Add resource_sql_provision_script

JianweiQ · JianweiQ · commit c73845d8088b · 2026-02-24T22:29:21.000Z
diff --git a/mmv1/third_party/terraform/acctest/resource_inventory_test.go b/mmv1/third_party/terraform/acctest/resource_inventory_test.go
@@ -279,7 +279,7 @@ func TestValidateResourceMetadata(t *testing.T) {
 			if r.ApiVersion == "" && !slices.Contains(ignoredResources, resourceName) {
 				t.Errorf("%s: `api_version` is required and not set", r.FileName)
 			}
-			if r.ApiResourceTypeKind == "" {
+			if r.ApiResourceTypeKind == "" && resourceName != "google_sql_provision_script" {
 				t.Errorf("%s: `api_resource_type_kind` is required and not set", r.FileName)
 			}
 		}
diff --git a/mmv1/third_party/terraform/provider/provider_mmv1_resources.go.tmpl b/mmv1/third_party/terraform/provider/provider_mmv1_resources.go.tmpl
@@ -450,6 +450,7 @@ var handwrittenResources = map[string]*schema.Resource{
 	{{- end }}
 	"google_service_networking_connection":         servicenetworking.ResourceServiceNetworkingConnection(),
 	"google_sql_database_instance":                 sql.ResourceSqlDatabaseInstance(),
+	"google_sql_provision_script":                  sql.ResourceSqlProvisionScript(),
 	"google_sql_ssl_cert":                          sql.ResourceSqlSslCert(),
 	"google_sql_user":                              sql.ResourceSqlUser(),
 	"google_organization_iam_custom_role":          resourcemanager.ResourceGoogleOrganizationIamCustomRole(),
diff --git a/mmv1/third_party/terraform/services/sql/resource_sql_provision_script.go b/mmv1/third_party/terraform/services/sql/resource_sql_provision_script.go
@@ -0,0 +1,152 @@
+package sql
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/hashicorp/terraform-provider-google/google/tpgresource"
+	transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	sqladmin "google.golang.org/api/sqladmin/v1beta4"
+)
+
+func ResourceSqlProvisionScript() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceSqlProvisionScriptCreate,
+		Read:   resourceSqlProvisionScriptRead,
+		Update: resourceSqlProvisionScriptUpdate,
+		Delete: resourceSqlProvisionScriptDelete,
+		CustomizeDiff: customdiff.All(
+			tpgresource.DefaultProviderProject,
+		),
+
+		SchemaVersion: 1,
+
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: `The name of the provision script.`,
+			},
+
+			"script": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+				Description: `The SQL script to provision database resources. Its execution time limit is 30 s.
+				Changing this forces the script to be rerun. Make sure the script is idempotent.
+				You can use statements like "create if not exists …" or
+				"if not exists (select …) then … end if" to prevent existence-related errors. If it's not
+				possible to make a statement idempotent, you can run it once and then remove it from this script.`,
+			},
+
+			"instance": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: `The name of the Cloud SQL instance. Changing this forces the script to be run on the new instance.`,
+			},
+
+			"database": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+				Description: `The name of the database on which the SQL script is executed. This is required for Postgres
+				instances. Changing this forces the script to be run using this database.`,
+			},
+
+			"deletion_policy": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Default:  "ABANDON",
+				Description: `The deletion policy for the resources created by the script. The default is "ABANDON".
+				It must be "ABANDON" to allow Terraform to abandon the resources. If you want to delete resources, add statements
+				in the script such as "drop … if exists".`,
+				ValidateFunc: validation.StringInSlice([]string{"ABANDON"}, false),
+			},
+		},
+		UseJSONNumber: true,
+	}
+}
+
+func resourceSqlProvisionScriptCreate(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*transport_tpg.Config)
+	userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
+	if err != nil {
+		return err
+	}
+
+	project, err := tpgresource.GetProject(d, config)
+	if err != nil {
+		return err
+	}
+
+	name := d.Get("name").(string)
+	instance := d.Get("instance").(string)
+	script := d.Get("script").(string)
+
+	var database string
+	if db, ok := d.GetOk("database"); ok {
+		database = db.(string)
+	}
+
+	executeSqlPayload := &sqladmin.ExecuteSqlPayload{
+		SqlStatement: script,
+		Database:     database,
+		AutoIamAuthn: true,
