petoju / terraform-provider-mysql

Terraform MySQL provider – unofficial fork
https://registry.terraform.io/providers/petoju/mysql
Mozilla Public License 2.0

Unable to create user using AWS RDS MySQL 8.0 encrypted instance #64

Closed esteban1983cl closed 2 months ago

esteban1983cl commented 1 year ago

Hi there,

Please help with this issue: I'm unable to create a user when using an AWS RDS MySQL encrypted instance.

Terraform Version

Terraform v1.3.9
on darwin_amd64
+ provider registry.terraform.io/brainly/redshift v1.0.2
+ provider registry.terraform.io/cyrilgdn/postgresql v1.18.0
+ provider registry.terraform.io/hashicorp/aws v4.56.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.3.2
+ provider registry.terraform.io/hashicorp/dns v3.2.4
+ provider registry.terraform.io/hashicorp/external v2.2.3
+ provider registry.terraform.io/hashicorp/helm v2.9.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.18.1
+ provider registry.terraform.io/hashicorp/local v2.3.0
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/hashicorp/tls v4.0.4
+ provider registry.terraform.io/newrelic/newrelic v3.8.0
+ provider registry.terraform.io/petoju/mysql v3.0.30
+ provider registry.terraform.io/terraform-aws-modules/http v2.4.1

Same issue when using the Linux version.

Affected Resource(s)

Please list the resources as a list, for example:

Terraform Configuration Files


module "platform_bookstack_rds" {
  source                              = "terraform-aws-modules/rds/aws"
  version                             = "5.0.3"
  identifier                          = jsondecode(data.aws_secretsmanager_secret_version.platform_bookstack_master_credentials.secret_string)["dbInstanceIdentifier"]
  allocated_storage                   = 20
  storage_type                        = "gp3"
  iops                                = 3000
  storage_encrypted                   = true
  kms_key_id                          = aws_kms_key.backup_key[local.BU_TXD].arn
  iam_database_authentication_enabled = true
  engine                              = jsondecode(data.aws_secretsmanager_secret_version.platform_bookstack_master_credentials.secret_string)["engine"]
  engine_version                      = "8.0.32"
  copy_tags_to_snapshot               = true
  final_snapshot_identifier_prefix    = jsondecode(data.aws_secretsmanager_secret_version.platform_bookstack_master_credentials.secret_string)["dbInstanceIdentifier"]
  instance_class                      = "db.t4g.micro"
  db_name                             = null
  username                            = jsondecode(data.aws_secretsmanager_secret_version.platform_bookstack_master_credentials.secret_string)["username"]
  password                            = jsondecode(data.aws_secretsmanager_secret_version.platform_bookstack_master_credentials.secret_string)["password"]
  port                                = jsondecode(data.aws_secretsmanager_secret_version.platform_bookstack_master_credentials.secret_string)["port"]
  vpc_security_group_ids              = [module.platform_bookstack_security_group.security_group_id]
  multi_az                            = false
  publicly_accessible                 = false
  monitoring_interval                 = 30
  monitoring_role_arn                 = data.aws_iam_role.rds_monitoring_role.arn
  create_monitoring_role              = false
  allow_major_version_upgrade         = false
  auto_minor_version_upgrade          = true
  apply_immediately                   = true
  maintenance_window                  = var.maintenance_window
  backup_retention_period             = var.backup_retention_period
  backup_window                       = var.backup_window
  create_db_subnet_group              = true
  db_subnet_group_description         = "DB subnet group for Bookstack RDS"
  subnet_ids                          = data.aws_subnets.private.ids
  create_db_parameter_group           = true
  parameter_group_description         = "DB Parameter group for Bookstack RDS"
  family                              = "${jsondecode(data.aws_secretsmanager_secret_version.platform_bookstack_master_credentials.secret_string)["engine"]}8.0"
  parameters = concat(
    local.default_rds_mysql_ssl_parameters,
    local.default_rds_mysql_timezone_parameters,
    local.default_rds_mysql_recommended_parameters,
  )
  create_db_option_group                 = true
  option_group_description               = "DB Option group for Bookstack RDS"
  major_engine_version                   = "8.0"
  options                                = []
  enabled_cloudwatch_logs_exports        = ["audit", "error", "general", "slowquery"]
  deletion_protection                    = true
  performance_insights_enabled           = false
  performance_insights_retention_period  = var.backup_retention_period
  performance_insights_kms_key_id        = aws_kms_key.backup_key[local.BU_TXD].arn
  max_allocated_storage                  = 20
  delete_automated_backups               = false
  create_cloudwatch_log_group            = true
  cloudwatch_log_group_retention_in_days = local.cencosud_cloudwatch_log_group_retention_in_days
  cloudwatch_log_group_kms_key_id        = aws_kms_key.cloudwatch_log_group_encryption.arn
  putin_khuylo                           = true
  create_random_password                 = false
  tags = merge(local.plataforms_txd_generics_tags,
    {
      Name   = jsondecode(data.aws_secretsmanager_secret_version.platform_bookstack_master_credentials.secret_string)["dbInstanceIdentifier"]
      nombre = jsondecode(data.aws_secretsmanager_secret_version.platform_bookstack_master_credentials.secret_string)["dbInstanceIdentifier"]
    }
  )
}

provider "mysql" {
  alias     = "bookstack"
  endpoint  = module.platform_bookstack_rds.db_instance_endpoint
  username  = jsondecode(data.aws_secretsmanager_secret_version.platform_bookstack_master_credentials.secret_string)["username"]
  password  = jsondecode(data.aws_secretsmanager_secret_version.platform_bookstack_master_credentials.secret_string)["password"]
  tls       = true
}

data "aws_secretsmanager_secret" "platform_bookstack_application_credentials" {
  name = "paristech/platform/rds/bookstack/application"
}

data "aws_secretsmanager_secret_version" "platform_bookstack_application_credentials" {
  secret_id = data.aws_secretsmanager_secret.platform_bookstack_application_credentials.id
}

resource "mysql_user" "platform_bookstack_application_user" {
  provider           = mysql.bookstack
  host               = "%"
  user               = jsondecode(data.aws_secretsmanager_secret_version.platform_bookstack_application_credentials.secret_string)["username"]
  plaintext_password = jsondecode(data.aws_secretsmanager_secret_version.platform_bookstack_application_credentials.secret_string)["password"]
  tls_option         = "SSL"
}

Debug Output

I'm sorry, Terraform doesn't enable logs: https://gist.github.com/esteban1983cl/60d630e7e5ecba5d05f3083402ae928b

Panic Output

N/A

Expected Behavior

Provider creates the user

Actual Behavior

Error about certificate

Error: failed to connect to MySQL: could not connect to server: x509: “Amazon RDS us-east-1 2019 CA” certificate is not trusted

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform plan
  2. terraform apply

Important Factoids

N/A

References

N/A

petoju commented 1 year ago

@esteban1983cl currently, the provider doesn't allow one to specify a custom CA certificate.

That said, importing a certificate to the system could work. You can try running something like mysql with the correct ssl-mode (mysql --ssl-mode=VERIFY_IDENTITY -h host -u user -p), possibly with more parameters for debugging, and I believe its behavior should match whatever the Go client is doing.

For a quick fix on a secure network (like from inside AWS), you can even specify tls = "skip-verify" in the mysql provider configuration.
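The error quoted in this issue and the three options named in the reply above (a CA the client trusts, the system trust store, or skip-verify) all reduce to one step: the Go TLS client verifying the RDS server certificate against its root pool. The program below is an added example, not code from the provider or from AWS. It builds a constructed CA and server certificate in memory (standing in for the RDS regional CA and the instance endpoint), then runs the same verification the client runs: with no CA bundle, with the CA bundle loaded, with the wrong hostname, and with verification skipped. The hostname, the CA name and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed hostname standing in for an RDS endpoint (<instance>.<id>.<region>.rds.amazonaws.com).
const exampleHost = "bookstack.example.rds.amazonaws.com"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newTestChain builds a throwaway CA and a server certificate signed by it, playing
// the roles of the RDS regional CA and the instance's endpoint certificate. The CA is
// returned as a PEM bundle, the form RDS publishes its CAs in. Constructed fixture only.
func newTestChain() (caPEM []byte, server *x509.Certificate) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example RDS Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	caCert, err := x509.ParseCertificate(caDER)
	must(err)
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: exampleHost},
		DNSNames:     []string{exampleHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	must(err)
	server, err = x509.ParseCertificate(srvDER)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), server
}

// verifyServer performs the check a TLS client runs on the server certificate: chain it
// to the roots in caBundle (PEM, e.g. the downloaded RDS bundle) and match the hostname.
// An empty bundle stands in for a trust store that lacks the RDS CA, the situation behind
// the issue's error. skipVerify mirrors tls = "skip-verify" (InsecureSkipVerify in
// crypto/tls): none of the checks run, so the answer is "ok" even for an untrusted issuer.
func verifyServer(server *x509.Certificate, caBundle []byte, host string, skipVerify bool) string {
	if skipVerify {
		return "ok"
	}
	roots := x509.NewCertPool()
	if len(caBundle) > 0 && !roots.AppendCertsFromPEM(caBundle) {
		return "bad-bundle" // malformed CA file: report it, rather than surfacing as "not trusted"
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "untrusted-ca" // the failure reported in this issue
	case errors.As(err, new(x509.HostnameError)):
		return "hostname-mismatch"
	default:
		return "other"
	}
}

func main() {
	caPEM, server := newTestChain()
	fmt.Println("no CA bundle     :", verifyServer(server, nil, exampleHost, false))
	fmt.Println("RDS CA bundle    :", verifyServer(server, caPEM, exampleHost, false))
	fmt.Println("wrong hostname   :", verifyServer(server, caPEM, "other.example.com", false))
	fmt.Println("skip-verify      :", verifyServer(server, nil, "other.example.com", true))
}
```

On macOS Go hands verification to the system verifier, which is where the "certificate is not trusted" wording quoted above comes from; on Linux the same failure is Go's x509.UnknownAuthorityError, which is why the Linux run fails the same way. In both cases the durable fix is the second row: get the RDS CA bundle into whatever trust store the client consults, so that hostname and issuer are still checked. The last row shows what skip-verify gives up: the wrong host and an unknown issuer both pass, so it is only suitable where the reply's "secure network" condition actually holds.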

petoju commented 2 months ago

@esteban1983cl just running through the issues and I believe you can specify the certificate now. Just see the docs at https://registry.terraform.io/providers/petoju/mysql/latest/docs