From 79fe2cac53eba153279d8adc47563e998d4c9914 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gast=C3=B3n=20Rial=20Saibene?= <19420029+rialg@users.noreply.github.com>
Date: Thu, 1 Feb 2024 17:53:05 +0100
Subject: [PATCH] Enable automatic IAM database authN for Cloud SQL (#109)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Pass OAuth token in password field

* Using WithIAMAuthNTokenSources for authentication instead

* Enabling automatic IAM was missing

* Update website/docs/index.html.markdown

Co-authored-by: petoju

--------

Co-authored-by: Gastón Rial Saibene
Co-authored-by: petoju
---
 go.mod                           |  2 +-
 mysql/provider.go                | 13 +++++++++++--
 website/docs/index.html.markdown |  3 ++-
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index f45f256f..93e4116e 100644
--- a/go.mod
+++ b/go.mod
@@ -11,6 +11,7 @@ require (
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.31.0
 	github.com/tidwall/gjson v1.17.0
 	golang.org/x/net v0.20.0
+	golang.org/x/oauth2 v0.16.0
 	google.golang.org/api v0.157.0
 )
 
@@ -76,7 +77,6 @@ require (
 	go.opentelemetry.io/otel/trace v1.22.0 // indirect
 	golang.org/x/crypto v0.18.0 // indirect
 	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/oauth2 v0.16.0 // indirect
 	golang.org/x/sys v0.16.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
diff --git a/mysql/provider.go b/mysql/provider.go
index 9edc9cff..9d71ed31 100644
--- a/mysql/provider.go
+++ b/mysql/provider.go
@@ -23,6 +23,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"golang.org/x/net/proxy"
+	"golang.org/x/oauth2"
 
 	cloudsqlconn "cloud.google.com/go/cloudsqlconn"
 	cloudsql "cloud.google.com/go/cloudsqlconn/mysql/mysql"
@@ -182,8 +183,16 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 		proto = "cloudsql"
 		endpoint = strings.ReplaceAll(endpoint, "cloudsql://", "")
 		var err error
-		if iam_auth {
-			_, err = cloudsql.RegisterDriver("cloudsql", cloudsqlconn.WithIAMAuthN())
+		if iam_auth { // Access token will be in the password field
+
+			var opts []cloudsqlconn.Option
+
+			token := oauth2.StaticTokenSource(&oauth2.Token{
+				AccessToken: password,
+			})
+			opts = append(opts, cloudsqlconn.WithIAMAuthN())
+			opts = append(opts, cloudsqlconn.WithIAMAuthNTokenSources(token, token))
+			_, err = cloudsql.RegisterDriver("cloudsql", opts...)
 		} else {
 			_, err = cloudsql.RegisterDriver("cloudsql")
 		}
diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
index 7ff2030a..d5e3b8eb 100644
--- a/website/docs/index.html.markdown
+++ b/website/docs/index.html.markdown
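Review bot: The token source built from `password` is a `StaticTokenSource`, so the access token handed to the driver is never refreshed after `RegisterDriver` runs; a provider process that outlives the token's validity (typically well under an hour for an OAuth2 access token) will start failing IAM logins with no way to recover short of re-running providerConfigure, and nothing in the hunk rejects an empty `password`, which would be packed into an empty `AccessToken` and presented as a credential. Consider guarding that before building the token and documenting the contract at the `if iam_auth` line, e.g. `// password must hold a short-lived OAuth2 access token; it is used as-is and never refreshed`. The same token is passed as both the login and the API token source to `WithIAMAuthNTokenSources`, which presumably means it must carry the scopes for both uses; the comment should say which scopes the caller has to request. Stylistically, the two `append` calls and the blank lines can collapse to one literal: `opts := []cloudsqlconn.Option{cloudsqlconn.WithIAMAuthN(), cloudsqlconn.WithIAMAuthNTokenSources(token, token)}`. providerConfigure continues outside the hunk, so how `err` is surfaced is not visible here.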
@@ -119,4 +119,5 @@ The following arguments are supported:
 * `max_conn_lifetime_sec` - (Optional) Sets the maximum amount of time a connection may be reused. If d <= 0, connections are reused forever.
 * `max_open_conns` - (Optional) Sets the maximum number of open connections to the database. If n <= 0, then there is no limit on the number of open connections.
 * `conn_params` - (Optional) Sets extra mysql connection parameters (ODBC parameters). Most useful for session variables such as `default_storage_engine`, `foreign_key_checks` or `sql_log_bin`.
-* `authentication_plugin` - (Optional) Sets the authentication plugin, it can be one of the following: `native` or `cleartext`. Defaults to `native`.
\ No newline at end of file
+* `authentication_plugin` - (Optional) Sets the authentication plugin, it can be one of the following: `native` or `cleartext`. Defaults to `native`.
+* `iam_database_authentication` - (Optional) For Cloud SQL databases, it enabled the use of IAM authentication. Make sure to declare the `password` field with a temporary OAuth2 token of the user that will connect to the MySQL server.