add support for IAM Group authentication to google_sql_user (#9685) (#6787)

* add support for IAM Group authentication to google_sql_user

* Update resource_sql_user_test.go

Minor formatting changes

* Update documentation and minor formatting changes
[upstream:4d160cb257e40ad9228a94766acfa3b77becb14e]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/9685.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+sql: added support for IAM GROUP authentication in the `type` field of `google_sql_user`
+```

.teamcity/components/generated/packages.kt

@@ -12,11 +12,6 @@ var packages = mapOf(
         "displayName" to "Environment Variables",
         "path" to "./google-beta/envvar"
     ),
-    "fwmodels" to mapOf(
-        "name" to "fwmodels",
-        "displayName" to "Framework Models",
-        "path" to "./google-beta/fwmodels"
-    ),
     "fwprovider" to mapOf(
         "name" to "fwprovider",
         "displayName" to "Framework Provider",

google-beta/services/sql/resource_sql_user.go

@@ -104,8 +104,8 @@ func ResourceSqlUser() *schema.Resource {
 				ForceNew:         true,
 				DiffSuppressFunc: tpgresource.EmptyOrDefaultStringSuppress("BUILT_IN"),
 				Description: `The user type. It determines the method to authenticate the user during login.
-                The default is the database's built-in user type. Flags include "BUILT_IN", "CLOUD_IAM_USER", or "CLOUD_IAM_SERVICE_ACCOUNT".`,
-				ValidateFunc: validation.StringInSlice([]string{"BUILT_IN", "CLOUD_IAM_USER", "CLOUD_IAM_SERVICE_ACCOUNT", ""}, false),
+                The default is the database's built-in user type. Flags include "BUILT_IN", "CLOUD_IAM_USER", "CLOUD_IAM_GROUP" or "CLOUD_IAM_SERVICE_ACCOUNT".`,
+				ValidateFunc: validation.StringInSlice([]string{"BUILT_IN", "CLOUD_IAM_USER", "CLOUD_IAM_GROUP", "CLOUD_IAM_SERVICE_ACCOUNT", ""}, false),
 			},
 			"sql_server_user_details": {
 				Type:     schema.TypeList,
@@ -351,10 +351,9 @@ func resourceSqlUserRead(d *schema.ResourceData, meta interface{}) error {
 	}
 
 	for _, currentUser := range users.Items {
-		if !strings.Contains(databaseInstance.DatabaseVersion, "POSTGRES") {
+		if !(strings.Contains(databaseInstance.DatabaseVersion, "POSTGRES") || currentUser.Type == "CLOUD_IAM_GROUP") {
 			name = strings.Split(name, "@")[0]
 		}
-
 		if currentUser.Name == name {
 			// Host can only be empty for postgres instances,
 			// so don't compare the host if the API host is empty.

google-beta/services/sql/resource_sql_user_test.go

@@ -76,6 +76,34 @@ func TestAccSqlUser_iamUser(t *testing.T) {
 	})
 }
 
+func TestAccSqlUser_iamGroupUser(t *testing.T) {
+	// Multiple fine-grained resources
+	acctest.SkipIfVcr(t)
+	t.Parallel()
+
+	instance := fmt.Sprintf("tf-test-%d", acctest.RandInt(t))
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccSqlUserDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testGoogleSqlUser_iamGroupUser(instance),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckGoogleSqlUserExists(t, "google_sql_user.user"),
+				),
+			},
+			{
+				ResourceName:            "google_sql_user.user",
+				ImportStateId:           fmt.Sprintf("%s/%s/[email protected]", envvar.GetTestProjectFromEnv(), instance),
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"password"},
+			},
+		},
+	})
+}
+
 func TestAccSqlUser_postgres(t *testing.T) {
 	t.Parallel()
 
@@ -507,3 +535,27 @@ resource "google_project_iam_member" "sa_user" {
 }
 `, instance, instance, instance, instance)
 }
+
+func testGoogleSqlUser_iamGroupUser(instance string) string {
+	return fmt.Sprintf(`
+resource "google_sql_database_instance" "instance" {
+  name                = "%s"
+  region              = "us-central1"
+  database_version    = "MYSQL_8_0"
+  deletion_protection = false
+  settings {
+    tier = "db-f1-micro"
+    database_flags {
+      name  = "cloudsql_iam_authentication"
+      value = "on"
+    }
+  }
+}
+
+resource "google_sql_user" "user" {
+  name     = "[email protected]"
+  instance = google_sql_database_instance.instance.name
+  type     = "CLOUD_IAM_GROUP"
+}
+`, instance)
+}

website/docs/r/sql_user.html.markdown

@@ -74,6 +74,34 @@ resource "google_sql_user" "iam_service_account_user" {
 }
 ```
 
+Example using [Cloud SQL IAM Group authentication](https://cloud.google.com/sql/docs/mysql/iam-authentication#iam-group-auth).
+
+```hcl
+resource "random_id" "db_name_suffix" {
+  byte_length = 4
+}
+
+resource "google_sql_database_instance" "main" {
+  name             = "main-instance-${random_id.db_name_suffix.hex}"
+  database_version = "MYSQL_8_0"
+
+  settings {
+    tier = "db-f1-micro"
+
+    database_flags {
+      name  = "cloudsql.iam_authentication"
+      value = "on"
+    }
+  }
+}
+
+resource "google_sql_user" "iam_group_user" {
+  name     = "[email protected]"
+  instance = google_sql_database_instance.main.name
+  type     = "CLOUD_IAM_GROUP"
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
@@ -91,7 +119,7 @@ The following arguments are supported:
 
 * `type` - (Optional) The user type. It determines the method to authenticate the
     user during login. The default is the database's built-in user type. Flags
-    include "BUILT_IN", "CLOUD_IAM_USER", or "CLOUD_IAM_SERVICE_ACCOUNT".
+    include "BUILT_IN", "CLOUD_IAM_USER", "CLOUD_IAM_GROUP" or "CLOUD_IAM_SERVICE_ACCOUNT".
 
 * `deletion_policy` - (Optional) The deletion policy for the user.
     Setting `ABANDON` allows the resource to be abandoned rather than deleted. This is useful