terraform-google-modules / terraform-google-sql-db

Creates a Cloud SQL database instance
https://registry.terraform.io/modules/terraform-google-modules/sql-db/google
Apache License 2.0

Expose an output for replica private IP addresses #588

Closed OscarVanL closed 2 months ago

OscarVanL commented 5 months ago

TL;DR

I want to create internal DNS records pointing to the private IP addresses of my replica instances. Unfortunately this is not possible because the replicas output is marked as sensitive.

Terraform Resources

google_sql_database_instance

Detailed design

To do this I tried the following, accessing the data I need from the replicas output:

resource "google_dns_record_set" "replicas_dns" {
  for_each = {for r in module.database.replicas : r.name => r.private_ip_address}

  project      = var.dns_project_id
  type         = "A"
  managed_zone = var.internal_domain_zone_name
  ttl          = var.dns_ttl
  name         = "${each.key}.${var.internal_domain}."
  rrdatas      = [each.value]
}

However, this is not possible because the replicas output is marked as sensitive in this module. I get this error when running the terraform plan:

│ Error: Invalid for_each argument
│ 
│   on ../base/dns.tf line 12, in resource "google_dns_record_set" "replicas":
│   12:   for_each =  {for r in module.database.replicas : r.name => r.private_ip_address}
│     ├────────────────
│     │ module.database.replicas has a sensitive value
│ 
│ Sensitive values, or values derived from sensitive values, cannot be used
│ as for_each arguments. If used, the sensitive value could be exposed as a
│ resource instance key.

Suggested fix

I see that the module has non-sensitive outputs like replicas_instance_first_ip_addresses and read_replica_instance_names, but sadly there is no output for the replica instance private IP addresses.

An additional output like replicas that contains only the non-sensitive values would be most convenient. Or perhaps a similar output called replicas_instance_private_ip_addresses could be added to expose the private IPs.

OscarVanL commented 5 months ago

As a workaround, it looks like I can use the sensitive outputs by marking them as nonsensitive.

resource "google_dns_record_set" "replicas" {
  for_each = {for r in nonsensitive(module.database.replicas) : r.name => r.private_ip_address}

  project      = var.dns_project_id
  type         = "A"
  managed_zone = var.internal_domain_zone_name
  ttl          = var.dns_ttl
  name         = "${each.key}.${var.internal_domain}."
  rrdatas      = [each.value]
}
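
Added illustration, not code from the issue or from the module: the module-side output that the suggested fix asks for, exposing only the replica name to private IP mapping so the rest of the replicas object stays sensitive, plus the DNS record set consuming it without nonsensitive(). The replica resource name google_sql_database_instance.replicas and its use of for_each are assumptions about the module's internals, and private_ip_address is assumed not to be a sensitive attribute itself.

```hcl
# Module side (hypothetical addition to outputs.tf). Assumes the module
# creates replicas as google_sql_database_instance.replicas with for_each.
# Only the name and private IP are exported, so attributes that made the
# full "replicas" output sensitive are not unmarked.
output "replicas_instance_private_ip_addresses" {
  description = "Map of replica instance name to private IP address"
  value = {
    for r in google_sql_database_instance.replicas :
    r.name => r.private_ip_address
  }
}

# Consumer side: for_each keys are instance names, which the module already
# exposes non-sensitively via read_replica_instance_names, and the values are
# the private IPs the DNS records need. No nonsensitive() call is required.
resource "google_dns_record_set" "replicas" {
  for_each = module.database.replicas_instance_private_ip_addresses

  project      = var.dns_project_id
  type         = "A"
  managed_zone = var.internal_domain_zone_name
  ttl          = var.dns_ttl
  name         = "${each.key}.${var.internal_domain}."
  rrdatas      = [each.value]
}
```
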

github-actions[bot] commented 2 months ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days