature is only available for ENTERPRISE_PLUS tier and supported database_versions varType: bool defaultValue: false - - name: read_replica_deletion_protection - description: Used to block Terraform from deleting replica SQL Instances. + - name: deny_maintenance_period + description: The Deny Maintenance Period fields to prevent automatic maintenance from occurring during a 90-day time period. List accepts only one value. See [more details](https://cloud.google.com/sql/docs/mysql/maintenance) + varType: |- + list(object({ + end_date = string + start_date = string + time = string + })) + defaultValue: [] + - name: database_flags + description: The database flags for the master instance. See [more details](https://cloud.google.com/sql/docs/mysql/flags) + varType: |- + list(object({ + name = string + value = string + })) + defaultValue: [] + - name: user_labels + description: The key/value labels for the master instances. 
+ varType: map(string) + defaultValue: {} + - name: backup_configuration + description: The backup_configuration settings subblock for the database setings + varType: |- + object({ + binary_log_enabled = bool + enabled = bool + start_time = string + location = string + transaction_log_retention_days = string + retained_backups = number + retention_unit = string + }) + defaultValue: + binary_log_enabled: false + enabled: false + location: null + retained_backups: null + retention_unit: null + start_time: null + transaction_log_retention_days: null + - name: retain_backups_on_delete + description: When this parameter is set to true, Cloud SQL retains backups of the instance even after the instance is deleted. The ON_DEMAND backup will be retained until customer deletes the backup or the project. The AUTOMATED backup will be retained based on the backups retention setting. varType: bool - defaultValue: false - - name: read_replica_deletion_protection_enabled - description: Enables protection of a read replica from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform). + defaultValue: true + - name: assign_public_ip + description: Set to true if the master instance should also have a public IP (less secure). varType: bool defaultValue: false - name: read_replica_name_suffix 
@@ -294,31 +251,40 @@ spec: authorized_networks = list(map(string)) ipv4_enabled = bool private_network = string - require_ssl = bool allocated_ip_range = string }) encryption_key_name = string })) defaultValue: [] - - name: region - description: The region of the Cloud SQL resources - varType: string - required: true - - name: secondary_zone - description: "The preferred zone for the secondary/failover instance, it should be something like: `us-central1-a`, `us-east1-c`." + - name: enable_default_db + description: Enable or disable the creation of the default database + varType: bool + defaultValue: true + - name: db_name + description: The name of the default database to create varType: string - - name: tier - description: The tier for the master instance. + defaultValue: default + - name: db_charset + description: The charset for the default database varType: string - defaultValue: db-n1-standard-1 - - name: update_timeout - description: The optional timout that is applied to limit long database updates. + defaultValue: "" + - name: db_collation + description: "The collation for the default database. Example: 'utf8_general_ci'" varType: string - defaultValue: 30m - - name: user_labels - description: The key/value labels for the master instances. - varType: map(string) - defaultValue: {} + defaultValue: "" + - name: additional_databases + description: A list of databases to be created in your cluster + varType: |- + list(object({ + name = string + charset = string + collation = string + })) + defaultValue: [] + - name: enable_default_user + description: Enable or disable the creation of the default user + varType: bool + defaultValue: true - name: user_name description: The name of the default user varType: string 
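Review bot: `require_ssl = bool` is removed from the `read_replicas[*].ip_configuration` object and nothing replaces it in this hunk, so the documented replica interface no longer offers any way to require TLS on a replica endpoint, even though `ipv4_enabled = bool` and `authorized_networks = list(map(string))` in the same object still allow a replica with a public IP and allow-listed ranges. If the provider's `ssl_mode` replacement is applied to replicas from another variable elsewhere in the module, this description should say so; otherwise the attribute belongs here, e.g. `ssl_mode = string` next to `ipv4_enabled = bool`. This file looks generated from the module's variables.tf, so the change should be made on the `read_replicas` type there and the metadata regenerated. The enclosing `read_replicas` variable definition starts before this hunk.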
@@ -327,13 +293,62 @@ spec: description: The password for the default user. If not set, a random one will be generated and available in the generated_user_password output variable. varType: string defaultValue: "" - - name: vpc_network - description: Existing VPC network to which instances are connected. The networks needs to be configured with https://cloud.google.com/vpc/docs/configure-private-services-access. + - name: additional_users + description: A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set. + varType: |- + list(object({ + name = string + password = string + host = string + type = string + random_password = bool + })) + defaultValue: [] + - name: iam_users + description: A list of IAM users to be created in your CloudSQL instance. iam.users.type can be CLOUD_IAM_USER, CLOUD_IAM_SERVICE_ACCOUNT, CLOUD_IAM_GROUP and is required for type CLOUD_IAM_GROUP (IAM groups) + varType: |- + list(object({ + id = string, + email = string, + type = optional(string) + })) + defaultValue: [] + - name: create_timeout + description: The optional timout that is applied to limit long database creates. varType: string - required: true - - name: zone - description: "The zone for the master instance, it should be something like: `us-central1-a`, `us-east1-c`." + defaultValue: 30m + - name: update_timeout + description: The optional timout that is applied to limit long database updates. + varType: string + defaultValue: 30m + - name: delete_timeout + description: The optional timout that is applied to limit long database deletes. varType: string + defaultValue: 30m + - name: module_depends_on + description: List of modules or resources this module depends on. + varType: list(any) + defaultValue: [] + - name: deletion_protection + description: Used to block Terraform from deleting a SQL Instance. 
+ varType: bool + defaultValue: true + - name: read_replica_deletion_protection + description: Used to block Terraform from deleting replica SQL Instances. + varType: bool + defaultValue: false + - name: encryption_key_name + description: The full path to the encryption key used for the CMEK disk encryption + varType: string + - name: insights_config + description: The insights_config settings for the database. + varType: |- + object({ + query_plans_per_minute = number + query_string_length = number + record_application_tags = bool + record_client_address = bool + }) outputs: - name: generated_user_password description: The auto generated default user password if not input password was provided @@ -369,26 +384,12 @@ spec: roles: - level: Project roles: - - roles/cloudkms.admin - - roles/cloudkms.cryptoKeyEncrypterDecrypter - - roles/cloudscheduler.admin - - roles/cloudsql.admin - - roles/compute.admin - - roles/compute.networkAdmin - - roles/iam.serviceAccountAdmin - roles/iam.serviceAccountUser - - roles/monitoring.editor - - roles/resourcemanager.projectIamAdmin - - roles/storage.admin - - roles/workflows.admin + - roles/logging.logWriter + - roles/cloudsql.admin services: - - cloudkms.googleapis.com - - cloudresourcemanager.googleapis.com - - cloudscheduler.googleapis.com - - compute.googleapis.com - - iam.googleapis.com - - monitoring.googleapis.com - - servicenetworking.googleapis.com - serviceusage.googleapis.com - sqladmin.googleapis.com - - workflows.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 6.31, < 7" diff --git a/test/setup/iam.tf b/test/setup/iam.tf index 951be51b..6479da45 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf 
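Review bot: The trimmed role list for safer_mysql drops `roles/cloudkms.cryptoKeyEncrypterDecrypter` while the module still exposes `encryption_key_name` for CMEK disk encryption a few lines above, and the parallel `mysql` entry in test/setup/iam.tf from this same patch keeps that role. If any safer_mysql example or test sets `encryption_key_name`, instance creation will presumably fail until the Cloud SQL service agent is granted that role on the key; if CMEK is deliberately out of scope for these requirements, the variable description should say so, e.g. `The full path to the CMEK key. The caller must grant roles/cloudkms.cryptoKeyEncrypterDecrypter on it to the Cloud SQL service agent; this module does not.` It is also worth confirming that `roles/logging.logWriter` is needed by the module itself rather than only by the test harness, since these lists are what users will copy into their deployer identity.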
@@ -15,21 +15,70 @@ */ locals { - int_required_roles = [ + per_module_roles = { + backup = [ + "roles/cloudsql.admin", + "roles/iam.serviceAccountUser", + "roles/logging.logWriter", + ] + mssql = [ + "roles/cloudsql.admin", + "roles/iam.serviceAccountUser", + "roles/logging.logWriter", + ] + mysql = [ + "roles/cloudsql.admin", + "roles/resourcemanager.projectIamAdmin", + "roles/iam.serviceAccountUser", + "roles/compute.networkAdmin", + "roles/cloudkms.cryptoKeyEncrypterDecrypter", + "roles/logging.logWriter", + ] + postgresql = [ + "roles/cloudsql.admin", + "roles/storage.admin", + "roles/resourcemanager.projectIamAdmin", + "roles/iam.serviceAccountUser", + "roles/compute.networkAdmin", + "roles/cloudkms.admin", + "roles/cloudkms.autokeyAdmin", + "roles/cloudkms.cryptoKeyEncrypterDecrypter", + "roles/logging.logWriter", + ] + private_service_access = [ + "roles/servicenetworking.networksAdmin", + "roles/iam.serviceAccountUser", + ] + restore = [ + "roles/cloudsql.admin", + "roles/iam.serviceAccountUser", + "roles/logging.logWriter", + ] + safer_mysql = [ + "roles/cloudsql.admin", + "roles/iam.serviceAccountUser", + "roles/logging.logWriter", + ] + root = [ + "roles/resourcemanager.projectIamAdmin", + "roles/serviceusage.serviceUsageAdmin", + "roles/cloudsql.admin", + "roles/iam.serviceAccountAdmin", + "roles/iam.serviceAccountUser", + ] + } + + int_required_roles = concat([ "roles/cloudkms.admin", "roles/cloudkms.autokeyAdmin", "roles/cloudkms.cryptoKeyEncrypterDecrypter", "roles/cloudscheduler.admin", - "roles/cloudsql.admin", "roles/compute.admin", "roles/compute.networkAdmin", - "roles/iam.serviceAccountAdmin", - "roles/iam.serviceAccountUser", "roles/monitoring.editor", - "roles/resourcemanager.projectIamAdmin", "roles/storage.admin", "roles/workflows.admin", - ] + ], flatten(values(local.per_module_roles))) } resource "google_service_account" "int_test" { diff --git a/test/setup/main.tf b/test/setup/main.tf index 69a03212..3b1be9af 100644 
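Review bot: `int_required_roles = concat([...], flatten(values(local.per_module_roles)))` contains duplicates (`roles/cloudsql.admin`, `roles/iam.serviceAccountUser` and `roles/logging.logWriter` appear in most per-module lists); if the consumer of `int_required_roles` outside this hunk iterates with `count` or anything other than `toset`, that creates duplicate IAM bindings, so wrap it: `int_required_roles = distinct(concat([` … `], flatten(values(local.per_module_roles))))`. From a privilege standpoint the per-module split is documentation only: the single `int_test` service account still receives the union, including `roles/resourcemanager.projectIamAdmin` and `roles/iam.serviceAccountAdmin`, which let it grant itself any other project role. A comment on `per_module_roles` such as `# Source of truth for each module's metadata requirements.roles; intentionally flattened into one test SA below, so this does not scope anything` would keep the next reader from assuming it does.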
--- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -14,6 +14,62 @@ * limitations under the License. */ +locals { + per_module_services = { + backup = [ + "sqladmin.googleapis.com", + "serviceusage.googleapis.com", + ] + mssql = [ + "sqladmin.googleapis.com", + "serviceusage.googleapis.com", + "iam.googleapis.com", + "cloudkms.googleapis.com", + "cloudresourcemanager.googleapis.com", + "compute.googleapis.com", + "monitoring.googleapis.com", + ] + mysql = [ + "sqladmin.googleapis.com", + "serviceusage.googleapis.com", + "servicenetworking.googleapis.com", + "iam.googleapis.com", + "cloudkms.googleapis.com", + "cloudresourcemanager.googleapis.com", + "compute.googleapis.com", + "monitoring.googleapis.com", + ] + postgresql = [ + "sqladmin.googleapis.com", + "serviceusage.googleapis.com", + "servicenetworking.googleapis.com", + "iam.googleapis.com", + "cloudkms.googleapis.com", + "cloudresourcemanager.googleapis.com", + "compute.googleapis.com", + "monitoring.googleapis.com", + ] + private_service_access = [ + "servicenetworking.googleapis.com", + "serviceusage.googleapis.com", + ] + restore = [ + "sqladmin.googleapis.com", + "serviceusage.googleapis.com", + ] + safer_mysql = [ + "sqladmin.googleapis.com", + "serviceusage.googleapis.com", + ] + root = [ + "sqladmin.googleapis.com", + "serviceusage.googleapis.com", + "iam.googleapis.com", + "cloudresourcemanager.googleapis.com", + ] + } +} + module "project" { source = "terraform-google-modules/project-factory/google" version = "~> 18.0" 
@@ -25,18 +81,13 @@ module "project" { billing_account = var.billing_account deletion_policy = "DELETE" - activate_apis = [ + activate_apis = concat([ "cloudkms.googleapis.com", - "cloudresourcemanager.googleapis.com", "cloudscheduler.googleapis.com", "compute.googleapis.com", - "iam.googleapis.com", "monitoring.googleapis.com", - "servicenetworking.googleapis.com", - "serviceusage.googleapis.com", - "sqladmin.googleapis.com", "workflows.googleapis.com", - ] + ], flatten(values(local.per_module_services))) } resource "google_service_account" "cloudsql_pg_sa" { From e9a7830fc6f3566b62aa18954da32e8b9fe606f4 Mon Sep 17 00:00:00 2001 From: nttarun-719 Date: Thu, 14 Aug 2025 09:50:30 +0530 Subject: [PATCH 06/15] fix: rename app hub service id (#757) --- modules/mssql/outputs.tf | 2 +- modules/mysql/outputs.tf | 2 +- modules/postgresql/outputs.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/mssql/outputs.tf b/modules/mssql/outputs.tf index e44e6e96..4a143876 100644 --- a/modules/mssql/outputs.tf +++ b/modules/mssql/outputs.tf @@ -89,7 +89,7 @@ output "primary" { output "apphub_service_uri" { value = { service_uri = "//cloudsql.googleapis.com/projects${element(split("/projects", google_sql_database_instance.default.self_link), 1)}" - service_id = substr(format("%s-%s", var.name, md5(var.project_id)), 0, 63) + service_id = substr("${var.name}-${md5("mssql-${var.region}-${var.project_id}")}", 0, 63) } description = "Service URI in CAIS style to be used by Apphub." } diff --git a/modules/mysql/outputs.tf b/modules/mysql/outputs.tf index 6e0ec0a2..f3c639b6 100644 --- a/modules/mysql/outputs.tf +++ b/modules/mysql/outputs.tf 
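Review bot: `activate_apis = concat([...], flatten(values(local.per_module_services)))` repeats `sqladmin.googleapis.com` and `serviceusage.googleapis.com` for every module and several others more than once; rather than rely on the project-factory module deduplicating internally, wrap it as `activate_apis = distinct(concat([`. Separately, `per_module_services.mssql` lists `cloudkms.googleapis.com`, `compute.googleapis.com` and `monitoring.googleapis.com`, while `per_module_roles.mssql` in iam.tf from this same patch carries no KMS, compute or monitoring role, so one of the two lists is presumably stale; since both are copied into each module's metadata, they should be cross-checked or derived from a single map.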
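Review bot: The mssql `apphub_service_uri` still diverges from the mysql and postgresql outputs changed in the same commit: its `service_uri` host is `//cloudsql.googleapis.com/` where the other two use `//sqladmin.googleapis.com/`, and it has no `location` key. Only one of those hosts can be the asset-name form AppHub expects, so either this output or the other two are wrong, and `location = var.region` should be added here after `service_id` for consistency. Because `service_id` now hashes a different input, every existing registration derived from this output gets a new id on the next apply; that is a breaking output change and deserves a line in the upgrade guide. The closing brace of the output block is outside the hunk.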
@@ -158,7 +158,7 @@ output "env_vars" { output "apphub_service_uri" { value = { service_uri = "//sqladmin.googleapis.com/projects${element(split("/projects", google_sql_database_instance.default.self_link), 1)}" - service_id = substr("${var.name}-${md5("${var.region}-${var.project_id}")}", 0, 63) + service_id = substr("${var.name}-${md5("mysql-${var.region}-${var.project_id}")}", 0, 63) location = var.region } description = "Service URI in CAIS style to be used by Apphub." diff --git a/modules/postgresql/outputs.tf b/modules/postgresql/outputs.tf index 2d1b28b0..38b15f05 100644 --- a/modules/postgresql/outputs.tf +++ b/modules/postgresql/outputs.tf @@ -162,7 +162,7 @@ output "env_vars" { output "apphub_service_uri" { value = { service_uri = "//sqladmin.googleapis.com/projects${element(split("/projects", google_sql_database_instance.default.self_link), 1)}" - service_id = substr("${var.name}-${md5("${var.region}-${var.project_id}")}", 0, 63) + service_id = substr("${var.name}-${md5("postgresql-${var.region}-${var.project_id}")}", 0, 63) location = var.region } description = "Service URI in CAIS style to be used by Apphub." From e5446b7c2d8ba5f227aa108b8431f3f082c281a9 Mon Sep 17 00:00:00 2001 From: Yasser Date: Fri, 15 Aug 2025 16:02:42 +0200 Subject: [PATCH 07/15] feat: Output the Service Attachment links for Replicas (#758) Co-authored-by: yasser.rasheed@schibsted.com --- modules/postgresql/README.md | 1 + modules/postgresql/outputs.tf | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/modules/postgresql/README.md b/modules/postgresql/README.md index 8288c664..ea6b273e 100644 --- a/modules/postgresql/README.md +++ b/modules/postgresql/README.md 
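Review bot: Prefixing the md5 input with the engine name changes `service_id` for every existing mysql and postgresql instance, so any AppHub service registered from the old value will be replaced rather than updated on the next apply; that is a breaking change to a module output and should be called out in the 26.x upgrade notes rather than shipped as a `fix:`. The description `Service URI in CAIS style to be used by Apphub.` should also say how the id is built, e.g. `service_id is var.name plus an md5 of engine/region/project, truncated to 63 characters; it changes if any of those change`. md5 is fine here as a non-secret discriminator, but `substr(..., 0, 63)` cuts into the 32-character hash whenever `var.name` exceeds 30 characters, so if instance names can be that long the id is no longer guaranteed unique across regions or engines.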
@@ -209,6 +209,7 @@ module "pg" { | replicas | A list of `google_sql_database_instance` resources representing the replicas | | replicas\_instance\_connection\_names | The connection names of the replica instances to be used in connection strings | | replicas\_instance\_first\_ip\_addresses | The first IPv4 addresses of the addresses assigned for the replica instances | +| replicas\_instance\_psc\_attachments | The psc\_service\_attachment\_links created for the replica instances | | replicas\_instance\_self\_links | The URIs of the replica instances | | replicas\_instance\_server\_ca\_certs | The CA certificates information used to connect to the replica instances via SSL | | replicas\_instance\_service\_account\_email\_addresses | The service account email addresses assigned to the replica instances | diff --git a/modules/postgresql/outputs.tf b/modules/postgresql/outputs.tf index 38b15f05..a9607bac 100644 --- a/modules/postgresql/outputs.tf +++ b/modules/postgresql/outputs.tf @@ -88,6 +88,11 @@ output "replicas_instance_server_ca_certs" { sensitive = true } +output "replicas_instance_psc_attachments" { + value = [for r in google_sql_database_instance.replicas : r.psc_service_attachment_link] + description = "The psc_service_attachment_links created for the replica instances" +} + output "replicas_instance_service_account_email_addresses" { value = [for r in google_sql_database_instance.replicas : r.service_account_email_address] description = "The service account email addresses assigned to the replica instances" From 4eb930993faf83cfdbc1b3b282f7389690b69431 Mon Sep 17 00:00:00 2001 From: Yasser Date: Fri, 15 Aug 2025 21:35:56 +0200 Subject: [PATCH 08/15] fix: use local.zone fallback for replica region calculation (#760) Co-authored-by: Imran Nayer --- modules/postgresql/read_replica.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/postgresql/read_replica.tf b/modules/postgresql/read_replica.tf index 8a9b2dc4..f2c0bae7 100644 
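Review bot: `replicas_instance_psc_attachments` will presumably contain a `null` entry for every replica that does not have PSC enabled, since `psc_service_attachment_link` is only populated for PSC-enabled instances; the description should state that and that the list is index-aligned with the other `replicas_*` outputs, e.g. `description = "The psc_service_attachment_link of each replica, index-aligned with replicas_instance_self_links; null for replicas without PSC enabled"`. If callers are expected to feed these into forwarding rules directly, a filtered form `[for r in google_sql_database_instance.replicas : r.psc_service_attachment_link if r.psc_service_attachment_link != null]` avoids handing them nulls, at the cost of the alignment.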
--- a/modules/postgresql/read_replica.tf +++ b/modules/postgresql/read_replica.tf @@ -33,10 +33,10 @@ resource "google_sql_database_instance" "replicas" { project = var.project_id name = each.value.name_override == null || each.value.name_override == "" ? "${local.instance_name}-replica${var.read_replica_name_suffix}${each.value.name}" : each.value.name_override database_version = var.database_version - region = join("-", slice(split("-", lookup(each.value, "zone", var.zone)), 0, 2)) + region = join("-", slice(split("-", lookup(each.value, "zone", local.zone)), 0, 2)) master_instance_name = google_sql_database_instance.default.name deletion_protection = var.read_replica_deletion_protection - encryption_key_name = (join("-", slice(split("-", lookup(each.value, "zone", var.zone)), 0, 2))) == var.region ? null : each.value.encryption_key_name + encryption_key_name = (join("-", slice(split("-", lookup(each.value, "zone", local.zone)), 0, 2))) == var.region ? null : each.value.encryption_key_name settings { tier = lookup(each.value, "tier", null) == null ? var.tier : lookup(each.value, "tier", null) From 1615d7566e8681c7909bad1fbf71fc207e86a185 Mon Sep 17 00:00:00 2001 From: Dadang NH Date: Wed, 20 Aug 2025 01:36:26 +0800 Subject: [PATCH 09/15] fix: correct typos in README and variables.tf descriptions (#753) --- modules/mysql/README.md | 4 ++-- modules/mysql/variables.tf | 4 ++-- modules/postgresql/README.md | 4 ++-- modules/postgresql/variables.tf | 4 ++-- modules/private_service_access/README.md | 2 +- modules/private_service_access/variables.tf | 2 +- modules/safer_mysql/README.md | 2 +- modules/safer_mysql/variables.tf | 2 +- 8 files changed, 12 insertions(+), 12 deletions(-) diff --git a/modules/mysql/README.md b/modules/mysql/README.md index 8b9ed6a1..28a30fdd 100644 --- a/modules/mysql/README.md +++ b/modules/mysql/README.md @@ -49,7 +49,7 @@ module "mysql-db" { | additional\_databases | A list of databases to be created in your cluster |
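Review bot: `lookup(each.value, "zone", local.zone)` only falls back when the `zone` key is absent; if `read_replicas` is an object type with `zone = optional(string)` (its definition is outside this hunk), the key is always present, a replica that omits `zone` evaluates to `null`, and `split("-", null)` fails at plan time. `coalesce` covers both shapes: `region = join("-", slice(split("-", coalesce(lookup(each.value, "zone", null), local.zone)), 0, 2))`. The same expression is repeated on the `encryption_key_name` line, so computing the replica region once (a `for` map in locals keyed like `replicas`) would stop the two from drifting. That line also silently discards a caller-supplied key for a same-region replica, presumably because such replicas share the primary's CMEK; a one-line comment saying so would keep someone from "fixing" it.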
list(object({
name = string
charset = string
collation = string
}))
| `[]` | no | | additional\_users | A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set. |
list(object({
name = string
password = string
random_password = bool
type = string
host = string
}))
| `[]` | no | | availability\_type | The availability type for the master instance. Can be either `REGIONAL` or `null`. | `string` | `"REGIONAL"` | no | -| backup\_configuration | The backup\_configuration settings subblock for the database setings |
object({
binary_log_enabled = optional(bool, false)
enabled = optional(bool, false)
start_time = optional(string)
location = optional(string)
transaction_log_retention_days = optional(string)
retained_backups = optional(number)
retention_unit = optional(string)
})
| `{}` | no | +| backup\_configuration | The backup\_configuration settings subblock for the database settings |
object({
binary_log_enabled = optional(bool, false)
enabled = optional(bool, false)
start_time = optional(string)
location = optional(string)
transaction_log_retention_days = optional(string)
retained_backups = optional(number)
retention_unit = optional(string)
})
| `{}` | no | | connector\_enforcement | Enforce that clients use the connector library | `bool` | `false` | no | | create\_timeout | The optional timout that is applied to limit long database creates. | `string` | `"30m"` | no | | data\_cache\_enabled | Whether data cache is enabled for the instance. Defaults to false. Feature is only available for ENTERPRISE\_PLUS tier and supported database\_versions | `bool` | `false` | no | 
@@ -100,7 +100,7 @@ module "mysql-db" { | retain\_backups\_on\_delete | When this parameter is set to true, Cloud SQL retains backups of the instance even after the instance is deleted. The ON\_DEMAND backup will be retained until customer deletes the backup or the project. The AUTOMATED backup will be retained based on the backups retention setting. | `bool` | `false` | no | | root\_password | MySQL password for the root user. | `string` | `null` | no | | secondary\_zone | The preferred zone for the secondary/failover instance, it should be something like: `us-central1-a`, `us-east1-c`. | `string` | `null` | no | -| tier | The tier for the master instance, for ADC its defualt value will be db-perf-optimized-N-8 which is tier value for edtion ENTERPRISE\_PLUS, if user wants to change the edition, he should chose compatible tier. | `string` | `"db-n1-standard-1"` | no | +| tier | The tier for the master instance, for ADC its default value will be db-perf-optimized-N-8 which is tier value for edition ENTERPRISE\_PLUS, if user wants to change the edition, he should chose compatible tier. | `string` | `"db-n1-standard-1"` | no | | update\_timeout | The optional timout that is applied to limit long database updates. | `string` | `"30m"` | no | | user\_deletion\_policy | The deletion policy for the user. Setting ABANDON allows the resource to be abandoned rather than deleted. This is useful for Postgres, where users cannot be deleted from the API if they have been granted SQL roles. Possible values are: "ABANDON". | `string` | `null` | no | | user\_host | The host for the default user | `string` | `"%"` | no | diff --git a/modules/mysql/variables.tf b/modules/mysql/variables.tf index db742727..bdb4424e 100644 --- a/modules/mysql/variables.tf +++ b/modules/mysql/variables.tf 
@@ -185,7 +185,7 @@ variable "instance_type" { // Master variable "tier" { - description = "The tier for the master instance, for ADC its defualt value will be db-perf-optimized-N-8 which is tier value for edtion ENTERPRISE_PLUS, if user wants to change the edition, he should chose compatible tier." + description = "The tier for the master instance, for ADC its default value will be db-perf-optimized-N-8 which is tier value for edition ENTERPRISE_PLUS, if user wants to change the edition, he should chose compatible tier." type = string default = "db-n1-standard-1" } @@ -301,7 +301,7 @@ variable "deny_maintenance_period" { } variable "backup_configuration" { - description = "The backup_configuration settings subblock for the database setings" + description = "The backup_configuration settings subblock for the database settings" type = object({ binary_log_enabled = optional(bool, false) enabled = optional(bool, false) diff --git a/modules/postgresql/README.md b/modules/postgresql/README.md index ea6b273e..dfb85706 100644 --- a/modules/postgresql/README.md +++ b/modules/postgresql/README.md @@ -120,7 +120,7 @@ module "pg" { | additional\_databases | A list of databases to be created in your cluster |
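Review bot: The corrected `tier` description still ends with `he should chose compatible tier`; since this hunk is already a wording fix, finish it with `the user should choose a compatible tier`, and `ADC` is never expanded anywhere in these descriptions, so a reader outside the project cannot tell what default it refers to. The postgresql `tier` hunk (`@@ -177,7 +177,7 @@` of modules/postgresql/variables.tf) carries the same leftover. The `create_timeout`/`update_timeout` rows visible in the README context (`The optional timout that is applied`) show that `timout` was missed by this sweep as well, presumably in the matching `variables.tf` descriptions the README is generated from.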
list(object({
name = string
charset = string
collation = string
}))
| `[]` | no | | additional\_users | A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set. |
list(object({
name = string
password = string
random_password = bool
}))
| `[]` | no | | availability\_type | The availability type for the Cloud SQL instance.This is only used to set up high availability for the PostgreSQL instance. Can be either `ZONAL` or `REGIONAL`. | `string` | `"ZONAL"` | no | -| backup\_configuration | The backup\_configuration settings subblock for the database setings |
object({
enabled = optional(bool, false)
start_time = optional(string)
location = optional(string)
point_in_time_recovery_enabled = optional(bool, false)
transaction_log_retention_days = optional(string)
retained_backups = optional(number)
retention_unit = optional(string)
})
| `{}` | no | +| backup\_configuration | The backup\_configuration settings subblock for the database settings |
object({
enabled = optional(bool, false)
start_time = optional(string)
location = optional(string)
point_in_time_recovery_enabled = optional(bool, false)
transaction_log_retention_days = optional(string)
retained_backups = optional(number)
retention_unit = optional(string)
})
| `{}` | no | | connector\_enforcement | Enforce that clients use the connector library | `bool` | `false` | no | | create\_kms\_key\_handle | KeyHandles cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed KeyHandle will remove it from state but will not delete the resource from the project. Set this to false if key handle already exists | `bool` | `true` | no | | create\_timeout | The optional timout that is applied to limit long database creates. | `string` | `"30m"` | no | 
@@ -173,7 +173,7 @@ module "pg" { | retain\_backups\_on\_delete | When this parameter is set to true, Cloud SQL retains backups of the instance even after the instance is deleted. The ON\_DEMAND backup will be retained until customer deletes the backup or the project. The AUTOMATED backup will be retained based on the backups retention setting. | `bool` | `false` | no | | root\_password | Initial root password during creation | `string` | `null` | no | | secondary\_zone | The preferred zone for the replica instance, it should be something like: `us-central1-a`, `us-east1-c`. | `string` | `null` | no | -| tier | The tier for the Cloud SQL instance, for ADC its defualt value will be db-perf-optimized-N-8 which is tier value for edtion ENTERPRISE\_PLUS, if user wants to change the edition, he should chose compatible tier. | `string` | `"db-f1-micro"` | no | +| tier | The tier for the Cloud SQL instance, for ADC its default value will be db-perf-optimized-N-8 which is tier value for edition ENTERPRISE\_PLUS, if user wants to change the edition, he should chose compatible tier. | `string` | `"db-f1-micro"` | no | | update\_timeout | The optional timout that is applied to limit long database updates. | `string` | `"30m"` | no | | use\_autokey | Enable the use of autokeys from Google Cloud KMS for CMEK. This requires autokey already configured in the project | `bool` | `false` | no | | user\_deletion\_policy | The deletion policy for the user. Setting ABANDON allows the resource to be abandoned rather than deleted. This is useful for Postgres, where users cannot be deleted from the API if they have been granted SQL roles. Possible values are: "ABANDON". | `string` | `null` | no | diff --git a/modules/postgresql/variables.tf b/modules/postgresql/variables.tf index 88c2e231..e0976f8c 100644 --- a/modules/postgresql/variables.tf +++ b/modules/postgresql/variables.tf 
@@ -177,7 +177,7 @@ variable "random_instance_name" { } variable "tier" { - description = "The tier for the Cloud SQL instance, for ADC its defualt value will be db-perf-optimized-N-8 which is tier value for edtion ENTERPRISE_PLUS, if user wants to change the edition, he should chose compatible tier." + description = "The tier for the Cloud SQL instance, for ADC its default value will be db-perf-optimized-N-8 which is tier value for edition ENTERPRISE_PLUS, if user wants to change the edition, he should chose compatible tier." type = string default = "db-f1-micro" } @@ -283,7 +283,7 @@ variable "deny_maintenance_period" { } variable "backup_configuration" { - description = "The backup_configuration settings subblock for the database setings" + description = "The backup_configuration settings subblock for the database settings" type = object({ enabled = optional(bool, false) start_time = optional(string) diff --git a/modules/private_service_access/README.md b/modules/private_service_access/README.md index 96ba0749..f0f0b3cd 100644 --- a/modules/private_service_access/README.md +++ b/modules/private_service_access/README.md @@ -38,7 +38,7 @@ module "test_psa" { | ip\_version | IP Version for the allocation. Can be IPV4 or IPV6. | `string` | `""` | no | | labels | The key/value labels for the IP range allocated to the peered network. | `map(string)` | `{}` | no | | prefix\_length | Prefix length of the IP range reserved for Cloud SQL instances and other Private Service Access services. Defaults to /16. | `number` | `16` | no | -| project\_id | The project ID of the VPC network to peer. This can be a shared VPC host projec. | `string` | n/a | yes | +| project\_id | The project ID of the VPC network to peer. This can be a shared VPC host project. | `string` | n/a | yes | | vpc\_network | Name of the VPC network to peer. | `string` | n/a | yes | ## Outputs 
diff --git a/modules/private_service_access/variables.tf b/modules/private_service_access/variables.tf index 6129d68f..0010a7cf 100644 --- a/modules/private_service_access/variables.tf +++ b/modules/private_service_access/variables.tf @@ -15,7 +15,7 @@ */ variable "project_id" { - description = "The project ID of the VPC network to peer. This can be a shared VPC host projec." + description = "The project ID of the VPC network to peer. This can be a shared VPC host project." type = string } diff --git a/modules/safer_mysql/README.md b/modules/safer_mysql/README.md index 156a4eb3..cdced0e3 100644 --- a/modules/safer_mysql/README.md +++ b/modules/safer_mysql/README.md @@ -244,7 +244,7 @@ module "safer-mysql-db" { | allocated\_ip\_range | Existing allocated IP range name for the Private IP CloudSQL instance. The networks needs to be configured with https://cloud.google.com/vpc/docs/configure-private-services-access. | `string` | `null` | no | | assign\_public\_ip | Set to true if the master instance should also have a public IP (less secure). | `bool` | `false` | no | | availability\_type | The availability type for the master instance. Can be either `REGIONAL` or `null`. | `string` | `"REGIONAL"` | no | -| backup\_configuration | The backup\_configuration settings subblock for the database setings |
object({
binary_log_enabled = bool
enabled = bool
start_time = string
location = string
transaction_log_retention_days = string
retained_backups = number
retention_unit = string
})
|
{
"binary_log_enabled": false,
"enabled": false,
"location": null,
"retained_backups": null,
"retention_unit": null,
"start_time": null,
"transaction_log_retention_days": null
}
| no | +| backup\_configuration | The backup\_configuration settings subblock for the database settings |
object({
binary_log_enabled = bool
enabled = bool
start_time = string
location = string
transaction_log_retention_days = string
retained_backups = number
retention_unit = string
})
|
{
"binary_log_enabled": false,
"enabled": false,
"location": null,
"retained_backups": null,
"retention_unit": null,
"start_time": null,
"transaction_log_retention_days": null
}
| no | | create\_timeout | The optional timout that is applied to limit long database creates. | `string` | `"30m"` | no | | data\_cache\_enabled | Whether data cache is enabled for the instance. Defaults to false. Feature is only available for ENTERPRISE\_PLUS tier and supported database\_versions | `bool` | `false` | no | | database\_flags | The database flags for the master instance. See [more details](https://cloud.google.com/sql/docs/mysql/flags) |
list(object({
name = string
value = string
}))
| `[]` | no | diff --git a/modules/safer_mysql/variables.tf b/modules/safer_mysql/variables.tf index 7b5ff289..058a5d6e 100644 --- a/modules/safer_mysql/variables.tf +++ b/modules/safer_mysql/variables.tf @@ -216,7 +216,7 @@ variable "user_labels" { } variable "backup_configuration" { - description = "The backup_configuration settings subblock for the database setings" + description = "The backup_configuration settings subblock for the database settings" type = object({ binary_log_enabled = bool enabled = bool From 0b757267c216276741c90b080984f0b20f318ad7 Mon Sep 17 00:00:00 2001 From: amrkk123 Date: Thu, 21 Aug 2025 12:27:44 +0530 Subject: [PATCH 10/15] fix: Addng UI validations for MySql and PostgreSQL (#759) --- modules/mysql/metadata.display.yaml | 200 +++++++++++++++++++++++ modules/postgresql/metadata.display.yaml | 152 +++++++++++++++++ 2 files changed, 352 insertions(+) diff --git a/modules/mysql/metadata.display.yaml b/modules/mysql/metadata.display.yaml index 7edb64ad..eb4d3e52 100644 --- a/modules/mysql/metadata.display.yaml +++ b/modules/mysql/metadata.display.yaml 
@@ -31,12 +31,57 @@ spec: activation_policy: name: activation_policy title: Activation Policy + enumValueLabels: + - label: ALWAYS + value: ALWAYS + - label: NEVER + value: NEVER + - label: ON_DEMAND + value: ON_DEMAND additional_databases: name: additional_databases title: Additional Databases + properties: + name: + name: name + title: Database Name + regexValidation: ^[a-zA-Z][a-zA-Z0-9_]{0,63}$ + validation: Database names must be between 1 and 64 characters long, start with a letter, and can only contain letters, numbers, and underscores. + charset: + name: charset + title: Charset + regexValidation: ^[a-zA-Z0-9]+$ + validation: Database charset should contain only letters and numbers (e.g. 'utf8'). + collation: + name: collation + title: Collation + regexValidation: ^[a-z0-9_]+$ + validation: Database collation should contain only lowercase letters, numbers, and underscores. additional_users: name: additional_users title: Additional Users + properties: + name: + name: name + title: User Name + regexValidation: ^[a-zA-Z][a-zA-Z0-9_]{0,31}$ + validation: User names must be between 1 and 32 characters long, start with a letter, and can only contain letters, numbers, and underscores. + type: + name: type + title: Type + enumValueLabels: + - label: BUILT_IN + value: BUILT_IN + - label: CLOUD_IAM_USER + value: CLOUD_IAM_USER + - label: CLOUD_IAM_SERVICE_ACCOUNT + value: CLOUD_IAM_SERVICE_ACCOUNT + - label: CLOUD_IAM_GROUP + value: CLOUD_IAM_GROUP + - label: CLOUD_IAM_GROUP_USER + value: CLOUD_IAM_GROUP_USER + - label: CLOUD_IAM_GROUP_SERVICE_ACCOUNT + value: CLOUD_IAM_GROUP_SERVICE_ACCOUNT availability_type: name: availability_type title: Availability Type 
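Review bot: The new `additional_databases.charset` rule `^[a-zA-Z0-9]+$` accepts upper-case letters while the `db_charset` rule added in the `@@ -95,9 +152,13 @@` hunk of this file (`^[a-z0-9]+$`) rejects them, so the same charset value validates differently depending on which field it is typed into. Likewise `additional_users.name` allows 32 characters and underscores (`^[a-zA-Z][a-zA-Z0-9_]{0,31}$`) whereas `user_name` in the `@@ -276,6 +474,8 @@` hunk allows 16 characters and hyphens (`^[a-zA-Z0-9-]{1,16}$`); presumably both end up as Cloud SQL users, so one shared pattern per engine is easier to reason about, and the postgresql copies in `@@ -31,12 +31,25 @@` and `@@ -278,6 +428,8 @@` of modules/postgresql/metadata.display.yaml should match whatever is chosen. The `validation` texts then need regenerating from the final patterns, since the `user_name` one already says `lowercase letters` for a pattern that accepts `A-Z`.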
@@ -58,9 +103,21 @@ spec: value: enabled: true binary_log_enabled: true + properties: + retention_unit: + name: retention_unit + title: Retention Unit + enumValueLabels: + - label: COUNT + value: COUNT connector_enforcement: name: connector_enforcement title: Connector Enforcement + enumValueLabels: + - label: REQUIRED + value: REQUIRED + - label: NOT_REQUIRED + value: NOT_REQUIRED create_timeout: name: create_timeout title: Create Timeout @@ -95,9 +152,13 @@ spec: db_charset: name: db_charset title: Db Charset + regexValidation: ^[a-z0-9]+$ + validation: Database charset should contain only lowercase letters and numbers. db_collation: name: db_collation title: Db Collation + regexValidation: ^[a-z0-9_]+$ + validation: Database collation should contain only lowercase letters, numbers, and underscores. db_name: name: db_name title: Db Name @@ -120,6 +181,22 @@ spec: deny_maintenance_period: name: deny_maintenance_period title: Deny Maintenance Period + properties: + end_date: + name: end_date + title: End Date + regexValidation: ^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])$ + validation: End date must be in YYYY-MM-DD format. + start_date: + name: start_date + title: Start Date + regexValidation: ^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])$ + validation: Start date must be in YYYY-MM-DD format. + time: + name: time + title: Time + regexValidation: ^([0-1]?[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$ + validation: Time must be in HH:MM:SS format (24-hour clock). disk_autoresize: name: disk_autoresize title: Disk Autoresize @@ -139,6 +216,13 @@ spec: name: disk_type title: Disk Type level: 1 + enumValueLabels: + - label: PD_SSD + value: PD_SSD + - label: PD_HDD + value: PD_HDD + - label: HYPERDISK_BALANCED + value: HYPERDISK_BALANCED edition: name: edition title: Edition 
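Review bot: `connector_enforcement` is given `enumValueLabels` of `REQUIRED`/`NOT_REQUIRED`, but the module exposes it as a `bool` (the mysql README row earlier on this page reads `connector_enforcement | Enforce that clients use the connector library | bool | false`), so the UI would offer string choices the variable cannot accept; either drop the labels or change the variable type in the same commit. The postgresql copy in the `@@ -53,9 +71,21 @@` hunk of modules/postgresql/metadata.display.yaml has the same mismatch against its own README row (`bool`, default `false`). The `deny_maintenance_period.time` pattern `^([0-1]?[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$` accepts a one-digit hour such as `9:00:00` while its message promises `HH:MM:SS`; `^([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$` matches the message.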
@@ -177,12 +261,43 @@ spec: iam_users: name: iam_users title: Iam Users + properties: + email: + name: email + title: Email + regexValidation: ^([a-zA-Z][a-zA-Z0-9_]{0,15}|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})$ + validation: Must be a valid email address or a Google service account email. + type: + name: type + title: Type + enumValueLabels: + - label: BUILT_IN + value: BUILT_IN + - label: CLOUD_IAM_USER + value: CLOUD_IAM_USER + - label: CLOUD_IAM_SERVICE_ACCOUNT + value: CLOUD_IAM_SERVICE_ACCOUNT + - label: CLOUD_IAM_GROUP + value: CLOUD_IAM_GROUP + - label: CLOUD_IAM_GROUP_USER + value: CLOUD_IAM_GROUP_USER + - label: CLOUD_IAM_GROUP_SERVICE_ACCOUNT + value: CLOUD_IAM_GROUP_SERVICE_ACCOUNT insights_config: name: insights_config title: Insights Config instance_type: name: instance_type title: Instance Type + enumValueLabels: + - label: SQL_INSTANCE_TYPE_UNSPECIFIED + value: SQL_INSTANCE_TYPE_UNSPECIFIED + - label: CLOUD_SQL_INSTANCE + value: CLOUD_SQL_INSTANCE + - label: ON_PREMISES_INSTANCE + value: ON_PREMISES_INSTANCE + - label: READ_REPLICA_INSTANCE + value: READ_REPLICA_INSTANCE ip_configuration: name: ip_configuration title: Ip Configuration 
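Review bot: The `iam_users.email` pattern's first alternative `[a-zA-Z][a-zA-Z0-9_]{0,15}` accepts a bare 16-character identifier with no `@`, which contradicts the `validation` message `Must be a valid email address or a Google service account email`. If the bare form is meant for `BUILT_IN` users, say so in the message (`… or, for BUILT_IN users, a plain user name`); otherwise drop the alternative so an IAM principal cannot be entered as a short name. The `instance_type` picker also offers `SQL_INSTANCE_TYPE_UNSPECIFIED`, which reads as the API's zero value rather than a choice a user should make — presumably it should be left out of the list. The postgresql copy in the `@@ -185,12 +231,43 @@` hunk of modules/postgresql/metadata.display.yaml shares both points.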
@@ -193,6 +308,25 @@ spec: subtext: The VPC network used to enable private IP access to the Cloud SQL instance. Cannot be unset once configured. regexValidation: ^(?:http(?:s)?://.+/)?projects/((?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)))/global/networks/((?:[a-z](?:[-a-z0-9]*[a-z0-9])?))$ validation: Invalid format. Expected a valid Google Cloud network resource name, e.g. projects/{project}/global/networks/{network}. + ssl_mode: + name: ssl_mode + title: Ssl Mode + enumValueLabels: + - label: ALLOW_UNENCRYPTED_AND_ENCRYPTED + value: ALLOW_UNENCRYPTED_AND_ENCRYPTED + - label: ENCRYPTED_ONLY + value: ENCRYPTED_ONLY + - label: TRUSTED_CLIENT_CERTIFICATE_REQUIRED + value: TRUSTED_CLIENT_CERTIFICATE_REQUIRED + authorized_networks: + name: authorized_networks + title: Authorized Networks + properties: + value: + name: value + title: Value + regexValidation: ^((25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\/(3[0-2]|[1-2]\d|\d)$ + validation: Must be a valid IPv4 address in CIDR format. level: 1 maintenance_window_day: name: maintenance_window_day @@ -221,6 +355,9 @@ spec: name: pricing_plan title: Pricing Plan level: 1 + enumValueLabels: + - label: PER_USE + value: PER_USE project_id: name: project_id title: Project Id 
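Review bot: The `authorized_networks.value` pattern accepts `0.0.0.0/0`, and `authorized_networks` is the public-IP allow-list, so the field would benefit from a `subtext` stating that every client in the range can reach the instance (the `private_network` entry above already uses `subtext` for its caveat). The pattern also makes the `/prefix` mandatory while the message only says `IPv4 address in CIDR format`; if a plain host address is meant to be accepted too, make the suffix group optional, otherwise say `IPv4 CIDR range, e.g. 10.0.0.0/24` in the message. The mysql `ip_configuration` block gets `ssl_mode` but not the `server_ca_mode` sibling that the postgresql copy in the `@@ -201,6 +278,24 @@` hunk of modules/postgresql/metadata.display.yaml adds, so the two modules expose different TLS settings in the UI.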
@@ -239,6 +376,55 @@ spec: read_replicas: name: read_replicas title: Read Replicas + properties: + name: + name: name + title: Read Replica Name + regexValidation: ^[a-z][a-z0-9-]{0,95}[a-z0-9]$ + validation: Read replica names must be between 1 and 97 characters long, start with a lowercase letter, and end with a lowercase letter or number. Read replica names can only contain lowercase letters, numbers, and hyphens. + edition: + name: edition + title: Edition + enumValueLabels: + - label: ENTERPRISE_PLUS + value: ENTERPRISE_PLUS + - label: ENTERPRISE + value: ENTERPRISE + availability_type: + name: availability_type + title: Availability Type + enumValueLabels: + - label: REGIONAL + value: REGIONAL + - label: ZONAL + value: ZONAL + disk_type: + name: disk_type + title: Disk Type + enumValueLabels: + - label: PD_SSD + value: PD_SSD + - label: PD_HDD + value: PD_HDD + ip_configuration: + name: ip_configuration + title: Ip Configuration + properties: + private_network: + name: private_network + title: Private Network + regexValidation: ^(projects/[a-z0-9-]+/)?global/networks/[a-z0-9-]+$ + validation: Invalid format. Expected a valid Google Cloud network resource name, e.g. projects/{project}/global/networks/{network}. + ssl_mode: + name: ssl_mode + title: Ssl Mode + enumValueLabels: + - label: ALLOW_UNENCRYPTED_AND_ENCRYPTED + value: ALLOW_UNENCRYPTED_AND_ENCRYPTED + - label: ENCRYPTED_ONLY + value: ENCRYPTED_ONLY + - label: TRUSTED_CLIENT_CERTIFICATE_REQUIRED + value: TRUSTED_CLIENT_CERTIFICATE_REQUIRED region: name: region title: Region @@ -246,6 +432,15 @@ spec: replica_database_version: name: replica_database_version title: Replica Database Version + enumValueLabels: + - label: MYSQL_8_4 + value: MYSQL_8_4 + - label: MYSQL_8_0 + value: MYSQL_8_0 + - label: MYSQL_5_6 + value: MYSQL_5_6 + - label: MYSQL_5_7 + value: MYSQL_5_7 root_password: name: root_password title: Root Password 
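Review bot: The read-replica `name` pattern `^[a-z][a-z0-9-]{0,95}[a-z0-9]$` requires at least two characters, but its message says `between 1 and 97 characters long`; either allow a one-character name (`^[a-z]([a-z0-9-]{0,95}[a-z0-9])?$`) or say `2 and 97` in the message. The nested `disk_type` picker omits `HYPERDISK_BALANCED`, which the top-level `disk_type` in the `@@ -139,6 +216,13 @@` hunk offers, and the nested `private_network` pattern `^(projects/[a-z0-9-]+/)?global/networks/[a-z0-9-]+$` rejects the full `https://…/projects/…` form that the top-level `private_network` rule accepts, so a value copied from the primary block fails on the replica. The postgresql copy in the `@@ -247,6 +345,55 @@` hunk of modules/postgresql/metadata.display.yaml has the same three issues.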
@@ -266,6 +461,9 @@ spec: user_deletion_policy: name: user_deletion_policy title: User Deletion Policy + enumValueLabels: + - label: ABANDON + value: ABANDON user_host: name: user_host title: User Host @@ -276,6 +474,8 @@ spec: name: user_name title: User Name level: 1 + regexValidation: ^[a-zA-Z0-9-]{1,16}$ + validation: User names must be between 1 and 16 characters long and can contain lowercase letters, numbers, and hyphens. user_password: name: user_password title: User Password diff --git a/modules/postgresql/metadata.display.yaml b/modules/postgresql/metadata.display.yaml index 366ed34a..2ec266e7 100644 --- a/modules/postgresql/metadata.display.yaml +++ b/modules/postgresql/metadata.display.yaml @@ -31,12 +31,25 @@ spec: activation_policy: name: activation_policy title: Activation Policy + enumValueLabels: + - label: ALWAYS + value: ALWAYS + - label: NEVER + value: NEVER + - label: ON_DEMAND + value: ON_DEMAND additional_databases: name: additional_databases title: Additional Databases additional_users: name: additional_users title: Additional Users + properties: + name: + name: name + title: User Name + regexValidation: ^[a-zA-Z0-9-]{1,16}$ + validation: User names must be between 1 and 16 characters long and can contain lowercase letters, numbers, and hyphens. availability_type: name: availability_type title: Availability Type @@ -44,6 +57,11 @@ spec: altDefaults: - type: ALTERNATE_TYPE_DC value: REGIONAL + enumValueLabels: + - label: REGIONAL + value: REGIONAL + - label: ZONAL + value: ZONAL backup_configuration: name: backup_configuration title: Backup Configuration 
@@ -53,9 +71,21 @@ spec: value: enabled: true point_in_time_recovery_enabled: true + properties: + retention_unit: + name: retention_unit + title: Retention Unit + enumValueLabels: + - label: COUNT + value: COUNT connector_enforcement: name: connector_enforcement title: Connector Enforcement + enumValueLabels: + - label: REQUIRED + value: REQUIRED + - label: NOT_REQUIRED + value: NOT_REQUIRED create_timeout: name: create_timeout title: Create Timeout @@ -70,6 +100,11 @@ spec: name: database_deletion_policy title: Database Deletion Policy level: 1 + enumValueLabels: + - label: DELETE + value: DELETE + - label: ABANDON + value: ABANDON database_flags: name: database_flags title: Database Flags @@ -103,9 +138,13 @@ spec: db_charset: name: db_charset title: Db Charset + regexValidation: ^[A-Z0-9]+$ + validation: Database charset should contain only uppercase letters and numbers. db_collation: name: db_collation title: Db Collation + regexValidation: ^[a-zA-Z0-9_.-]+$ + validation: Database collation should contain only letters, numbers, underscores, hyphens, and periods. db_name: name: db_name title: Db Name @@ -147,6 +186,13 @@ spec: name: disk_type title: Disk Type level: 1 + enumValueLabels: + - label: PD_SSD + value: PD_SSD + - label: PD_HDD + value: PD_HDD + - label: HYPERDISK_BALANCED + value: HYPERDISK_BALANCED edition: name: edition title: Edition 
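Review bot: The postgresql `db_charset` pattern `^[A-Z0-9]+$` accepts only upper-case names while the mysql `db_charset` rule in the `@@ -95,9 +152,13 @@` hunk of modules/mysql/metadata.display.yaml accepts only lower-case, so `utf8` passes in one module and fails in the other. PostgreSQL encoding names are, as far as I recall, matched case-insensitively, so `^[a-zA-Z0-9]+$` with a message that drops the word `uppercase` would avoid rejecting valid input here. `connector_enforcement` has the same bool-versus-enum mismatch already raised on the mysql file.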
@@ -185,12 +231,43 @@ spec: iam_users: name: iam_users title: Iam Users + properties: + email: + name: email + title: Email + regexValidation: ^([a-zA-Z][a-zA-Z0-9_]{0,15}|[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,})$ + validation: Must be a valid email address or a Google service account email. + type: + name: type + title: Type + enumValueLabels: + - label: BUILT_IN + value: BUILT_IN + - label: CLOUD_IAM_USER + value: CLOUD_IAM_USER + - label: CLOUD_IAM_SERVICE_ACCOUNT + value: CLOUD_IAM_SERVICE_ACCOUNT + - label: CLOUD_IAM_GROUP + value: CLOUD_IAM_GROUP + - label: CLOUD_IAM_GROUP_USER + value: CLOUD_IAM_GROUP_USER + - label: CLOUD_IAM_GROUP_SERVICE_ACCOUNT + value: CLOUD_IAM_GROUP_SERVICE_ACCOUNT insights_config: name: insights_config title: Insights Config instance_type: name: instance_type title: Instance Type + enumValueLabels: + - label: SQL_INSTANCE_TYPE_UNSPECIFIED + value: SQL_INSTANCE_TYPE_UNSPECIFIED + - label: CLOUD_SQL_INSTANCE + value: CLOUD_SQL_INSTANCE + - label: ON_PREMISES_INSTANCE + value: ON_PREMISES_INSTANCE + - label: READ_REPLICA_INSTANCE + value: READ_REPLICA_INSTANCE ip_configuration: name: ip_configuration title: Ip Configuration 
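Review bot: The postgresql `iam_users.email` pattern restricts the local part and domain to lower-case (`[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}`), while the mysql rule in the `@@ -177,12 +261,43 @@` hunk of modules/mysql/metadata.display.yaml accepts mixed case, so the same principal is accepted by one module and rejected by the other. Whichever rule is intended, keep the two files identical; accepting mixed case in both and leaving normalisation to the API is the less surprising choice for a UI check.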
@@ -201,6 +278,24 @@ spec: subtext: The VPC network used to enable private IP access to the Cloud SQL instance. Cannot be unset once configured. regexValidation: ^(?:http(?:s)?://.+/)?projects/((?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)))/global/networks/((?:[a-z](?:[-a-z0-9]*[a-z0-9])?))$ validation: Invalid format. Expected a valid Google Cloud network resource name, e.g. projects/{project}/global/networks/{network}. + ssl_mode: + name: ssl_mode + title: Ssl Mode + enumValueLabels: + - label: ALLOW_UNENCRYPTED_AND_ENCRYPTED + value: ALLOW_UNENCRYPTED_AND_ENCRYPTED + - label: ENCRYPTED_ONLY + value: ENCRYPTED_ONLY + - label: TRUSTED_CLIENT_CERTIFICATE_REQUIRED + value: TRUSTED_CLIENT_CERTIFICATE_REQUIRED + server_ca_mode: + name: server_ca_mode + title: Server CA Mode + enumValueLabels: + - label: GOOGLE_MANAGED_INTERNAL_CA + value: GOOGLE_MANAGED_INTERNAL_CA + - label: GOOGLE_MANAGED_INTERNAL_CA + value: GOOGLE_MANAGED_INTERNAL_CA level: 1 maintenance_window_day: name: maintenance_window_day @@ -229,6 +324,9 @@ spec: name: pricing_plan title: Pricing Plan level: 1 + enumValueLabels: + - label: PER_USE + value: PER_USE project_id: name: project_id title: Project Id 
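Review bot: `server_ca_mode` lists `GOOGLE_MANAGED_INTERNAL_CA` twice, so the picker offers a single real choice and the second entry was presumably meant to be a different mode (the google provider also accepts `GOOGLE_MANAGED_CAS_CA`, if the module passes the value through unchanged). The `@@ -294,8 +294,6 @@` hunk later in this series removes the duplicate but does not add the missing mode, so the picker still cannot express a CA mode other than the default.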
@@ -247,6 +345,55 @@ spec: read_replicas: name: read_replicas title: Read Replicas + properties: + name: + name: name + title: Read Replica Name + regexValidation: ^[a-z][a-z0-9-]{0,95}[a-z0-9]$ + validation: Read replica names must be between 1 and 97 characters long, start with a lowercase letter, and end with a lowercase letter or number. Read replica names can only contain lowercase letters, numbers, and hyphens. + edition: + name: edition + title: Edition + enumValueLabels: + - label: ENTERPRISE_PLUS + value: ENTERPRISE_PLUS + - label: ENTERPRISE + value: ENTERPRISE + availability_type: + name: availability_type + title: Availability Type + enumValueLabels: + - label: REGIONAL + value: REGIONAL + - label: ZONAL + value: ZONAL + disk_type: + name: disk_type + title: Disk Type + enumValueLabels: + - label: PD_SSD + value: PD_SSD + - label: PD_HDD + value: PD_HDD + ip_configuration: + name: ip_configuration + title: Ip Configuration + properties: + private_network: + name: private_network + title: Private Network + regexValidation: ^(projects/[a-z0-9-]+/)?global/networks/[a-z0-9-]+$ + validation: Invalid format. Expected a valid Google Cloud network resource name, e.g. projects/{project}/global/networks/{network}. + ssl_mode: + name: ssl_mode + title: Ssl Mode + enumValueLabels: + - label: ALLOW_UNENCRYPTED_AND_ENCRYPTED + value: ALLOW_UNENCRYPTED_AND_ENCRYPTED + - label: ENCRYPTED_ONLY + value: ENCRYPTED_ONLY + - label: TRUSTED_CLIENT_CERTIFICATE_REQUIRED + value: TRUSTED_CLIENT_CERTIFICATE_REQUIRED region: name: region title: Region @@ -271,6 +418,9 @@ spec: user_deletion_policy: name: user_deletion_policy title: User Deletion Policy + enumValueLabels: + - label: ABANDON + value: ABANDON user_labels: name: user_labels title: User Labels 
@@ -278,6 +428,8 @@ spec: name: user_name title: User Name level: 1 + regexValidation: ^[a-zA-Z0-9-]{1,16}$ + validation: User names must be between 1 and 16 characters long and can contain lowercase letters, numbers, and hyphens. user_password: name: user_password title: User Password From bfdea928df3b4e6940dcaf945152fc0bf184970a Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Fri, 22 Aug 2025 10:21:11 -0700 Subject: [PATCH 11/15] chore: update .github/conventional-commit-lint.yaml --- .github/conventional-commit-lint.yaml | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 .github/conventional-commit-lint.yaml diff --git a/.github/conventional-commit-lint.yaml b/.github/conventional-commit-lint.yaml deleted file mode 100644 index b1d8d8b8..00000000 --- a/.github/conventional-commit-lint.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# Copyright 2022-2025 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# NOTE: This file is automatically generated from: -# https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/main/infra/terraform/test-org/github - -enabled: true -always_check_pr_title: true From 5c76c1e5294141756610edb1ee1bc2d44f7681e1 Mon Sep 17 00:00:00 2001 From: CFT Bot Date: Fri, 22 Aug 2025 10:30:01 -0700 Subject: [PATCH 12/15] chore: update .github/workflows/lint.yaml --- .github/workflows/lint.yaml | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index b24662aa..4730bc1b 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -20,8 +20,11 @@ name: 'lint'
 on:
 workflow_dispatch:
 pull_request:
- branches:
- - main
+ types: [opened, edited, reopened, synchronize]
+ branches: [main]
+
+permissions:
+ contents: read
 concurrency:
 group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'
@@ -52,3 +55,21 @@ jobs:
 env:
 ENABLE_BPMETADATA: 1
+ commitlint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Setup node
+ uses: actions/setup-node@v4
+ with:
+ node-version: lts/*
+ - name: Install commitlint
+ run: |
+ npm install -D @commitlint/cli@19.8.1 @commitlint/config-conventional@19.8.1
+ echo "module.exports = { extends: ['@commitlint/config-conventional'], rules: {'subject-case': [0]} };" > commitlint.config.js
+ npx commitlint --version
+ - name: Validate PR commits with commitlint
+ if: github.event_name == 'pull_request'
+ run: 'echo "${{ github.event.pull_request.title }}" | npx commitlint --verbose'
From 3eb4c964a06b8786956b8bf5d0c25535083efe1b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 28 Aug 2025 16:05:02 -0500 Subject: [PATCH 13/15] feat(deps): Update Terraform Google Provider to v7 (major) (#767) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- modules/backup/versions.tf | 2 +- modules/mssql/versions.tf | 4 ++-- modules/mysql/versions.tf | 4 ++-- modules/postgresql/versions.tf | 4 ++-- modules/private_service_access/versions.tf | 4 ++-- modules/restore/versions.tf | 2 +- modules/safer_mysql/versions.tf | 2 +- 7 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/modules/backup/versions.tf b/modules/backup/versions.tf
index d2492885..061cdb48 100644
--- a/modules/backup/versions.tf
+++ b/modules/backup/versions.tf
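Review bot: The final `run:` step interpolates `${{ github.event.pull_request.title }}` straight into the shell command, so a pull-request title containing shell metacharacters is executed by the runner; the workflow triggers on `pull_request` (including `edited`), where the title is chosen by the contributor. The new `permissions: contents: read` narrows what the job token can do but does not prevent the command execution itself. Pass the title through the environment instead: add `env: { PR_TITLE: '${{ github.event.pull_request.title }}' }` to that step and change the command to `run: echo "$PR_TITLE" | npx commitlint --verbose`. Separately, `actions/checkout@v4` and `actions/setup-node@v4` are mutable tags; pinning them to a commit SHA keeps the job reproducible if a tag is moved.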
@@ -19,7 +19,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.11.0, < 7"
+ version = ">= 6.11.0, < 8"
 }
 }
 }
diff --git a/modules/mssql/versions.tf b/modules/mssql/versions.tf
index fd74db2e..2e779a9f 100644
--- a/modules/mssql/versions.tf
+++ b/modules/mssql/versions.tf
@@ -19,11 +19,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.12, < 7"
+ version = ">= 5.12, < 8"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.12, < 7"
+ version = ">= 5.12, < 8"
 }
 random = {
 source = "hashicorp/random"
diff --git a/modules/mysql/versions.tf b/modules/mysql/versions.tf
index cb8c41b6..d3c67245 100644
--- a/modules/mysql/versions.tf
+++ b/modules/mysql/versions.tf
@@ -27,11 +27,11 @@ terraform {
 }
 google = {
 source = "hashicorp/google"
- version = ">= 6.31, < 7"
+ version = ">= 6.31, < 8"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.31, < 7"
+ version = ">= 6.31, < 8"
 }
 }
diff --git a/modules/postgresql/versions.tf b/modules/postgresql/versions.tf
index 4d2d417a..39a8c9f7 100644
--- a/modules/postgresql/versions.tf
+++ b/modules/postgresql/versions.tf
@@ -27,11 +27,11 @@ terraform {
 }
 google = {
 source = "hashicorp/google"
- version = ">= 6.31, < 7"
+ version = ">= 6.31, < 8"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.31, < 7"
+ version = ">= 6.31, < 8"
 }
 }
diff --git a/modules/private_service_access/versions.tf b/modules/private_service_access/versions.tf
index d9fc5113..ce6dcb7b 100644
--- a/modules/private_service_access/versions.tf
+++ b/modules/private_service_access/versions.tf
@@ -23,11 +23,11 @@ terraform {
 }
 google = {
 source = "hashicorp/google"
- version = ">= 5.38, < 7"
+ version = ">= 5.38, < 8"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.38, < 7"
+ version = ">= 5.38, < 8"
 }
 }
diff --git a/modules/restore/versions.tf b/modules/restore/versions.tf
index 8fbfeba7..e1e8536d 100644
--- a/modules/restore/versions.tf +++ b/modules/restore/versions.tf @@ -19,7 +19,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.0, < 7" + version = ">= 4.0, < 8" } } } diff --git a/modules/safer_mysql/versions.tf b/modules/safer_mysql/versions.tf index 2a8bd5c3..ddce1efd 100644 --- a/modules/safer_mysql/versions.tf +++ b/modules/safer_mysql/versions.tf @@ -20,7 +20,7 @@ terraform { google = { source = "hashicorp/google" - version = ">= 6.31, < 7" + version = ">= 6.31, < 8" } } From 3b74dd46c92c95dc923025c0d8351f5d5d0623f9 Mon Sep 17 00:00:00 2001 From: amrkk123 Date: Fri, 29 Aug 2025 12:14:53 +0530 Subject: [PATCH 14/15] chore: fixed escape character issue in regular expressions (#765) Co-authored-by: Bharath KKB --- modules/mysql/metadata.display.yaml | 6 +++--- modules/postgresql/metadata.display.yaml | 6 ++---- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/modules/mysql/metadata.display.yaml b/modules/mysql/metadata.display.yaml index eb4d3e52..db34bf49 100644 --- a/modules/mysql/metadata.display.yaml +++ b/modules/mysql/metadata.display.yaml @@ -265,7 +265,7 @@ spec: email: name: email title: Email - regexValidation: ^([a-zA-Z][a-zA-Z0-9_]{0,15}|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})$ + regexValidation: "^([a-zA-Z][a-zA-Z0-9_]{0,15}|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+.[a-zA-Z]{2,})$" validation: Must be a valid email address or a Google service account email. type: name: type 
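Review bot: Replacing `\.` with a bare `.` inside the now double-quoted `regexValidation` changes the pattern's meaning: `.` matches any character, so the last separator of the domain is no longer required to be a literal dot and the email check is looser than before. The YAML-correct spelling is `\\.`, which the `@@ -325,7 +325,7 @@` hunk of this same file already uses for the CIDR pattern; apply it here, in the `private_network` patterns of the `@@ -306,7 +306,7 @@` and `@@ -276,7 +276,7 @@` hunks (there the old unquoted `\\.` matched a literal backslash, so the new `.` silently widens that rule as well), and in the postgresql email pattern of the `@@ -235,7 +235,7 @@` hunk.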
@@ -306,7 +306,7 @@ spec:
 name: private_network
 title: private_network
 subtext: The VPC network used to enable private IP access to the Cloud SQL instance. Cannot be unset once configured.
- regexValidation: ^(?:http(?:s)?://.+/)?projects/((?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)))/global/networks/((?:[a-z](?:[-a-z0-9]*[a-z0-9])?))$
+ regexValidation: "^(?:http(?:s)?://.+/)?projects/((?:(?:[-a-z0-9]{1,63}.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)))/global/networks/((?:[a-z](?:[-a-z0-9]*[a-z0-9])?))$"
 validation: Invalid format. Expected a valid Google Cloud network resource name, e.g. projects/{project}/global/networks/{network}.
 ssl_mode:
 name: ssl_mode
@@ -325,7 +325,7 @@ spec:
 value:
 name: value
 title: Value
- regexValidation: ^((25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\/(3[0-2]|[1-2]\d|\d)$
+ regexValidation: "^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])\\/(3[0-2]|[1-2][0-9]|[0-9])$"
 validation: Must be a valid IPv4 address in CIDR format.
 level: 1
 maintenance_window_day:
diff --git a/modules/postgresql/metadata.display.yaml b/modules/postgresql/metadata.display.yaml
index 2ec266e7..a9ff5111 100644
--- a/modules/postgresql/metadata.display.yaml
+++ b/modules/postgresql/metadata.display.yaml
@@ -235,7 +235,7 @@ spec:
 email:
 name: email
 title: Email
- regexValidation: ^([a-zA-Z][a-zA-Z0-9_]{0,15}|[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,})$
+ regexValidation: "^([a-zA-Z][a-zA-Z0-9_]{0,15}|[a-z0-9._%+-]+@[a-z0-9.-]+.[a-z]{2,})$"
 validation: Must be a valid email address or a Google service account email.
 type:
 name: type
@@ -276,7 +276,7 @@ spec:
 name: private_network
 title: private_network
 subtext: The VPC network used to enable private IP access to the Cloud SQL instance. Cannot be unset once configured.
- regexValidation: ^(?:http(?:s)?://.+/)?projects/((?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)))/global/networks/((?:[a-z](?:[-a-z0-9]*[a-z0-9])?))$
+ regexValidation: "^(?:http(?:s)?://.+/)?projects/((?:(?:[-a-z0-9]{1,63}.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)))/global/networks/((?:[a-z](?:[-a-z0-9]*[a-z0-9])?))$"
 validation: Invalid format. Expected a valid Google Cloud network resource name, e.g. projects/{project}/global/networks/{network}.
 ssl_mode:
 name: ssl_mode
@@ -294,8 +294,6 @@ spec:
 enumValueLabels:
 - label: GOOGLE_MANAGED_INTERNAL_CA
 value: GOOGLE_MANAGED_INTERNAL_CA
- - label: GOOGLE_MANAGED_INTERNAL_CA
- value: GOOGLE_MANAGED_INTERNAL_CA
 level: 1
 maintenance_window_day:
 name: maintenance_window_day
From f0a257102f28d10169cb3d5126e938361922161b Mon Sep 17 00:00:00 2001
From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Fri, 29 Aug 2025 08:18:32 +0000 Subject: [PATCH 15/15] chore(main): release 26.2.0 (#756) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 18 ++++++++++++++++++ README.md | 2 +- examples/mssql-failover-replica/README.md | 2 +- .../README.md | 2 +- modules/mssql/README.md | 2 +- modules/mssql/metadata.yaml | 2 +- modules/mssql/versions.tf | 2 +- modules/mysql/README.md | 2 +- modules/mysql/metadata.yaml | 2 +- modules/mysql/versions.tf | 4 ++-- modules/postgresql/README.md | 2 +- modules/postgresql/metadata.yaml | 2 +- modules/postgresql/versions.tf | 4 ++-- modules/private_service_access/README.md | 2 +- modules/private_service_access/metadata.yaml | 2 +- modules/private_service_access/versions.tf | 4 ++-- modules/safer_mysql/README.md | 2 +- modules/safer_mysql/metadata.yaml | 2 +- modules/safer_mysql/versions.tf | 2 +- 19 files changed, 39 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index de071629..26aa621b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +## [26.2.0](https://github.com/terraform-google-modules/terraform-google-sql-db/compare/v26.1.1...v26.2.0) (2025-08-29) + + +### Features + +* **deps:** Update Terraform Google Provider to v7 (major) ([#767](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/767)) ([3eb4c96](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/3eb4c964a06b8786956b8bf5d0c25535083efe1b)) +* Output the Service Attachment links for Replicas ([#758](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/758)) ([e5446b7](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/e5446b7c2d8ba5f227aa108b8431f3f082c281a9)) +* per module requirements ([#749](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/749)) ([0475973](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/0475973f7cf91e815dd176f2c2d8e8951aac4434)) + + +### Bug Fixes + +* Addng UI validations for MySql and PostgreSQL ([#759](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/759)) ([0b75726](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/0b757267c216276741c90b080984f0b20f318ad7)) +* correct typos in README and variables.tf descriptions ([#753](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/753)) ([1615d75](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/1615d7566e8681c7909bad1fbf71fc207e86a185)) +* rename app hub service id ([#757](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/757)) ([e9a7830](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/e9a7830fc6f3566b62aa18954da32e8b9fe606f4)) +* revert psc_config 
workaround - causes permanent drift ([#754](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/754)) ([3cb3eee](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/3cb3eeea08525d3d2829b546b8219f30fffa51af)) +* use local.zone fallback for replica region calculation ([#760](https://github.com/terraform-google-modules/terraform-google-sql-db/issues/760)) ([4eb9309](https://github.com/terraform-google-modules/terraform-google-sql-db/commit/4eb930993faf83cfdbc1b3b282f7389690b69431)) + ## [26.1.1](https://github.com/terraform-google-modules/terraform-google-sql-db/compare/v26.1.0...v26.1.1) (2025-07-11) diff --git a/README.md b/README.md index f504bb25..96fd0148 100644 --- a/README.md +++ b/README.md @@ -87,7 +87,7 @@ For MySQL : ``` module "sql-db" { source = "GoogleCloudPlatform/sql-db/google//modules/mysql" - version = "~> 26.1" + version = "~> 26.2" } ``` diff --git a/examples/mssql-failover-replica/README.md b/examples/mssql-failover-replica/README.md index e9d9c72d..837c9f5f 100644 --- a/examples/mssql-failover-replica/README.md +++ b/examples/mssql-failover-replica/README.md @@ -23,7 +23,7 @@ Promote instance 2 as primary and change instance 1 as failover replica ```diff module "mssql2" { source = "terraform-google-modules/sql-db/google//modules/mssql" - version = "~> 26.1" + version = "~> 26.2" - master_instance_name = module.mssql1.instance_name diff --git a/examples/postgresql-with-cross-region-failover/README.md b/examples/postgresql-with-cross-region-failover/README.md index 88644fb8..9633072b 100644 --- a/examples/postgresql-with-cross-region-failover/README.md +++ b/examples/postgresql-with-cross-region-failover/README.md @@ -26,7 +26,7 @@ Promote instance 2 as primary and change instance 1 as failover replica ```diff module "pg2" { source = "terraform-google-modules/sql-db/google//modules/postgresql" - version = "~> 26.1" + version = "~> 26.2" - master_instance_name = module.pg1.instance_name 
diff --git a/modules/mssql/README.md b/modules/mssql/README.md index f2a47c53..f304edea 100644 --- a/modules/mssql/README.md +++ b/modules/mssql/README.md @@ -12,7 +12,7 @@ Basic usage of this module is as follows: ```hcl module "mssql" { source = "terraform-google-modules/sql-db/google//modules/mssql" - version = "~> 26.1" + version = "~> 26.2" name = var.name random_instance_name = true diff --git a/modules/mssql/metadata.yaml b/modules/mssql/metadata.yaml index 30cbf5e1..e958e760 100644 --- a/modules/mssql/metadata.yaml +++ b/modules/mssql/metadata.yaml @@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-sql-db.git sourceType: git dir: /modules/mssql - version: 26.1.1 + version: 26.2.0 actuationTool: flavor: Terraform version: ">= 1.3" diff --git a/modules/mssql/versions.tf b/modules/mssql/versions.tf index 2e779a9f..7d34b62c 100644 --- a/modules/mssql/versions.tf +++ b/modules/mssql/versions.tf @@ -36,7 +36,7 @@ terraform { } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-sql-db:mssql/v26.1.1" + module_name = "blueprints/terraform/terraform-google-sql-db:mssql/v26.2.0" } } diff --git a/modules/mysql/README.md b/modules/mysql/README.md index 28a30fdd..e6f4e5d2 100644 --- a/modules/mysql/README.md +++ b/modules/mysql/README.md @@ -10,7 +10,7 @@ Functional examples are included in the [examples](../../examples/) directory. B ```hcl module "mysql-db" { source = "terraform-google-modules/sql-db/google//modules/mysql" - version = "~> 26.1" + version = "~> 26.2" name = var.db_name random_instance_name = true diff --git a/modules/mysql/metadata.yaml b/modules/mysql/metadata.yaml index 8a5f0386..83692796 100644 --- a/modules/mysql/metadata.yaml +++ b/modules/mysql/metadata.yaml 
@@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-sql-db.git sourceType: git dir: /modules/mysql - version: 26.1.1 + version: 26.2.0 actuationTool: flavor: Terraform version: ">= 1.3" diff --git a/modules/mysql/versions.tf b/modules/mysql/versions.tf index d3c67245..16458527 100644 --- a/modules/mysql/versions.tf +++ b/modules/mysql/versions.tf @@ -36,10 +36,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-sql-db:mysql/v26.1.1" + module_name = "blueprints/terraform/terraform-google-sql-db:mysql/v26.2.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-sql-db:mysql/v26.1.1" + module_name = "blueprints/terraform/terraform-google-sql-db:mysql/v26.2.0" } } diff --git a/modules/postgresql/README.md b/modules/postgresql/README.md index dfb85706..cb40cb82 100644 --- a/modules/postgresql/README.md +++ b/modules/postgresql/README.md @@ -13,7 +13,7 @@ Basic usage of this module is as follows: ```hcl module "pg" { source = "terraform-google-modules/sql-db/google//modules/postgresql" - version = "~> 26.1" + version = "~> 26.2" name = var.pg_ha_name random_instance_name = true diff --git a/modules/postgresql/metadata.yaml b/modules/postgresql/metadata.yaml index 73a69453..99699297 100644 --- a/modules/postgresql/metadata.yaml +++ b/modules/postgresql/metadata.yaml @@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-sql-db.git sourceType: git dir: /modules/postgresql - version: 26.1.1 + version: 26.2.0 actuationTool: flavor: Terraform version: ">= 1.3" diff --git a/modules/postgresql/versions.tf b/modules/postgresql/versions.tf index 39a8c9f7..35d0f5a1 100644 --- a/modules/postgresql/versions.tf +++ b/modules/postgresql/versions.tf 
@@ -36,10 +36,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-sql-db:postgresql/v26.1.1" + module_name = "blueprints/terraform/terraform-google-sql-db:postgresql/v26.2.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-sql-db:postgresql/v26.1.1" + module_name = "blueprints/terraform/terraform-google-sql-db:postgresql/v26.2.0" } } diff --git a/modules/private_service_access/README.md b/modules/private_service_access/README.md index f0f0b3cd..43b3794d 100644 --- a/modules/private_service_access/README.md +++ b/modules/private_service_access/README.md @@ -16,7 +16,7 @@ Basic usage of this module is as follows: ``` module "test_psa" { source = "terraform-google-modules/sql-db/google//modules/private_service_access" - version = "~> 26.1" + version = "~> 26.2" project_id = var.project_id vpc_network = google_compute_network.default.name diff --git a/modules/private_service_access/metadata.yaml b/modules/private_service_access/metadata.yaml index 7eb1f6f9..56b1a336 100644 --- a/modules/private_service_access/metadata.yaml +++ b/modules/private_service_access/metadata.yaml @@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-sql-db.git sourceType: git dir: /modules/private_service_access - version: 26.1.1 + version: 26.2.0 actuationTool: flavor: Terraform version: ">= 1.3" diff --git a/modules/private_service_access/versions.tf b/modules/private_service_access/versions.tf index ce6dcb7b..7798a30a 100644 --- a/modules/private_service_access/versions.tf +++ b/modules/private_service_access/versions.tf 
@@ -32,11 +32,11 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-sql-db:private_service_access/v26.1.1" + module_name = "blueprints/terraform/terraform-google-sql-db:private_service_access/v26.2.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-sql-db:private_service_access/v26.1.1" + module_name = "blueprints/terraform/terraform-google-sql-db:private_service_access/v26.2.0" } } diff --git a/modules/safer_mysql/README.md b/modules/safer_mysql/README.md index cdced0e3..42e80c24 100644 --- a/modules/safer_mysql/README.md +++ b/modules/safer_mysql/README.md @@ -167,7 +167,7 @@ Functional examples are included in the [examples](../../examples/) directory. B ```hcl module "safer-mysql-db" { source = "terraform-google-modules/sql-db/google//modules/safer_mysql" - version = "~> 26.1" + version = "~> 26.2" name = var.db_name diff --git a/modules/safer_mysql/metadata.yaml b/modules/safer_mysql/metadata.yaml index 2dac8ee8..8f516c5a 100644 --- a/modules/safer_mysql/metadata.yaml +++ b/modules/safer_mysql/metadata.yaml @@ -25,7 +25,7 @@ spec: repo: https://github.com/terraform-google-modules/terraform-google-sql-db.git sourceType: git dir: /modules/safer_mysql - version: 26.1.1 + version: 26.2.0 actuationTool: flavor: Terraform version: ">= 1.3" diff --git a/modules/safer_mysql/versions.tf b/modules/safer_mysql/versions.tf index ddce1efd..6b361d2e 100644 --- a/modules/safer_mysql/versions.tf +++ b/modules/safer_mysql/versions.tf @@ -25,7 +25,7 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-sql-db:safer_mysql/v26.1.1" + module_name = "blueprints/terraform/terraform-google-sql-db:safer_mysql/v26.2.0" } }