+		Application:  "Terraform",
+	}
+
+	transport_tpg.MutexStore.Lock(instanceMutexKey(project, instance))
+	defer transport_tpg.MutexStore.Unlock(instanceMutexKey(project, instance))
+
+	var databaseInstance *sqladmin.DatabaseInstance
+	err = transport_tpg.Retry(transport_tpg.RetryOptions{
+		RetryFunc: func() (rerr error) {
+			databaseInstance, rerr = config.NewSqlAdminClient(userAgent).Instances.Get(project, instance).Do()
+			return rerr
+		},
+		Timeout:              d.Timeout(schema.TimeoutRead),
+		ErrorRetryPredicates: []transport_tpg.RetryErrorPredicateFunc{transport_tpg.IsSqlOperationInProgressError},
+	})
+	if err != nil {
+		return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("SQL Database Instance %q", d.Get("instance").(string)))
+	}
+	if databaseInstance.Settings.ActivationPolicy != "ALWAYS" {
+		return fmt.Errorf("Error, failed to run script %s because instance %s is not up", name, instance)
+	}
+
+	log.Printf("[INFO] executing script %s on database %s on instance %s", name, database, instance)
+
+	var resp *sqladmin.SqlInstancesExecuteSqlResponse
+	resp, err = config.NewSqlAdminClient(userAgent).Instances.ExecuteSql(project, instance,
+		executeSqlPayload).Do()
+
+	if err != nil {
+		return fmt.Errorf("Error, failed to run script %s on instance %s: %v", name, instance, err)
+	} else if resp.Status != nil && resp.Status.Code != 0 {
+		return fmt.Errorf("Error, failed to run script %s on instance %s: %v", name, instance, resp.Status.Message)
+	}
+	log.Printf("[INFO] response from the execution of script %s on instance %s: %+v", name, instance, resp)
+
+	d.SetId(fmt.Sprintf("%s/%s", instance, name))
+	return nil
+}
+
+func resourceSqlProvisionScriptRead(d *schema.ResourceData, meta interface{}) error {
+	return nil
+}
+
+func resourceSqlProvisionScriptUpdate(d *schema.ResourceData, meta interface{}) error {
+	name := d.Get("name").(string)
+	instance := d.Get("instance").(string)
+	d.SetId(fmt.Sprintf("%s/%s", instance, name))
+	return nil
+}
+
+func resourceSqlProvisionScriptDelete(d *schema.ResourceData, meta interface{}) error {
+	return nil
+}
diff --git a/mmv1/third_party/terraform/services/sql/resource_sql_provision_script_meta.yaml b/mmv1/third_party/terraform/services/sql/resource_sql_provision_script_meta.yaml
@@ -0,0 +1,11 @@
+resource: 'google_sql_provision_script'
+generation_type: 'handwritten'
+api_service_name: 'sqladmin.googleapis.com'
+api_version: 'v1beta4'
+#api_resource_type_kind: none. Not associated with any REST resource.
+fields:
+  - field: 'name'
+  - field: 'script'
+  - field: 'instance'
+  - field: 'database'
+  - field: 'deletion_policy'
diff --git a/mmv1/third_party/terraform/services/sql/resource_sql_provision_script_test.go b/mmv1/third_party/terraform/services/sql/resource_sql_provision_script_test.go
@@ -0,0 +1,170 @@
+package sql_test
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"github.com/hashicorp/terraform-provider-google/google/envvar"
+)
+
+const (
+	// Set to your account when manually running this test. Not needed in automated tests.
+	manual_test_user = "abc@example.com"
+)
+
+func TestAccSqlProvisionScriptMySql(t *testing.T) {
+	t.Parallel()
+	serviceAcct := envvar.GetTestServiceAccountFromEnv(t)
+	t.Log("Test service account is", serviceAcct)
+
+	instance := fmt.Sprintf("tf-test-%d", acctest.RandInt(t))
+	scriptName := fmt.Sprintf("tf-test-%d", acctest.RandInt(t))
+	script := "CREATE USER IF NOT EXISTS 'user'@'%' IDENTIFIED BY RANDOM PASSWORD; GRANT SELECT ON *.* to 'user'@'%';"
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccSqlUserDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(
+					testGoogleSqlProvisionScript_mysql, instance, serviceAcct, manual_test_user, scriptName, script),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckNoResourceAttr("google_sql_provision_script.script", "database"),
+					resource.TestCheckResourceAttr("google_sql_provision_script.script", "deletion_policy", "ABANDON"),
+				),
+			},
+			{
+				Config: fmt.Sprintf(
+					testGoogleSqlProvisionScript_mysql, instance, serviceAcct, manual_test_user, scriptName, "CREATE USER"),
+				ExpectError: regexp.MustCompile(`.*`), // syntax error
+			},
+		},
+	})
+}
+
+func TestAccSqlProvisionScriptPostgres(t *testing.T) {
+	t.Parallel()
+	serviceAcct := envvar.GetTestServiceAccountFromEnv(t)
+	t.Log("Test service account is", serviceAcct)
