Add credentials to bigquery connection. (#3546) (#2111)

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/3546.txt

@@ -0,0 +1,3 @@
+```release-note:breaking-change
+bigquery: Add ability to manage credentials to `google_bigquery_connection`.  This field is required as the resource is not useful without them.
+```

google-beta/resource_bigquery_connection_connection.go

@@ -50,6 +50,27 @@ func resourceBigqueryConnectionConnection() *schema.Resource {
 				MaxItems:    1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
+						"credential": {
+							Type:        schema.TypeList,
+							Required:    true,
+							Description: `Cloud SQL properties.`,
+							MaxItems:    1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"password": {
+										Type:        schema.TypeString,
+										Required:    true,
+										Description: `Password for database.`,
+										Sensitive:   true,
+									},
+									"username": {
+										Type:        schema.TypeString,
+										Required:    true,
+										Description: `Username for database.`,
+									},
+								},
+							},
+						},
 						"database": {
 							Type:        schema.TypeString,
 							Required:    true,
@@ -343,6 +364,8 @@ func flattenBigqueryConnectionConnectionCloudSql(v interface{}, d *schema.Resour
 		flattenBigqueryConnectionConnectionCloudSqlInstanceId(original["instanceId"], d, config)
 	transformed["database"] =
 		flattenBigqueryConnectionConnectionCloudSqlDatabase(original["database"], d, config)
+	transformed["credential"] =
+		flattenBigqueryConnectionConnectionCloudSqlCredential(original["credential"], d, config)
 	transformed["type"] =
 		flattenBigqueryConnectionConnectionCloudSqlType(original["type"], d, config)
 	return []interface{}{transformed}
@@ -355,6 +378,15 @@ func flattenBigqueryConnectionConnectionCloudSqlDatabase(v interface{}, d *schem
 	return v
 }
 
+func flattenBigqueryConnectionConnectionCloudSqlCredential(v interface{}, d *schema.ResourceData, config *Config) interface{} {
+	return []interface{}{
+		map[string]interface{}{
+			"username": d.Get("cloud_sql.0.credential.0.username"),
+			"password": d.Get("cloud_sql.0.credential.0.password"),
+		},
+	}
+}
+
 func flattenBigqueryConnectionConnectionCloudSqlType(v interface{}, d *schema.ResourceData, config *Config) interface{} {
 	return v
 }
@@ -390,6 +422,13 @@ func expandBigqueryConnectionConnectionCloudSql(v interface{}, d TerraformResour
 		transformed["database"] = transformedDatabase
 	}
 
+	transformedCredential, err := expandBigqueryConnectionConnectionCloudSqlCredential(original["credential"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedCredential); val.IsValid() && !isEmptyValue(val) {
+		transformed["credential"] = transformedCredential
+	}
+
 	transformedType, err := expandBigqueryConnectionConnectionCloudSqlType(original["type"], d, config)
 	if err != nil {
 		return nil, err
@@ -408,6 +447,40 @@ func expandBigqueryConnectionConnectionCloudSqlDatabase(v interface{}, d Terrafo
 	return v, nil
 }
 
+func expandBigqueryConnectionConnectionCloudSqlCredential(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedUsername, err := expandBigqueryConnectionConnectionCloudSqlCredentialUsername(original["username"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedUsername); val.IsValid() && !isEmptyValue(val) {
+		transformed["username"] = transformedUsername
+	}
+
+	transformedPassword, err := expandBigqueryConnectionConnectionCloudSqlCredentialPassword(original["password"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedPassword); val.IsValid() && !isEmptyValue(val) {
+		transformed["password"] = transformedPassword
+	}
+
+	return transformed, nil
+}
+
+func expandBigqueryConnectionConnectionCloudSqlCredentialUsername(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandBigqueryConnectionConnectionCloudSqlCredentialPassword(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandBigqueryConnectionConnectionCloudSqlType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
 	return v, nil
 }

google-beta/resource_bigquery_connection_connection_generated_test.go

@@ -60,6 +60,18 @@ resource "google_sql_database" "db" {
     name     = "db"
 }
 
+resource "random_password" "pwd" {
+    length = 16
+    special = false
+}
+
+resource "google_sql_user" "user" {
+    provider = google-beta
+    name = "user%{random_suffix}"
+    instance = google_sql_database_instance.instance.name
+    password = random_password.pwd.result
+}
+
 resource "google_bigquery_connection" "connection" {
     provider      = google-beta
     friendly_name = "👋"
@@ -68,6 +80,10 @@ resource "google_bigquery_connection" "connection" {
         instance_id = google_sql_database_instance.instance.connection_name
         database    = google_sql_database.db.name
         type        = "POSTGRES"
+        credential {
+          username = google_sql_user.user.name
+          password = google_sql_user.user.password
+        }
     }
 }
 `, context)
@@ -110,6 +126,18 @@ resource "google_sql_database" "db" {
     name     = "db"
 }
 
