diff --git a/mmv1/products/datastream/ConnectionProfile.yaml b/mmv1/products/datastream/ConnectionProfile.yaml index 0e040b8f3074..67c4e0421cf8 100644 --- a/mmv1/products/datastream/ConnectionProfile.yaml +++ b/mmv1/products/datastream/ConnectionProfile.yaml @@ -101,6 +101,20 @@ examples: test_vars_overrides: 'deletion_protection': 'false' exclude_test: true + - name: 'datastream_stream_postgresql_sslconfig_server_and_client_verification' + primary_resource_id: 'default' + vars: + connection_profile_id: 'profile-id' + deletion_protection: 'true' + database_instance_name: 'my-instance' + test_vars_overrides: + 'deletion_protection': 'false' + oics_vars_overrides: + 'deletion_protection': 'false' + external_providers: ["random"] + skip_vcr: true + ignore_read_extra: + - 'postgresql_profile.0.password' - name: 'datastream_connection_profile_salesforce' primary_resource_id: 'default' vars: @@ -369,6 +383,68 @@ properties: description: | Database for the PostgreSQL connection. required: true + - name: 'sslConfig' + type: NestedObject + description: | + SSL configuration for the PostgreSQL connection. + properties: + - name: 'serverVerification' + type: NestedObject + description: | + If this field is set, the communication will be encrypted with TLS encryption + and the server identity will be authenticated. + exactly_one_of: + - 'ssl_config.0.server_verification' + - 'ssl_config.0.server_and_client_verification' + properties: + - name: 'caCertificate' + type: String + description: PEM-encoded server root CA certificate. + required: true + immutable: true + sensitive: true + ignore_read: true + - name: 'serverAndClientVerification' + type: NestedObject + description: | + If this field is set, the communication will be encrypted with TLS encryption + and both the server identity and the client identity will be authenticated. + exactly_one_of: + - 'ssl_config.0.server_verification' + - 'ssl_config.0.server_and_client_verification' + ignore_read: true + properties: + - name: 'clientCertificate' + type: String + description: | + PEM-encoded certificate used by the source database to authenticate the + client identity (i.e., the Datastream's identity). This certificate is + signed by either a root certificate trusted by the server or one or more + intermediate certificates (which is stored with the leaf certificate) to + link to this certificate to the trusted root certificate. + immutable: true + required: true + sensitive: true + ignore_read: true + - name: 'clientKey' + type: String + description: | + PEM-encoded private key associated with the client certificate. + This value will be used during the SSL/TLS handshake, allowing + the PostgreSQL server to authenticate the client's identity, + i.e. identity of the stream. + immutable: true + required: true + sensitive: true + ignore_read: true + - name: 'caCertificate' + type: String + description: | + PEM-encoded server root CA certificate. + immutable: true + required: true + sensitive: true + ignore_read: true - name: 'salesforceProfile' min_version: beta type: NestedObject diff --git a/mmv1/templates/terraform/examples/datastream_stream_postgresql_sslconfig_server_and_client_verification.tf.tmpl b/mmv1/templates/terraform/examples/datastream_stream_postgresql_sslconfig_server_and_client_verification.tf.tmpl new file mode 100644 index 000000000000..6dc0060cd532 --- /dev/null +++ b/mmv1/templates/terraform/examples/datastream_stream_postgresql_sslconfig_server_and_client_verification.tf.tmpl @@ -0,0 +1,69 @@ +data "google_datastream_static_ips" "datastream_ips" { + location = "us-central1" +} + +resource "google_sql_database_instance" "instance" { + name = "{{index $.Vars "database_instance_name"}}" + database_version = "POSTGRES_15" + region = "us-central1" + settings { + tier = "db-f1-micro" + ip_configuration { + ipv4_enabled = true + ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" + dynamic "authorized_networks" { + for_each = data.google_datastream_static_ips.datastream_ips.static_ips + iterator = ip + + content { + name = format("datastream-%d", ip.key) + value = ip.value + } + } + } + } + + deletion_protection = {{index $.Vars "deletion_protection"}} +} + +resource "google_sql_database" "db" { + instance = google_sql_database_instance.instance.name + name = "db" +} + +resource "random_password" "pwd" { + length = 16 + special = false +} + +resource "google_sql_user" "user" { + name = "user" + instance = google_sql_database_instance.instance.name + password = random_password.pwd.result +} + +resource "google_sql_ssl_cert" "client_cert" { + common_name = "client-name" + instance = google_sql_database_instance.instance.name +} + +resource "google_datastream_connection_profile" "{{$.PrimaryResourceId}}" { + display_name = "Connection Profile" + location = "us-central1" + connection_profile_id = "{{index $.Vars "connection_profile_id"}}" + + postgresql_profile { + hostname = google_sql_database_instance.instance.public_ip_address + port = 5432 + username = "user" + password = random_password.pwd.result + database = google_sql_database.db.name + ssl_config { + server_and_client_verification { + client_certificate = google_sql_ssl_cert.client_cert.cert + client_key = google_sql_ssl_cert.client_cert.private_key + ca_certificate = google_sql_ssl_cert.client_cert.server_ca_cert + } + } + } +}