From 5ae445aca708b06c346368b1cb60ff14dc619916 Mon Sep 17 00:00:00 2001 From: Stefano Sibilia Date: Tue, 29 Oct 2024 14:58:50 +0100 Subject: [PATCH 1/4] fix: use environment to avoid exposure of secrets --- main.tf | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/main.tf b/main.tf index 8b63b99..9594a43 100644 --- a/main.tf +++ b/main.tf @@ -61,20 +61,20 @@ resource "google_sql_user" "sql_user" { provisioner "local-exec" { command = templatefile( "${path.module}/scripts/execute_sql.sh", - { - CLOUDSDK_CORE_PROJECT = var.project_id - GCLOUD_PROJECT_REGION = var.region - CLOUDSQL_INSTANCE_NAME = var.cloudsql_instance_name - CLOUDSQL_PROXY_HOST = var.cloudsql_proxy_host - CLOUDSQL_PROXY_PORT = var.cloudsql_proxy_port - CLOUDSQL_PRIVILEGED_USER_NAME = var.cloudsql_privileged_user_name - CLOUDSQL_PRIVILEGED_USER_PASSWORD = var.cloudsql_privileged_user_password - MYSQL_VERSION = data.google_sql_database_instance.cloudsql_instance.database_version - USER = each.value.user - USER_HOST = each.value.user_host - DATABASE = each.value.database - } ) + environment = { + CLOUDSDK_CORE_PROJECT = var.project_id + GCLOUD_PROJECT_REGION = var.region + CLOUDSQL_INSTANCE_NAME = var.cloudsql_instance_name + CLOUDSQL_PROXY_HOST = var.cloudsql_proxy_host + CLOUDSQL_PROXY_PORT = var.cloudsql_proxy_port + CLOUDSQL_PRIVILEGED_USER_NAME = var.cloudsql_privileged_user_name + CLOUDSQL_PRIVILEGED_USER_PASSWORD = var.cloudsql_privileged_user_password + MYSQL_VERSION = data.google_sql_database_instance.cloudsql_instance.database_version + USER = each.value.user + USER_HOST = each.value.user_host + DATABASE = each.value.database + } interpreter = [ "/bin/sh", "-c" ] From 901c74cfaeb8922211e60c4e86576223578ef594 Mon Sep 17 00:00:00 2001 From: Stefano Sibilia Date: Tue, 29 Oct 2024 15:10:58 +0100 Subject: [PATCH 2/4] fix: remove template file --- main.tf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
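Review bot: Moving the values into `environment` keeps the password out of the command string that local-exec echoes during apply, but the map still hands `CLOUDSQL_PRIVILEGED_USER_PASSWORD` to `/bin/sh -c` and to every process the script spawns, so the script side must not put it back onto a command line (the mysql invocation in `scripts/execute_sql.sh` is outside this hunk). If `variables.tf` does not already do so, declare `variable "cloudsql_privileged_user_password" { type = string, sensitive = true }` so the value is redacted from plan/apply output and from any output derived from it. It is also worth passing it under the name the client reads directly, `MYSQL_PWD = var.cloudsql_privileged_user_password`, so the script never needs a `--password=` argument. The `google_sql_user.sql_user` resource block starts before this hunk.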
diff --git a/main.tf b/main.tf index 9594a43..77bcff9 100644 --- a/main.tf +++ b/main.tf @@ -59,9 +59,7 @@ resource "google_sql_user" "sql_user" { host = each.value.user_host provisioner "local-exec" { - command = templatefile( - "${path.module}/scripts/execute_sql.sh", - ) + command = "${path.module}/scripts/execute_sql.sh" environment = { CLOUDSDK_CORE_PROJECT = var.project_id GCLOUD_PROJECT_REGION = var.region From cf6e485bad4c00693693826d97d318f01b41f77c Mon Sep 17 00:00:00 2001 From: Stefano Sibilia Date: Tue, 29 Oct 2024 21:08:57 +0100 Subject: [PATCH 3/4] fix: remove template syntax from script --- scripts/execute_sql.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/execute_sql.sh b/scripts/execute_sql.sh index 86c45b7..d8ecdcc 100755 --- a/scripts/execute_sql.sh +++ b/scripts/execute_sql.sh @@ -20,13 +20,13 @@ for j in $(seq 1 10); do done if [ "$READY" -eq 0 ]; then - %{~ if trimspace(MYSQL_VERSION) == "MYSQL_5_7" } + if [ "$MYSQL_VERSION" = "MYSQL_5_7" ]; then mysql --host=${CLOUDSQL_PROXY_HOST} --port=${CLOUDSQL_PROXY_PORT} --user=${CLOUDSQL_PRIVILEGED_USER_NAME} --password=${CLOUDSQL_PRIVILEGED_USER_PASSWORD} --execute="REVOKE ALL PRIVILEGES, GRANT OPTION FROM '${USER}'@'${USER_HOST}'; GRANT ALL ON ${DATABASE}.* TO ${USER}@'${USER_HOST}';" - %{ endif ~} + fi - %{~ if trimspace(MYSQL_VERSION) == "MYSQL_8_0" } + if [ "$MYSQL_VERSION" = "MYSQL_8_0" ]; then mysql --host=${CLOUDSQL_PROXY_HOST} --port=${CLOUDSQL_PROXY_PORT} --user=${CLOUDSQL_PRIVILEGED_USER_NAME} --password=${CLOUDSQL_PRIVILEGED_USER_PASSWORD} --execute="REVOKE cloudsqlsuperuser FROM '${USER}'@'${USER_HOST}'; GRANT ALL ON ${DATABASE}.* TO ${USER}@'${USER_HOST}';" - %{ endif ~} + fi exit 0 else From 229b12b4d5b470323b2f0249456d976be6cb2ff5 Mon Sep 17 00:00:00 2001 
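Review bot: `command` is now the bare script path handed to `/bin/sh -c`, so it is re-parsed as a shell command line: a module path containing spaces or shell metacharacters would break or be reinterpreted, and the script must keep its executable bit (patch 3 shows it as mode 100755). Dropping `-c` and letting the shell read the file, `interpreter = ["/bin/sh"]`, removes both the reparsing and the exec-bit dependency; alternatively quote the path, `command = "\"${path.module}/scripts/execute_sql.sh\""`. The `interpreter` attribute sits just below this hunk.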
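Review bot: `--password=${CLOUDSQL_PRIVILEGED_USER_PASSWORD}` on both mysql lines puts the secret into the mysql process's argv, where any user on the runner can read it via `ps` or `/proc/<pid>/cmdline` for the duration of the call, which undoes the point of the env-var change; export it as `MYSQL_PWD`, which the client reads itself, and drop the flag. The exact comparisons `= "MYSQL_5_7"` and `= "MYSQL_8_0"` also fall through to the `exit 0` below when `database_version` is a minor-pinned value such as `MYSQL_8_0_31` (or a newer major), so the apply succeeds without the REVOKE having run and the user keeps `cloudsqlsuperuser` — an unmatched version should fail loudly. The expansions are unquoted, so a password or host containing whitespace is word-split, and `${USER}` shadows the login-name variable the shell normally carries (it works only because the `environment` map overrides it; a dedicated name such as `CLOUDSQL_USER` would be less fragile). The values interpolated into `--execute` come from module inputs, so a `'` or `;` in `USER`, `USER_HOST` or `DATABASE` changes the statement; a `validation` block on `var.database_and_user_list` is worth adding. The readiness loop above and the `else` branch below are outside this hunk.
```shell
if [ "$READY" -eq 0 ]; then
    # Keep the secret out of argv: the mysql client reads MYSQL_PWD itself.
    export MYSQL_PWD="$CLOUDSQL_PRIVILEGED_USER_PASSWORD"
    case "$MYSQL_VERSION" in
        MYSQL_5_7*) REVOKE_STMT="REVOKE ALL PRIVILEGES, GRANT OPTION FROM '${USER}'@'${USER_HOST}';" ;;
        MYSQL_8_0*) REVOKE_STMT="REVOKE cloudsqlsuperuser FROM '${USER}'@'${USER_HOST}';" ;;
        *) echo "unsupported database_version: ${MYSQL_VERSION}" >&2; exit 1 ;;
    esac
    mysql --host="$CLOUDSQL_PROXY_HOST" --port="$CLOUDSQL_PROXY_PORT" --user="$CLOUDSQL_PRIVILEGED_USER_NAME" \
        --execute="${REVOKE_STMT} GRANT ALL ON ${DATABASE}.* TO '${USER}'@'${USER_HOST}';"
    exit 0
# … unchanged: else branch …
```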
From: Stefano Sibilia Date: Wed, 30 Oct 2024 08:59:02 +0100 Subject: [PATCH 4/4] fix: use of environment in local-exec provisioner --- CHANGELOG.md | 6 ++++++ main.tf | 18 ++++++++---------- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e93e4e4..a029b71 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [0.3.2] - 2024-10-30 + +### Changed + +- Fix accidental mysql credential exposure. + ## [0.3.1] - 2023-04-14 ### Changed diff --git a/main.tf b/main.tf index 77bcff9..34be93e 100644 --- a/main.tf +++ b/main.tf @@ -3,16 +3,14 @@ resource "null_resource" "execute_cloud_sql_proxy" { for u in var.database_and_user_list : u.user => u } : {}) provisioner "local-exec" { - command = templatefile( - "${path.module}/scripts/execute_cloud_sql_proxy.sh", - { - CLOUDSDK_CORE_PROJECT = var.project_id - CLOUDSQL_PROXY_HOST = var.cloudsql_proxy_host - CLOUDSQL_PROXY_PORT = var.cloudsql_proxy_port - GCLOUD_PROJECT_REGION = var.region - CLOUDSQL_INSTANCE_NAME = var.cloudsql_instance_name - } - ) + command = "${path.module}/scripts/execute_cloud_sql_proxy.sh" + environment = { + CLOUDSDK_CORE_PROJECT = var.project_id + CLOUDSQL_PROXY_HOST = var.cloudsql_proxy_host + CLOUDSQL_PROXY_PORT = var.cloudsql_proxy_port + GCLOUD_PROJECT_REGION = var.region + CLOUDSQL_INSTANCE_NAME = var.cloudsql_instance_name + } interpreter = [ "/bin/sh", "-c" ]
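Review bot: `scripts/execute_cloud_sql_proxy.sh` is no longer rendered through `templatefile`, but unlike `scripts/execute_sql.sh` (patch 3) it is not touched anywhere in this series; if it still contains `%{ }` template directives they now reach `/bin/sh` verbatim and fail, and any `${VAR}` placeholders now depend on the shell expanding the `environment` map rather than on Terraform substitution. Please confirm the script was already plain shell, or update it the same way as `execute_sql.sh`. The same quoting caveat as in patch 2 applies here: the path goes through `sh -c`, so `interpreter = ["/bin/sh"]` with the script as the argument is safer than `command = "${path.module}/scripts/execute_cloud_sql_proxy.sh"` under `-c`. The `null_resource.execute_cloud_sql_proxy` block starts before this hunk.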