+resource "random_password" "pwd" {
+    length = 16
+    special = false
+}
+
+resource "google_sql_user" "user" {
+    provider = google-beta
+    name = "user%{random_suffix}"
+    instance = google_sql_database_instance.instance.name
+    password = random_password.pwd.result
+}
+
 resource "google_bigquery_connection" "connection" {
     provider      = google-beta
     connection_id = "tf-test-my-connection%{random_suffix}"
@@ -120,6 +148,10 @@ resource "google_bigquery_connection" "connection" {
         instance_id = google_sql_database_instance.instance.connection_name
         database    = google_sql_database.db.name
         type        = "POSTGRES"
+        credential {
+          username = google_sql_user.user.name
+          password = google_sql_user.user.password
+        }
     }
 }
 `, context)

google-beta/resource_bigquery_connection_test.go

@@ -46,6 +46,18 @@ resource "google_sql_database" "db" {
     name     = "db"
 }
 
+resource "random_password" "pwd" {
+    length = 16
+    special = false
+}
+
+resource "google_sql_user" "user" {
+    provider = google-beta
+    name = "username"
+    instance = google_sql_database_instance.instance.name
+    password = random_password.pwd.result
+}
+
 resource "google_bigquery_connection" "connection" {
     provider      = google-beta
     connection_id = "tf-test-my-connection%{random_suffix}"
@@ -56,6 +68,10 @@ resource "google_bigquery_connection" "connection" {
         instance_id = google_sql_database_instance.instance.connection_name
         database    = google_sql_database.db.name
         type        = "POSTGRES"
+        credential {
+            username = google_sql_user.user.name
+            password = google_sql_user.user.password
+        }
     }
 }
 `, context)
@@ -79,6 +95,18 @@ resource "google_sql_database" "db" {
     name     = "db2"
 }
 
+resource "random_password" "pwd" {
+    length = 16
+    special = false
+}
+
+resource "google_sql_user" "user" {
+    provider = google-beta
+    name = "username"
+    instance = google_sql_database_instance.instance.name
+    password = random_password.pwd.result
+}
+
 resource "google_bigquery_connection" "connection" {
     provider      = google-beta
     connection_id = "tf-test-my-connection%{random_suffix}"
@@ -89,6 +117,10 @@ resource "google_bigquery_connection" "connection" {
         instance_id = google_sql_database_instance.instance.connection_name
         database    = google_sql_database.db.name
         type        = "MYSQL"
+        credential {
+            username = google_sql_user.user.name
+            password = google_sql_user.user.password
+        }
     }
 }
 `, context)

website/docs/r/bigquery_connection.html.markdown

@@ -33,6 +33,9 @@ To get more information about Connection, see:
 * How-to Guides
     * [Cloud SQL federated queries](https://cloud.google.com/bigquery/docs/cloud-sql-federated-queries)
 
+~> **Warning:** All arguments including `cloud_sql.credential.password` will be stored in the raw
+state as plain-text. [Read more about sensitive data in state](/docs/state/sensitive-data.html).
+
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=bigquery_connection_basic&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
@@ -58,6 +61,18 @@ resource "google_sql_database" "db" {
     name     = "db"
 }
 
+resource "random_password" "pwd" {
+    length = 16
+    special = false
+}
+
+resource "google_sql_user" "user" {
+    provider = google-beta
+    name = "user"
+    instance = google_sql_database_instance.instance.name
+    password = random_password.pwd.result
+}
+
 resource "google_bigquery_connection" "connection" {
     provider      = google-beta
     friendly_name = "👋"
@@ -66,6 +81,10 @@ resource "google_bigquery_connection" "connection" {
         instance_id = google_sql_database_instance.instance.connection_name
         database    = google_sql_database.db.name
         type        = "POSTGRES"
+        credential {
+          username = google_sql_user.user.name
+          password = google_sql_user.user.password
+        }
     }
 }
 ```
@@ -94,6 +113,18 @@ resource "google_sql_database" "db" {
     name     = "db"
 }
 
+resource "random_password" "pwd" {
+    length = 16
+    special = false
+}
+
+resource "google_sql_user" "user" {
+    provider = google-beta
+    name = "user"
+    instance = google_sql_database_instance.instance.name
+    password = random_password.pwd.result
+}
+
 resource "google_bigquery_connection" "connection" {
     provider      = google-beta
     connection_id = "my-connection"
@@ -104,6 +135,10 @@ resource "google_bigquery_connection" "connection" {
         instance_id = google_sql_database_instance.instance.connection_name
         database    = google_sql_database.db.name
         type        = "POSTGRES"
+        credential {
+          username = google_sql_user.user.name
+          password = google_sql_user.user.password
+        }
     }
 }
 ```
@@ -128,6 +163,10 @@ The `cloud_sql` block supports:
   (Required)
   Database name.
 
+* `credential` -
+  (Required)
+  Cloud SQL properties.  Structure is documented below.
+
 * `type` -
   (Required)
   Type of the Cloud SQL database.
@@ -137,6 +176,17 @@ The `cloud_sql` block supports:
   * `POSTGRES`
   * `MYSQL`
 
+
+The `credential` block supports:
+
+* `username` -
+  (Required)
+  Username for database.
+
+* `password` -
+  (Required)
+  Password for database.  **Note**: This property is sensitive and will not be displayed in the plan.
+
 - - -