terraform-google-modules / terraform-google-sql-db

Creates a Cloud SQL database instance
https://registry.terraform.io/modules/terraform-google-modules/sql-db/google
Apache License 2.0
266 stars 425 forks

Dropped support for require_ssl causes SSL to be disabled on instance #645

Closed pawelrosada closed 2 months ago

pawelrosada commented 2 months ago

TL;DR

After upgrading from version 21.0.1 to 22.0.0, enabling SSL on the instance is no longer possible. The sslMode option doesn’t work and consistently disables SSL, regardless of the configuration.

Expected behavior

The sslMode option should enable SSL as configured. When set to the appropriate value (e.g., TRUSTED_CLIENT_CERTIFICATE_REQUIRED), SSL should be activated on the instance, ensuring secure communication between the client and server.

Observed behavior

After upgrading to version 22.0.0, the sslMode option fails to function correctly. Regardless of its setting, SSL is consistently disabled, leading to unsecured connections, contrary to the expected behavior.

Terraform Configuration

module "sql" {
  source            = "GoogleCloudPlatform/sql-db/google//modules/mysql"
  version           = "22.0.0"
  name              = "XXXX"
  backup_configuration = {
    binary_log_enabled             = false
    location                       = "europe-central2"
    retention_unit                 = "COUNT"
    start_time                     = "00:30"
    transaction_log_retention_days = 1
    enabled                        = true
    retained_backups               = 7
  }

  create_timeout                  = "20m"
  database_version                = "MYSQL_8_0"
  disk_autoresize_limit           = 20
  project_id                      = "XXXX"
  zone                            = "XXXX"
  region                          = "XXXX"
  tier                            = "XXXX"
  maintenance_window_update_track = "stable"
  enable_default_db               = true
  maintenance_window_day          = 2
  maintenance_window_hour         = 3

  deletion_protection         = true
  deletion_protection_enabled = true

  ip_configuration = {
    ipv4_enabled        = true
    private_network     = null
    sslMode             = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
    #require_ssl         = true
    allocated_ip_range  = null
  }
}

Terraform Version

Terraform v1.5.7
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/hashicorp/archive v2.6.0
+ provider registry.terraform.io/hashicorp/google v5.44.0
+ provider registry.terraform.io/hashicorp/google-beta v5.44.0
+ provider registry.terraform.io/hashicorp/helm v2.15.0
+ provider registry.terraform.io/hashicorp/http v3.4.5
+ provider registry.terraform.io/hashicorp/kubernetes v2.32.0
+ provider registry.terraform.io/hashicorp/null v3.2.3
+ provider registry.terraform.io/hashicorp/random v3.6.3
+ provider registry.terraform.io/hashicorp/time v0.12.1
+ provider registry.terraform.io/petoju/mysql v3.0.65

Additional information

Plan result
  ~ resource "google_sql_database_instance" "default" {
        id                             = "xxxxx"
        name                           = "xxxx"
        # (14 unchanged attributes hidden)

      ~ settings {
            # (15 unchanged attributes hidden)

          ~ ip_configuration {
              - require_ssl                                   = true -> null
                # (3 unchanged attributes hidden)
            }

            # (3 unchanged blocks hidden)
        }

        # (1 unchanged block hidden)
    }
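The plan above silently removes require_ssl without putting an enforcing ssl_mode in its place. The following is an added example, not code from the issue or the module, of a CI gate that reads a `terraform show -json` plan and flags any google_sql_database_instance update that drops TLS enforcement; the sample plan at the bottom is constructed to mirror the diff in this report, and the module path in its address is assumed.

```python
"""Gate a `terraform show -json` plan: flag Cloud SQL instances whose update
would drop TLS enforcement (require_ssl removed with no enforcing ssl_mode)."""
import json

# ssl_mode values that still force TLS, per the API error quoted in this issue.
ENFORCING_SSL_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}


def ip_config(state):
    """Return the ip_configuration map of an instance state (before/after), or {}."""
    if not state:
        return {}
    settings = state.get("settings") or [{}]
    ipc = settings[0].get("ip_configuration") or [{}]
    return ipc[0]


def ssl_enforced(state):
    """True if this instance state still requires TLS for client connections."""
    cfg = ip_config(state)
    return bool(cfg.get("require_ssl")) or cfg.get("ssl_mode") in ENFORCING_SSL_MODES


def find_ssl_regressions(plan):
    """Return addresses of Cloud SQL instances whose planned update weakens TLS."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "google_sql_database_instance":
            continue
        change = rc["change"]
        if "update" not in change["actions"]:
            continue
        if ssl_enforced(change["before"]) and not ssl_enforced(change["after"]):
            findings.append(rc["address"])
    return findings


# Constructed sample: require_ssl true -> null and no ssl_mode, as in the plan above.
SAMPLE_PLAN = {"resource_changes": [{
    "address": "module.sql.google_sql_database_instance.default",  # assumed address
    "type": "google_sql_database_instance",
    "change": {
        "actions": ["update"],
        "before": {"settings": [{"ip_configuration": [{"require_ssl": True, "ssl_mode": None}]}]},
        "after": {"settings": [{"ip_configuration": [{"require_ssl": None, "ssl_mode": None}]}]},
    }}]}

if __name__ == "__main__":
    # For a real run: plan = json.load(open("plan.json")) after `terraform show -json tfplan > plan.json`
    bad = find_ssl_regressions(SAMPLE_PLAN)
    if bad:
        raise SystemExit("TLS enforcement dropped on: " + ", ".join(bad))
```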
imrannayer commented 2 months ago

@pawelrosada your code is incorrect: the variable is ssl_mode. Your code is using sslMode.

pawelrosada commented 2 months ago

@imrannayer, of course... my bad :)
I fixed the initial issue, but it’s still not working as expected.

Error:

Error: Error, failed to update instance settings for : googleapi: Error 400: Invalid request: For a MySQL instance, sslMode value TRUSTED_CLIENT_CERTIFICATE_REQUIRED and requireSsl value false are conflicting. When sslMode=TRUSTED_CLIENT_CERTIFICATE_REQUIRED, requireSsl must be true. When requireSsl=false, sslMode must be ALLOW_UNENCRYPTED_AND_ENCRYPTED or ENCRYPTED_ONLY. It's recommended that you only set sslMode., invalid

Steps I Tried:

  1. Removed ssl_mode and updated the module.
  2. Then, Terraform automatically changed enable_ssl to null:
          ~ ip_configuration {
              - require_ssl                                   = true -> null
  3. After that, I set:
     ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"

This resulted in the above warning.

Expected Behavior:
When setting ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED", SSL should be properly configured without conflicting with require_ssl.

Actual Behavior:
The configuration is throwing an error about conflicting settings, even though ssl_mode and require_ssl should work together according to the documentation.

Question:
Any idea on how to resolve this conflict or what configuration might be missing?

giannello commented 2 months ago

We are experiencing the same issue, and we also have to use google v5.44.0 because not all the GCP terraform modules have been updated to support v6.

imrannayer commented 2 months ago

@pawelrosada have you updated the provider version to >6? Can you run terraform --version and see if you are using provider version > 6.01? If not, then you will need to first execute terraform init --upgrade and make sure the provider version is >= 6.01. If not, then you may be using some other code which may be restricting the provider upgrade.

pawelrosada commented 2 months ago

@imrannayer, we have updated the version, but we are using multiple different modules that don’t allow us to upgrade further. Our current stack for this project is:

•   provider registry.terraform.io/hashicorp/google v5.44.0
•   provider registry.terraform.io/hashicorp/google-beta v5.44.0

At the moment, we are unable to move past this. However, the terraform-google-sql-db module in the previous version, specifically 21.0.2, works correctly (just showing a deprecation warning).