From c399ab5bdd460f5a2873463f2e9181ff640d13b8 Mon Sep 17 00:00:00 2001
From: bibek4699 <121928896+bibek4699@users.noreply.github.com>
Date: Fri, 8 Sep 2023 15:11:07 +0700
Subject: [PATCH] feat: Add functionality to prevent deletion of databases across all surfaces, enable Query Insight, and set maintenance window. (#34)

* feat: update the broken functionaity of delete protection settings

* fix: resolve conflict
---
 .github/workflows/shiftleft-terraform.yml     | 27 ---------
 .pre-commit-config.yaml                       |  4 +-
 modules/google_sql_database_instance/main.tf  | 57 +++++++++++--------
 .../google_sql_database_instance/variables.tf | 40 +++++++++++++
 4 files changed, 75 insertions(+), 53 deletions(-)
 delete mode 100644 .github/workflows/shiftleft-terraform.yml

diff --git a/.github/workflows/shiftleft-terraform.yml b/.github/workflows/shiftleft-terraform.yml
deleted file mode 100644
index 9614ebc..0000000
--- a/.github/workflows/shiftleft-terraform.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-# This workflow integrates ShiftLeft NG SAST with GitHub
-# Visit https://docs.shiftleft.io for help
-name: shiftleft-terraform
-permissions: read-all
-
-on:
-  pull_request:
-  workflow_dispatch:
-
-jobs:
-  shiftleft-terraform:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v2
-      - run: echo "REPO_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV
-      - name: Download ShiftLeft CLI
-        run: |
-          curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
-      - name: Extract branch name
-        shell: bash
-        run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
-        id: extract_branch
-      - name: NextGen Static Analysis
-        run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app ${{ env.REPO_NAME}} --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --terraform $(pwd)
-        env:
-          SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f274372..5a55de0 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -13,7 +13,7 @@ repos:
       - id: check-yaml
       - id: check-added-large-files
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.81.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.83.2 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
@@ -24,7 +24,7 @@ repos:
       - id: terraform_checkov
         exclude: (test/|examples/)
   - repo: https://github.com/gitguardian/ggshield
-    rev: v1.16.0 # Update to latest version by running `pre-commit autoupdate`
+    rev: v1.18.1 # Update to latest version by running `pre-commit autoupdate`
     hooks:
       - id: ggshield
        language: python
diff --git a/modules/google_sql_database_instance/main.tf b/modules/google_sql_database_instance/main.tf
index dd4c2dc..7d84d88 100644
--- a/modules/google_sql_database_instance/main.tf
+++ b/modules/google_sql_database_instance/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 4.0"
+      version = "~> 4.48"
     }
   }
 }
@@ -17,21 +17,16 @@ locals { postgres_database_flags = { "cloudsql.enable_pgaudit" = "on" + log_hostname = "on" + log_duration = "on" + log_temp_files = "0" + log_connections = "on" + log_lock_waits = "on" + log_disconnections = "on" + log_checkpoints = "on" "pgaudit.log" = "all" "pgaudit.log_client" = "on" "pgaudit.log_level" = "notice" - log_hostname = "on" - log_duration = "on" - # google-sql-enable-pg-temp-file-logging - log_temp_files = "0" - # google-sql-pg-log-connections - log_connections = "on" - # google-sql-pg-log-lock-waits - log_lock_waits = "on" - # google-sql-pg-log-disconnections - log_disconnections = "on" - # google-sql-pg-log-checkpoints - log_checkpoints = "on" } settings_backup_configuration_binary_log_enabled = local.is_postgres ? false : var.settings_backup_configuration_binary_log_enabled @@ -69,13 +64,13 @@ resource "google_sql_database_instance" "instance" { master_instance_name = var.master_instance_name settings { - - tier = var.settings_tier - disk_size = var.settings_disk_size - disk_autoresize = var.settings_disk_autoresize - disk_type = var.settings_disk_type - availability_type = var.settings_availability_type - disk_autoresize_limit = var.settings_disk_autoresize_limit + availability_type = var.settings_availability_type + deletion_protection_enabled = var.deletion_protection + disk_autoresize = var.settings_disk_autoresize + disk_autoresize_limit = var.settings_disk_autoresize_limit + disk_type = var.settings_disk_type + disk_size = var.settings_disk_size + tier = var.settings_tier backup_configuration { enabled = var.settings_backup_configuration_enabled 
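Review bot: In the second hunk, `deletion_protection_enabled = var.deletion_protection` inside `settings` ties the server-side Cloud SQL guard to the same variable as the resource-level `deletion_protection` below it, which is a sensible default but changes the destroy procedure: the server-side flag has to be cleared by an update before the API accepts a delete, so a caller who sets the variable to false must apply first and destroy second, whereas the resource-level check alone could be overridden in one run. The `deletion_protection` variable lives in variables.tf outside this patch; its description should state that it now drives both guards, along the lines of `"Enables both the Terraform-level deletion_protection check and the instance's server-side deletion_protection_enabled setting; set to false and apply before running destroy."`. The argument reorder and the `~> 4.48` provider floor are what make the new argument available, and that dependency is worth a one-line comment next to it. In the first hunk the `# google-sql-...` rule-ID comments were dropped alongside the reorder; keeping each rule ID next to the flag that satisfies it preserves the audit trail for the Checkov hook this repository runs. The enclosing `locals` and `resource` blocks start and end outside these hunks.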
@@ -103,6 +98,14 @@ resource "google_sql_database_instance" "instance" { allocated_ip_range = var.settings_ip_configuration_allocated_ip_range } + insights_config { + query_insights_enabled = true + query_string_length = var.settings_insights_config_query_string_length + query_plans_per_minute = var.settings_insights_config_query_plans_per_minute + record_application_tags = true + record_client_address = true + } + dynamic "database_flags" { iterator = flag for_each = local.custom_database_flags @@ -113,6 +116,11 @@ resource "google_sql_database_instance" "instance" { } } + maintenance_window { + day = var.settings_maintenance_window_day + hour = var.settings_maintenance_window_hour + update_track = "stable" + } } deletion_protection = var.deletion_protection @@ -161,10 +169,11 @@ resource "google_sql_database_instance" "read_replica" { settings { - tier = var.read_replica_settings_tier - disk_size = var.settings_disk_size - disk_autoresize = var.settings_disk_autoresize - disk_type = var.settings_disk_type + tier = var.read_replica_settings_tier + disk_size = var.settings_disk_size + disk_autoresize = var.settings_disk_autoresize + disk_type = var.settings_disk_type + deletion_protection_enabled = var.deletion_protection # Not supported for Read Replica availability_type = "ZONAL" diff --git a/modules/google_sql_database_instance/variables.tf b/modules/google_sql_database_instance/variables.tf index ef452a2..a2a19e7 100644 --- a/modules/google_sql_database_instance/variables.tf +++ b/modules/google_sql_database_instance/variables.tf 
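Review bot: In the first hunk, `query_insights_enabled`, `record_application_tags` and `record_client_address` are hard-coded to `true` inside `insights_config`, while the neighbouring `query_string_length` and `query_plans_per_minute` are wired to variables, so a caller has no way to turn Insights off or to stop the connecting client's address being stored with sampled queries, which some deployments will want disabled for data-minimisation reasons. Exposing them as `bool` variables that default to `true` keeps existing callers unchanged, e.g. `record_client_address = var.settings_insights_config_record_client_address` (variable name is a proposal). In the last hunk, the new `deletion_protection_enabled` line for the read replica sits directly above the `# Not supported for Read Replica` comment, which now reads as though it applied to the new argument; placing the new line above `disk_type` or leaving a blank line before the comment avoids that. The enclosing `resource` blocks start and end outside these hunks.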
@@ -173,3 +173,43 @@ variable "enable_read_replica" {
   type        = bool
   default     = false
 }
+
+variable "settings_insights_config_query_string_length" {
+  description = "(Optional) Maximum query length stored in bytes."
+  type        = number
+  default     = 1024
+  validation {
+    condition     = var.settings_insights_config_query_string_length >= 256 && var.settings_insights_config_query_string_length <= 4500
+    error_message = " query string length must be >= 256 and <= 4500."
+  }
+}
+
+variable "settings_insights_config_query_plans_per_minute" {
+  description = "(Optional) Maximum number of query plans generated by Insights per minute"
+  type        = number
+  default     = 10
+  validation {
+    condition     = var.settings_insights_config_query_plans_per_minute >= 0 && var.settings_insights_config_query_plans_per_minute <= 20
+    error_message = " query plans per minute must be >= 0 and <= 20."
+  }
+}
+
+variable "settings_maintenance_window_day" {
+  description = "(Optional) The day of week (1-7) for maintenance window to start.Starting on Monday"
+  type        = number
+  default     = 1
+  validation {
+    condition     = var.settings_maintenance_window_day >= 1 && var.settings_maintenance_window_day <= 7
+    error_message = " maintenance window day must be >= 1 and <= 7."
+  }
+}
+
+variable "settings_maintenance_window_hour" {
+  description = "(Optional) The hour of day (0-23) maintenance window starts.The maintenance window is specified in UTC time"
+  type        = number
+  default     = 3
+  validation {
+    condition     = var.settings_maintenance_window_hour >= 0 && var.settings_maintenance_window_hour <= 23
+    error_message = " maintenance window hour must be >= 0 and <= 23."
+  }
+}
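Review bot: Every new `error_message` begins with a stray leading space and a lowercase word (`" query string length must be >= 256 and <= 4500."`), which Terraform prints verbatim after its own prefix, and some older Terraform releases rejected validation messages that were not a capitalised sentence; `error_message = "Query string length must be between 256 and 4500."`, with the other three adjusted the same way, is cleaner and more portable. Two descriptions are missing a space after the full stop, `start.Starting on Monday` and `starts.The maintenance window`, and the other two lack a closing period, so the generated terraform-docs output will read unevenly.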