From dd1d75cff8d21c16299a026edb88d3939daf99d1 Mon Sep 17 00:00:00 2001 From: g-awmalik Date: Tue, 27 Dec 2022 12:57:16 -0800 Subject: [PATCH] fix: fixes lint issues and generates metadata (#392) Co-authored-by: Awais Malik --- Makefile | 2 +- build/int.cloudbuild.yaml | 2 +- build/lint.cloudbuild.yaml | 2 +- examples/mssql-public/README.md | 1 - examples/mssql-public/variables.tf | 5 - metadata.yaml | 78 ++++ modules/backup/README.md | 2 +- modules/backup/metadata.yaml | 142 +++++++ modules/backup/outputs.tf | 3 +- modules/backup/variables.tf | 3 + modules/mssql/metadata.yaml | 324 +++++++++++++++ modules/mssql/variables.tf | 1 + modules/mssql/versions.tf | 12 + modules/mysql/main.tf | 4 +- modules/mysql/metadata.yaml | 388 ++++++++++++++++++ modules/postgresql/metadata.yaml | 393 +++++++++++++++++++ modules/postgresql/variables.tf | 1 + modules/private_service_access/metadata.yaml | 108 +++++ modules/restore/README.md | 2 +- modules/restore/metadata.yaml | 100 +++++ modules/restore/outputs.tf | 3 +- modules/safer_mysql/metadata.yaml | 357 +++++++++++++++++ 22 files changed, 1917 insertions(+), 16 deletions(-) create mode 100644 metadata.yaml create mode 100644 modules/backup/metadata.yaml create mode 100644 modules/mssql/metadata.yaml create mode 100644 modules/mysql/metadata.yaml create mode 100644 modules/postgresql/metadata.yaml create mode 100644 modules/private_service_access/metadata.yaml create mode 100644 modules/restore/metadata.yaml create mode 100644 modules/safer_mysql/metadata.yaml diff --git a/Makefile b/Makefile index 359f6b0a..bc7200db 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ # Make will use bash instead of sh SHELL := /usr/bin/env bash -DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.8 +DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.10 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools REGISTRY_URL := gcr.io/cloud-foundation-cicd diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 2da47b57..a3099bbd 100644 
--- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -191,5 +191,5 @@ tags: - 'integration' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.8' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10' _API_ACTIVATION_SECONDS_WAIT: '900' diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml index 7a511164..9e1353e2 100644 --- a/build/lint.cloudbuild.yaml +++ b/build/lint.cloudbuild.yaml @@ -21,4 +21,4 @@ tags: - 'lint' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.8' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10' diff --git a/examples/mssql-public/README.md b/examples/mssql-public/README.md index ad9b09ab..502b26d7 100644 --- a/examples/mssql-public/README.md +++ b/examples/mssql-public/README.md @@ -9,7 +9,6 @@ This example shows how create MS SQL Server database using the Terraform module. |------|-------------|------|---------|:--------:| | name | The name for Cloud SQL instance | `string` | `"tf-mssql-public"` | no | | project\_id | The project to run tests against | `string` | n/a | yes | -| region | n/a | `string` | `"us-central1"` | no | | sql\_server\_audit\_config | SQL server audit config settings. | `map(string)` | `{}` | no | ## Outputs diff --git a/examples/mssql-public/variables.tf b/examples/mssql-public/variables.tf index 700b56b3..a8ca466b 100644 --- a/examples/mssql-public/variables.tf +++ b/examples/mssql-public/variables.tf @@ -25,11 +25,6 @@ variable "name" { default = "tf-mssql-public" } -variable "region" { - default = "us-central1" - type = string -} - variable "sql_server_audit_config" { description = "SQL server audit config settings." type = map(string) diff --git a/metadata.yaml b/metadata.yaml new file mode 100644 index 00000000..a9f93aa8 --- /dev/null +++ b/metadata.yaml 
@@ -0,0 +1,78 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-sql-db + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: terraform-google-sql + source: + repo: https://github.com/terraform-google-modules/terraform-google-sql-db + sourceType: git + subBlueprints: + - name: backup + location: modules/backup + - name: mssql + location: modules/mssql + - name: mysql + location: modules/mysql + - name: postgresql + location: modules/postgresql + - name: private_service_access + location: modules/private_service_access + - name: restore + location: modules/restore + - name: safer_mysql + location: modules/safer_mysql + examples: + - name: mssql-public + location: examples/mssql-public + - name: mysql-backup-create-service-account + location: examples/mysql-backup-create-service-account + - name: mysql-ha + location: examples/mysql-ha + - name: mysql-private + location: examples/mysql-private + - name: mysql-public + location: examples/mysql-public + - name: postgresql-backup-provided-service-account + location: examples/postgresql-backup-provided-service-account + - name: postgresql-ha + location: examples/postgresql-ha + - name: postgresql-public + location: examples/postgresql-public + - name: postgresql-public-iam + location: examples/postgresql-public-iam + roles: + - level: Project + roles: + - 
roles/cloudsql.admin + - roles/compute.networkAdmin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/workflows.admin + - roles/cloudscheduler.admin + - roles/iam.serviceAccountUser + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - servicenetworking.googleapis.com + - sqladmin.googleapis.com + - iam.googleapis.com + - workflows.googleapis.com + - cloudscheduler.googleapis.com diff --git a/modules/backup/README.md b/modules/backup/README.md index f2664310..1b90dd0e 100644 --- a/modules/backup/README.md +++ b/modules/backup/README.md @@ -74,7 +74,7 @@ fetch workflows.googleapis.com/Workflow |------|-------------| | backup\_workflow\_name | The name for internal backup workflow | | export\_workflow\_name | The name for export workflow | -| region | n/a | +| region | The region for running the scheduler and workflow | | service\_account | The service account email running the scheduler and workflow | diff --git a/modules/backup/metadata.yaml b/modules/backup/metadata.yaml new file mode 100644 index 00000000..df7790ac --- /dev/null +++ b/modules/backup/metadata.yaml 
@@ -0,0 +1,142 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-sql-db + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: GCP CloudSQL Backup + source: + repo: https://github.com/terraform-google-modules/terraform-google-sql-db + sourceType: git + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: mssql-public + location: examples/mssql-public + - name: mysql-backup-create-service-account + location: examples/mysql-backup-create-service-account + - name: mysql-ha + location: examples/mysql-ha + - name: mysql-private + location: examples/mysql-private + - name: mysql-public + location: examples/mysql-public + - name: postgresql-backup-provided-service-account + location: examples/postgresql-backup-provided-service-account + - name: postgresql-ha + location: examples/postgresql-ha + - name: postgresql-public + location: examples/postgresql-public + - name: postgresql-public-iam + location: examples/postgresql-public-iam + variables: + - name: backup_retention_time + description: The number of days backups should be kept + type: number + default: 30 + required: false + - name: backup_schedule + description: The cron schedule to execute the internal backup + type: string + default: 45 2 * * * + required: false + - name: compress_export + description: Whether or not to compress the 
export when storing in the bucket; Only valid for MySQL and PostgreSQL + type: bool + default: true + required: false + - name: enable_export_backup + description: Weather to create exports to GCS Buckets with this module + type: bool + default: true + required: false + - name: enable_internal_backup + description: Wether to create internal backups with this module + type: bool + default: true + required: false + - name: export_databases + description: The list of databases that should be exported - if is an empty set all databases will be exported + type: set(string) + default: [] + required: false + - name: export_schedule + description: The cron schedule to execute the export to GCS + type: string + default: 15 3 * * * + required: false + - name: export_uri + description: The bucket and path uri for exporting to GCS + type: string + required: true + - name: project_id + description: The project ID + type: string + required: true + - name: region + description: The region where to run the workflow + type: string + default: us-central1 + required: false + - name: scheduler_timezone + description: The Timezone in which the Scheduler Jobs are triggered + type: string + default: Etc/GMT + required: false + - name: service_account + description: The service account to use for running the workflow and triggering the workflow by Cloud Scheduler - If empty or null a service account will be created. If you have provided a service account you need to grant the Cloud SQL Admin and the Workflows Invoker role to that + type: string + required: false + - name: sql_instance + description: The name of the SQL instance to backup + type: string + required: true + - name: unique_suffix + description: Unique suffix to add to scheduler jobs and workflows names. 
+ type: string + default: "" + required: false + outputs: + - name: backup_workflow_name + description: The name for internal backup workflow + - name: export_workflow_name + description: The name for export workflow + - name: region + description: The region for running the scheduler and workflow + - name: service_account + description: The service account email running the scheduler and workflow + roles: + - level: Project + roles: + - roles/cloudsql.admin + - roles/compute.networkAdmin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/workflows.admin + - roles/cloudscheduler.admin + - roles/iam.serviceAccountUser + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - servicenetworking.googleapis.com + - sqladmin.googleapis.com + - iam.googleapis.com + - workflows.googleapis.com + - cloudscheduler.googleapis.com diff --git a/modules/backup/outputs.tf b/modules/backup/outputs.tf index ef829fde..23c4ef2f 100644 --- a/modules/backup/outputs.tf +++ b/modules/backup/outputs.tf @@ -30,5 +30,6 @@ output "service_account" { } output "region" { - value = var.region + description = "The region for running the scheduler and workflow" + value = var.region } diff --git a/modules/backup/variables.tf b/modules/backup/variables.tf index 1b3a4c54..d78d0c05 100644 --- a/modules/backup/variables.tf +++ b/modules/backup/variables.tf @@ -44,16 +44,19 @@ variable "backup_retention_time" { variable "scheduler_timezone" { description = "The Timezone in which the Scheduler Jobs are triggered" + type = string default = "Etc/GMT" } variable "backup_schedule" { description = "The cron schedule to execute the internal backup" + type = string default = "45 2 * * *" } variable "export_schedule" { description = "The cron schedule to execute the export to GCS" + type = string default = "15 3 * * *" } 
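Review bot: The descriptions for `enable_export_backup` and `enable_internal_backup` read `Weather to create exports to GCS Buckets with this module` and `Wether to create internal backups with this module`; both should be `Whether`. Since this file is generated (per the commit subject), the fix belongs in the `description` strings of those variables in `modules/backup/variables.tf` followed by a regeneration, otherwise the next generator run reintroduces the typos. The `examples` list also enumerates every example in the repository, while only `mysql-backup-create-service-account` and `postgresql-backup-provided-service-account` appear, from their names, to exercise this module; if the generator cannot scope it, a comment such as `# examples: all repo examples, not only those using this module` above the list would stop readers from assuming each one demonstrates backup.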
diff --git a/modules/mssql/metadata.yaml b/modules/mssql/metadata.yaml new file mode 100644 index 00000000..461822f5 --- /dev/null +++ b/modules/mssql/metadata.yaml 
@@ -0,0 +1,324 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-sql-db + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: terraform-google-sql for MSSQL Server + source: + repo: https://github.com/terraform-google-modules/terraform-google-sql-db + sourceType: git + version: 13.0.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: mssql-public + location: examples/mssql-public + - name: mysql-backup-create-service-account + location: examples/mysql-backup-create-service-account + - name: mysql-ha + location: examples/mysql-ha + - name: mysql-private + location: examples/mysql-private + - name: mysql-public + location: examples/mysql-public + - name: postgresql-backup-provided-service-account + location: examples/postgresql-backup-provided-service-account + - name: postgresql-ha + location: examples/postgresql-ha + - name: postgresql-public + location: examples/postgresql-public + - name: postgresql-public-iam + location: examples/postgresql-public-iam + variables: + - name: activation_policy + description: The activation policy for the master instance.Can be either `ALWAYS`, `NEVER` or `ON_DEMAND`. + type: string + default: ALWAYS + required: false + - name: active_directory_config + description: Active domain that the SQL instance will join. 
+ type: map(string) + default: {} + required: false + - name: additional_databases + description: A list of databases to be created in your cluster + type: |- + list(object({ + name = string + charset = string + collation = string + })) + default: [] + required: false + - name: additional_users + description: A list of users to be created in your cluster + type: |- + list(object({ + name = string + password = string + })) + default: [] + required: false + - name: availability_type + description: The availability type for the master instance.This is only used to set up high availability for the MSSQL instance. Can be either `ZONAL` or `REGIONAL`. + type: string + default: ZONAL + required: false + - name: backup_configuration + description: The database backup configuration. + type: |- + object({ + binary_log_enabled = bool + enabled = bool + point_in_time_recovery_enabled = bool + start_time = string + transaction_log_retention_days = string + retained_backups = number + retention_unit = string + }) + default: + binary_log_enabled: null + enabled: false + point_in_time_recovery_enabled: null + retained_backups: null + retention_unit: null + start_time: null + transaction_log_retention_days: null + required: false + - name: create_timeout + description: The optional timeout that is applied to limit long database creates. + type: string + default: 15m + required: false + - name: database_flags + description: The database flags for the master instance. 
See [more details](https://cloud.google.com/sql/docs/sqlserver/flags) + type: |- + list(object({ + name = string + value = string + })) + default: [] + required: false + - name: database_version + description: 'The database version to use: SQLSERVER_2017_STANDARD, SQLSERVER_2017_ENTERPRISE, SQLSERVER_2017_EXPRESS, or SQLSERVER_2017_WEB' + type: string + default: SQLSERVER_2017_STANDARD + required: false + - name: db_charset + description: The charset for the default database + type: string + default: "" + required: false + - name: db_collation + description: 'The collation for the default database. Example: ''en_US.UTF8''' + type: string + default: "" + required: false + - name: db_name + description: The name of the default database to create + type: string + default: default + required: false + - name: delete_timeout + description: The optional timeout that is applied to limit long database deletes. + type: string + default: 30m + required: false + - name: deletion_protection + description: Used to block Terraform from deleting a SQL Instance. + type: bool + default: true + required: false + - name: disk_autoresize + description: Configuration to increase storage size. + type: bool + default: true + required: false + - name: disk_autoresize_limit + description: The maximum size to which storage can be auto increased. + type: number + default: 0 + required: false + - name: disk_size + description: The disk size for the master instance. + type: number + default: 10 + required: false + - name: disk_type + description: The disk type for the master instance. + type: string + default: PD_SSD + required: false + - name: encryption_key_name + description: The full path to the encryption key used for the CMEK disk encryption + type: string + required: false + - name: follow_gae_application + description: A Google App Engine application whose zone to remain in. Must be in the same region as this instance. 
+ type: string + required: false + - name: ip_configuration + description: The ip configuration for the master instances. + type: |- + object({ + authorized_networks = list(map(string)) + ipv4_enabled = bool + private_network = string + require_ssl = bool + allocated_ip_range = string + }) + default: + allocated_ip_range: null + authorized_networks: [] + ipv4_enabled: true + private_network: null + require_ssl: null + required: false + - name: maintenance_window_day + description: The day of week (1-7) for the master instance maintenance. + type: number + default: 1 + required: false + - name: maintenance_window_hour + description: The hour of day (0-23) maintenance window for the master instance maintenance. + type: number + default: 23 + required: false + - name: maintenance_window_update_track + description: The update track of maintenance window for the master instance maintenance.Can be either `canary` or `stable`. + type: string + default: canary + required: false + - name: module_depends_on + description: List of modules or resources this module depends on. + type: list(any) + default: [] + required: false + - name: name + description: The name of the Cloud SQL resources + type: string + required: true + - name: pricing_plan + description: The pricing plan for the master instance. + type: string + default: PER_USE + required: false + - name: project_id + description: The project ID to manage the Cloud SQL resources + type: string + required: true + - name: random_instance_name + description: Sets random suffix at the end of the Cloud SQL resource name + type: bool + default: false + required: false + - name: region + description: The region of the Cloud SQL resources + type: string + default: us-central1 + required: false + - name: root_password + description: MSSERVER password for the root user. If not set, a random one will be generated and available in the root_password output variable. 
+ type: string + default: "" + required: false + - name: secondary_zone + description: 'The preferred zone for the secondary/failover instance, it should be something like: `us-central1-a`, `us-east1-c`.' + type: string + required: false + - name: sql_server_audit_config + description: SQL server audit config settings. + type: map(string) + default: {} + required: false + - name: tier + description: The tier for the master instance. + type: string + default: db-custom-2-3840 + required: false + - name: update_timeout + description: The optional timeout that is applied to limit long database updates. + type: string + default: 15m + required: false + - name: user_labels + description: The key/value labels for the master instances. + type: map(string) + default: {} + required: false + - name: user_name + description: The name of the default user + type: string + default: default + required: false + - name: user_password + description: The password for the default user. If not set, a random one will be generated and available in the generated_user_password output variable. + type: string + default: "" + required: false + - name: zone + description: The zone for the master instance. + type: string + default: us-central1-a + required: false + outputs: + - name: additional_users + description: List of maps of additional users and passwords + - name: generated_user_password + description: The auto generated default user password if not input password was provided + - name: instance_address + description: The IPv4 addesses assigned for the master instance + - name: instance_connection_name + description: The connection name of the master instance to be used in connection strings + - name: instance_first_ip_address + description: The first IPv4 address of the addresses assigned. 
+ - name: instance_name + description: The instance name for the master instance + - name: instance_self_link + description: The URI of the master instance + - name: instance_server_ca_cert + description: The CA certificate information used to connect to the SQL instance via SSL + - name: instance_service_account_email_address + description: The service account email address assigned to the master instance + - name: primary + description: The `google_sql_database_instance` resource representing the primary instance + - name: private_address + description: The private IP address assigned for the master instance + - name: root_password + description: MSSERVER password for the root user. If not set, a random one will be generated and available in the root_password output variable. + roles: + - level: Project + roles: + - roles/cloudsql.admin + - roles/compute.networkAdmin + - roles/iam.serviceAccountAdmin + - roles/resourcemanager.projectIamAdmin + - roles/storage.admin + - roles/workflows.admin + - roles/cloudscheduler.admin + - roles/iam.serviceAccountUser + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - servicenetworking.googleapis.com + - sqladmin.googleapis.com + - iam.googleapis.com + - workflows.googleapis.com + - cloudscheduler.googleapis.com diff --git a/modules/mssql/variables.tf b/modules/mssql/variables.tf index df365081..ceb1c0ea 100644 --- a/modules/mssql/variables.tf +++ b/modules/mssql/variables.tf @@ -94,6 +94,7 @@ variable "disk_autoresize_limit" { variable "disk_size" { description = "The disk size for the master instance." + type = number default = 10 } diff --git a/modules/mssql/versions.tf b/modules/mssql/versions.tf index 7bab339c..4af131f5 100644 --- a/modules/mssql/versions.tf +++ b/modules/mssql/versions.tf 
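Review bot: The `roles` and `services` lists at the end of this file are identical to those in the repo-level `metadata.yaml` and in `modules/backup/metadata.yaml` from this same commit, including `roles/workflows.admin`, `roles/cloudscheduler.admin` and `roles/resourcemanager.projectIamAdmin`, none of which anything in the mssql variables or outputs above appears to need. If a consumer derives a deployer identity's permissions from this block, it over-provisions relative to what the module itself does; if the generator sources the list from the shared integration-test setup, a comment above `roles:` such as `# union of roles used by the repo's integration tests, not the minimum for this module` would make that explicit. The `examples` list has the same shape, enumerating every example in the repository rather than only `mssql-public`.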
@@ -18,10 +18,22 @@ terraform { required_version = ">= 0.13" required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.28.0, < 5.0" + } google-beta = { source = "hashicorp/google-beta" version = ">= 4.28.0, < 5.0" } + random = { + source = "hashicorp/random" + version = "~> 3.4" + } + null = { + source = "hashicorp/null" + version = "~> 3.2" + } } provider_meta "google-beta" { diff --git a/modules/mysql/main.tf b/modules/mysql/main.tf index 106ab493..967af67d 100644 --- a/modules/mysql/main.tf +++ b/modules/mysql/main.tf @@ -15,9 +15,7 @@ */ locals { - master_instance_name = var.random_instance_name ? "${var.name}-${random_id.suffix[0].hex}" : var.name - - default_user_host = "%" + master_instance_name = var.random_instance_name ? "${var.name}-${random_id.suffix[0].hex}" : var.name ip_configuration_enabled = length(keys(var.ip_configuration)) > 0 ? true : false ip_configurations = { diff --git a/modules/mysql/metadata.yaml b/modules/mysql/metadata.yaml new file mode 100644 index 00000000..d21db7a8 --- /dev/null +++ b/modules/mysql/metadata.yaml 
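Review bot: Dropping the `default_user_host = "%"` local is only safe if no remaining expression in `modules/mysql/main.tf` reads `local.default_user_host`; the `locals` block continues past the hunk, so that cannot be confirmed from here. The `user_host` variable documented in the new `modules/mysql/metadata.yaml` (default `'%'`) presumably replaced it. Because `%` lets the default user authenticate from any client host, a why-comment on that variable in `modules/mysql/variables.tf`, e.g. `# "%" matches any client host; narrow this for production deployments`, would keep the trade-off visible now that the literal no longer appears in `main.tf`.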
@@ -0,0 +1,388 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-sql-db + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: terraform-google-sql for MySQL + source: + repo: https://github.com/terraform-google-modules/terraform-google-sql-db + sourceType: git + version: 13.0.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: mssql-public + location: examples/mssql-public + - name: mysql-backup-create-service-account + location: examples/mysql-backup-create-service-account + - name: mysql-ha + location: examples/mysql-ha + - name: mysql-private + location: examples/mysql-private + - name: mysql-public + location: examples/mysql-public + - name: postgresql-backup-provided-service-account + location: examples/postgresql-backup-provided-service-account + - name: postgresql-ha + location: examples/postgresql-ha + - name: postgresql-public + location: examples/postgresql-public + - name: postgresql-public-iam + location: examples/postgresql-public-iam + variables: + - name: activation_policy + description: The activation policy for the master instance. Can be either `ALWAYS`, `NEVER` or `ON_DEMAND`. 
+ type: string + default: ALWAYS + required: false + - name: additional_databases + description: A list of databases to be created in your cluster + type: |- + list(object({ + name = string + charset = string + collation = string + })) + default: [] + required: false + - name: additional_users + description: A list of users to be created in your cluster + type: list(map(any)) + default: [] + required: false + - name: availability_type + description: The availability type for the master instance. Can be either `REGIONAL` or `null`. + type: string + default: REGIONAL + required: false + - name: backup_configuration + description: The backup_configuration settings subblock for the database setings + type: |- + object({ + binary_log_enabled = bool + enabled = bool + start_time = string + location = string + transaction_log_retention_days = string + retained_backups = number + retention_unit = string + }) + default: + binary_log_enabled: false + enabled: false + location: null + retained_backups: null + retention_unit: null + start_time: null + transaction_log_retention_days: null + required: false + - name: create_timeout + description: The optional timout that is applied to limit long database creates. + type: string + default: 10m + required: false + - name: database_flags + description: List of Cloud SQL flags that are applied to the database server. See [more details](https://cloud.google.com/sql/docs/mysql/flags) + type: |- + list(object({ + name = string + value = string + })) + default: [] + required: false + - name: database_version + description: The database version to use + type: string + required: true + - name: db_charset + description: The charset for the default database + type: string + default: "" + required: false + - name: db_collation + description: 'The collation for the default database. 
Example: ''utf8_general_ci''' + type: string + default: "" + required: false + - name: db_name + description: The name of the default database to create + type: string + default: default + required: false + - name: delete_timeout + description: The optional timout that is applied to limit long database deletes. + type: string + default: 10m + required: false + - name: deletion_protection + description: Used to block Terraform from deleting a SQL Instance. + type: bool + default: true + required: false + - name: disk_autoresize + description: Configuration to increase storage size + type: bool + default: true + required: false + - name: disk_autoresize_limit + description: The maximum size to which storage can be auto increased. + type: number + default: 0 + required: false + - name: disk_size + description: The disk size for the master instance + type: number + default: 10 + required: false + - name: disk_type + description: The disk type for the master instance. + type: string + default: PD_SSD + required: false + - name: enable_default_db + description: Enable or disable the creation of the default database + type: bool + default: true + required: false + - name: enable_default_user + description: Enable or disable the creation of the default user + type: bool + default: true + required: false + - name: encryption_key_name + description: The full path to the encryption key used for the CMEK disk encryption + type: string + required: false + - name: follow_gae_application + description: A Google App Engine application whose zone to remain in. Must be in the same region as this instance. + type: string + required: false + - name: insights_config + description: The insights_config settings for the database. 
+ type: |- + object({ + query_string_length = number + record_application_tags = bool + record_client_address = bool + }) + required: false + - name: ip_configuration + description: The ip_configuration settings subblock + type: |- + object({ + authorized_networks = list(map(string)) + ipv4_enabled = bool + private_network = string + require_ssl = bool + allocated_ip_range = string + }) + default: + allocated_ip_range: null + authorized_networks: [] + ipv4_enabled: true + private_network: null + require_ssl: null + required: false + - name: maintenance_window_day + description: The day of week (1-7) for the master instance maintenance. + type: number + default: 1 + required: false + - name: maintenance_window_hour + description: The hour of day (0-23) maintenance window for the master instance maintenance. + type: number + default: 23 + required: false + - name: maintenance_window_update_track + description: The update track of maintenance window for the master instance maintenance. Can be either `canary` or `stable`. + type: string + default: canary + required: false + - name: module_depends_on + description: List of modules or resources this module depends on. + type: list(any) + default: [] + required: false + - name: name + description: The name of the Cloud SQL resources + type: string + required: true + - name: pricing_plan + description: The pricing plan for the master instance. + type: string + default: PER_USE + required: false + - name: project_id + description: The project ID to manage the Cloud SQL resources + type: string + required: true + - name: random_instance_name + description: Sets random suffix at the end of the Cloud SQL resource name + type: bool + default: false + required: false + - name: read_replica_deletion_protection + description: Used to block Terraform from deleting replica SQL Instances. 
+ type: bool
+ default: false
+ required: false
+ - name: read_replica_name_suffix
+ description: The optional suffix to add to the read instance name
+ type: string
+ default: ""
+ required: false
+ - name: read_replicas
+ description: List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption_key_name = null
+ type: |-
+ list(object({
+ name = string
+ tier = string
+ zone = string
+ availability_type = string
+ disk_type = string
+ disk_autoresize = bool
+ disk_autoresize_limit = number
+ disk_size = string
+ user_labels = map(string)
+ database_flags = list(object({
+ name = string
+ value = string
+ }))
+ ip_configuration = object({
+ authorized_networks = list(map(string))
+ ipv4_enabled = bool
+ private_network = string
+ require_ssl = bool
+ allocated_ip_range = string
+ })
+ encryption_key_name = string
+ }))
+ default: []
+ required: false
+ - name: region
+ description: The region of the Cloud SQL resources
+ type: string
+ default: us-central1
+ required: false
+ - name: replica_database_version
+ description: The read replica database version to use. This var should only be used during a database update. The update sequence 1. read-replica 2. master, setting this to an updated version will cause the replica to update, then you may update the master with the var database_version and remove this field after update is complete
+ type: string
+ default: ""
+ required: false
+ - name: secondary_zone
+ description: 'The preferred zone for the secondary/failover instance, it should be something like: `us-central1-a`, `us-east1-c`.'
+ type: string
+ required: false
+ - name: tier
+ description: The tier for the master instance.
+ type: string
+ default: db-n1-standard-1
+ required: false
+ - name: update_timeout
+ description: The optional timout that is applied to limit long database updates.
+ type: string
+ default: 10m
+ required: false
+ - name: user_host
+ description: The host for the default user
+ type: string
+ default: '%'
+ required: false
+ - name: user_labels
+ description: The key/value labels for the master instances.
+ type: map(string)
+ default: {}
+ required: false
+ - name: user_name
+ description: The name of the default user
+ type: string
+ default: default
+ required: false
+ - name: user_password
+ description: The password for the default user. If not set, a random one will be generated and available in the generated_user_password output variable.
+ type: string
+ default: ""
+ required: false
+ - name: zone
+ description: 'The zone for the master instance, it should be something like: `us-central1-a`, `us-east1-c`.'
+ type: string
+ required: true
+ outputs:
+ - name: additional_users
+ description: List of maps of additional users and passwords
+ - name: generated_user_password
+ description: The auto generated default user password if not input password was provided
+ - name: instance_connection_name
+ description: The connection name of the master instance to be used in connection strings
+ - name: instance_first_ip_address
+ description: The first IPv4 address of the addresses assigned for the master instance.
+ - name: instance_ip_address
+ description: The IPv4 address assigned for the master instance
+ - name: instance_name
+ description: The instance name for the master instance
+ - name: instance_self_link
+ description: The URI of the master instance
+ - name: instance_server_ca_cert
+ description: The CA certificate information used to connect to the SQL instance via SSL
+ - name: instance_service_account_email_address
+ description: The service account email address assigned to the master instance
+ - name: instances
+ description: A list of all `google_sql_database_instance` resources we've created
+ - name: primary
+ description: The `google_sql_database_instance` resource representing the primary instance
+ - name: private_address
+ description: The private IP address assigned for the master instance
+ - name: private_ip_address
+ description: The first private (PRIVATE) IPv4 address assigned for the master instance
+ - name: public_ip_address
+ description: The first public (PRIMARY) IPv4 address assigned for the master instance
+ - name: read_replica_instance_names
+ description: The instance names for the read replica instances
+ - name: replicas
+ description: A list of `google_sql_database_instance` resources representing the replicas
+ - name: replicas_instance_connection_names
+ description: The connection names of the replica instances to be used in connection strings
+ - name: replicas_instance_first_ip_addresses
+ description: The first IPv4 addresses of the addresses assigned for the replica instances
+ - name: replicas_instance_self_links
+ description: The URIs of the replica instances
+ - name: replicas_instance_server_ca_certs
+ description: The CA certificates information used to connect to the replica instances via SSL
+ - name: replicas_instance_service_account_email_addresses
+ description: The service account email addresses assigned to the replica instances
+ roles:
+ - level: Project
+ roles:
+ - roles/cloudsql.admin
+ -
roles/compute.networkAdmin
+ - roles/iam.serviceAccountAdmin
+ - roles/resourcemanager.projectIamAdmin
+ - roles/storage.admin
+ - roles/workflows.admin
+ - roles/cloudscheduler.admin
+ - roles/iam.serviceAccountUser
+ services:
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - servicenetworking.googleapis.com
+ - sqladmin.googleapis.com
+ - iam.googleapis.com
+ - workflows.googleapis.com
+ - cloudscheduler.googleapis.com
diff --git a/modules/postgresql/metadata.yaml b/modules/postgresql/metadata.yaml
new file mode 100644
index 00000000..bd3581f6
--- /dev/null
+++ b/modules/postgresql/metadata.yaml
@@ -0,0 +1,393 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-sql-db
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ title: terraform-google-sql for PostgreSQL
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-sql-db
+ sourceType: git
+ version: 13.0.1
+ actuationTool:
+ type: Terraform
+ version: '>= 0.13'
+ examples:
+ - name: mssql-public
+ location: examples/mssql-public
+ - name: mysql-backup-create-service-account
+ location: examples/mysql-backup-create-service-account
+ - name: mysql-ha
+ location: examples/mysql-ha
+ - name: mysql-private
+ location: examples/mysql-private
+ - name: mysql-public
+ location: examples/mysql-public
+ - name: postgresql-backup-provided-service-account
+ location: examples/postgresql-backup-provided-service-account
+ - name: postgresql-ha
+ location: examples/postgresql-ha
+ - name: postgresql-public
+ location: examples/postgresql-public
+ - name: postgresql-public-iam
+ location: examples/postgresql-public-iam
+ variables:
+ - name: activation_policy
+ description: The activation policy for the master instance.Can be either `ALWAYS`, `NEVER` or `ON_DEMAND`.
+ type: string
+ default: ALWAYS
+ required: false
+ - name: additional_databases
+ description: A list of databases to be created in your cluster
+ type: |-
+ list(object({
+ name = string
+ charset = string
+ collation = string
+ }))
+ default: []
+ required: false
+ - name: additional_users
+ description: A list of users to be created in your cluster
+ type: |-
+ list(object({
+ name = string
+ password = string
+ }))
+ default: []
+ required: false
+ - name: availability_type
+ description: The availability type for the master instance.This is only used to set up high availability for the PostgreSQL instance. Can be either `ZONAL` or `REGIONAL`.
+ type: string
+ default: ZONAL
+ required: false
+ - name: backup_configuration
+ description: The backup_configuration settings subblock for the database setings
+ type: |-
+ object({
+ enabled = bool
+ start_time = string
+ location = string
+ point_in_time_recovery_enabled = bool
+ transaction_log_retention_days = string
+ retained_backups = number
+ retention_unit = string
+ })
+ default:
+ enabled: false
+ location: null
+ point_in_time_recovery_enabled: false
+ retained_backups: null
+ retention_unit: null
+ start_time: null
+ transaction_log_retention_days: null
+ required: false
+ - name: create_timeout
+ description: The optional timout that is applied to limit long database creates.
+ type: string
+ default: 15m
+ required: false
+ - name: database_deletion_policy
+ description: 'The deletion policy for the database. Setting ABANDON allows the resource to be abandoned rather than deleted. This is useful for Postgres, where databases cannot be deleted from the API if there are users other than cloudsqlsuperuser with access. Possible values are: "ABANDON".'
+ type: string
+ required: false
+ - name: database_flags
+ description: The database flags for the master instance.
See [more details](https://cloud.google.com/sql/docs/postgres/flags)
+ type: |-
+ list(object({
+ name = string
+ value = string
+ }))
+ default: []
+ required: false
+ - name: database_version
+ description: The database version to use
+ type: string
+ required: true
+ - name: db_charset
+ description: The charset for the default database
+ type: string
+ default: ""
+ required: false
+ - name: db_collation
+ description: 'The collation for the default database. Example: ''en_US.UTF8'''
+ type: string
+ default: ""
+ required: false
+ - name: db_name
+ description: The name of the default database to create
+ type: string
+ default: default
+ required: false
+ - name: delete_timeout
+ description: The optional timout that is applied to limit long database deletes.
+ type: string
+ default: 15m
+ required: false
+ - name: deletion_protection
+ description: Used to block Terraform from deleting a SQL Instance.
+ type: bool
+ default: true
+ required: false
+ - name: disk_autoresize
+ description: Configuration to increase storage size.
+ type: bool
+ default: true
+ required: false
+ - name: disk_autoresize_limit
+ description: The maximum size to which storage can be auto increased.
+ type: number
+ default: 0
+ required: false
+ - name: disk_size
+ description: The disk size for the master instance.
+ type: number
+ default: 10
+ required: false
+ - name: disk_type
+ description: The disk type for the master instance.
+ type: string
+ default: PD_SSD
+ required: false
+ - name: enable_default_db
+ description: Enable or disable the creation of the default database
+ type: bool
+ default: true
+ required: false
+ - name: enable_default_user
+ description: Enable or disable the creation of the default user
+ type: bool
+ default: true
+ required: false
+ - name: encryption_key_name
+ description: The full path to the encryption key used for the CMEK disk encryption
+ type: string
+ required: false
+ - name: follow_gae_application
+ description: A Google App Engine application whose zone to remain in. Must be in the same region as this instance.
+ type: string
+ required: false
+ - name: iam_user_emails
+ description: A list of IAM users to be created in your cluster
+ type: list(string)
+ default: []
+ required: false
+ - name: insights_config
+ description: The insights_config settings for the database.
+ type: |-
+ object({
+ query_string_length = number
+ record_application_tags = bool
+ record_client_address = bool
+ })
+ required: false
+ - name: ip_configuration
+ description: The ip configuration for the master instances.
+ type: |-
+ object({
+ authorized_networks = list(map(string))
+ ipv4_enabled = bool
+ private_network = string
+ require_ssl = bool
+ allocated_ip_range = string
+ })
+ default:
+ allocated_ip_range: null
+ authorized_networks: []
+ ipv4_enabled: true
+ private_network: null
+ require_ssl: null
+ required: false
+ - name: maintenance_window_day
+ description: The day of week (1-7) for the master instance maintenance.
+ type: number
+ default: 1
+ required: false
+ - name: maintenance_window_hour
+ description: The hour of day (0-23) maintenance window for the master instance maintenance.
+ type: number
+ default: 23
+ required: false
+ - name: maintenance_window_update_track
+ description: The update track of maintenance window for the master instance maintenance.Can be either `canary` or `stable`.
+ type: string
+ default: canary
+ required: false
+ - name: module_depends_on
+ description: List of modules or resources this module depends on.
+ type: list(any)
+ default: []
+ required: false
+ - name: name
+ description: The name of the Cloud SQL resources
+ type: string
+ required: true
+ - name: pricing_plan
+ description: The pricing plan for the master instance.
+ type: string
+ default: PER_USE
+ required: false
+ - name: project_id
+ description: The project ID to manage the Cloud SQL resources
+ type: string
+ required: true
+ - name: random_instance_name
+ description: Sets random suffix at the end of the Cloud SQL resource name
+ type: bool
+ default: false
+ required: false
+ - name: read_replica_deletion_protection
+ description: Used to block Terraform from deleting replica SQL Instances.
+ type: bool
+ default: false
+ required: false
+ - name: read_replica_name_suffix
+ description: The optional suffix to add to the read instance name
+ type: string
+ default: ""
+ required: false
+ - name: read_replicas
+ description: List of read replicas to create. Encryption key is required for replica in different region.
For replica in same region as master set encryption_key_name = null
+ type: |-
+ list(object({
+ name = string
+ tier = string
+ availability_type = string
+ zone = string
+ disk_type = string
+ disk_autoresize = bool
+ disk_autoresize_limit = number
+ disk_size = string
+ user_labels = map(string)
+ database_flags = list(object({
+ name = string
+ value = string
+ }))
+ ip_configuration = object({
+ authorized_networks = list(map(string))
+ ipv4_enabled = bool
+ private_network = string
+ require_ssl = bool
+ allocated_ip_range = string
+ })
+ encryption_key_name = string
+ }))
+ default: []
+ required: false
+ - name: region
+ description: The region of the Cloud SQL resources
+ type: string
+ default: us-central1
+ required: false
+ - name: secondary_zone
+ description: 'The preferred zone for the secondary/failover instance, it should be something like: `us-central1-a`, `us-east1-c`.'
+ type: string
+ required: false
+ - name: tier
+ description: The tier for the master instance.
+ type: string
+ default: db-f1-micro
+ required: false
+ - name: update_timeout
+ description: The optional timout that is applied to limit long database updates.
+ type: string
+ default: 15m
+ required: false
+ - name: user_deletion_policy
+ description: 'The deletion policy for the user. Setting ABANDON allows the resource to be abandoned rather than deleted. This is useful for Postgres, where users cannot be deleted from the API if they have been granted SQL roles. Possible values are: "ABANDON".'
+ type: string
+ required: false
+ - name: user_labels
+ description: The key/value labels for the master instances.
+ type: map(string)
+ default: {}
+ required: false
+ - name: user_name
+ description: The name of the default user
+ type: string
+ default: default
+ required: false
+ - name: user_password
+ description: The password for the default user. If not set, a random one will be generated and available in the generated_user_password output variable.
+ type: string
+ default: ""
+ required: false
+ - name: zone
+ description: 'The zone for the master instance, it should be something like: `us-central1-a`, `us-east1-c`.'
+ type: string
+ required: true
+ outputs:
+ - name: additional_users
+ description: List of maps of additional users and passwords
+ - name: generated_user_password
+ description: The auto generated default user password if not input password was provided
+ - name: instance_connection_name
+ description: The connection name of the master instance to be used in connection strings
+ - name: instance_first_ip_address
+ description: The first IPv4 address of the addresses assigned.
+ - name: instance_ip_address
+ description: The IPv4 address assigned for the master instance
+ - name: instance_name
+ description: The instance name for the master instance
+ - name: instance_self_link
+ description: The URI of the master instance
+ - name: instance_server_ca_cert
+ description: The CA certificate information used to connect to the SQL instance via SSL
+ - name: instance_service_account_email_address
+ description: The service account email address assigned to the master instance
+ - name: instances
+ description: A list of all `google_sql_database_instance` resources we've created
+ - name: primary
+ description: The `google_sql_database_instance` resource representing the primary instance
+ - name: private_ip_address
+ description: The first private (PRIVATE) IPv4 address assigned for the master instance
+ - name: public_ip_address
+ description: The first public (PRIMARY) IPv4 address assigned for the master instance
+ - name: read_replica_instance_names
+ description: The instance names for the read replica instances
+ - name: replicas
+ description: A list of `google_sql_database_instance` resources representing the replicas
+ - name: replicas_instance_connection_names
+ description: The connection names of the replica instances to be used in connection strings
+ - name:
replicas_instance_first_ip_addresses
+ description: The first IPv4 addresses of the addresses assigned for the replica instances
+ - name: replicas_instance_self_links
+ description: The URIs of the replica instances
+ - name: replicas_instance_server_ca_certs
+ description: The CA certificates information used to connect to the replica instances via SSL
+ - name: replicas_instance_service_account_email_addresses
+ description: The service account email addresses assigned to the replica instances
+ roles:
+ - level: Project
+ roles:
+ - roles/cloudsql.admin
+ - roles/compute.networkAdmin
+ - roles/iam.serviceAccountAdmin
+ - roles/resourcemanager.projectIamAdmin
+ - roles/storage.admin
+ - roles/workflows.admin
+ - roles/cloudscheduler.admin
+ - roles/iam.serviceAccountUser
+ services:
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - servicenetworking.googleapis.com
+ - sqladmin.googleapis.com
+ - iam.googleapis.com
+ - workflows.googleapis.com
+ - cloudscheduler.googleapis.com
diff --git a/modules/postgresql/variables.tf b/modules/postgresql/variables.tf
index 7deb19d5..5da3e358 100644
--- a/modules/postgresql/variables.tf
+++ b/modules/postgresql/variables.tf
@@ -97,6 +97,7 @@ variable "disk_autoresize_limit" {
 variable "disk_size" {
 description = "The disk size for the master instance."
+ type = number
 default = 10
 }
diff --git a/modules/private_service_access/metadata.yaml b/modules/private_service_access/metadata.yaml
new file mode 100644
index 00000000..a871f513
--- /dev/null
+++ b/modules/private_service_access/metadata.yaml
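Review bot: The `ip_configuration` entry in this hunk publishes a default of `ipv4_enabled: true` together with `require_ssl: null` and an empty `authorized_networks`, so the documented out-of-the-box posture is an instance with a public IPv4 address and no enforced TLS, while its description reads only 'The ip configuration for the master instances.' A consumer reading this metadata gets no hint of that, so I would extend the description to `The ip configuration for the master instances. By default a public IPv4 address is assigned and SSL is not required; set ipv4_enabled = false with private_network, or require_ssl = true, to harden the instance.` The metadata hunk just above this one carries the same default and a similarly silent description. If this file is generated from variables.tf, the wording change belongs there so regeneration does not revert it; the same pass would also fix the recurring 'timout' typo in create_timeout, delete_timeout and update_timeout and the missing space after the period in the activation_policy, availability_type and maintenance_window_update_track descriptions.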
@@ -0,0 +1,108 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-sql-db
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ title: Submodule for VPC peering Cloud SQL services
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-sql-db
+ sourceType: git
+ version: 13.0.1
+ actuationTool:
+ type: Terraform
+ version: '>= 0.13'
+ examples:
+ - name: mssql-public
+ location: examples/mssql-public
+ - name: mysql-backup-create-service-account
+ location: examples/mysql-backup-create-service-account
+ - name: mysql-ha
+ location: examples/mysql-ha
+ - name: mysql-private
+ location: examples/mysql-private
+ - name: mysql-public
+ location: examples/mysql-public
+ - name: postgresql-backup-provided-service-account
+ location: examples/postgresql-backup-provided-service-account
+ - name: postgresql-ha
+ location: examples/postgresql-ha
+ - name: postgresql-public
+ location: examples/postgresql-public
+ - name: postgresql-public-iam
+ location: examples/postgresql-public-iam
+ variables:
+ - name: address
+ description: First IP address of the IP range to allocate to CLoud SQL instances and other Private Service Access services. If not set, GCP will pick a valid one for you.
+ type: string
+ default: ""
+ required: false
+ - name: description
+ description: An optional description of the Global Address resource.
+ type: string
+ default: ""
+ required: false
+ - name: ip_version
+ description: IP Version for the allocation. Can be IPV4 or IPV6.
+ type: string
+ default: ""
+ required: false
+ - name: labels
+ description: The key/value labels for the IP range allocated to the peered network.
+ type: map(string)
+ default: {}
+ required: false
+ - name: prefix_length
+ description: Prefix length of the IP range reserved for Cloud SQL instances and other Private Service Access services. Defaults to /16.
+ type: number
+ default: 16
+ required: false
+ - name: project_id
+ description: The project ID of the VPC network to peer. This can be a shared VPC host projec.
+ type: string
+ required: true
+ - name: vpc_network
+ description: Name of the VPC network to peer.
+ type: string
+ required: true
+ outputs:
+ - name: address
+ description: First IP of the reserved range.
+ - name: google_compute_global_address_name
+ description: URL of the reserved range.
+ - name: peering_completed
+ description: Use for enforce ordering between resource creation
+ roles:
+ - level: Project
+ roles:
+ - roles/cloudsql.admin
+ - roles/compute.networkAdmin
+ - roles/iam.serviceAccountAdmin
+ - roles/resourcemanager.projectIamAdmin
+ - roles/storage.admin
+ - roles/workflows.admin
+ - roles/cloudscheduler.admin
+ - roles/iam.serviceAccountUser
+ services:
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - servicenetworking.googleapis.com
+ - sqladmin.googleapis.com
+ - iam.googleapis.com
+ - workflows.googleapis.com
+ - cloudscheduler.googleapis.com
diff --git a/modules/restore/README.md b/modules/restore/README.md
index 0659e9b2..bfb74cfd 100644
--- a/modules/restore/README.md
+++ b/modules/restore/README.md
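Review bot: The `roles` and `services` blocks at the end of this hunk are identical to the ones on the database modules, yet this module's inputs and outputs (address, prefix_length, vpc_network, google_compute_global_address_name, peering_completed) describe only a reserved global address and a Private Service Access peering. If consumers treat this list as the grant needed to deploy the submodule, they will hand a deployer identity roles/resourcemanager.projectIamAdmin, roles/storage.admin, roles/workflows.admin and roles/cloudscheduler.admin that nothing here exercises, which is the opposite of least privilege. I would trim the list to the roles and APIs this module actually touches (roles/compute.networkAdmin with compute.googleapis.com and servicenetworking.googleapis.com look like the plausible floor, but that should be confirmed against the module's resources, which are outside this hunk) and, if the generator cannot do that per module, at least add a comment above `roles:` such as `# NOTE: repo-wide role set shared by all submodules; the peering submodule needs far less`. Two description typos also slipped in: 'CLoud SQL' under address and 'host projec' under project_id.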
@@ -46,7 +46,7 @@ gcloud workflows run my-import-workflow --data='{"exportTimestamp": "1658779617"
 | Name | Description |
 |------|-------------|
 | import\_workflow\_name | The name for import workflow |
-| region | n/a |
+| region | The region for running the scheduler and workflow |
 | service\_account | The service account email running the scheduler and workflow |
diff --git a/modules/restore/metadata.yaml b/modules/restore/metadata.yaml
new file mode 100644
index 00000000..b77b2206
--- /dev/null
+++ b/modules/restore/metadata.yaml
@@ -0,0 +1,100 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-sql-db
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ title: GCP CloudSQL Restore
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-sql-db
+ sourceType: git
+ actuationTool:
+ type: Terraform
+ version: '>= 0.13'
+ examples:
+ - name: mssql-public
+ location: examples/mssql-public
+ - name: mysql-backup-create-service-account
+ location: examples/mysql-backup-create-service-account
+ - name: mysql-ha
+ location: examples/mysql-ha
+ - name: mysql-private
+ location: examples/mysql-private
+ - name: mysql-public
+ location: examples/mysql-public
+ - name: postgresql-backup-provided-service-account
+ location: examples/postgresql-backup-provided-service-account
+ - name: postgresql-ha
+ location: examples/postgresql-ha
+ - name: postgresql-public
+ location: examples/postgresql-public
+ - name: postgresql-public-iam
+ location: examples/postgresql-public-iam
+ variables:
+ - name: import_databases
+ description: The list of databases that should be imported - if is an empty set all databases will be imported
+ type: set(string)
+ default: []
+ required: false
+ - name: import_uri
+ description: The bucket and path uri of GCS backup file for importing
+ type: string
+ required: true
+ - name: project_id
+ description:
The project ID
+ type: string
+ required: true
+ - name: region
+ description: The region to run the workflow
+ type: string
+ default: us-central1
+ required: false
+ - name: service_account
+ description: The service account to use for running the workflow and triggering the workflow by Cloud Scheduler - If empty or null a service account will be created. If you have provided a service account you need to grant the Cloud SQL Admin and the Workflows Invoker role to that
+ type: string
+ required: false
+ - name: sql_instance
+ description: The name of the SQL instance to backup
+ type: string
+ required: true
+ outputs:
+ - name: import_workflow_name
+ description: The name for import workflow
+ - name: region
+ description: The region for running the scheduler and workflow
+ - name: service_account
+ description: The service account email running the scheduler and workflow
+ roles:
+ - level: Project
+ roles:
+ - roles/cloudsql.admin
+ - roles/compute.networkAdmin
+ - roles/iam.serviceAccountAdmin
+ - roles/resourcemanager.projectIamAdmin
+ - roles/storage.admin
+ - roles/workflows.admin
+ - roles/cloudscheduler.admin
+ - roles/iam.serviceAccountUser
+ services:
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - servicenetworking.googleapis.com
+ - sqladmin.googleapis.com
+ - iam.googleapis.com
+ - workflows.googleapis.com
+ - cloudscheduler.googleapis.com
diff --git a/modules/restore/outputs.tf b/modules/restore/outputs.tf
index b9ead5cd..daaf6dea 100644
--- a/modules/restore/outputs.tf
+++ b/modules/restore/outputs.tf
@@ -25,5 +25,6 @@ output "service_account" {
 }
 output "region" {
- value = var.region
+ description = "The region for running the scheduler and workflow"
+ value = var.region
 }
diff --git a/modules/safer_mysql/metadata.yaml b/modules/safer_mysql/metadata.yaml
new file mode 100644
index 00000000..3b7f954c
--- /dev/null
+++ b/modules/safer_mysql/metadata.yaml
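Review bot: The `sql_instance` variable in this hunk is described as 'The name of the SQL instance to backup', but this is the restore module and its sibling inputs (`import_uri`, `import_databases`) all speak of importing; pointing an import workflow at the wrong instance is exactly the mistake an accurate description prevents, so it should read `description: The name of the SQL instance to import the backup into`. Separately, the `source:` stanza here ends at `sourceType: git`, whereas the postgresql, private_service_access and safer_mysql metadata files in this same commit carry a `version: 13.0.1` line right after it; if the omission is not deliberate, the restore module becomes the one blueprint without a pinned version. As with the other metadata files, if these are generated from variables.tf the description fix belongs there rather than here.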
@@ -0,0 +1,357 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-sql-db
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ title: terraform-google-sql for a safer MySQL
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-sql-db
+ sourceType: git
+ version: 13.0.1
+ actuationTool:
+ type: Terraform
+ version: '>= 0.13'
+ examples:
+ - name: mssql-public
+ location: examples/mssql-public
+ - name: mysql-backup-create-service-account
+ location: examples/mysql-backup-create-service-account
+ - name: mysql-ha
+ location: examples/mysql-ha
+ - name: mysql-private
+ location: examples/mysql-private
+ - name: mysql-public
+ location: examples/mysql-public
+ - name: postgresql-backup-provided-service-account
+ location: examples/postgresql-backup-provided-service-account
+ - name: postgresql-ha
+ location: examples/postgresql-ha
+ - name: postgresql-public
+ location: examples/postgresql-public
+ - name: postgresql-public-iam
+ location: examples/postgresql-public-iam
+ variables:
+ - name: activation_policy
+ description: The activation policy for the master instance. Can be either `ALWAYS`, `NEVER` or `ON_DEMAND`.
+ type: string
+ default: ALWAYS
+ required: false
+ - name: additional_databases
+ description: A list of databases to be created in your cluster
+ type: |-
+ list(object({
+ name = string
+ charset = string
+ collation = string
+ }))
+ default: []
+ required: false
+ - name: additional_users
+ description: A list of users to be created in your cluster
+ type: |-
+ list(object({
+ name = string
+ password = string
+ host = string
+ type = string
+ }))
+ default: []
+ required: false
+ - name: allocated_ip_range
+ description: Existing allocated IP range name for the Private IP CloudSQL instance. The networks needs to be configured with https://cloud.google.com/vpc/docs/configure-private-services-access.
+ type: string
+ required: true
+ - name: assign_public_ip
+ description: Set to true if the master instance should also have a public IP (less secure).
+ type: string
+ default: false
+ required: false
+ - name: availability_type
+ description: The availability type for the master instance. Can be either `REGIONAL` or `null`.
+ type: string
+ default: REGIONAL
+ required: false
+ - name: backup_configuration
+ description: The backup_configuration settings subblock for the database setings
+ type: |-
+ object({
+ binary_log_enabled = bool
+ enabled = bool
+ start_time = string
+ location = string
+ transaction_log_retention_days = string
+ retained_backups = number
+ retention_unit = string
+ })
+ default:
+ binary_log_enabled: false
+ enabled: false
+ location: null
+ retained_backups: null
+ retention_unit: null
+ start_time: null
+ transaction_log_retention_days: null
+ required: false
+ - name: create_timeout
+ description: The optional timout that is applied to limit long database creates.
+ type: string
+ default: 15m
+ required: false
+ - name: database_flags
+ description: The database flags for the master instance. See [more details](https://cloud.google.com/sql/docs/mysql/flags)
+ type: |-
+ list(object({
+ name = string
+ value = string
+ }))
+ default: []
+ required: false
+ - name: database_version
+ description: The database version to use
+ type: string
+ required: true
+ - name: db_charset
+ description: The charset for the default database
+ type: string
+ default: ""
+ required: false
+ - name: db_collation
+ description: 'The collation for the default database. Example: ''utf8_general_ci'''
+ type: string
+ default: ""
+ required: false
+ - name: db_name
+ description: The name of the default database to create
+ type: string
+ default: default
+ required: false
+ - name: delete_timeout
+ description: The optional timout that is applied to limit long database deletes.
+ type: string
+ default: 15m
+ required: false
+ - name: deletion_protection
+ description: Used to block Terraform from deleting a SQL Instance.
+ type: bool
+ default: true
+ required: false
+ - name: disk_autoresize
+ description: Configuration to increase storage size
+ type: bool
+ default: true
+ required: false
+ - name: disk_autoresize_limit
+ description: The maximum size to which storage can be auto increased.
+ type: number
+ default: 0
+ required: false
+ - name: disk_size
+ description: The disk size for the master instance
+ type: number
+ default: 10
+ required: false
+ - name: disk_type
+ description: The disk type for the master instance.
+ type: string
+ default: PD_SSD
+ required: false
+ - name: encryption_key_name
+ description: The full path to the encryption key used for the CMEK disk encryption
+ type: string
+ required: false
+ - name: follow_gae_application
+ description: A Google App Engine application whose zone to remain in. Must be in the same region as this instance.
+ type: string
+ required: false
+ - name: insights_config
+ description: The insights_config settings for the database.
+ type: |-
+ object({
+ query_string_length = number
+ record_application_tags = bool
+ record_client_address = bool
+ })
+ required: false
+ - name: maintenance_window_day
+ description: The day of week (1-7) for the master instance maintenance.
+ type: number
+ default: 1
+ required: false
+ - name: maintenance_window_hour
+ description: The hour of day (0-23) maintenance window for the master instance maintenance.
+ type: number
+ default: 23
+ required: false
+ - name: maintenance_window_update_track
+ description: The update track of maintenance window for the master instance maintenance. Can be either `canary` or `stable`.
+ type: string
+ default: stable
+ required: false
+ - name: module_depends_on
+ description: List of modules or resources this module depends on.
+ type: list(any)
+ default: []
+ required: false
+ - name: name
+ description: The name of the Cloud SQL resources
+ type: string
+ required: true
+ - name: pricing_plan
+ description: The pricing plan for the master instance.
+ type: string
+ default: PER_USE
+ required: false
+ - name: project_id
+ description: The project ID to manage the Cloud SQL resources
+ type: string
+ required: true
+ - name: random_instance_name
+ description: Sets random suffix at the end of the Cloud SQL resource name
+ type: bool
+ default: false
+ required: false
+ - name: read_replica_deletion_protection
+ description: Used to block Terraform from deleting replica SQL Instances.
+ type: bool
+ default: false
+ required: false
+ - name: read_replica_name_suffix
+ description: The optional suffix to add to the read instance name
+ type: string
+ default: ""
+ required: false
+ - name: read_replicas
+ description: List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption_key_name = null
+ type: |-
+ list(object({
+ name = string
+ tier = string
+ availability_type = string
+ zone = string
+ disk_type = string
+ disk_autoresize = bool
+ disk_autoresize_limit = number
+ disk_size = string
+ user_labels = map(string)
+ database_flags = list(object({
+ name = string
+ value = string
+ }))
+ ip_configuration = object({
+ authorized_networks = list(map(string))
+ ipv4_enabled = bool
+ private_network = string
+ require_ssl = bool
+ allocated_ip_range = string
+ })
+ encryption_key_name = string
+ }))
+ default: []
+ required: false
+ - name: region
+ description: The region of the Cloud SQL resources
+ type: string
+ required: true
+ - name: secondary_zone
+ description: 'The preferred zone for the secondary/failover instance, it should be something like: `us-central1-a`, `us-east1-c`.'
+ type: string
+ required: false
+ - name: tier
+ description: The tier for the master instance.
+ type: string
+ default: db-n1-standard-1
+ required: false
+ - name: update_timeout
+ description: The optional timout that is applied to limit long database updates.
+ type: string
+ default: 15m
+ required: false
+ - name: user_labels
+ description: The key/value labels for the master instances.
+ type: map(string)
+ default: {}
+ required: false
+ - name: user_name
+ description: The name of the default user
+ type: string
+ default: default
+ required: false
+ - name: user_password
+ description: The password for the default user. If not set, a random one will be generated and available in the generated_user_password output variable.
+ type: string
+ default: ""
+ required: false
+ - name: vpc_network
+ description: Existing VPC network to which instances are connected. The networks needs to be configured with https://cloud.google.com/vpc/docs/configure-private-services-access.
+ type: string
+ required: true
+ - name: zone
+ description: 'The zone for the master instance, it should be something like: `a`, `c`.'
+ type: string
+ required: true
+ outputs:
+ - name: generated_user_password
+ description: The auto generated default user password if not input password was provided
+ - name: instance_connection_name
+ description: The connection name of the master instance to be used in connection strings
+ - name: instance_ip_address
+ description: The IPv4 address assigned for the master instance
+ - name: instance_name
+ description: The instance name for the master instance
+ - name: instance_self_link
+ description: The URI of the master instance
+ - name: instance_service_account_email_address
+ description: The service account email address assigned to the master instance
+ - name: instances
+ description: A list of all `google_sql_database_instance` resources we've created
+ - name: primary
+ description: The `google_sql_database_instance` resource representing the primary instance
+ - name: private_ip_address
+ description: The first private (PRIVATE) IPv4 address assigned for the master instance
+ - name: public_ip_address
+ description: The first public (PRIMARY) IPv4 address assigned for the master instance
+ - name: read_replica_instance_names
+ description: The instance names for the read replica instances
+ - name: replicas
+ description: A list of `google_sql_database_instance` resources representing the replicas
+ - name: replicas_instance_connection_names
+ description: The connection names of the replica instances to be used in connection strings
+ - name: replicas_instance_self_links
+ description: The URIs of the replica instances
+ - name: replicas_instance_service_account_email_addresses
+ description: The service account email addresses assigned to the replica instances
+ roles:
+ - level: Project
+ roles:
+ - roles/cloudsql.admin
+ - roles/compute.networkAdmin
+ - roles/iam.serviceAccountAdmin
+ - roles/resourcemanager.projectIamAdmin
+ - roles/storage.admin
+ - roles/workflows.admin
+ - roles/cloudscheduler.admin
+ - roles/iam.serviceAccountUser
+ services:
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - servicenetworking.googleapis.com
+ - sqladmin.googleapis.com
+ - iam.googleapis.com
+ - workflows.googleapis.com
+ - cloudscheduler.googleapis.com
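Review bot: `assign_public_ip` is declared `type: string` but its `default: false` is a bare YAML boolean, so anyone consuming this metadata sees a default whose type does not match the declared type; if the module variable really is a string the default should be quoted as `default: "false"`, and if it is a boolean the entry should read `type: bool` like `deletion_protection` a few entries below — which of the two is correct depends on modules/safer_mysql/variables.tf, which is outside this hunk. Since the description itself marks the public IP as the less secure choice, the metadata should at least state its off-by-default value unambiguously. Several descriptions also carry typos inherited from the source (`timout` in create_timeout, delete_timeout and update_timeout, `setings` in backup_configuration, and `if not input password` in the generated_user_password output); as this file appears to be generated, fix them in the variables.tf and outputs.tf descriptions rather than here.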