feat: enhance MySQL support and improve script logging

Author: filippolmt

README.md

@@ -4,6 +4,8 @@ This module creates database and users on an existing CloudSQL instance. The str
 
 To enforce permissions, the module executes SQL commands with the mysql cli, which is therefore a prerequisite (it must be present in the filesystem where terraform apply is executed).
 
+For MySQL 8.x instances, the module automatically removes the default `cloudsqlsuperuser` role, clears any global privileges and assigns the target database as the only default role so that new users are scoped exclusively to their database.
+
 In addition, the script must be able to connect to the CloudSQL instance. In case this is not easily accessible from the terraform cli, the module is able to:
 
 1. Start an instance of [CloudSQL Auth Proxy](https://cloud.google.com/sql/docs/mysql/sql-proxy), for this purpose two null resources will be created for each user added to the database, enabling this option requires the [presence of the proxy executable](https://cloud.google.com/sql/docs/mysql/sql-proxy) in the filesystem where `terraform apply` is executed.
@@ -33,7 +35,7 @@ CloudSQL Auth Proxy needs the CloudSQL instance to expose a public IP address in
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_cloudsql_instance_name"></a> [cloudsql\_instance\_name](#input\_cloudsql\_instance\_name) | The name of the existing Google CloudSQL Instance name. Actually only a MySQL 5.7 or 8 instance is supported. | `string` | n/a | yes |
+| <a name="input_cloudsql_instance_name"></a> [cloudsql\_instance\_name](#input\_cloudsql\_instance\_name) | The name of the existing Google CloudSQL Instance name. MySQL 5.7, 8.0 and 8.4 are supported. | `string` | n/a | yes |
 | <a name="input_cloudsql_privileged_user_name"></a> [cloudsql\_privileged\_user\_name](#input\_cloudsql\_privileged\_user\_name) | The name of the privileged user of the Cloud SQL instance | `string` | n/a | yes |
 | <a name="input_cloudsql_privileged_user_password"></a> [cloudsql\_privileged\_user\_password](#input\_cloudsql\_privileged\_user\_password) | The password of the privileged user of the Cloud SQL instance | `string` | n/a | yes |
 | <a name="input_cloudsql_proxy_host"></a> [cloudsql\_proxy\_host](#input\_cloudsql\_proxy\_host) | The host of the Cloud SQL Auth Proxy; if a value other than localhost or 127.0.0.1 (default) is entered, it is assumed that there is a CloudSQL Auth Proxy instance defined and already configured outside this module, and therefore the proxy will not be launched. | `string` | `"127.0.0.1"` | no |

scripts/execute_cloud_sql_proxy.sh

@@ -1,31 +1,50 @@
 #!/usr/bin/env sh
 
-if ! [ -x "$(command -v cloud_sql_proxy)" ]; then
-    echo "Error: cannot find the cloud_sql_proxy executable, please install it or add to your path." >&2
+set -eu
+
+# shellcheck disable=SC3040
+if (set -o pipefail 2>/dev/null); then
+    set -o pipefail
+fi
+
+log() {
+    printf '[sql-proxy] %s\n' "${1}"
+}
+
+PROXY_BIN=""
+if command -v cloud_sql_proxy >/dev/null 2>&1; then
+    PROXY_BIN="cloud_sql_proxy"
+else
+    log "Error: cannot find the Cloud SQL Auth Proxy executable cloud_sql_proxy. Please install it or add it to your PATH." >&2
     exit 1
-elif ! [ -x "$(command -v nc)" ]; then
-    echo "Error: Netcat is not installed." >&2
+fi
+
+if ! command -v nc >/dev/null 2>&1; then
+    log "Error: Netcat is not installed." >&2
     exit 1
 fi
 
-SERVICE="cloud_sql_proxy"
+CONNECTION_NAME="${CLOUDSDK_CORE_PROJECT}:${GCLOUD_PROJECT_REGION}:${CLOUDSQL_INSTANCE_NAME}"
 