+	serviceAcct = strings.TrimSuffix(serviceAcct, ".gserviceaccount.com")
+
+	instance := fmt.Sprintf("tf-test-%d", acctest.RandInt(t))
+	database := fmt.Sprintf("tf-test-%d", acctest.RandInt(t))
+	scriptName := fmt.Sprintf("tf-test-%d", acctest.RandInt(t))
+	script := "CREATE TABLE IF NOT EXISTS table1 ( col VARCHAR(16) NOT NULL ); DROP TABLE table1;"
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccSqlUserDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(
+					testGoogleSqlProvisionScript_postgres, instance, database, serviceAcct, manual_test_user, scriptName, script),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("google_sql_provision_script.script", "database", database),
+					resource.TestCheckResourceAttr("google_sql_provision_script.script", "deletion_policy", "ABANDON"),
+				),
+			},
+			{
+				Config: fmt.Sprintf(
+					testGoogleSqlProvisionScript_postgres, instance, database, serviceAcct, manual_test_user, scriptName, "CREATE TABLE"),
+				ExpectError: regexp.MustCompile(`.*`), // syntax error
+			},
+		},
+	})
+}
+
+var testGoogleSqlProvisionScript_mysql = `
+resource "google_sql_database_instance" "instance" {
+  name                = "%s"
+  region              = "us-central1"
+  database_version    = "MYSQL_8_4"
+  deletion_protection = false
+  settings {
+    tier            = "db-perf-optimized-N-2"
+    data_api_access = "ALLOW_DATA_API"
+    database_flags {
+      name  = "cloudsql_iam_authentication"
+      value = "on"
+    }
+  }
+}
+
+ # The test account that runs this test must have a corresponding google_sql_user.
+resource "google_sql_user" "test_account" {
+  name     = "%s"
+  instance = google_sql_database_instance.instance.name
+  type     = "CLOUD_IAM_SERVICE_ACCOUNT"
+  database_roles = ["cloudsqlsuperuser"]
+}
+resource "google_sql_user" "manual_test_user" {
+  name     = "%s"
+  instance = google_sql_database_instance.instance.name
+  type     = "CLOUD_IAM_USER"
+  database_roles = ["cloudsqlsuperuser"]
+}
+
+
+resource "google_sql_provision_script" "script" {
+  name    = "%s"
+  script  = "%s"
+  instance = google_sql_database_instance.instance.name
+  depends_on = [
+    google_sql_user.test_account,
+	google_sql_user.manual_test_user
+  ]
+}
+`
+
+var testGoogleSqlProvisionScript_postgres = `
+resource "google_sql_database_instance" "instance" {
+  name                = "%s"
+  region              = "us-central1"
+  database_version    = "POSTGRES_17"
+  deletion_protection = false
+  settings {
+    tier            = "db-perf-optimized-N-2"
+    data_api_access = "ALLOW_DATA_API"
+    database_flags {
+      name  = "cloudsql.iam_authentication"
+      value = "on"
+    }
+  }
+}
+
+resource "google_sql_database" "database" {
+  name     = "%s"
+  instance = google_sql_database_instance.instance.name
+}
+
+
+ # The test account that runs this test must have a corresponding google_sql_user.
+resource "google_sql_user" "test_account" {
+  name     = "%s"
+  instance = google_sql_database_instance.instance.name
+  type     = "CLOUD_IAM_SERVICE_ACCOUNT"
+  database_roles = ["cloudsqlsuperuser"]
+}
+resource "google_sql_user" "manual_test_user" {
+  name     = "%s"
+  instance = google_sql_database_instance.instance.name
+  type     = "CLOUD_IAM_USER"
+  database_roles = ["cloudsqlsuperuser"]
+}
+
+
+resource "google_sql_provision_script" "script" {
+  name    = "%s"
+  script  = "%s"
+  database = google_sql_database.database.name
+  instance = google_sql_database_instance.instance.name
+  depends_on = [
+    google_sql_user.test_account,
+	google_sql_user.manual_test_user
+  ]
+}
+`
diff --git a/mmv1/third_party/terraform/website/docs/r/sql_provision_script.html.markdown b/mmv1/third_party/terraform/website/docs/r/sql_provision_script.html.markdown
diff --git a/tools/issue-labeler/labeler/enrolled_teams.yml b/tools/issue-labeler/labeler/enrolled_teams.yml

Original file line number	Diff line number	Diff line change
`@@ -279,7 +279,7 @@ func TestValidateResourceMetadata(t *testing.T) {`
`279`	`279`	`if r.ApiVersion == "" && !slices.Contains(ignoredResources, resourceName) {`
`280`	`280`	t.Errorf("%s: `api_version` is required and not set", r.FileName)
`281`	`281`	`}`
`282`		`- if r.ApiResourceTypeKind == "" {`
	`282`	`+ if r.ApiResourceTypeKind == "" && resourceName != "google_sql_provision_script" {`
`283`	`283`	t.Errorf("%s: `api_resource_type_kind` is required and not set", r.FileName)
`284`	`284`	`}`
`285`	`285`	`}`