Add support for Password Validation Policy in cloud sql instance. (#6329) (#4597)

Co-authored-by: Shuya Ma <[email protected]>
Signed-off-by: Modular Magician <[email protected]>

Signed-off-by: Modular Magician <[email protected]>
Co-authored-by: Shuya Ma <[email protected]>

Author: modular-magician

.changelog/6329.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+sql: added `password_validation_policy` field to `google_cloud_sql` resource
+```

google-beta/resource_sql_database_instance.go

@@ -462,6 +462,48 @@ is set to true.`,
 							},
 							Description: `Configuration of Query Insights.`,
 						},
+						"password_validation_policy": {
+							Type:     schema.TypeList,
+							Optional: true,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"min_length": {
+										Type:         schema.TypeInt,
+										Optional:     true,
+										ValidateFunc: validation.IntBetween(0, 2147483647),
+										Description:  `Minimum number of characters allowed.`,
+									},
+									"complexity": {
+										Type:         schema.TypeString,
+										Optional:     true,
+										ValidateFunc: validation.StringInSlice([]string{"COMPLEXITY_DEFAULT", "COMPLEXITY_UNSPECIFIED"}, false),
+										Description:  `Password complexity.`,
+									},
+									"reuse_interval": {
+										Type:         schema.TypeInt,
+										Optional:     true,
+										ValidateFunc: validation.IntBetween(0, 2147483647),
+										Description:  `Number of previous passwords that cannot be reused.`,
+									},
+									"disallow_username_substring": {
+										Type:        schema.TypeBool,
+										Optional:    true,
+										Description: `Disallow username as a part of the password.`,
+									},
+									"password_change_interval": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Description: `Minimum interval after which the password can be changed. This flag is only supported for PostgresSQL.`,
+									},
+									"enable_password_policy": {
+										Type:        schema.TypeBool,
+										Required:    true,
+										Description: `Whether the password policy is enabled or not.`,
+									},
+								},
+							},
+						},
 					},
 				},
 				Description: `The settings to use for the database. The configuration is detailed below.`,
@@ -492,7 +534,7 @@ is set to true.`,
 				Optional:    true,
 				ForceNew:    true,
 				Sensitive:   true,
-				Description: `Initial root password. Required for MS SQL Server, ignored by MySQL and PostgreSQL.`,
+				Description: `Initial root password. Required for MS SQL Server.`,
 			},
 
 			"ip_address": {
@@ -829,10 +871,7 @@ func resourceSqlDatabaseInstanceCreate(d *schema.ResourceData, meta interface{})
 		instance.Settings = desiredSettings
 	}
 
-	// MSSQL Server require rootPassword to be set
-	if strings.Contains(instance.DatabaseVersion, "SQLSERVER") {
-		instance.RootPassword = d.Get("root_password").(string)
-	}
+	instance.RootPassword = d.Get("root_password").(string)
 
