From 7a15bb1d2d7283a876efedc3c679f4046429af6c Mon Sep 17 00:00:00 2001 From: Bibek Rauniyar Date: Fri, 18 Aug 2023 11:28:07 +0700 Subject: [PATCH 1/2] feat: update the broken functionaity of delete protection settings --- .github/workflows/shiftleft-terraform.yml | 27 --------- .pre-commit-config.yaml | 4 +- modules/google_sql_database_instance/main.tf | 58 +++++++++++-------- .../google_sql_database_instance/variables.tf | 31 ++++++++++ 4 files changed, 67 insertions(+), 53 deletions(-) delete mode 100644 .github/workflows/shiftleft-terraform.yml diff --git a/.github/workflows/shiftleft-terraform.yml b/.github/workflows/shiftleft-terraform.yml deleted file mode 100644 index 9614ebc..0000000 --- a/.github/workflows/shiftleft-terraform.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -# This workflow integrates ShiftLeft NG SAST with GitHub -# Visit https://docs.shiftleft.io for help -name: shiftleft-terraform -permissions: read-all - -on: - pull_request: - workflow_dispatch: - -jobs: - shiftleft-terraform: - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v2 - - run: echo "REPO_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV - - name: Download ShiftLeft CLI - run: | - curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl - - name: Extract branch name - shell: bash - run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" - id: extract_branch - - name: NextGen Static Analysis - run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app ${{ env.REPO_NAME}} --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --terraform $(pwd) - env: - SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f274372..5a55de0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -13,7 +13,7 @@ repos: - id: check-yaml - id: check-added-large-files - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.81.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases + rev: v1.83.2 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases hooks: - id: terraform_fmt - id: terraform_docs @@ -24,7 +24,7 @@ repos: - id: terraform_checkov exclude: (test/|examples/) - repo: https://github.com/gitguardian/ggshield - rev: v1.16.0 # Update to latest version by running `pre-commit autoupdate` + rev: v1.18.1 # Update to latest version by running `pre-commit autoupdate` hooks: - id: ggshield language: python diff --git a/modules/google_sql_database_instance/main.tf b/modules/google_sql_database_instance/main.tf index dd4c2dc..18a439d 100644 --- a/modules/google_sql_database_instance/main.tf +++ b/modules/google_sql_database_instance/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "~> 4.0" + version = "~> 4.4" } } } @@ -17,21 +17,16 @@ locals { postgres_database_flags = { "cloudsql.enable_pgaudit" = "on" + log_hostname = "on" + log_duration = "on" + log_temp_files = "0" + log_connections = "on" + log_lock_waits = "on" + log_disconnections = "on" + log_checkpoints = "on" "pgaudit.log" = "all" "pgaudit.log_client" = "on" "pgaudit.log_level" = "notice" - log_hostname = "on" - log_duration = "on" - # google-sql-enable-pg-temp-file-logging - log_temp_files = "0" - # google-sql-pg-log-connections - log_connections = "on" - # google-sql-pg-log-lock-waits - log_lock_waits = "on" - # google-sql-pg-log-disconnections - log_disconnections = "on" - # google-sql-pg-log-checkpoints - log_checkpoints = "on" } settings_backup_configuration_binary_log_enabled = local.is_postgres ? false : var.settings_backup_configuration_binary_log_enabled 
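Review bot: The reordering of `postgres_database_flags` drops the `# google-sql-pg-log-connections`-style comments (they look like tfsec rule IDs) that explained why `log_connections`, `log_lock_waits`, `log_disconnections`, `log_checkpoints` and `log_temp_files = "0"` are forced on, so the new side gives a maintainer no reason not to relax them later. Keep that traceability with one summary comment above the map, e.g. `# Audit/logging flags required by the google-sql-pg-* checks (pgaudit, connection, lock-wait, checkpoint and temp-file logging); do not relax without updating the policy exceptions.` The `locals` block continues outside the hunk.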
@@ -69,13 +64,13 @@ resource "google_sql_database_instance" "instance" {
 master_instance_name = var.master_instance_name
 settings {
-
- tier = var.settings_tier
- disk_size = var.settings_disk_size
- disk_autoresize = var.settings_disk_autoresize
- disk_type = var.settings_disk_type
- availability_type = var.settings_availability_type
- disk_autoresize_limit = var.settings_disk_autoresize_limit
+ availability_type = var.settings_availability_type
+ deletion_protection_enabled = var.deletion_protection
+ disk_autoresize = var.settings_disk_autoresize
+ disk_autoresize_limit = var.settings_disk_autoresize_limit
+ disk_type = var.settings_disk_type
+ disk_size = var.settings_disk_size
+ tier = var.settings_tier
 backup_configuration {
 enabled = var.settings_backup_configuration_enabled
@@ -103,6 +98,15 @@ resource "google_sql_database_instance" "instance" {
 allocated_ip_range = var.settings_ip_configuration_allocated_ip_range
 }
+ insights_config {
+ query_insights_enabled = true
+ query_string_length = var.settings_insights_config_query_string_length
+ query_plans_per_minute = var.settings_insights_config_query_plans_per_minute
+ record_application_tags = true
+ record_client_address = true
+
+ }
+
 dynamic "database_flags" {
 iterator = flag
 for_each = local.custom_database_flags
@@ -113,6 +117,11 @@ resource "google_sql_database_instance" "instance" {
 }
 }
+ maintenance_window {
+ day = var.settings_maintenance_window_day
+ hour = var.settings_maintenance_window_hour
+ update_track = "stable"
+ }
 }
 deletion_protection = var.deletion_protection
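Review bot: The new `deletion_protection_enabled = var.deletion_protection` inside `settings` and the resource-level `deletion_protection` further down now read the same variable, but nothing in the code says that they guard different deletion paths, which is the whole point of this fix. Add a comment on the new line, e.g. `# API-level guard: as I understand Cloud SQL, this blocks deletes from the console/gcloud/API; the resource-level deletion_protection below only stops terraform destroy.` It is also worth confirming that `var.deletion_protection` defaults to `true` (its declaration is outside this hunk), since a single `false` now disables both guards at once.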
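Review bot: `record_client_address = true` and `record_application_tags = true` are hard-coded in the new `insights_config` block, while the sizing knobs beside them (`query_string_length`, `query_plans_per_minute`) are variables; whether client IPs and application tags may be retained in Query Insights is a data-classification decision that module consumers currently cannot opt out of. Make them configurable without changing current behaviour: `record_application_tags = var.settings_insights_config_record_application_tags` and `record_client_address = var.settings_insights_config_record_client_address`, backed by two `bool` variables in variables.tf that default to `true`. A short comment noting that `query_string_length` bounds how much query text is persisted would also help readers judge the exposure.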
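Review bot: `update_track = "stable"` in the new `maintenance_window` block is hard-coded and unexplained, while `day` and `hour` right above it are configurable. The track decides how early in a rollout an instance receives maintenance (per the Cloud SQL docs, canary instances are updated before stable ones), so either state the choice, e.g. `# "stable" receives rollouts after "canary"; pinned so every instance patches on a predictable schedule`, or expose it like the other two fields with a variable that defaults to `"stable"`.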
@@ -161,10 +170,11 @@ resource "google_sql_database_instance" "read_replica" {
 settings {
- tier = var.read_replica_settings_tier
- disk_size = var.settings_disk_size
- disk_autoresize = var.settings_disk_autoresize
- disk_type = var.settings_disk_type
+ tier = var.read_replica_settings_tier
+ disk_size = var.settings_disk_size
+ disk_autoresize = var.settings_disk_autoresize
+ disk_type = var.settings_disk_type
+ deletion_protection_enabled = var.deletion_protection
 # Not supported for Read Replica
 availability_type = "ZONAL"
diff --git a/modules/google_sql_database_instance/variables.tf b/modules/google_sql_database_instance/variables.tf
index ef452a2..89ccdde 100644
--- a/modules/google_sql_database_instance/variables.tf
+++ b/modules/google_sql_database_instance/variables.tf
@@ -173,3 +173,34 @@ variable "enable_read_replica" {
 type = bool
 default = false
 }
+
+variable "settings_insights_config_query_string_length" {
+ description = "(Optional) Maximum query length stored in bytes."
+ type = number
+ default = 1024
+}
+
+variable "settings_insights_config_query_plans_per_minute" {
+ description = "(Optional) Maximum number of query plans generated by Insights per minute"
+ type = number
+ default = 10
+}
+
+variable "settings_maintenance_window_day" {
+ description = "(Optional) The day of week (1-7) for maintenance window to start."
+ type = number
+ default = 1
+ validation {
+ condition = var.settings_maintenance_window_day >= 1 && var.settings_maintenance_window_day <= 7
+ error_message = " maintenance window day must be >= 1 and <= 7."
+ }
+}
+variable "settings_maintenance_window_hour" {
+ description = "(Optional) The hour of day (0-23) maintenance window starts."
+ type = number
+ default = 9
+ validation {
+ condition = var.settings_maintenance_window_hour >= 0 && var.settings_maintenance_window_hour <= 23
+ error_message = " maintenance window hour must be >= 0 and <= 23."
+ }
+}
From 900d8d1fd655e11b9c5bab2549b9a367c47a0a37 Mon Sep 17 00:00:00 2001
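Review bot: The replica gains the API-level `deletion_protection_enabled = var.deletion_protection`, but the hunk shows nothing about the `read_replica` resource's own top-level `deletion_protection` argument, and the resource continues outside the hunk; please confirm it is wired to the same variable as the primary, otherwise `terraform destroy` would still remove the replica while console/API deletion is blocked. The existing `# Not supported for Read Replica` comment belongs to `availability_type`, so a reader may misread it as applying to the new line; add `# API-level deletion guard, mirrors the primary instance` above `deletion_protection_enabled` to keep the two apart.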
From: Bibek Rauniyar
Date: Fri, 8 Sep 2023 13:24:59 +0700
Subject: [PATCH 2/2] fix: resolve conflict
---
 modules/google_sql_database_instance/main.tf | 3 +--
 modules/google_sql_database_instance/variables.tf | 15 ++++++++++++---
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/modules/google_sql_database_instance/main.tf b/modules/google_sql_database_instance/main.tf
index 18a439d..7d84d88 100644
--- a/modules/google_sql_database_instance/main.tf
+++ b/modules/google_sql_database_instance/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 4.4"
+ version = "~> 4.48"
 }
 }
 }
@@ -104,7 +104,6 @@ resource "google_sql_database_instance" "instance" {
 query_plans_per_minute = var.settings_insights_config_query_plans_per_minute
 record_application_tags = true
 record_client_address = true
-
 }
 dynamic "database_flags" {
diff --git a/modules/google_sql_database_instance/variables.tf b/modules/google_sql_database_instance/variables.tf
index 89ccdde..a2a19e7 100644
--- a/modules/google_sql_database_instance/variables.tf
+++ b/modules/google_sql_database_instance/variables.tf
@@ -178,16 +178,24 @@ variable "settings_insights_config_query_string_length" {
 description = "(Optional) Maximum query length stored in bytes."
 type = number
 default = 1024
+ validation {
+ condition = var.settings_insights_config_query_string_length >= 256 && var.settings_insights_config_query_string_length <= 4500
+ error_message = " query string length must be >= 256 and <= 4500."
+ }
 }
 variable "settings_insights_config_query_plans_per_minute" {
 description = "(Optional) Maximum number of query plans generated by Insights per minute"
 type = number
 default = 10
+ validation {
+ condition = var.settings_insights_config_query_plans_per_minute >= 0 && var.settings_insights_config_query_plans_per_minute <= 20
+ error_message = " query plans per minute must be >= 0 and <= 20."
+ }
 }
 variable "settings_maintenance_window_day" {
- description = "(Optional) The day of week (1-7) for maintenance window to start."
+ description = "(Optional) The day of week (1-7) for maintenance window to start.Starting on Monday"
 type = number
 default = 1
 validation {
@@ -195,10 +203,11 @@ variable "settings_maintenance_window_day" {
 error_message = " maintenance window day must be >= 1 and <= 7."
 }
 }
+
 variable "settings_maintenance_window_hour" {
- description = "(Optional) The hour of day (0-23) maintenance window starts."
+ description = "(Optional) The hour of day (0-23) maintenance window starts.The maintenance window is specified in UTC time"
 type = number
- default = 9
+ default = 3
 validation {
 condition = var.settings_maintenance_window_hour >= 0 && var.settings_maintenance_window_hour <= 23
 error_message = " maintenance window hour must be >= 0 and <= 23."
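Review bot: The rewritten `settings_maintenance_window_day` description, `"... for maintenance window to start.Starting on Monday"`, is missing the space after the period and still leaves the 1-7 mapping implicit; these strings surface in terraform-docs output, so write `description = "(Optional) Day of week (1-7, 1 = Monday) on which the maintenance window starts."`. The `error_message` values in the two new `validation` blocks (`" query string length must be >= 256 and <= 4500."`, `" query plans per minute must be >= 0 and <= 20."`) begin with a stray space that is printed verbatim in the CLI error; drop it. The second hunk of this file continues past the end of what is shown here.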