Increase the default complexity of Cloud SQL DB passwords

[lyricnz]

Per #2885

NOTE: this changes the type of root_password variable from a string (default null) to an object with password (same behaviour as old string) and random_password attributes (override password with a randomly-generated password). if value was not previously provided, default behaviour is the same.

---

Checklist

I applicable, I acknowledge that I have:

• Read the contributing guide
• Ran terraform fmt on all modified files
• Regenerated the relevant README.md files using tools/tfdoc.py
• Made sure all relevant tests pass

[lyricnz]

Added code to explicitly generate a root_password also (using the same logic). Otherwise the DB fails to create because the default (Google generated) password doesn't match the password policy.

As mentioned in hashicorp/terraform-provider-google#17265

[lyricnz]

Added code to explicitly generate a root_password also (using the same logic). Otherwise the DB fails to create because the default (Google generated) password doesn't match the password policy.

Maybe the module shouldn't do this? And rely on the caller passing a valid root_password, rather than generating it here? (but that's inconsistent with the pattern for non-root users, which do generate passwords if not provided)

[lyricnz]

Changed the root_password input to an object, as suggested. Here is the results of my testing with this code (the first case is the original bug #2885)

DB with no root_password config

Input:

module "db-none" {
  source     = "SOMEPLACE/lyricnz/cloud-foundation-fabric/modules/cloudsql-instance" # this PR
  # no root_password config
  password_validation_policy = {
    enabled                     = true
    default_complexity          = true
    disallow_username_substring = true
    min_length                  = 20
    reuse_interval              = 5
  }
}

Output:

Fails to create: googleapi: Error 400: Invalid request: Root user's password is not policy compliant: Length of password cannot be less than 20. Password does not meet the complexity criteria. ., invalid

DB with explicit password (too short)

Input:

module "db-explicit-short" {
  root_password = {
    password = "xxx"
  }
  password_validation_policy = { ... as above ... }
}

Output:

Fails to create: googleapi: Error 400: Invalid request: Root user's password is not policy compliant: Length of password cannot be less than 20. ., invalid

DB with explicit password (OK)

Input:

module "db-explicit" {
  root_password = {
    password = "Qy[E7N&Jv49u[F9jf3Ec"
  }
  password_validation_policy = { ... as above ... }
}

Output:

$ terraform state show -show-sensitive module.db-explicit.google_sql_database_instance.primary | grep root
    root_password                  = "Qy[E7N&Jv49u[F9jf3Ec"

DB with random_password

Input:

module "db-random" {
  root_password = {
    random_password = true
  }
  password_validation_policy = { ... as above ... }
}

Output:

$ terraform state show -show-sensitive module.db-random.google_sql_database_instance.primary | grep root
    root_password                  = "K*7bTarLtA-1!W=KK@$c"

DB with both explicit password and random_password (override)

Input:

module "db-override" {
  root_password = {
    password = "Qy[E7N&Jv49u[F9jf3Ec"
    random_password = true
  }
  password_validation_policy = { ... as above ... }
}

Output:

$ terraform state show -show-sensitive module.db-override.google_sql_database_instance.primary | grep root
    root_password                  = "FZ1F4aQ3&qVKM5B<tUrx"

[ludoo]

This is great, thanks for taking the time to run the changes. Can I ask you one last effort

• check the examples in the README to ensure the cases above are explained (if they are missing, a simple paragraph or code block is all we need)
• check that everything works without setting password validation

[lyricnz]

I tested with no password_policy:

module "db-none" {
  source     = "../modules/cloudsql-instance"
  name       = "test-db-no-root-password"
}

module "db-no-policy-password" {
  source     = "../modules/cloudsql-instance"
  name       = "test-db-no-policy-password"
  root_password = {
    password = "Qy[E7N&Jv49u[F9jf3Ec"
  }
}

module "db-no-policy-random" {
  source     = "../modules/cloudsql-instance"
  root_password = {
    random_password = true
  }
}

They all appeared to work fine. The validation caught the following error:

module "db-both" {
  source     = "../modules/cloudsql-instance"
  root_password = {
    password = "xyzzy"
    random_password = true
  }
}

error

│   on main.tf line 93, in module "db-both":
│   93:   root_password = {
│   94:     password = "xyzzy"
│   95:     random_password = true
│   96:   }
│     ├────────────────
│     │ var.root_password.password is "xyzzy"
│     │ var.root_password.random_password is true
│
│ Cannot provide root_password.password and root_password.random_password at the same time
│
│ This was checked by the validation rule at ../modules/cloudsql-instance/variables.tf:259,3-13.

[juliocc]

LGTM.

Thanks @lyricnz!