From 2cf6ddac28212894bb9925a3c7515480b72a2896 Mon Sep 17 00:00:00 2001 From: Pete Davids Date: Wed, 15 Jan 2025 21:02:37 +0100 Subject: [PATCH 1/5] feat: added support for ssl_config support for postgresql_profile Fixes https://github.com/hashicorp/terraform-provider-google/issues/20929 --- .../datastream/ConnectionProfile.yaml | 75 +++++++++++++++++++ ...client_verification_ca_certificate.go.tmpl | 16 ++++ ...nt_verification_client_certificate.go.tmpl | 16 ++++ ...and_client_verification_client_key.go.tmpl | 16 ++++ ...server_verification_ca_certificate.go.tmpl | 16 ++++ ...fig_server_and_client_verification.tf.tmpl | 69 +++++++++++++++++ 6 files changed, 208 insertions(+) create mode 100644 mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_ca_certificate.go.tmpl create mode 100644 mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_certificate.go.tmpl create mode 100644 mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_key.go.tmpl create mode 100644 mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_verification_ca_certificate.go.tmpl create mode 100644 mmv1/templates/terraform/examples/datastream_stream_postgresql_sslconfig_server_and_client_verification.tf.tmpl diff --git a/mmv1/products/datastream/ConnectionProfile.yaml b/mmv1/products/datastream/ConnectionProfile.yaml index bd6c77fe9326..d33de98c7800 100644 --- a/mmv1/products/datastream/ConnectionProfile.yaml +++ b/mmv1/products/datastream/ConnectionProfile.yaml 
@@ -91,6 +91,18 @@ examples: test_vars_overrides: 'deletion_protection': 'false' exclude_test: true + - name: 'datastream_stream_postgresql_sslconfig_server_and_client_verification' + primary_resource_id: 'default' + vars: + connection_profile_id: 'profile-id' + deletion_protection: 'true' + database_instance_name: 'my-instance' + test_vars_overrides: + 'deletion_protection': 'false' + oics_vars_overrides: + 'deletion_protection': 'false' + external_providers: ["random"] + skip_vcr: true parameters: - name: 'connectionProfileId' type: String 
@@ -324,6 +336,69 @@ properties: description: | Database for the PostgreSQL connection. required: true + - name: 'sslConfig' + type: NestedObject + description: | + SSL configuration for the PostgreSQL connection. + required: false + properties: + - name: 'serverVerification' + type: NestedObject + description: | + If this field is set, the communication will be encrypted with TLS encryption + and the server identity will be authenticated. + exactly_one_of: + - 'ssl_config.0.server_verification' + - 'ssl_config.0.server_and_client_verification' + properties: + - name: 'caCertificate' + type: String + description: PEM-encoded server root CA certificate. + required: true + immutable: true + sensitive: true + ignore_read: true + - name: 'serverAndClientVerification' + type: NestedObject + description: | + If this field is set, the communication will be encrypted with TLS encryption + and both the server identity and the client identity will be authenticated. + exactly_one_of: + - 'ssl_config.0.server_verification' + - 'ssl_config.0.server_and_client_verification' + properties: + - name: 'clientCertificate' + type: String + description: | + PEM-encoded certificate used by the source database to authenticate the + client identity (i.e., the Datastream's identity). This certificate is + signed by either a root certificate trusted by the server or one or more + intermediate certificates (which is stored with the leaf certificate) to + link to this certificate to the trusted root certificate. + immutable: true + required: true + sensitive: true + ignore_read: true + - name: 'clientKey' + type: String + description: | + PEM-encoded private key associated with the client certificate. + This value will be used during the SSL/TLS handshake, allowing + the PostgreSQL server to authenticate the client's identity, + i.e. identity of the stream. 
+ immutable: true + required: true + sensitive: true + ignore_read: true + - name: 'caCertificate' + type: String + description: | + PEM-encoded server root CA certificate. + immutable: true + required: true + sensitive: true + ignore_read: true + - name: 'sqlServerProfile' type: NestedObject description: | diff --git a/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_ca_certificate.go.tmpl b/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_ca_certificate.go.tmpl new file mode 100644 index 000000000000..571aa803a2d6 --- /dev/null +++ b/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_ca_certificate.go.tmpl @@ -0,0 +1,16 @@ +{{/* + The license inside this block applies to this file + Copyright 2024 Google Inc. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ -}} +{{/* Workaround for https://github.com/hashicorp/terraform-provider-google/issues/12410 */}} +func flatten{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return d.Get("postgresql_profile.0.ssl_config.0.server_and_client_verification.0.ca_certificate") +} 
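Review bot: The `exactly_one_of` entries under `sslConfig` are written relative to the block (`ssl_config.0.server_verification`, `ssl_config.0.server_and_client_verification`), but the SDK resolves ExactlyOneOf keys from the resource root, so unless mmv1 prefixes them automatically they should read `postgresql_profile.0.ssl_config.0.server_verification` and `postgresql_profile.0.ssl_config.0.server_and_client_verification` — worth confirming in the generated schema, because a key that never resolves silently disables the one-of validation and both modes could then be configured at once. The `sslConfig` description could also state the constraint the schema enforces, e.g. `Exactly one of server_verification or server_and_client_verification must be set.`, so readers of the docs do not have to infer it from the error. The `properties:` list for `postgresqlProfile` continues past the hunk.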
diff --git a/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_certificate.go.tmpl b/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_certificate.go.tmpl new file mode 100644 index 000000000000..cbf392d596cc --- /dev/null +++ b/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_certificate.go.tmpl @@ -0,0 +1,16 @@ +{{/* + The license inside this block applies to this file + Copyright 2024 Google Inc. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ -}} +{{/* Workaround for https://github.com/hashicorp/terraform-provider-google/issues/12410 */}} +func flatten{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return d.Get("postgresql_profile.0.ssl_config.0.server_and_client_verification.0.client_certificate") +} diff --git a/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_key.go.tmpl b/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_key.go.tmpl new file mode 100644 index 000000000000..af44b3f9cd50 --- /dev/null 
+++ b/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_key.go.tmpl @@ -0,0 +1,16 @@ +{{/* + The license inside this block applies to this file + Copyright 2024 Google Inc. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ -}} +{{/* Workaround for https://github.com/hashicorp/terraform-provider-google/issues/12410 */}} +func flatten{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return d.Get("postgresql_profile.0.ssl_config.0.server_and_client_verification.0.client_key") +} diff --git a/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_verification_ca_certificate.go.tmpl b/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_verification_ca_certificate.go.tmpl new file mode 100644 index 000000000000..c26fcb90b5e2 --- /dev/null +++ b/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_verification_ca_certificate.go.tmpl 
@@ -0,0 +1,16 @@ +{{/* + The license inside this block applies to this file + Copyright 2024 Google Inc. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ -}} +{{/* Workaround for https://github.com/hashicorp/terraform-provider-google/issues/12410 */}} +func flatten{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return d.Get("postgresql_profile.0.ssl_config.0.server_verification.0.ca_certificate") +} diff --git a/mmv1/templates/terraform/examples/datastream_stream_postgresql_sslconfig_server_and_client_verification.tf.tmpl b/mmv1/templates/terraform/examples/datastream_stream_postgresql_sslconfig_server_and_client_verification.tf.tmpl new file mode 100644 index 000000000000..6dc0060cd532 --- /dev/null +++ b/mmv1/templates/terraform/examples/datastream_stream_postgresql_sslconfig_server_and_client_verification.tf.tmpl 
@@ -0,0 +1,69 @@ +data "google_datastream_static_ips" "datastream_ips" { + location = "us-central1" +} + +resource "google_sql_database_instance" "instance" { + name = "{{index $.Vars "database_instance_name"}}" + database_version = "POSTGRES_15" + region = "us-central1" + settings { + tier = "db-f1-micro" + ip_configuration { + ipv4_enabled = true + ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" + dynamic "authorized_networks" { + for_each = data.google_datastream_static_ips.datastream_ips.static_ips + iterator = ip + + content { + name = format("datastream-%d", ip.key) + value = ip.value + } + } + } + } + + deletion_protection = {{index $.Vars "deletion_protection"}} +} + +resource "google_sql_database" "db" { + instance = google_sql_database_instance.instance.name + name = "db" +} + +resource "random_password" "pwd" { + length = 16 + special = false +} + +resource "google_sql_user" "user" { + name = "user" + instance = google_sql_database_instance.instance.name + password = random_password.pwd.result +} + +resource "google_sql_ssl_cert" "client_cert" { + common_name = "client-name" + instance = google_sql_database_instance.instance.name +} + +resource "google_datastream_connection_profile" "{{$.PrimaryResourceId}}" { + display_name = "Connection Profile" + location = "us-central1" + connection_profile_id = "{{index $.Vars "connection_profile_id"}}" + + postgresql_profile { + hostname = google_sql_database_instance.instance.public_ip_address + port = 5432 + username = "user" + password = random_password.pwd.result + database = google_sql_database.db.name + ssl_config { + server_and_client_verification { + client_certificate = google_sql_ssl_cert.client_cert.cert + client_key = google_sql_ssl_cert.client_cert.private_key + ca_certificate = google_sql_ssl_cert.client_cert.server_ca_cert + } + } + } +} From 420bd6010d08a6533ad1912c6aa05322c6a5041c Mon Sep 17 00:00:00 2001 
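Review bot: `username = "user"` in the connection profile repeats the literal from `google_sql_user.user` instead of referencing it, so there is no implicit dependency on the user resource and the profile may be created before that login exists; `username = google_sql_user.user.name` fixes both the ordering and the duplication, and matches how `database = google_sql_database.db.name` is already written. A short comment above `ssl_config` noting that the instance is created with `ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"`, so the client certificate and key are what make the connection succeed, would help readers adapt the example without dropping the mutual-TLS part.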
From: pete davids Date: Mon, 24 Nov 2025 15:27:23 -0500 Subject: [PATCH 2/5] reapply fixes --- mmv1/products/datastream/ConnectionProfile.yaml | 2 -- ...nd_client_verification_ca_certificate.go.tmpl | 16 ---------------- ...lient_verification_client_certificate.go.tmpl | 16 ---------------- ...er_and_client_verification_client_key.go.tmpl | 16 ---------------- ...ig_server_verification_ca_certificate.go.tmpl | 16 ---------------- 5 files changed, 66 deletions(-) delete mode 100644 mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_ca_certificate.go.tmpl delete mode 100644 mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_certificate.go.tmpl delete mode 100644 mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_key.go.tmpl delete mode 100644 mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_verification_ca_certificate.go.tmpl diff --git a/mmv1/products/datastream/ConnectionProfile.yaml b/mmv1/products/datastream/ConnectionProfile.yaml index 7a1535919181..d72724e23e6a 100644 --- a/mmv1/products/datastream/ConnectionProfile.yaml +++ b/mmv1/products/datastream/ConnectionProfile.yaml @@ -385,7 +385,6 @@ properties: type: NestedObject description: | SSL configuration for the PostgreSQL connection. - required: false properties: - name: 'serverVerification' type: NestedObject @@ -443,7 +442,6 @@ properties: required: true sensitive: true ignore_read: true - - name: 'salesforceProfile' min_version: beta type: NestedObject 
diff --git a/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_ca_certificate.go.tmpl b/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_ca_certificate.go.tmpl deleted file mode 100644 index 571aa803a2d6..000000000000 --- a/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_ca_certificate.go.tmpl +++ /dev/null @@ -1,16 +0,0 @@ -{{/* - The license inside this block applies to this file - Copyright 2024 Google Inc. - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ -}} -{{/* Workaround for https://github.com/hashicorp/terraform-provider-google/issues/12410 */}} -func flatten{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { - return d.Get("postgresql_profile.0.ssl_config.0.server_and_client_verification.0.ca_certificate") -} diff --git a/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_certificate.go.tmpl b/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_certificate.go.tmpl deleted file mode 100644 index cbf392d596cc..000000000000 
--- a/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_certificate.go.tmpl +++ /dev/null @@ -1,16 +0,0 @@ -{{/* - The license inside this block applies to this file - Copyright 2024 Google Inc. - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ -}} -{{/* Workaround for https://github.com/hashicorp/terraform-provider-google/issues/12410 */}} -func flatten{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { - return d.Get("postgresql_profile.0.ssl_config.0.server_and_client_verification.0.client_certificate") -} diff --git a/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_key.go.tmpl b/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_key.go.tmpl deleted file mode 100644 index af44b3f9cd50..000000000000 --- a/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_and_client_verification_client_key.go.tmpl +++ /dev/null 
@@ -1,16 +0,0 @@ -{{/* - The license inside this block applies to this file - Copyright 2024 Google Inc. - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ -}} -{{/* Workaround for https://github.com/hashicorp/terraform-provider-google/issues/12410 */}} -func flatten{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { - return d.Get("postgresql_profile.0.ssl_config.0.server_and_client_verification.0.client_key") -} diff --git a/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_verification_ca_certificate.go.tmpl b/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_verification_ca_certificate.go.tmpl deleted file mode 100644 index c26fcb90b5e2..000000000000 --- a/mmv1/templates/terraform/custom_flatten/datastream_connection_profile_postgresql_profile_ssl_config_server_verification_ca_certificate.go.tmpl +++ /dev/null 
@@ -1,16 +0,0 @@ -{{/* - The license inside this block applies to this file - Copyright 2024 Google Inc. - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ -}} -{{/* Workaround for https://github.com/hashicorp/terraform-provider-google/issues/12410 */}} -func flatten{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { - return d.Get("postgresql_profile.0.ssl_config.0.server_verification.0.ca_certificate") -} From d7691194afa9601766f3d9500351710463ae00cb Mon Sep 17 00:00:00 2001 From: pete davids Date: Fri, 5 Dec 2025 08:11:58 -0500 Subject: [PATCH 3/5] ignore_read_extra --- mmv1/products/datastream/ConnectionProfile.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/mmv1/products/datastream/ConnectionProfile.yaml b/mmv1/products/datastream/ConnectionProfile.yaml index d72724e23e6a..75147f94597e 100644 --- a/mmv1/products/datastream/ConnectionProfile.yaml +++ b/mmv1/products/datastream/ConnectionProfile.yaml @@ -122,6 +122,10 @@ examples: primary_resource_id: 'default' vars: source_connection_profile_id: 'source-profile' + ignore_read_extra: + - 'postgresql_profile.0.ssl_config.0.server_and_client_verification.0.ca_certificate' + - 'postgresql_profile.0.ssl_config.0.server_and_client_verification.0.client_certificate' + - 'postgresql_profile.0.ssl_config.0.server_and_client_verification.0.client_key' - name: 'datastream_connection_profile_mongodb' primary_resource_id: 'default' vars: 
From beac869f80a59134d9dccc7eec85b7ef00271172 Mon Sep 17 00:00:00 2001 From: pete davids Date: Wed, 17 Dec 2025 17:50:37 -0500 Subject: [PATCH 4/5] just ignore the whole block --- mmv1/products/datastream/ConnectionProfile.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/mmv1/products/datastream/ConnectionProfile.yaml b/mmv1/products/datastream/ConnectionProfile.yaml index 75147f94597e..fc01161bfd8b 100644 --- a/mmv1/products/datastream/ConnectionProfile.yaml +++ b/mmv1/products/datastream/ConnectionProfile.yaml @@ -122,10 +122,6 @@ examples: primary_resource_id: 'default' vars: source_connection_profile_id: 'source-profile' - ignore_read_extra: - - 'postgresql_profile.0.ssl_config.0.server_and_client_verification.0.ca_certificate' - - 'postgresql_profile.0.ssl_config.0.server_and_client_verification.0.client_certificate' - - 'postgresql_profile.0.ssl_config.0.server_and_client_verification.0.client_key' - name: 'datastream_connection_profile_mongodb' primary_resource_id: 'default' vars: @@ -414,6 +410,7 @@ properties: exactly_one_of: - 'ssl_config.0.server_verification' - 'ssl_config.0.server_and_client_verification' + ignore_read: true properties: - name: 'clientCertificate' type: String From 31fb071be8d957d087c37a615e70c1bf055d50c4 Mon Sep 17 00:00:00 2001 From: pete davids Date: Fri, 26 Dec 2025 18:12:10 -0500 Subject: [PATCH 5/5] ignore password too --- mmv1/products/datastream/ConnectionProfile.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mmv1/products/datastream/ConnectionProfile.yaml b/mmv1/products/datastream/ConnectionProfile.yaml index fc01161bfd8b..67c4e0421cf8 100644 --- a/mmv1/products/datastream/ConnectionProfile.yaml +++ b/mmv1/products/datastream/ConnectionProfile.yaml 
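Review bot: `ignore_read: true` is now set on the whole `serverAndClientVerification` block on top of the per-field `ignore_read` flags, while `serverVerification` keeps only the field-level flag on `caCertificate`; if the API omits the certificate material for one mode it presumably does for the other, so either both blocks get the same treatment or the asymmetry should be explained with a comment such as `# the API does not echo certificate material back, so the whole block is read from state`. A block-level ignore_read also means an out-of-band change to the profile's TLS mode is never surfaced by refresh, which is worth stating in the block description so operators know drift detection does not cover it. The `properties:` list for this block continues past the hunk.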
@@ -113,6 +113,8 @@ examples: 'deletion_protection': 'false' external_providers: ["random"] skip_vcr: true + ignore_read_extra: + - 'postgresql_profile.0.password' - name: 'datastream_connection_profile_salesforce' primary_resource_id: 'default' vars: