Feature/40 tls options (petoju#41)

Add SSL options to user/grant resources
pendo-io · Oct 20, 2018 · 538e0f8 · 538e0f8
1 parent 9064bf7
commit 538e0f8
Show file tree

Hide file tree

Showing 7 changed files with 107 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,13 @@
 ## 1.1.1 (Unreleased)
+
+IMPROVEMENTS:
+
+* `resource/user`: Added the `tls_option` attribute, which allows to restrict
+  the MySQL users to a specific MySQL-TLS-Encryption. ([#26](https://github.com/terraform-providers/terraform-provider-mysql/issues/40))
+
+* `resource/gant`: Added the `tls_option` attribute, which allows to restrict
+  the MySQL grant to a specific MySQL-TLS-Encryption. ([#26](https://github.com/terraform-providers/terraform-provider-mysql/issues/40))
+
 ## 1.1.0 (March 28, 2018)
 
 IMPROVEMENTS:

diff --git a/mysql/resource_grant.go b/mysql/resource_grant.go
@@ -51,6 +51,13 @@ func resourceGrant() *schema.Resource {
 				ForceNew: true,
 				Default:  false,
 			},
+
+			"tls_option": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+				Default:  "NONE",
+			},
 		},
 	}
 }
@@ -73,6 +80,8 @@ func CreateGrant(d *schema.ResourceData, meta interface{}) error {
 		d.Get("user").(string),
 		d.Get("host").(string))
 
+	stmtSQL += fmt.Sprintf(" REQUIRE %s", d.Get("tls_option").(string))
+
 	if d.Get("grant").(bool) {
 		stmtSQL += " WITH GRANT OPTION"
 	}

diff --git a/mysql/resource_grant_test.go b/mysql/resource_grant_test.go
@@ -24,6 +24,17 @@ func TestAccGrant(t *testing.T) {
 					resource.TestCheckResourceAttr("mysql_grant.test", "user", "jdoe"),
 					resource.TestCheckResourceAttr("mysql_grant.test", "host", "example.com"),
 					resource.TestCheckResourceAttr("mysql_grant.test", "database", "foo"),
+					resource.TestCheckResourceAttr("mysql_grant.test", "tls_option", "NONE"),
+				),
+			},
+			resource.TestStep{
+				Config: testAccGrantConfig_ssl,
+				Check: resource.ComposeTestCheckFunc(
+					testAccPrivilegeExists("mysql_grant.test", "SELECT"),
+					resource.TestCheckResourceAttr("mysql_grant.test", "user", "jdoe"),
+					resource.TestCheckResourceAttr("mysql_grant.test", "host", "example.com"),
+					resource.TestCheckResourceAttr("mysql_grant.test", "database", "foo"),
+					resource.TestCheckResourceAttr("mysql_grant.test", "tls_option", "SSL"),
 				),
 			},
 		},
@@ -125,3 +136,19 @@ resource "mysql_grant" "test" {
         privileges = ["UPDATE", "SELECT"]
 }
 `
+
+const testAccGrantConfig_ssl = `
+resource "mysql_user" "test" {
+        user = "jdoe"
+				host = "example.com"
+				password = "password"
+}
+
+resource "mysql_grant" "test" {
+        user = "${mysql_user.test.user}"
+        host = "${mysql_user.test.host}"
+        database = "foo"
+		privileges = ["UPDATE", "SELECT"]
+		tls_option = "SSL"
+}
+`
diff --git a/mysql/resource_user.go b/mysql/resource_user.go
@@ -5,6 +5,7 @@ import (
 	"log"
 
 	"errors"
+
 	"github.com/hashicorp/go-version"
 	"github.com/hashicorp/terraform/helper/schema"
 )
@@ -51,11 +52,19 @@ func resourceUser() *schema.Resource {
 				ForceNew:      true,
 				ConflictsWith: []string{"plaintext_password", "password"},
 			},
+
+			"tls_option": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+				Default:  "NONE",
+			},
 		},
 	}
 }
 
 func CreateUser(d *schema.ResourceData, meta interface{}) error {
+	conf := meta.(*providerConfiguration)
 	db := meta.(*providerConfiguration).DB
 
 	var authStm string
@@ -94,6 +103,11 @@ func CreateUser(d *schema.ResourceData, meta interface{}) error {
 		stmtSQL = stmtSQL + fmt.Sprintf(" IDENTIFIED BY '%s'", password)
 	}
 
