feat: Add functionality to prevent deletion of databases across all s…

…urfaces, enable Query Insight, and set maintenance window. (#34) * feat: update the broken functionaity of delete protection settings * fix: resolve conflict
honestbank · Sep 8, 2023 · c399ab5 · c399ab5
1 parent 7a2fc8d
commit c399ab5
Show file tree

Hide file tree

Showing 4 changed files with 75 additions and 53 deletions.
diff --git a/.github/workflows/shiftleft-terraform.yml b/.github/workflows/shiftleft-terraform.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -13,7 +13,7 @@ repos:
       - id: check-yaml
       - id: check-added-large-files
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.81.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.83.2 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
@@ -24,7 +24,7 @@ repos:
       - id: terraform_checkov
         exclude: (test/|examples/)
   - repo: https://github.com/gitguardian/ggshield
-    rev: v1.16.0 # Update to latest version by running `pre-commit autoupdate`
+    rev: v1.18.1 # Update to latest version by running `pre-commit autoupdate`
     hooks:
       - id: ggshield
         language: python

diff --git a/modules/google_sql_database_instance/main.tf b/modules/google_sql_database_instance/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 4.0"
+      version = "~> 4.48"
     }
   }
 }
@@ -17,21 +17,16 @@ locals {
 
   postgres_database_flags = {
     "cloudsql.enable_pgaudit" = "on"
+    log_hostname              = "on"
+    log_duration              = "on"
+    log_temp_files            = "0"
+    log_connections           = "on"
+    log_lock_waits            = "on"
+    log_disconnections        = "on"
+    log_checkpoints           = "on"
     "pgaudit.log"             = "all"
     "pgaudit.log_client"      = "on"
     "pgaudit.log_level"       = "notice"
-    log_hostname              = "on"
-    log_duration              = "on"
-    # google-sql-enable-pg-temp-file-logging
-    log_temp_files = "0"
-    # google-sql-pg-log-connections
-    log_connections = "on"
-    # google-sql-pg-log-lock-waits
-    log_lock_waits = "on"
-    # google-sql-pg-log-disconnections
-    log_disconnections = "on"
-    # google-sql-pg-log-checkpoints
-    log_checkpoints = "on"
   }
 
   settings_backup_configuration_binary_log_enabled             = local.is_postgres ? false : var.settings_backup_configuration_binary_log_enabled
@@ -69,13 +64,13 @@ resource "google_sql_database_instance" "instance" {
   master_instance_name = var.master_instance_name
 
   settings {
-
-    tier                  = var.settings_tier
-    disk_size             = var.settings_disk_size
-    disk_autoresize       = var.settings_disk_autoresize
-    disk_type             = var.settings_disk_type
-    availability_type     = var.settings_availability_type
-    disk_autoresize_limit = var.settings_disk_autoresize_limit
+    availability_type           = var.settings_availability_type
+    deletion_protection_enabled = var.deletion_protection
+    disk_autoresize             = var.settings_disk_autoresize
+    disk_autoresize_limit       = var.settings_disk_autoresize_limit
+    disk_type                   = var.settings_disk_type
+    disk_size                   = var.settings_disk_size
+    tier                        = var.settings_tier
 
     backup_configuration {
       enabled            = var.settings_backup_configuration_enabled
@@ -103,6 +98,14 @@ resource "google_sql_database_instance" "instance" {
       allocated_ip_range = var.settings_ip_configuration_allocated_ip_range
     }
 
+    insights_config {
+      query_insights_enabled  = true
+      query_string_length     = var.settings_insights_config_query_string_length
+      query_plans_per_minute  = var.settings_insights_config_query_plans_per_minute
+      record_application_tags = true
+      record_client_address   = true
+    }
+
     dynamic "database_flags" {
       iterator = flag
       for_each = local.custom_database_flags
@@ -113,6 +116,11 @@ resource "google_sql_database_instance" "instance" {
       }
     }
 
+    maintenance_window {
+      day          = var.settings_maintenance_window_day
+      hour         = var.settings_maintenance_window_hour
+      update_track = "stable"
+    }
   }
 
   deletion_protection = var.deletion_protection
@@ -161,10 +169,11 @@ resource "google_sql_database_instance" "read_replica" {
 
   settings {
 
-    tier            = var.read_replica_settings_tier
-    disk_size       = var.settings_disk_size
-    disk_autoresize = var.settings_disk_autoresize
-    disk_type       = var.settings_disk_type
+    tier                        = var.read_replica_settings_tier
+    disk_size                   = var.settings_disk_size
+    disk_autoresize             = var.settings_disk_autoresize
+    disk_type                   = var.settings_disk_type
+    deletion_protection_enabled = var.deletion_protection
 
     # Not supported for Read Replica
     availability_type = "ZONAL"

diff --git a/modules/google_sql_database_instance/variables.tf b/modules/google_sql_database_instance/variables.tf
@@ -173,3 +173,43 @@ variable "enable_read_replica" {
   type        = bool
   default     = false
 }
+
+variable "settings_insights_config_query_string_length" {
+  description = "(Optional) Maximum query length stored in bytes."
+  type        = number
+  default     = 1024
+  validation {
+    condition     = var.settings_insights_config_query_string_length >= 256 && var.settings_insights_config_query_string_length <= 4500
+    error_message = " query string length must be >= 256 and <= 4500."
+  }
+}
+
+variable "settings_insights_config_query_plans_per_minute" {
+  description = "(Optional) Maximum number of query plans generated by Insights per minute"
+  type        = number
+  default     = 10
+  validation {
+    condition     = var.settings_insights_config_query_plans_per_minute >= 0 && var.settings_insights_config_query_plans_per_minute <= 20
+    error_message = " query plans per minute must be >= 0 and <= 20."
+  }
+}
+
+variable "settings_maintenance_window_day" {
+  description = "(Optional) The day of week (1-7) for maintenance window to start.Starting on Monday"
+  type        = number
+  default     = 1
+  validation {
+    condition     = var.settings_maintenance_window_day >= 1 && var.settings_maintenance_window_day <= 7
+    error_message = " maintenance window day must be >= 1 and <= 7."
+  }
+}
+
+variable "settings_maintenance_window_hour" {
+  description = "(Optional) The hour of day (0-23) maintenance window starts.The maintenance window is specified in UTC time"
+  type        = number
+  default     = 3
+  validation {
+    condition     = var.settings_maintenance_window_hour >= 0 && var.settings_maintenance_window_hour <= 23
+    error_message = " maintenance window hour must be >= 0 and <= 23."
+  }
+}