Database user host is configurable.

Author: andypanix

CHANGELOG.md

@@ -3,8 +3,16 @@
 All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+and this project adheres
+to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.2] - 2023-01-23
+
+### Changed
+
+- The user host is configurable, and not hardcoded to `%`. This allows to
+  restrict the access to the database to a specific host. If not specified, it
+  will use the default value `%`.
 
 ## [0.2.1] - 2023-01-19
 

README.md

@@ -21,7 +21,7 @@ In addition, the script must be able to connect to the CloudSQL instance. In cas
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2 |
 | <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.47.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.4.3 |
@@ -34,7 +34,7 @@ In addition, the script must be able to connect to the CloudSQL instance. In cas
 | <a name="input_cloudsql_privileged_user_password"></a> [cloudsql\_privileged\_user\_password](#input\_cloudsql\_privileged\_user\_password) | The password of the privileged user of the Cloud SQL instance | `string` | n/a | yes |
 | <a name="input_cloudsql_proxy_host"></a> [cloudsql\_proxy\_host](#input\_cloudsql\_proxy\_host) | The host of the Cloud SQL Auth Proxy; if a value other than localhost or 127.0.0.1 (default) is entered, it is assumed that there is a CloudSQL Auth Proxy instance defined and already configured outside this module, and therefore the proxy will not be launched. | `string` | `"127.0.0.1"` | no |
 | <a name="input_cloudsql_proxy_port"></a> [cloudsql\_proxy\_port](#input\_cloudsql\_proxy\_port) | Port of the Cloud SQL Auth Proxy | `string` | `"1234"` | no |
-| <a name="input_database_and_user_list"></a> [database\_and\_user\_list](#input\_database\_and\_user\_list) | The list with all the databases and the relative user. Please not that you can assign only a database to a single user, the same user cannot be assigned to multiple databases. | <pre>list(object({<br>    user     = string<br>    database = string<br>  }))</pre> | n/a | yes |
+| <a name="input_database_and_user_list"></a> [database\_and\_user\_list](#input\_database\_and\_user\_list) | The list with all the databases and the relative user. Please not that you can assign only a database to a single user, the same user cannot be assigned to multiple databases. `user_host` is optional, has a default value of '%' to allow the user to connect from any host, or you can specify it for the given user for a more restrictive access. | <pre>list(object({<br>    user      = string<br>    user_host = optional(string, "%")<br>    database  = string<br>  }))</pre> | n/a | yes |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The ID of the project in which the resource belongs. | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The region in which the resource belongs. | `string` | n/a | yes |
 | <a name="input_terraform_start_cloud_sql_proxy"></a> [terraform\_start\_cloud\_sql\_proxy](#input\_terraform\_start\_cloud\_sql\_proxy) | If `true` terraform will automatically start the Cloud SQL Proxy instance present in the filesystem at the condition that cloudsql\_proxy\_host is set to a supported value. If `false` you have to start the Cloud SQL Proxy manually. This variable is used to prevent the creation of a Cloud SQL Proxy instance even if cloudsql\_proxy\_host has a supported value. | `bool` | `true` | no |

examples/test.tfvars

@@ -4,15 +4,16 @@ database_and_user_list = [
     user     = "user1"
   },
   {
-    database = "db2"
-    user     = "user2"
+    database  = "db2"
+    user      = "user2"
   },
   {
     database = "db3"
     user     = "user3"
   },
   {
     database = "db4"
+    user_host = "cloudsqlproxy~%"
     user     = "user4"
   }
 ]

main.tf

@@ -56,7 +56,7 @@ resource "google_sql_user" "sql_user" {
   instance = var.cloudsql_instance_name
   name     = each.value.user
   password = random_password.sql_user_password[each.value.user].result
-  host     = "%"
+  host     = each.value.user_host
 
   provisioner "local-exec" {
     command = templatefile(
@@ -71,6 +71,7 @@ resource "google_sql_user" "sql_user" {
         CLOUDSQL_PRIVILEGED_USER_PASSWORD = var.cloudsql_privileged_user_password
         MYSQL_VERSION                     = data.google_sql_database_instance.cloudsql_instance.database_version
         USER                              = each.value.user
+        USER_HOST                         = each.value.user_host
         DATABASE                          = each.value.database
       }
     )

scripts/execute_sql.sh

@@ -21,11 +21,11 @@ done
 
 if [ "$READY" -eq 0 ]; then
     %{~ if trimspace(MYSQL_VERSION) == "MYSQL_5_7" }
-    mysql --host=${CLOUDSQL_PROXY_HOST} --port=${CLOUDSQL_PROXY_PORT} --user=${CLOUDSQL_PRIVILEGED_USER_NAME} --password=${CLOUDSQL_PRIVILEGED_USER_PASSWORD} --execute="REVOKE ALL PRIVILEGES, GRANT OPTION FROM '${USER}'@'%'; GRANT ALL ON ${DATABASE}.* TO ${USER}@'%';"
+    mysql --host=${CLOUDSQL_PROXY_HOST} --port=${CLOUDSQL_PROXY_PORT} --user=${CLOUDSQL_PRIVILEGED_USER_NAME} --password=${CLOUDSQL_PRIVILEGED_USER_PASSWORD} --execute="REVOKE ALL PRIVILEGES, GRANT OPTION FROM '${USER}'@'${USER_HOST}'; GRANT ALL ON ${DATABASE}.* TO ${USER}@'${USER_HOST}';"
     %{ endif ~}
 
     %{~ if trimspace(MYSQL_VERSION) == "MYSQL_8_0" }
-    mysql --host=${CLOUDSQL_PROXY_HOST} --port=${CLOUDSQL_PROXY_PORT} --user=${CLOUDSQL_PRIVILEGED_USER_NAME} --password=${CLOUDSQL_PRIVILEGED_USER_PASSWORD} --execute="REVOKE cloudsqlsuperuser FROM '${USER}'@'%'; GRANT ALL ON ${DATABASE}.* TO ${USER}@'%';"
+    mysql --host=${CLOUDSQL_PROXY_HOST} --port=${CLOUDSQL_PROXY_PORT} --user=${CLOUDSQL_PRIVILEGED_USER_NAME} --password=${CLOUDSQL_PRIVILEGED_USER_PASSWORD} --execute="REVOKE cloudsqlsuperuser FROM '${USER}'@'${USER_HOST}'; GRANT ALL ON ${DATABASE}.* TO ${USER}@'${USER_HOST}';"
     %{ endif ~}
 
     exit 0

variables.tf

@@ -41,11 +41,12 @@ variable "cloudsql_privileged_user_password" {
   description = "The password of the privileged user of the Cloud SQL instance"
 }
 
+# Optional value: refs https://developer.hashicorp.com/terraform/language/expressions/type-constraints#optional-object-type-attributes
 variable "database_and_user_list" {
   type = list(object({
-    user     = string
-    database = string
+    user      = string
+    user_host = optional(string, "%")
+    database  = string
   }))
-  description = "The list with all the databases and the relative user. Please not that you can assign only a database to a single user, the same user cannot be assigned to multiple databases."
+  description = "The list with all the databases and the relative user. Please not that you can assign only a database to a single user, the same user cannot be assigned to multiple databases. `user_host` is optional, has a default value of '%' to allow the user to connect from any host, or you can specify it for the given user for a more restrictive access."
 }
-