 	// Modifying a replica during Create can cause problems if the master is
 	// modified at the same time. Lock the master until we're done in order
@@ -982,24 +1021,25 @@ func expandSqlDatabaseInstanceSettings(configured []interface{}) *sqladmin.Setti
 	_settings := configured[0].(map[string]interface{})
 	settings := &sqladmin.Settings{
 		// Version is unset in Create but is set during update
-		SettingsVersion:       int64(_settings["version"].(int)),
-		Tier:                  _settings["tier"].(string),
-		ForceSendFields:       []string{"StorageAutoResize"},
-		ActivationPolicy:      _settings["activation_policy"].(string),
-		ActiveDirectoryConfig: expandActiveDirectoryConfig(_settings["active_directory_config"].([]interface{})),
-		SqlServerAuditConfig:  expandSqlServerAuditConfig(_settings["sql_server_audit_config"].([]interface{})),
-		AvailabilityType:      _settings["availability_type"].(string),
-		Collation:             _settings["collation"].(string),
-		DataDiskSizeGb:        int64(_settings["disk_size"].(int)),
-		DataDiskType:          _settings["disk_type"].(string),
-		PricingPlan:           _settings["pricing_plan"].(string),
-		UserLabels:            convertStringMap(_settings["user_labels"].(map[string]interface{})),
-		BackupConfiguration:   expandBackupConfiguration(_settings["backup_configuration"].([]interface{})),
-		DatabaseFlags:         expandDatabaseFlags(_settings["database_flags"].([]interface{})),
-		IpConfiguration:       expandIpConfiguration(_settings["ip_configuration"].([]interface{})),
-		LocationPreference:    expandLocationPreference(_settings["location_preference"].([]interface{})),
-		MaintenanceWindow:     expandMaintenanceWindow(_settings["maintenance_window"].([]interface{})),
-		InsightsConfig:        expandInsightsConfig(_settings["insights_config"].([]interface{})),
+		SettingsVersion:          int64(_settings["version"].(int)),
+		Tier:                     _settings["tier"].(string),
+		ForceSendFields:          []string{"StorageAutoResize"},
+		ActivationPolicy:         _settings["activation_policy"].(string),
+		ActiveDirectoryConfig:    expandActiveDirectoryConfig(_settings["active_directory_config"].([]interface{})),
+		SqlServerAuditConfig:     expandSqlServerAuditConfig(_settings["sql_server_audit_config"].([]interface{})),
+		AvailabilityType:         _settings["availability_type"].(string),
+		Collation:                _settings["collation"].(string),
+		DataDiskSizeGb:           int64(_settings["disk_size"].(int)),
+		DataDiskType:             _settings["disk_type"].(string),
+		PricingPlan:              _settings["pricing_plan"].(string),
+		UserLabels:               convertStringMap(_settings["user_labels"].(map[string]interface{})),
+		BackupConfiguration:      expandBackupConfiguration(_settings["backup_configuration"].([]interface{})),
+		DatabaseFlags:            expandDatabaseFlags(_settings["database_flags"].([]interface{})),
+		IpConfiguration:          expandIpConfiguration(_settings["ip_configuration"].([]interface{})),
+		LocationPreference:       expandLocationPreference(_settings["location_preference"].([]interface{})),
+		MaintenanceWindow:        expandMaintenanceWindow(_settings["maintenance_window"].([]interface{})),
+		InsightsConfig:           expandInsightsConfig(_settings["insights_config"].([]interface{})),
+		PasswordValidationPolicy: expandPasswordValidationPolicy(_settings["password_validation_policy"].([]interface{})),
 	}
 
 	resize := _settings["disk_autoresize"].(bool)
@@ -1191,6 +1231,22 @@ func expandInsightsConfig(configured []interface{}) *sqladmin.InsightsConfig {
 	}
 }
 
+func expandPasswordValidationPolicy(configured []interface{}) *sqladmin.PasswordValidationPolicy {
+	if len(configured) == 0 || configured[0] == nil {
+		return nil
+	}
+
+	_passwordValidationPolicy := configured[0].(map[string]interface{})
+	return &sqladmin.PasswordValidationPolicy{
+		MinLength:                 int64(_passwordValidationPolicy["min_length"].(int)),
+		Complexity:                _passwordValidationPolicy["complexity"].(string),
+		ReuseInterval:             int64(_passwordValidationPolicy["reuse_interval"].(int)),
+		DisallowUsernameSubstring: _passwordValidationPolicy["disallow_username_substring"].(bool),
+		PasswordChangeInterval:    _passwordValidationPolicy["password_change_interval"].(string),
+		EnablePasswordPolicy:      _passwordValidationPolicy["enable_password_policy"].(bool),
+	}
+}
+
 func resourceSqlDatabaseInstanceRead(d *schema.ResourceData, meta interface{}) error {
 	config := meta.(*Config)
 	userAgent, err := generateUserAgentString(d, config.userAgent)
@@ -1411,15 +1467,16 @@ func resourceSqlDatabaseInstanceImport(d *schema.ResourceData, meta interface{})
 
 func flattenSettings(settings *sqladmin.Settings) []map[string]interface{} {
 	data := map[string]interface{}{
-		"version":           settings.SettingsVersion,
-		"tier":              settings.Tier,
-		"activation_policy": settings.ActivationPolicy,
-		"availability_type": settings.AvailabilityType,
-		"collation":         settings.Collation,
-		"disk_type":         settings.DataDiskType,
-		"disk_size":         settings.DataDiskSizeGb,
-		"pricing_plan":      settings.PricingPlan,
-		"user_labels":       settings.UserLabels,
+		"version":                    settings.SettingsVersion,
+		"tier":                       settings.Tier,
+		"activation_policy":          settings.ActivationPolicy,
+		"availability_type":          settings.AvailabilityType,
+		"collation":                  settings.Collation,
+		"disk_type":                  settings.DataDiskType,
+		"disk_size":                  settings.DataDiskSizeGb,
+		"pricing_plan":               settings.PricingPlan,
+		"user_labels":                settings.UserLabels,
+		"password_validation_policy": settings.PasswordValidationPolicy,
 	}
 
 	if settings.ActiveDirectoryConfig != nil {
@@ -1461,6 +1518,10 @@ func flattenSettings(settings *sqladmin.Settings) []map[string]interface{} {
 		data["user_labels"] = settings.UserLabels
 	}
 