-if ! pgrep -x "$SERVICE" >/dev/null
-then
-    exec cloud_sql_proxy -instances="${CLOUDSDK_CORE_PROJECT}:${GCLOUD_PROJECT_REGION}:${CLOUDSQL_INSTANCE_NAME}"="tcp:0.0.0.0:${CLOUDSQL_PROXY_PORT}" /dev/null 2>&1 &
+if ! pgrep -x "$PROXY_BIN" >/dev/null; then
+    log "Starting Cloud SQL Auth Proxy (${PROXY_BIN}) for ${CONNECTION_NAME} on localhost:${CLOUDSQL_PROXY_PORT}."
+    "${PROXY_BIN}" "${CONNECTION_NAME}" --port "${CLOUDSQL_PROXY_PORT}" >/dev/null 2>&1 &
+    sleep 1s
+else
+    log "Cloud SQL Auth Proxy already running; skipping start."
 fi
 
 for j in $(seq 1 10); do
     READY=$(sh -c 'nc -v ${CLOUDSQL_PROXY_HOST} ${CLOUDSQL_PROXY_PORT} </dev/null; echo $?;' 2>/dev/null)
     if [ "$READY" -eq 0 ]; then
-        echo "Connection with with CloudSQL Auth Proxy established at ${CLOUDSQL_PROXY_HOST}."
+        log "Connection with Cloud SQL Auth Proxy established at ${CLOUDSQL_PROXY_HOST}:${CLOUDSQL_PROXY_PORT}."
         break
     fi
-    echo "Waiting for Cloud SQL Proxy to start... $j"
+    log "Waiting for Cloud SQL Proxy to start (attempt ${j}/10)..."
     sleep 1s
 done
 
-if [ "$READY" -eq 1 ]; then
-    echo "ERROR: cannot connect to the CloudSQL Auth Proxy at ${CLOUDSQL_PROXY_HOST}, please check your settings."
+if [ "$READY" -ne 0 ]; then
+    log "ERROR: cannot connect to the Cloud SQL Auth Proxy at ${CLOUDSQL_PROXY_HOST}:${CLOUDSQL_PROXY_PORT}, please check your settings." >&2
     exit 1
 fi

scripts/execute_sql.sh

@@ -1,35 +1,65 @@
 #!/usr/bin/env sh
 
+set -eu
+
+# shellcheck disable=SC3040
+if (set -o pipefail 2>/dev/null); then
+    set -o pipefail
+fi
+
+log() {
+    printf '[sql-grant] %s\n' "${1}"
+}
+
 if ! [ -x "$(command -v mysql)" ]; then
-    echo "Error: the mysql client is not installed or is not in your path. Please add the mysql client executable." >&2
+    log "Error: the mysql client is not installed or is not in your path. Please add the mysql client executable." >&2
     exit 1
 elif ! [ -x "$(command -v nc)" ]; then
-    echo "Error: Netcat is not installed." >&2
+    log "Error: Netcat is not installed." >&2
     exit 1
 fi
 
 for j in $(seq 1 10); do
     READY=$(sh -c 'nc -v ${CLOUDSQL_PROXY_HOST} ${CLOUDSQL_PROXY_PORT} </dev/null; echo $?;' 2>/dev/null)
 
     if [ "$READY" -eq 0 ]; then
-        echo "Connection with with CloudSQL Auth Proxy established at ${CLOUDSQL_PROXY_HOST}."
+        log "Connection with CloudSQL Auth Proxy established at ${CLOUDSQL_PROXY_HOST}:${CLOUDSQL_PROXY_PORT}."
         break
     fi
-    echo "Waiting for Cloud SQL Proxy to start... $j"
+    log "Waiting for Cloud SQL Proxy to start (attempt ${j}/10)..."
     sleep 1s
 done
 
 if [ "$READY" -eq 0 ]; then
-    if [ "${MYSQL_VERSION:0:9}" = "MYSQL_5_7" ]; then
-    mysql --host=${CLOUDSQL_PROXY_HOST} --port=${CLOUDSQL_PROXY_PORT} --user=${CLOUDSQL_PRIVILEGED_USER_NAME} --password=${CLOUDSQL_PRIVILEGED_USER_PASSWORD} --execute="REVOKE ALL PRIVILEGES, GRANT OPTION FROM '${USER}'@'${USER_HOST}'; GRANT ALL ON ${DATABASE}.* TO ${USER}@'${USER_HOST}';"
-    fi
+    USER_IDENTIFIER="'${USER}'@'${USER_HOST}'"
+    DATABASE_IDENTIFIER="\`${DATABASE}\`.*"
 
