3083 bugs terraform google gcp cloud native drupal resources module

CHANGELOG.md

@@ -7,6 +7,12 @@ and this project adheres
 to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 
+## [0.3.2] - 2024-10-30
+
+### Changed
+
+- Fix accidental mysql credential exposure.
+
 ## [0.3.1] - 2023-04-14
 
 ### Changed

main.tf

@@ -3,16 +3,14 @@ resource "null_resource" "execute_cloud_sql_proxy" {
     for u in var.database_and_user_list : u.user => u
   } : {})
   provisioner "local-exec" {
-    command = templatefile(
-      "${path.module}/scripts/execute_cloud_sql_proxy.sh",
-      {
-        CLOUDSDK_CORE_PROJECT  = var.project_id
-        CLOUDSQL_PROXY_HOST    = var.cloudsql_proxy_host
-        CLOUDSQL_PROXY_PORT    = var.cloudsql_proxy_port
-        GCLOUD_PROJECT_REGION  = var.region
-        CLOUDSQL_INSTANCE_NAME = var.cloudsql_instance_name
-      }
-    )
+    command = "${path.module}/scripts/execute_cloud_sql_proxy.sh"
+    environment = {
+      CLOUDSDK_CORE_PROJECT  = var.project_id
+      CLOUDSQL_PROXY_HOST    = var.cloudsql_proxy_host
+      CLOUDSQL_PROXY_PORT    = var.cloudsql_proxy_port
+      GCLOUD_PROJECT_REGION  = var.region
+      CLOUDSQL_INSTANCE_NAME = var.cloudsql_instance_name
+    }
     interpreter = [
       "/bin/sh", "-c"
     ]
@@ -59,22 +57,20 @@ resource "google_sql_user" "sql_user" {
   host     = each.value.user_host
 
   provisioner "local-exec" {
-    command = templatefile(
-      "${path.module}/scripts/execute_sql.sh",
-      {
-        CLOUDSDK_CORE_PROJECT             = var.project_id
-        GCLOUD_PROJECT_REGION             = var.region
-        CLOUDSQL_INSTANCE_NAME            = var.cloudsql_instance_name
-        CLOUDSQL_PROXY_HOST               = var.cloudsql_proxy_host
-        CLOUDSQL_PROXY_PORT               = var.cloudsql_proxy_port
-        CLOUDSQL_PRIVILEGED_USER_NAME     = var.cloudsql_privileged_user_name
-        CLOUDSQL_PRIVILEGED_USER_PASSWORD = var.cloudsql_privileged_user_password
-        MYSQL_VERSION                     = data.google_sql_database_instance.cloudsql_instance.database_version
-        USER                              = each.value.user
-        USER_HOST                         = each.value.user_host
-        DATABASE                          = each.value.database
-      }
-    )
+    command = "${path.module}/scripts/execute_sql.sh"
+    environment = {
+      CLOUDSDK_CORE_PROJECT             = var.project_id
+      GCLOUD_PROJECT_REGION             = var.region
+      CLOUDSQL_INSTANCE_NAME            = var.cloudsql_instance_name
+      CLOUDSQL_PROXY_HOST               = var.cloudsql_proxy_host
+      CLOUDSQL_PROXY_PORT               = var.cloudsql_proxy_port
+      CLOUDSQL_PRIVILEGED_USER_NAME     = var.cloudsql_privileged_user_name
+      CLOUDSQL_PRIVILEGED_USER_PASSWORD = var.cloudsql_privileged_user_password
+      MYSQL_VERSION                     = data.google_sql_database_instance.cloudsql_instance.database_version
+      USER                              = each.value.user
+      USER_HOST                         = each.value.user_host
+      DATABASE                          = each.value.database
+    }
     interpreter = [
       "/bin/sh", "-c"
     ]

scripts/execute_sql.sh

@@ -20,13 +20,13 @@ for j in $(seq 1 10); do
 done
 
 if [ "$READY" -eq 0 ]; then
-    %{~ if trimspace(MYSQL_VERSION) == "MYSQL_5_7" }
+    if [ "$MYSQL_VERSION" = "MYSQL_5_7" ]; then
     mysql --host=${CLOUDSQL_PROXY_HOST} --port=${CLOUDSQL_PROXY_PORT} --user=${CLOUDSQL_PRIVILEGED_USER_NAME} --password=${CLOUDSQL_PRIVILEGED_USER_PASSWORD} --execute="REVOKE ALL PRIVILEGES, GRANT OPTION FROM '${USER}'@'${USER_HOST}'; GRANT ALL ON ${DATABASE}.* TO ${USER}@'${USER_HOST}';"
-    %{ endif ~}
+    fi
 
-    %{~ if trimspace(MYSQL_VERSION) == "MYSQL_8_0" }
+    if [ "$MYSQL_VERSION" = "MYSQL_8_0" ]; then
     mysql --host=${CLOUDSQL_PROXY_HOST} --port=${CLOUDSQL_PROXY_PORT} --user=${CLOUDSQL_PRIVILEGED_USER_NAME} --password=${CLOUDSQL_PRIVILEGED_USER_PASSWORD} --execute="REVOKE cloudsqlsuperuser FROM '${USER}'@'${USER_HOST}'; GRANT ALL ON ${DATABASE}.* TO ${USER}@'${USER_HOST}';"
-    %{ endif ~}
+    fi
 
     exit 0
 else