
Commit 9d9ef7f

authored
Merge pull request #10 from sparkfabrik/3083-bugs-terraform-google-gcp-cloud-native-drupal-resources-module
3083 bugs terraform google gcp cloud native drupal resources module
2 parents 65bfc47 + 229b12b commit 9d9ef7f


3 files changed

+32
-30
lines changed


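--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,12 @@ and this project adheres
 to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 
+## [0.3.2] - 2024-10-30
+
+### Changed
+
+- Fix accidental mysql credential exposure.
+
 ## [0.3.1] - 2023-04-14
 
 ### Changed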

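--- a/main.tf
+++ b/main.tf
@@ -3,16 +3,14 @@ resource "null_resource" "execute_cloud_sql_proxy" {
 for u in var.database_and_user_list : u.user => u
 } : {})
 provisioner "local-exec" {
-command = templatefile(
-"${path.module}/scripts/execute_cloud_sql_proxy.sh",
-{
-CLOUDSDK_CORE_PROJECT = var.project_id
-CLOUDSQL_PROXY_HOST = var.cloudsql_proxy_host
-CLOUDSQL_PROXY_PORT = var.cloudsql_proxy_port
-GCLOUD_PROJECT_REGION = var.region
-CLOUDSQL_INSTANCE_NAME = var.cloudsql_instance_name
-}
-)
+command = "${path.module}/scripts/execute_cloud_sql_proxy.sh"
+environment = {
+CLOUDSDK_CORE_PROJECT = var.project_id
+CLOUDSQL_PROXY_HOST = var.cloudsql_proxy_host
+CLOUDSQL_PROXY_PORT = var.cloudsql_proxy_port
+GCLOUD_PROJECT_REGION = var.region
+CLOUDSQL_INSTANCE_NAME = var.cloudsql_instance_name
+}
 interpreter = [
 "/bin/sh", "-c"
 ]
@@ -59,22 +57,20 @@ resource "google_sql_user" "sql_user" {
 host = each.value.user_host
 
 provisioner "local-exec" {
-command = templatefile(
-"${path.module}/scripts/execute_sql.sh",
-{
-CLOUDSDK_CORE_PROJECT = var.project_id
-GCLOUD_PROJECT_REGION = var.region
-CLOUDSQL_INSTANCE_NAME = var.cloudsql_instance_name
-CLOUDSQL_PROXY_HOST = var.cloudsql_proxy_host
-CLOUDSQL_PROXY_PORT = var.cloudsql_proxy_port
-CLOUDSQL_PRIVILEGED_USER_NAME = var.cloudsql_privileged_user_name
-CLOUDSQL_PRIVILEGED_USER_PASSWORD = var.cloudsql_privileged_user_password
-MYSQL_VERSION = data.google_sql_database_instance.cloudsql_instance.database_version
-USER = each.value.user
-USER_HOST = each.value.user_host
-DATABASE = each.value.database
-}
-)
+command = "${path.module}/scripts/execute_sql.sh"
+environment = {
+CLOUDSDK_CORE_PROJECT = var.project_id
+GCLOUD_PROJECT_REGION = var.region
+CLOUDSQL_INSTANCE_NAME = var.cloudsql_instance_name
+CLOUDSQL_PROXY_HOST = var.cloudsql_proxy_host
+CLOUDSQL_PROXY_PORT = var.cloudsql_proxy_port
+CLOUDSQL_PRIVILEGED_USER_NAME = var.cloudsql_privileged_user_name
+CLOUDSQL_PRIVILEGED_USER_PASSWORD = var.cloudsql_privileged_user_password
+MYSQL_VERSION = data.google_sql_database_instance.cloudsql_instance.database_version
+USER = each.value.user
+USER_HOST = each.value.user_host
+DATABASE = each.value.database
+}
 interpreter = [
 "/bin/sh", "-c"
 ]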
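Review bot: In the second hunk `CLOUDSQL_PRIVILEGED_USER_PASSWORD` now reaches the script through `environment` instead of being rendered into `command`, which keeps it out of the provisioner's command string, but scripts/execute_sql.sh still places it on the `mysql` argv, so the exposure moves to the local process list rather than disappearing; consider pairing this with the script-side change and, if not already done in variables.tf (not in this diff), declaring `var.cloudsql_privileged_user_password` with `sensitive = true`. In both hunks the `command` is a bare path handed to `/bin/sh -c`, so a `path.module` containing spaces or shell metacharacters is word-split; `interpreter = ["/bin/sh"]` would pass the path as a single argument without changing how the scripts run. The first hunk executes execute_cloud_sql_proxy.sh without template rendering, so if that script (not shown here) still contains any `%{ }` directives or relies on `trimspace()`-style template functions it will now fail under sh; worth confirming. Both provisioner blocks continue outside the hunks shown.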

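--- a/scripts/execute_sql.sh
+++ b/scripts/execute_sql.sh
@@ -20,13 +20,13 @@ for j in $(seq 1 10); do
 done
 
 if [ "$READY" -eq 0 ]; then
-%{~ if trimspace(MYSQL_VERSION) == "MYSQL_5_7" }
+if [ "$MYSQL_VERSION" = "MYSQL_5_7" ]; then
 mysql --host=${CLOUDSQL_PROXY_HOST} --port=${CLOUDSQL_PROXY_PORT} --user=${CLOUDSQL_PRIVILEGED_USER_NAME} --password=${CLOUDSQL_PRIVILEGED_USER_PASSWORD} --execute="REVOKE ALL PRIVILEGES, GRANT OPTION FROM '${USER}'@'${USER_HOST}'; GRANT ALL ON ${DATABASE}.* TO ${USER}@'${USER_HOST}';"
-%{ endif ~}
+fi
 
-%{~ if trimspace(MYSQL_VERSION) == "MYSQL_8_0" }
+if [ "$MYSQL_VERSION" = "MYSQL_8_0" ]; then
 mysql --host=${CLOUDSQL_PROXY_HOST} --port=${CLOUDSQL_PROXY_PORT} --user=${CLOUDSQL_PRIVILEGED_USER_NAME} --password=${CLOUDSQL_PRIVILEGED_USER_PASSWORD} --execute="REVOKE cloudsqlsuperuser FROM '${USER}'@'${USER_HOST}'; GRANT ALL ON ${DATABASE}.* TO ${USER}@'${USER_HOST}';"
-%{ endif ~}
+fi
 
 exit 0
 else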
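Review bot: The password is still passed as `--password=${CLOUDSQL_PRIVILEGED_USER_PASSWORD}` on the `mysql` command line in the two context lines between the new `if`/`fi` pairs, so for the duration of each call it is readable by any local account via the process list; the credential exposure named in the changelog is narrowed by this commit, not removed. A private option file created with `mktemp`, filled via `printf`, passed as `--defaults-extra-file=` (it must be the first option) and removed by an `EXIT` trap keeps the secret off argv, and while rewriting those lines the expansions should be quoted (`--host="$CLOUDSQL_PROXY_HOST"`) since they are now shell variables rather than template values. The new comparisons drop the old side's `trimspace()`, and when `MYSQL_VERSION` matches neither branch the script still reaches `exit 0`, so a stray whitespace or a new version string would silently skip the REVOKE/GRANT while Terraform records success; an `else` that reports and exits non-zero closes that gap. The enclosing `if [ "$READY" -eq 0 ]` and the readiness loop continue outside the hunk.

```shell
# … unchanged: proxy readiness loop …
if [ "$READY" -eq 0 ]; then
  # Keep the password off the mysql argv: pass it via a private option file.
  MYSQL_CNF=$(mktemp) || exit 1
  trap 'rm -f -- "$MYSQL_CNF"' EXIT
  printf '[client]\nuser=%s\npassword=%s\n' "$CLOUDSQL_PRIVILEGED_USER_NAME" "$CLOUDSQL_PRIVILEGED_USER_PASSWORD" > "$MYSQL_CNF"
  if [ "$MYSQL_VERSION" = "MYSQL_5_7" ]; then
    mysql --defaults-extra-file="$MYSQL_CNF" --host="$CLOUDSQL_PROXY_HOST" --port="$CLOUDSQL_PROXY_PORT" --execute="REVOKE ALL PRIVILEGES, GRANT OPTION FROM '${USER}'@'${USER_HOST}'; GRANT ALL ON ${DATABASE}.* TO ${USER}@'${USER_HOST}';"
  elif [ "$MYSQL_VERSION" = "MYSQL_8_0" ]; then
    mysql --defaults-extra-file="$MYSQL_CNF" --host="$CLOUDSQL_PROXY_HOST" --port="$CLOUDSQL_PROXY_PORT" --execute="REVOKE cloudsqlsuperuser FROM '${USER}'@'${USER_HOST}'; GRANT ALL ON ${DATABASE}.* TO ${USER}@'${USER_HOST}';"
  else
    printf 'unsupported MYSQL_VERSION: %s\n' "$MYSQL_VERSION" >&2
    exit 1
  fi
  exit 0
else
```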
