fix: random password for default user and additional users will also follow password validation policy (#443)

ravisiddhu · bharathkkb · renovate[bot] · web-flow · commit 0ceb0ed1fdd5 · 2023-03-15T10:05:00.000-07:00
Co-authored-by: Bharath KKB &lt;bharathkrishnakb@gmail.com&gt;
Co-authored-by: renovate[bot] &lt;29139614+renovate[bot]@users.noreply.github.com&gt;
Co-authored-by: g-awmalik &lt;malik.awais@gmail.com&gt;
Co-authored-by: Awais Malik &lt;awmalik@google.com&gt;
Co-authored-by: CFT Bot &lt;cloud-foundation-bot@google.com&gt;
diff --git a/modules/mysql/main.tf b/modules/mysql/main.tf
@@ -188,19 +188,27 @@ resource "random_password" "user-password" {
     name = google_sql_database_instance.default.name
   }
 
-  length     = 32
-  special    = var.enable_random_password_special
-  depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
+  min_lower   = 1
+  min_numeric = 1
+  min_upper   = 1
+  length      = var.password_validation_policy_config != null ? (var.password_validation_policy_config.min_length != null ? var.password_validation_policy_config.min_length + 4 : 32) : 32
+  special     = var.enable_random_password_special ? true : (var.password_validation_policy_config != null ? (var.password_validation_policy_config.complexity != "COMPLEXITY_UNSPECIFIED" ? true : false) : false)
+  min_special = var.enable_random_password_special ? 1 : (var.password_validation_policy_config != null ? (var.password_validation_policy_config.complexity != "COMPLEXITY_UNSPECIFIED" ? 1 : 0) : 0)
+  depends_on  = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
 
 resource "random_password" "additional_passwords" {
   for_each = local.users
   keepers = {
     name = google_sql_database_instance.default.name
   }
-  length     = 32
-  special    = var.enable_random_password_special
-  depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
+  min_lower   = 1
+  min_numeric = 1
+  min_upper   = 1
+  length      = var.password_validation_policy_config != null ? (var.password_validation_policy_config.min_length != null ? var.password_validation_policy_config.min_length + 4 : 32) : 32
+  special     = var.enable_random_password_special ? true : (var.password_validation_policy_config != null ? (var.password_validation_policy_config.complexity != "COMPLEXITY_UNSPECIFIED" ? true : false) : false)
+  min_special = var.enable_random_password_special ? 1 : (var.password_validation_policy_config != null ? (var.password_validation_policy_config.complexity != "COMPLEXITY_UNSPECIFIED" ? 1 : 0) : 0)
+  depends_on  = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
 
 resource "google_sql_user" "default" {
diff --git a/modules/postgresql/main.tf b/modules/postgresql/main.tf
@@ -197,20 +197,27 @@ resource "random_password" "user-password" {
   keepers = {
     name = google_sql_database_instance.default.name
   }
-
-  length     = 32
-  special    = var.enable_random_password_special
-  depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
+  min_lower   = 1
+  min_numeric = 1
+  min_upper   = 1
+  length      = var.password_validation_policy_config != null ? (var.password_validation_policy_config.min_length != null ? var.password_validation_policy_config.min_length + 4 : 32) : 32
+  special     = var.enable_random_password_special ? true : (var.password_validation_policy_config != null ? (var.password_validation_policy_config.complexity != "COMPLEXITY_UNSPECIFIED" ? true : false) : false)
+  min_special = var.enable_random_password_special ? 1 : (var.password_validation_policy_config != null ? (var.password_validation_policy_config.complexity != "COMPLEXITY_UNSPECIFIED" ? 1 : 0) : 0)
+  depends_on  = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
 
 resource "random_password" "additional_passwords" {
   for_each = local.users
   keepers = {
     name = google_sql_database_instance.default.name
   }
-  length     = 32
-  special    = var.enable_random_password_special
-  depends_on = [null_resource.module_depends_on, google_sql_database_instance.default]
+  min_lower   = 1
+  min_numeric = 1
+  min_upper   = 1
+  length      = var.password_validation_policy_config != null ? (var.password_validation_policy_config.min_length != null ? var.password_validation_policy_config.min_length + 4 : 32) : 32
+  special     = var.enable_random_password_special ? true : (var.password_validation_policy_config != null ? (var.password_validation_policy_config.complexity != "COMPLEXITY_UNSPECIFIED" ? true : false) : false)
+  min_special = var.enable_random_password_special ? 1 : (var.password_validation_policy_config != null ? (var.password_validation_policy_config.complexity != "COMPLEXITY_UNSPECIFIED" ? 1 : 0) : 0)
+  depends_on  = [null_resource.module_depends_on, google_sql_database_instance.default]
 }
 
 resource "google_sql_user" "default" {
