add support for IAM authentication to google_sql_user for #7512 (#8017)

* add support for IAM authentication to google_sql_user for #7512 * Add documentation for cloud_sql_user.type field
hashicorp · Dec 17, 2020 · 8b83466 · 8b83466
1 parent 898cc33
commit 8b83466
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 4 deletions.
diff --git a/google/resource_sql_user.go b/google/resource_sql_user.go
@@ -53,10 +53,20 @@ func resourceSqlUser() *schema.Resource {
 			},
 
 			"password": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Sensitive:   true,
-				Description: `The password for the user. Can be updated. For Postgres instances this is a Required field.`,
+				Type:      schema.TypeString,
+				Optional:  true,
+				Sensitive: true,
+				Description: `The password for the user. Can be updated. For Postgres instances this is a Required field, unless type is set to
+                either CLOUD_IAM_USER or CLOUD_IAM_SERVICE_ACCOUNT.`,
+			},
+
+			"type": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+				Description: `The user type. It determines the method to authenticate the user during login.
+                The default is the database's built-in user type. Flags include "BUILT_IN", "CLOUD_IAM_USER", or "CLOUD_IAM_SERVICE_ACCOUNT".`,
+				ValidateFunc: validation.StringInSlice([]string{"BUILT_IN", "CLOUD_IAM_USER", "CLOUD_IAM_SERVICE_ACCOUNT", ""}, false),
 			},
 
 			"project": {
@@ -95,12 +105,14 @@ func resourceSqlUserCreate(d *schema.ResourceData, meta interface{}) error {
 	instance := d.Get("instance").(string)
 	password := d.Get("password").(string)
 	host := d.Get("host").(string)
+	typ := d.Get("type").(string)
 
 	user := &sqladmin.User{
 		Name:     name,
 		Instance: instance,
 		Password: password,
 		Host:     host,
+		Type:     typ,
 	}
 
 	mutexKV.Lock(instanceMutexKey(project, instance))
@@ -186,6 +198,9 @@ func resourceSqlUserRead(d *schema.ResourceData, meta interface{}) error {
 	if err := d.Set("name", user.Name); err != nil {
 		return fmt.Errorf("Error setting name: %s", err)
 	}
+	if err := d.Set("type", user.Type); err != nil {
+		return fmt.Errorf("Error setting type: %s", err)
+	}
 	if err := d.Set("project", project); err != nil {
 		return fmt.Errorf("Error setting project: %s", err)
 	}

diff --git a/google/resource_sql_user_test.go b/google/resource_sql_user_test.go
@@ -78,6 +78,32 @@ func TestAccSqlUser_postgres(t *testing.T) {
 	})
 }
 
+func TestAccSqlUser_postgresIAM(t *testing.T) {
+	t.Parallel()
+
+	instance := fmt.Sprintf("i-%d", randInt(t))
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccSqlUserDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testGoogleSqlUser_postgresIAM(instance),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleSqlUserExists(t, "google_sql_user.user"),
+				),
+			},
+			{
+				ResourceName:            "google_sql_user.user",
+				ImportStateId:           fmt.Sprintf("%s/%s/admin", getTestProjectFromEnv(), instance),
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"password"},
+			},
+		},
+	})
+}
+
 func TestAccSqlUser_postgresAbandon(t *testing.T) {
 	t.Parallel()
 
@@ -236,6 +262,31 @@ resource "google_sql_user" "user" {
 `, instance, password)
 }
 
+func testGoogleSqlUser_postgresIAM(instance string) string {
+	return fmt.Sprintf(`
+resource "google_sql_database_instance" "instance" {
+  name             = "%s"
+  region           = "us-central1"
+  database_version = "POSTGRES_9_6"
+  deletion_protection = false
+
+  settings {
+    tier = "db-f1-micro"
+    database_flags {
+      name  = "cloudsql.iam_authentication"
+      value = "on"
+    }
+  }
+}
+
+resource "google_sql_user" "user" {
+  name     = "admin"
+  instance = google_sql_database_instance.instance.name
+  type     = "CLOUD_IAM_USER"
+}
+`, instance)
+}
+
 func testGoogleSqlUser_postgresAbandon(instance, name string) string {
 	return fmt.Sprintf(`
 resource "google_sql_database_instance" "instance" {

diff --git a/website/docs/r/sql_user.html.markdown b/website/docs/r/sql_user.html.markdown
@@ -40,6 +40,34 @@ resource "google_sql_user" "users" {
 }
 ```
 
+Example creating a Cloud IAM User.
+
+```hcl
+resource "random_id" "db_name_suffix" {
+  byte_length = 4
+}
+
+resource "google_sql_database_instance" "master" {
+  name             = "master-instance-${random_id.db_name_suffix.hex}"
+  database_version = "POSTGRES_9_6"
+
+  settings {
+    tier = "db-f1-micro"
+
+    datagbase_flags {
+      name  = "cloudsql.iam_authentication"
+      value = "on"
+    }
+  }
+}
+
+resource "google_sql_user" "users" {
+  name     = "me"
+  instance = google_sql_database_instance.master.name
+  type     = "CLOUD_IAM_USER"
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
@@ -53,6 +81,10 @@ The following arguments are supported:
 * `password` - (Optional) The password for the user. Can be updated. For Postgres
     instances this is a Required field.
 
+* `type` - (Optional) The user type. It determines the method to authenticate the
+    user during login. The default is the database's built-in user type. Flags
+    include "BUILT_IN", "CLOUD_IAM_USER", or "CLOUD_IAM_SERVICE_ACCOUNT".
+
 * `deletion_policy` - (Optional) The deletion policy for the user.
     Setting `ABANDON` allows the resource to be abandoned rather than deleted. This is useful
     for Postgres, where users cannot be deleted from the API if they have been granted SQL roles.