feat: config connector_enforcement in postgres (#500)

nissessenap · g-awmalik · web-flow · commit 5789b541a1b7 · 2023-08-23T11:14:27.000+05:30
Signed-off-by: Edvin Norling &lt;edvin.norling@kognic.com&gt;
Co-authored-by: Awais Malik &lt;awmalik@google.com&gt;
diff --git a/modules/mssql/README.md b/modules/mssql/README.md
@@ -15,6 +15,7 @@ The following dependency must be available for SQL Server module:
 | additional\_users | A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set. | <pre>list(object({<br>    name            = string<br>    password        = string<br>    random_password = bool<br>  }))</pre> | `[]` | no |
 | availability\_type | The availability type for the master instance.This is only used to set up high availability for the MSSQL instance. Can be either `ZONAL` or `REGIONAL`. | `string` | `"ZONAL"` | no |
 | backup\_configuration | The database backup configuration. | <pre>object({<br>    binary_log_enabled             = bool<br>    enabled                        = bool<br>    point_in_time_recovery_enabled = bool<br>    start_time                     = string<br>    transaction_log_retention_days = string<br>    retained_backups               = number<br>    retention_unit                 = string<br>  })</pre> | <pre>{<br>  "binary_log_enabled": null,<br>  "enabled": false,<br>  "point_in_time_recovery_enabled": null,<br>  "retained_backups": null,<br>  "retention_unit": null,<br>  "start_time": null,<br>  "transaction_log_retention_days": null<br>}</pre> | no |
+| connector\_enforcement | Enforce that clients use the connector library | `bool` | `false` | no |
 | create\_timeout | The optional timeout that is applied to limit long database creates. | `string` | `"30m"` | no |
 | database\_flags | The database flags for the master instance. See [more details](https://cloud.google.com/sql/docs/sqlserver/flags) | <pre>list(object({<br>    name  = string<br>    value = string<br>  }))</pre> | `[]` | no |
 | database\_version | The database version to use: SQLSERVER\_2017\_STANDARD, SQLSERVER\_2017\_ENTERPRISE, SQLSERVER\_2017\_EXPRESS, or SQLSERVER\_2017\_WEB | `string` | `"SQLSERVER_2017_STANDARD"` | no |
diff --git a/modules/mssql/main.tf b/modules/mssql/main.tf
@@ -25,8 +25,9 @@ locals {
   databases = { for db in var.additional_databases : db.name => db }
   users     = { for u in var.additional_users : u.name => u }
 
-  retained_backups = lookup(var.backup_configuration, "retained_backups", null)
-  retention_unit   = lookup(var.backup_configuration, "retention_unit", null)
+  retained_backups      = lookup(var.backup_configuration, "retained_backups", null)
+  retention_unit        = lookup(var.backup_configuration, "retention_unit", null)
+  connector_enforcement = var.connector_enforcement ? "REQUIRED" : "NOT_REQUIRED"
 }
 
 resource "random_id" "suffix" {
@@ -56,6 +57,8 @@ resource "google_sql_database_instance" "default" {
     activation_policy           = var.activation_policy
     availability_type           = var.availability_type
     deletion_protection_enabled = var.deletion_protection_enabled
+    connector_enforcement       = local.connector_enforcement
+
     dynamic "backup_configuration" {
       for_each = var.backup_configuration.enabled ? [var.backup_configuration] : []
       content {
diff --git a/modules/mssql/variables.tf b/modules/mssql/variables.tf
@@ -313,6 +313,12 @@ variable "deletion_protection" {
   default     = true
 }
 
+variable "connector_enforcement" {
+  description = "Enforce that clients use the connector library"
+  type        = bool
+  default     = false
+}
+
 variable "time_zone" {
   description = "The time zone for SQL instance."
   type        = string
diff --git a/modules/postgresql/README.md b/modules/postgresql/README.md
@@ -12,6 +12,7 @@ Note: CloudSQL provides [disk autoresize](https://cloud.google.com/sql/docs/mysq
 | additional\_users | A list of users to be created in your cluster. A random password would be set for the user if the `random_password` variable is set. | <pre>list(object({<br>    name            = string<br>    password        = string<br>    random_password = bool<br>  }))</pre> | `[]` | no |
 | availability\_type | The availability type for the master instance.This is only used to set up high availability for the PostgreSQL instance. Can be either `ZONAL` or `REGIONAL`. | `string` | `"ZONAL"` | no |
 | backup\_configuration | The backup\_configuration settings subblock for the database setings | <pre>object({<br>    enabled                        = bool<br>    start_time                     = string<br>    location                       = string<br>    point_in_time_recovery_enabled = bool<br>    transaction_log_retention_days = string<br>    retained_backups               = number<br>    retention_unit                 = string<br>  })</pre> | <pre>{<br>  "enabled": false,<br>  "location": null,<br>  "point_in_time_recovery_enabled": false,<br>  "retained_backups": null,<br>  "retention_unit": null,<br>  "start_time": null,<br>  "transaction_log_retention_days": null<br>}</pre> | no |
+| connector\_enforcement | Enforce that clients use the connector library | `bool` | `false` | no |
 | create\_timeout | The optional timout that is applied to limit long database creates. | `string` | `"30m"` | no |
 | database\_deletion\_policy | The deletion policy for the database. Setting ABANDON allows the resource to be abandoned rather than deleted. This is useful for Postgres, where databases cannot be deleted from the API if there are users other than cloudsqlsuperuser with access. Possible values are: "ABANDON". | `string` | `null` | no |
 | database\_flags | The database flags for the master instance. See [more details](https://cloud.google.com/sql/docs/postgres/flags) | <pre>list(object({<br>    name  = string<br>    value = string<br>  }))</pre> | `[]` | no |
diff --git a/modules/postgresql/main.tf b/modules/postgresql/main.tf
@@ -39,6 +39,9 @@ locals {
 
   retained_backups = lookup(var.backup_configuration, "retained_backups", null)
   retention_unit   = lookup(var.backup_configuration, "retention_unit", null)
+
+  // Force the usage of connector_enforcement
+  connector_enforcement = var.connector_enforcement ? "REQUIRED" : "NOT_REQUIRED"
 }
 
 resource "random_id" "suffix" {
@@ -62,6 +65,7 @@ resource "google_sql_database_instance" "default" {
     activation_policy           = var.activation_policy
     availability_type           = var.availability_type
     deletion_protection_enabled = var.deletion_protection_enabled
+    connector_enforcement       = local.connector_enforcement
 
     dynamic "backup_configuration" {
       for_each = [var.backup_configuration]
diff --git a/modules/postgresql/variables.tf b/modules/postgresql/variables.tf
@@ -409,3 +409,9 @@ variable "enable_random_password_special" {
   type        = bool
   default     = false
 }
+
+variable "connector_enforcement" {
+  description = "Enforce that clients use the connector library"
+  type        = bool
+  default     = false
+}