-    if [ "${MYSQL_VERSION:0:9}" = "MYSQL_8_0" ]; then
-    mysql --host=${CLOUDSQL_PROXY_HOST} --port=${CLOUDSQL_PROXY_PORT} --user=${CLOUDSQL_PRIVILEGED_USER_NAME} --password=${CLOUDSQL_PRIVILEGED_USER_PASSWORD} --execute="REVOKE cloudsqlsuperuser FROM '${USER}'@'${USER_HOST}'; GRANT ALL ON ${DATABASE}.* TO ${USER}@'${USER_HOST}';"
+    log "Preparing privilege statements for ${USER_IDENTIFIER} on database \`${DATABASE}\` (MySQL ${MYSQL_VERSION})."
+
+    case "${MYSQL_VERSION}" in
+        MYSQL_5_7*)
+            SQL_COMMANDS="REVOKE ALL PRIVILEGES, GRANT OPTION FROM ${USER_IDENTIFIER}; GRANT ALL PRIVILEGES ON ${DATABASE_IDENTIFIER} TO ${USER_IDENTIFIER};"
+            ;;
+        MYSQL_8_0*|MYSQL_8_4*)
+            SQL_COMMANDS="REVOKE cloudsqlsuperuser FROM ${USER_IDENTIFIER}; SET DEFAULT ROLE NONE TO ${USER_IDENTIFIER}; GRANT ALL PRIVILEGES ON ${DATABASE_IDENTIFIER} TO ${USER_IDENTIFIER};"
+            ;;
+        *)
+            log "ERROR: Unsupported MySQL version ${MYSQL_VERSION}." >&2
+            exit 1
+            ;;
+    esac
+
+    printf '[sql-grant] Executing SQL statements:\n%s\n' "${SQL_COMMANDS}"
+
+    if ! MYSQL_PWD="${CLOUDSQL_PRIVILEGED_USER_PASSWORD}" mysql --host="${CLOUDSQL_PROXY_HOST}" --port="${CLOUDSQL_PROXY_PORT}" --user="${CLOUDSQL_PRIVILEGED_USER_NAME}" --execute="${SQL_COMMANDS}"; then
+        log "ERROR: Failed to apply privileges for ${USER_IDENTIFIER} on ${DATABASE}." >&2
+        exit 1
     fi
 
+    log "Successfully applied privileges for ${USER_IDENTIFIER}."
+
     exit 0
 else
-    echo "ERROR: cannot connect to the CloudSQL Auth Proxy at ${CLOUDSQL_PROXY_HOST}, please check your settings."
+    log "ERROR: cannot connect to the CloudSQL Auth Proxy at ${CLOUDSQL_PROXY_HOST}:${CLOUDSQL_PROXY_PORT}, please check your settings." >&2
     exit 1
 fi

scripts/kill_cloud_sql_proxy.sh

@@ -1,12 +1,23 @@
 #!/usr/bin/env sh
 
-SERVICE="cloud_sql_proxy"
+set -eu
 
-if pgrep -x "$SERVICE" >/dev/null; then
-    # It's better to take some time and to wait for the other tasks to finish
-    # before killing the proxy; do not entering a sleep time, can lead to a
-    # race condition error when simultaneously creating and destroying resources.
+# shellcheck disable=SC3040
+if (set -o pipefail 2>/dev/null); then
+    set -o pipefail
+fi
+
+log() {
+    printf '[sql-proxy] %s\n' "${1}"
+}
+
+PROXY_BIN="cloud_sql_proxy"
+if pgrep -x "$PROXY_BIN" >/dev/null; then
+    log "Detected running ${PROXY_BIN}; waiting 5 seconds before shutdown to avoid race conditions."
     sleep 5s
-    PID_CLOUD_SQL_PROXY=$(pgrep -x ${SERVICE})
-    kill "$PID_CLOUD_SQL_PROXY" || true
+    # Obtain the PID of the running Cloud SQL Auth Proxy and terminate gently.
+    PID="$(pgrep -x "$PROXY_BIN")"
+    log "Stopping ${PROXY_BIN} (PID(s): ${PID})."
+
+    kill "${PID}" || true
 fi

variables.tf

@@ -10,7 +10,7 @@ variable "region" {
 
 variable "cloudsql_instance_name" {
   type        = string
-  description = "The name of the existing Google CloudSQL Instance name. Actually only a MySQL 5.7 or 8 instance is supported."
+  description = "The name of the existing Google CloudSQL Instance name. MySQL 5.7, 8.0 and 8.4 are supported."
 }
 
 variable "terraform_start_cloud_sql_proxy" {

versions.tf

@@ -16,4 +16,3 @@ terraform {
     }
   }
 }
-