
enable SQL IAM usage for mysql-shard
Signed-off-by: Bob Callaway <bcallaway@google.com>
bobcallaway committed Feb 13, 2025
1 parent 9d40cc7 commit 79dbf2f
Showing 4 changed files with 45 additions and 2 deletions.
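--- a/terraform/gcp/modules/mysql-shard/mysql.tf
+++ b/terraform/gcp/modules/mysql-shard/mysql.tf
@@ -106,3 +106,32 @@ resource "google_sql_user" "trillian" {
 depends_on = [google_sql_database_instance.trillian]
 }
 
+// be sure to manually GRANT SELECT, INSERT, CREATE privileges for this user
+resource "google_sql_user" "iam_user" {
+name = var.cloud_sql_iam_service_account
+instance = google_sql_database_instance.trillian.name
+type = "CLOUD_IAM_SERVICE_ACCOUNT"
+}
+
+resource "google_project_iam_member" "db_iam_auth" {
+project = var.project_id
+role = "roles/cloudsql.instanceUser"
+member = "serviceAccount:${var.cloud_sql_iam_service_account}"
+}
+
+resource "google_sql_user" "breakglass_iam_group" {
+count = var.breakglass_iam_group != "" ? 1 : 0
+name = var.breakglass_iam_group
+instance = google_sql_database_instance.trillian.name
+type = "CLOUD_IAM_GROUP"
+}
+
+resource "google_project_iam_member" "breakglass_iam_group_permissions" {
+for_each = toset([
+"roles/cloudsql.client",
+"roles/cloudsql.instanceUser"
+])
+project = var.project_id
+role = each.key
+member = var.breakglass_iam_group != "" ? "group:${var.breakglass_iam_group}" : null
+}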
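Review bot: `google_project_iam_member.breakglass_iam_group_permissions` sets `member` to `null` when `var.breakglass_iam_group` is empty, but `member` is a required argument of that resource, so a null value is treated as omitted and the plan fails instead of skipping the grant; the same pattern is introduced in `terraform/gcp/modules/mysql/mysql.tf` in this commit. Gate the `for_each` instead, mirroring the `count` guard on `google_sql_user.breakglass_iam_group`: `for_each = toset(var.breakglass_iam_group != "" ? ["roles/cloudsql.client", "roles/cloudsql.instanceUser"] : [])` and `member = "group:${var.breakglass_iam_group}"`. Separately, `db_iam_auth` and the breakglass grants are project-wide roles created inside a module that sigstore.tf instantiates per shard, and the mysql module already creates the same group grants, so the same (project, role, member) tuple ends up owned by several `google_project_iam_member` resources; destroying any one of them (for example when retiring a shard) removes the grant that the others still record in state. Consider making these project-level grants once outside the shard module, or add a comment here stating that duplicate ownership is expected and why. The hunk starts inside the `trillian` user resource, whose beginning is outside the hunk.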
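--- a/terraform/gcp/modules/mysql-shard/variables.tf
+++ b/terraform/gcp/modules/mysql-shard/variables.tf
@@ -128,3 +128,13 @@ variable "collation" {
 description = "collation setting for database"
 default = "utf8mb3_general_ci"
 }
+
+variable "cloud_sql_iam_service_account" {
+type = string
+description = "name of Cloud SQL IAM service account to create database user for"
+}
+
+variable "breakglass_iam_group" {
+type = string
+description = "name of Cloud IAM group to use for database access in case of emergency"
+}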
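Review bot: `breakglass_iam_group` has no `default`, yet mysql.tf in this module treats the empty string as "no breakglass group", so every caller must pass the variable explicitly even to disable the feature; `default = ""` would match that contract and keep existing module calls valid. Both descriptions say "name", while the values are interpolated into `serviceAccount:` and `group:` IAM members, which take email addresses, so the descriptions should say what form is expected: `description = "email address of the Cloud SQL IAM service account to create a database user for; it is also granted roles/cloudsql.instanceUser on the project"` and `description = "email address of the Cloud Identity group granted emergency database access; empty string disables the breakglass user and grants"`.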
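--- a/terraform/gcp/modules/mysql/mysql.tf
+++ b/terraform/gcp/modules/mysql/mysql.tf
@@ -261,12 +261,12 @@ resource "google_sql_user" "breakglass_iam_group" {
 type = "CLOUD_IAM_GROUP"
 }
 
-resource "google_project_iam_binding" "breakglass_iam_group_permissions" {
+resource "google_project_iam_member" "breakglass_iam_group_permissions" {
 for_each = toset([
 "roles/cloudsql.client",
 "roles/cloudsql.instanceUser"
 ])
 project = var.project_id
 role = each.key
-members = var.breakglass_iam_group != "" ? ["group:${var.breakglass_iam_group}"] : []
+member = var.breakglass_iam_group != "" ? "group:${var.breakglass_iam_group}" : null
 }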
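Review bot: Replacing `google_project_iam_binding` with `google_project_iam_member` changes the ownership semantics of these two roles without a note in the code: the binding was authoritative per role and would strip any member added outside Terraform, whereas the per-member resource leaves such members in place, so any cleanup that relied on the binding is gone. Because the two resource addresses have different types a `moved` block cannot bridge them, so on the next apply the old binding is destroyed and the new member created as independent operations; depending on ordering the binding's delete can rewrite the role policy after the member was added, leaving the group without the grant until a further apply. A comment above the resource such as `# non-authoritative: only manages the breakglass group's membership in each role` would record the intent, and the rollout is worth mentioning in the commit message.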
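--- a/terraform/gcp/modules/sigstore/sigstore.tf
+++ b/terraform/gcp/modules/sigstore/sigstore.tf
@@ -381,6 +381,8 @@ module "ctlog_shards" {
 binary_log_backup_enabled = var.mysql_binary_log_backup_enabled
 collation = var.mysql_collation
 
+cloud_sql_iam_service_account = module.mysql.trillian_serviceaccount
+breakglass_iam_group = var.breakglass_sql_iam_group
 
 depends_on = [
 module.gke-cluster,
@@ -432,6 +434,8 @@ module "standalone_mysqls" {
 binary_log_backup_enabled = var.mysql_binary_log_backup_enabled
 collation = var.mysql_collation
 
+cloud_sql_iam_service_account = module.mysql.trillian_serviceaccount
+breakglass_iam_group = var.breakglass_sql_iam_group
 
 depends_on = [
 module.gke-cluster,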
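Review bot: `module.mysql.trillian_serviceaccount` is passed as `cloud_sql_iam_service_account`, which the shard module uses both inside a `serviceAccount:` IAM member (which needs the full email) and as the `google_sql_user` name with type `CLOUD_IAM_SERVICE_ACCOUNT`; if I recall the Cloud SQL for MySQL documentation correctly, the IAM database user name for a service account is the email without its `.gserviceaccount.com` suffix, so one output value may not fit both uses — worth confirming against the output definition, which is outside this diff. Both `ctlog_shards` and `standalone_mysqls` receive the same service account and group, so every instance those two module calls expand to creates its own project-level IAM member for the same identities. A comment at the first of these argument blocks, such as `# the shard module creates IAM database users and project-level Cloud SQL grants for these identities`, would make that side effect visible to callers. Both module blocks start before and end after their hunks.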
