From 3d339fe8caf5d27d605d03be2025c8d5e1a63554 Mon Sep 17 00:00:00 2001
From: Bob Callaway
Date: Wed, 11 Sep 2024 16:30:19 -0400
Subject: [PATCH] read pwd from gcp SM instead of TF random variable
Signed-off-by: Bob Callaway
---
 terraform/gcp/modules/mysql/mysql.tf | 15 +++++----------
 terraform/gcp/modules/mysql/outputs.tf | 2 +-
 2 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/terraform/gcp/modules/mysql/mysql.tf b/terraform/gcp/modules/mysql/mysql.tf
index 5e7453477..8b50ec4e7 100644
--- a/terraform/gcp/modules/mysql/mysql.tf
+++ b/terraform/gcp/modules/mysql/mysql.tf
@@ -200,20 +200,11 @@ resource "google_sql_database" "searchindexes" {
 depends_on = [google_sql_database_instance.sigstore]
 }
-resource "random_id" "user-password" {
- keepers = {
- name = google_sql_database_instance.sigstore.name
- }
-
- byte_length = 8
- depends_on = [google_sql_database_instance.sigstore]
-}
-
 resource "google_sql_user" "trillian" {
 name = "trillian"
 project = var.project_id
 instance = google_sql_database_instance.sigstore.name
- password = random_id.user-password.hex
+ password = data.google_secret_manager_secret_version_access.mysql-password.secret_data
 host = "%"
 depends_on = [google_sql_database_instance.sigstore]
 }
@@ -260,3 +251,7 @@ resource "google_secret_manager_secret_version" "mysql-database" {
 secret = google_secret_manager_secret.mysql-database.id
 secret_data = google_sql_database.trillian.name
 }
+
+data "google_secret_manager_secret_version_access" "mysql-password" {
+ secret = google_secret_manager_secret.mysql-password.id
+}
diff --git a/terraform/gcp/modules/mysql/outputs.tf b/terraform/gcp/modules/mysql/outputs.tf
index 40bc9c513..03b05f428 100644
--- a/terraform/gcp/modules/mysql/outputs.tf
+++ b/terraform/gcp/modules/mysql/outputs.tf
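Review bot: The new `password = data.google_secret_manager_secret_version_access.mysql-password.secret_data` line in `google_sql_user.trillian` still leaves the cleartext password in Terraform state, once under the data source and once under the user resource, so sourcing it from Secret Manager does not by itself narrow who can read it. The state backend needs to be encrypted and access-restricted at least as tightly as the secret itself. A short comment above the attribute would record that, e.g. `# value is persisted in TF state; keep state access limited to principals allowed to read this secret`. With the unchanged `host = "%"` context line, the password is the only control visible in this hunk on where `trillian` may connect from, and its strength now depends on whoever populates the secret rather than on anything in the module.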
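Review bot: The added `data "google_secret_manager_secret_version_access" "mysql-password"` block sets no `version`, so it resolves to the latest version of the secret on every plan. Any principal able to add a version to that secret therefore sets the `trillian` database password on the next apply. The hunk does not show what creates the first version, and presumably the read fails if none exists when the data source is evaluated. I would document the bootstrap above the block, e.g. `# a version of mysql-password must exist before apply; it is not generated here`, and pin `version` if rotation is meant to be a deliberate, reviewed change.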
@@ -40,6 +40,6 @@ output "mysql_user" {
 // MySQL DB password.
 output "mysql_pass" {
 sensitive = true
- description = "The Cloud SQL Instance Password (Generated)"
+ description = "The Cloud SQL Instance Password"
 value = google_sql_user.trillian.password
 }