+	if settings.PasswordValidationPolicy != nil {
+		data["password_validation_policy"] = flattenPasswordValidationPolicy(settings.PasswordValidationPolicy)
+	}
+
 	return []map[string]interface{}{data}
 }
 
@@ -1655,6 +1716,18 @@ func flattenInsightsConfig(insightsConfig *sqladmin.InsightsConfig) interface{}
 	return []map[string]interface{}{data}
 }
 
+func flattenPasswordValidationPolicy(passwordValidationPolicy *sqladmin.PasswordValidationPolicy) interface{} {
+	data := map[string]interface{}{
+		"min_length":                  passwordValidationPolicy.MinLength,
+		"complexity":                  passwordValidationPolicy.Complexity,
+		"reuse_interval":              passwordValidationPolicy.ReuseInterval,
+		"disallow_username_substring": passwordValidationPolicy.DisallowUsernameSubstring,
+		"password_change_interval":    passwordValidationPolicy.PasswordChangeInterval,
+		"enable_password_policy":      passwordValidationPolicy.EnablePasswordPolicy,
+	}
+	return []map[string]interface{}{data}
+}
+
 func instanceMutexKey(project, instance_name string) string {
 	return fmt.Sprintf("google-sql-database-instance-%s-%s", project, instance_name)
 }

google-beta/resource_sql_database_instance_test.go

@@ -1195,6 +1195,53 @@ func TestAccSqlDatabaseInstance_SqlServerAuditConfig(t *testing.T) {
 	})
 }
 
+func TestAccSqlDatabaseInstance_sqlMysqlInstancePvpExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"deletion_protection": false,
+		"random_suffix":       randString(t, 10),
+	}
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccSqlDatabaseInstance_sqlMysqlInstancePvpExample(context),
+			},
+			{
+				ResourceName:            "google_sql_database_instance.mysql_pvp_instance_name",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection", "root_password"},
+			},
+		},
+	})
+}
+
+func testAccSqlDatabaseInstance_sqlMysqlInstancePvpExample(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_sql_database_instance" "mysql_pvp_instance_name" {
+  name             = "tf-test-mysql-pvp-instance-name%{random_suffix}"
+  region           = "asia-northeast1"
+  database_version = "MYSQL_8_0"
+  root_password = "abcABC123!"
+  settings {
+    tier              = "db-f1-micro"
+    password_validation_policy {
+      min_length  = 6
+      complexity  =  "COMPLEXITY_DEFAULT"
+      reuse_interval = 2
+      disallow_username_substring = true
+      enable_password_policy = true
+    }
+  }
+  deletion_protection =  "%{deletion_protection}"
+}
+`, context)
+}
+
 var testGoogleSqlDatabaseInstance_basic2 = `
 resource "google_sql_database_instance" "instance" {
   region              = "us-central1"

website/docs/r/sql_database_instance.html.markdown

@@ -194,7 +194,7 @@ includes an up-to-date reference of supported versions.
 * `replica_configuration` - (Optional) The configuration for replication. The
     configuration is detailed below. Valid only for MySQL instances.
 
-* `root_password` - (Optional) Initial root password. Required for MS SQL Server, ignored by MySQL and PostgreSQL.
+* `root_password` - (Optional) Initial root password. Required for MS SQL Server.
 
 * `encryption_key_name` - (Optional)
     The full path to the encryption key used for the CMEK disk encryption.  Setting
@@ -349,6 +349,20 @@ The optional `settings.insights_config` subblock for instances declares [Query I
 
 * `record_client_address` - True if Query Insights will record client address when enabled.
 
+The optional `settings.passward_validation_policy` subblock for instances declares [Password Validation Policy](https://cloud.google.com/sql/docs/postgres/built-in-authentication) configuration. It contains:
+
+* `min_length` - Specifies the minimum number of characters that the password must have.
+
+* `complexity` - Checks if the password is a combination of lowercase, uppercase, numeric, and non-alphanumeric characters.
+
+* `reuse_interval` - Specifies the number of previous passwords that you can't reuse.
+
+* `disallow_username_substring` - Prevents the use of the username in the password.
+
+* `password_change_interval` - Specifies the minimum duration after which you can change the password.
+
+* `enable_password_policy` - Enables or disable the password validation policy.
+
 The optional `replica_configuration` block must have `master_instance_name` set
 to work, cannot be updated, and supports: