hashicorp / terraform-provider-mysql

Terraform MySQL provider – This Terraform provider is archived per our provider archiving process: https://terraform.io/docs/internals/archiving.html
https://www.terraform.io/docs/providers/mysql/
Mozilla Public License 2.0

Add the mysql_user_password resource with support for Keybase/PGP encryption #30

Closed joestump closed 6 years ago

joestump commented 6 years ago

Attached is a mysql_user_password resource for managing MySQL passwords safely with Terraform. It can be used to assign auto-generated passwords and rotate them. Passwords are stored using PGP encryption in the TF state file.

resource "mysql_user_password" "someone" {
  user    = "${mysql_user.someone.user}"
  pgp_key = "keybase:someuser"
}

You can then output the encrypted_password attribute and decrypt:

terraform output encypted_password | base64 --decode | gpg --decrypt

To rotate the password:

terraform taint mysql_user_password.someone

Here's the main.tf I used for testing:

provider "mysql" {
  endpoint = "localhost:3306"
  username = "root"
}

resource "mysql_user" "jstump" {
  user = "jstump"
}

resource "mysql_user_password" "jstump" {
  user    = "${mysql_user.jstump.user}"
  pgp_key = "keybase:joestump"
}

output "encypted_password" {
  value = "${mysql_user_password.jstump.encrypted_password}"
}

Output of make testacc:

$ MYSQL_USERNAME=root MYSQL_ENDPOINT=localhost:3306 MYSQL_PASSWORD='' make testacc
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test $(go list ./... |grep -v 'vendor') -v  -timeout 120m
?       github.com/terraform-providers/terraform-provider-mysql [no test files]
=== RUN   TestProvider
--- PASS: TestProvider (0.00s)
=== RUN   TestProvider_impl
--- PASS: TestProvider_impl (0.00s)
=== RUN   TestAccDatabase
--- PASS: TestAccDatabase (0.04s)
=== RUN   TestAccGrant
--- PASS: TestAccGrant (0.05s)
=== RUN   TestAccUserPassword_basic
--- PASS: TestAccUserPassword_basic (0.94s)
=== RUN   TestAccUser_basic
--- PASS: TestAccUser_basic (0.07s)
=== RUN   TestAccUser_deprecated
--- PASS: TestAccUser_deprecated (0.07s)
PASS
ok      github.com/terraform-providers/terraform-provider-mysql/mysql   1.204s
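
A check a reviewer can run on the `encrypted_password` value before trusting it: confirm it is PGP ciphertext and read which key it is encrypted to, without decrypting. This is an added example, not code from the PR or the provider; it assumes the base64-decoded value is a binary OpenPGP message that starts with a version 3 Public-Key Encrypted Session Key packet, `RecipientKeyID` and `constructedSample` are hypothetical names, and the sample bytes are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// RecipientKeyID reads the first OpenPGP packet header of a base64 value and
// returns the key ID it is encrypted to (RFC 4880, 4.2 and 5.1). No decryption.
func RecipientKeyID(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return "", fmt.Errorf("not base64: %w", err)
	}
	if len(raw) < 2 || raw[0]&0x80 == 0 {
		return "", errors.New("not a binary OpenPGP packet (plaintext or armored?)")
	}
	// Old-format header: tag in bits 5-2, length type in bits 1-0.
	tag, body := (raw[0]>>2)&0x0f, []int{2, 3, 5, 1}[raw[0]&0x03]
	if raw[0]&0x40 != 0 { // new-format header: length is 1, 2 or 5 octets
		tag, body = raw[0]&0x3f, 2
		if raw[1] == 255 {
			body = 6
		} else if raw[1] >= 224 {
			return "", errors.New("partial body length not allowed for this packet")
		} else if raw[1] >= 192 {
			body = 3
		}
	}
	if tag != 1 {
		return "", fmt.Errorf("first packet has tag %d, want 1 (PKESK)", tag)
	}
	if len(raw) < body+9 || raw[body] != 3 {
		return "", errors.New("truncated or non-v3 PKESK packet")
	}
	return fmt.Sprintf("%016X", binary.BigEndian.Uint64(raw[body+1:body+9])), nil
}

// constructedSample is a made-up packet prefix, not output from a real state file.
func constructedSample() string {
	return base64.StdEncoding.EncodeToString([]byte{0x85, 0x01, 0x0c, 0x03,
		0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01})
}

func main() { fmt.Println(RecipientKeyID(constructedSample())) }
```

Compare the result with the long key ID of the intended recipient; when the message is encrypted to a subkey, the packet carries the subkey's ID.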

joestump commented 6 years ago

After much flailing, I got govendor to Do The Thing. Tests pass now and keybase:username works now as well.

To decrypt with Keybase:

terraform output encypted_password | base64 --decode | keybase pgp decrypt

joestump commented 6 years ago

@apparentlymart docs are done. I think this is ready for merge. I might take a stab at imports for users and DBs later. 👍

willejs commented 6 years ago

@joestump this is great! 🎉 😸 @vancluever What do you think of this? Do you think it can get merged?

willejs commented 6 years ago

@thomaschaaf can you approve?

joestump commented 6 years ago

@thomaschaaf @willejs @vancluever anything I can do to help move this PR along? #34 looks like it's ready for merge as well.

vancluever commented 6 years ago

Hey @joestump, very sorry for the radio silence on this one.

I just took a look, and there's a couple of things off the bat that I can see:

Let me know!

joestump commented 6 years ago

@vancluever added a basic acceptance test. Any help on cleaning up dependencies would be greatly appreciated. Thanks!

davewongillies commented 6 years ago

Sorry to be that guy, but @vancluever, I'd love to see this merged

joestump commented 6 years ago

I just got added as a maintainer on this. I've got some cleanup work to do before this will get merged in. More on this soon!

joestump commented 6 years ago

Closing this out in favor of #47, which is based on the go mod dependency management added in PR #44.