+	ver, _ := version.NewVersion("5.7.0")
+	if conf.ServerVersion.GreaterThan(ver) {
+		stmtSQL += fmt.Sprintf(" REQUIRE %s", d.Get("tls_option").(string))
+	}
+
 	log.Println("Executing statement:", stmtSQL)
 	_, err := db.Exec(stmtSQL)
 	if err != nil {
@@ -152,6 +166,22 @@ func UpdateUser(d *schema.ResourceData, meta interface{}) error {
 		}
 	}
 
+	ver, _ := version.NewVersion("5.7.0")
+	if d.HasChange("tls_option") && conf.ServerVersion.GreaterThan(ver) {
+		var stmtSQL string
+
+		stmtSQL = fmt.Sprintf("ALTER USER '%s'@'%s'  REQUIRE %s",
+			d.Get("user").(string),
+			d.Get("host").(string),
+			fmt.Sprintf(" REQUIRE %s", d.Get("tls_option").(string)))
+
+		log.Println("Executing query:", stmtSQL)
+		_, err := conf.DB.Exec(stmtSQL)
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
 

diff --git a/mysql/resource_user_test.go b/mysql/resource_user_test.go
@@ -23,6 +23,17 @@ func TestAccUser_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("mysql_user.test", "user", "jdoe"),
 					resource.TestCheckResourceAttr("mysql_user.test", "host", "example.com"),
 					resource.TestCheckResourceAttr("mysql_user.test", "plaintext_password", hashSum("password")),
+					resource.TestCheckResourceAttr("mysql_user.test", "tls_option", "NONE"),
+				),
+			},
+			resource.TestStep{
+				Config: testAccUserConfig_ssl,
+				Check: resource.ComposeTestCheckFunc(
+					testAccUserExists("mysql_user.test"),
+					resource.TestCheckResourceAttr("mysql_user.test", "user", "jdoe"),
+					resource.TestCheckResourceAttr("mysql_user.test", "host", "example.com"),
+					resource.TestCheckResourceAttr("mysql_user.test", "plaintext_password", hashSum("password")),
+					resource.TestCheckResourceAttr("mysql_user.test", "tls_option", "SSL"),
 				),
 			},
 			resource.TestStep{
@@ -32,6 +43,7 @@ func TestAccUser_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("mysql_user.test", "user", "jdoe"),
 					resource.TestCheckResourceAttr("mysql_user.test", "host", "example.com"),
 					resource.TestCheckResourceAttr("mysql_user.test", "plaintext_password", hashSum("password2")),
+					resource.TestCheckResourceAttr("mysql_user.test", "tls_option", "NONE"),
 				),
 			},
 		},
@@ -169,6 +181,15 @@ resource "mysql_user" "test" {
 }
 `
 
+const testAccUserConfig_ssl = `
+resource "mysql_user" "test" {
+    user = "jdoe"
+    host = "example.com"
+	plaintext_password = "password"
+	tls_option = "SSL"
+}
+`
+
 const testAccUserConfig_newPass = `
 resource "mysql_user" "test" {
     user = "jdoe"

diff --git a/website/docs/r/grant.html.markdown b/website/docs/r/grant.html.markdown
@@ -44,6 +44,11 @@ The following arguments are supported:
   [here](https://dev.mysql.com/doc/refman/5.5/en/grant.html)) for applicable
   privileges.
 
+* `tls_option` - (Optional) An TLS-Option for the GRANT-Statement
+  The Value is suffixed to REQUIRE. F.e. the value 'SSL' will
+  gernate an SQL like this: `GRANT ..... REQUIRE SSL`
+  See https://dev.mysql.com/doc/refman/5.7/en/grant.html
+
 * `grant` - (Optional) Whether to also give the user privileges to grant
   the same privileges to other users.
 

diff --git a/website/docs/r/user.html.markdown b/website/docs/r/user.html.markdown
@@ -59,6 +59,12 @@ The following arguments are supported:
   Description of the fields allowed in the block below. Conflicts with
   `password` and `plaintext_password`.
 
+* `tls_option` - (Optional) An TLS-Option for the CREATE USER-Statement or ALTER USER
+  The Value is suffixed to REQUIRE. F.e. the value 'SSL' will
+  gernate an SQL like this: `CREATE USER ..... REQUIRE SSL`
+  See https://dev.mysql.com/doc/refman/5.7/en/create-user.html
+  For MySql-Server-Versions less than 5.7 this options will be ignored.
+
 [ref-auth-plugins]: https://dev.mysql.com/doc/refman/5.7/en/authentication-plugins.html
 
 The `auth_plugin` value supports: