diff --git a/mmv1/third_party/terraform/services/sql/resource_sql_database_instance.go.tmpl b/mmv1/third_party/terraform/services/sql/resource_sql_database_instance.go.tmpl
index 669b7679f688..6afb56fdc9bf 100644
--- a/mmv1/third_party/terraform/services/sql/resource_sql_database_instance.go.tmpl
+++ b/mmv1/third_party/terraform/services/sql/resource_sql_database_instance.go.tmpl
@@ -88,6 +88,7 @@ var (
 "settings.0.ip_configuration.0.ssl_mode",
 "settings.0.ip_configuration.0.server_ca_mode",
 "settings.0.ip_configuration.0.server_ca_pool",
+ "settings.0.ip_configuration.0.server_certificate_rotation_mode",
 "settings.0.ip_configuration.0.custom_subject_alternative_names",
 }

@@ -696,6 +697,13 @@ API (for read pools, effective_availability_type may differ from availability_ty
 Description: `The resource name of the server CA pool for an instance with "CUSTOMER_MANAGED_CAS_CA" as the "server_ca_mode".`,
 AtLeastOneOf: ipConfigurationKeys,
 },
+ "server_certificate_rotation_mode": {
+ Type: schema.TypeString,
+ Optional: true,
+ ValidateFunc: validation.StringInSlice([]string{"NO_AUTOMATIC_ROTATION", "AUTOMATIC_ROTATION_DURING_MAINTENANCE"}, false),
+ Description: `Settings for how the server certificate gets rotated.`,
+ AtLeastOneOf: ipConfigurationKeys,
+ },
 "custom_subject_alternative_names": {
 Type: schema.TypeSet,
 Optional: true,
@@ -1876,6 +1884,7 @@ func expandIpConfiguration(configured []interface{}, databaseVersion string) *sq
 SslMode: _ipConfiguration["ssl_mode"].(string),
 ServerCaMode: _ipConfiguration["server_ca_mode"].(string),
 ServerCaPool: _ipConfiguration["server_ca_pool"].(string),
+ ServerCertificateRotationMode: _ipConfiguration["server_certificate_rotation_mode"].(string),
 CustomSubjectAlternativeNames: tpgresource.ConvertStringArr(_ipConfiguration["custom_subject_alternative_names"].(*schema.Set).List()),
 }
 }
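Review bot: The `server_certificate_rotation_mode` schema entry (second hunk) is `Optional` but not `Computed`, while `flattenIpConfiguration` (last hunk of this file) writes any value other than the unspecified sentinel into state. If the API reports a mode for instances whose configuration omits the field — the assertions added to the existing acceptance tests suggest it may, though their configs are outside the hunks — each plan would show a change back to empty, and the empty string passed through in `expandIpConfiguration` (third hunk) would presumably leave the server-side mode as it was. Adding `Computed: true,` would keep state and configuration consistent in that case. The `Description` could also carry the constraint stated in the docs hunk, for example `AUTOMATIC_ROTATION_DURING_MAINTENANCE requires server_ca_mode GOOGLE_MANAGED_CAS_CA or CUSTOMER_MANAGED_CAS_CA.`, because `ValidateFunc` checks only the enum value.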
@@ -3107,6 +3116,10 @@ func flattenIpConfiguration(ipConfiguration *sqladmin.IpConfiguration, d *schema
 data["psc_config"] = flattenPscConfigs(ipConfiguration.PscConfig)
 }

+ if ipConfiguration.ServerCertificateRotationMode != "SERVER_CERTIFICATE_ROTATION_MODE_UNSPECIFIED" {
+ data["server_certificate_rotation_mode"] = ipConfiguration.ServerCertificateRotationMode
+ }
+
 return []map[string]interface{}{data}
 }

diff --git a/mmv1/third_party/terraform/services/sql/resource_sql_database_instance_meta.yaml.tmpl b/mmv1/third_party/terraform/services/sql/resource_sql_database_instance_meta.yaml.tmpl
index 8e305f6312b5..77805b5a7182 100644
--- a/mmv1/third_party/terraform/services/sql/resource_sql_database_instance_meta.yaml.tmpl
+++ b/mmv1/third_party/terraform/services/sql/resource_sql_database_instance_meta.yaml.tmpl
@@ -163,6 +163,7 @@ fields:
 - api_field: 'settings.ipConfiguration.pscConfig.pscEnabled'
 - api_field: 'settings.ipConfiguration.serverCaMode'
 - api_field: 'settings.ipConfiguration.serverCaPool'
+ - api_field: 'settings.ipConfiguration.serverCertificateRotationMode'
 - api_field: 'settings.ipConfiguration.sslMode'
 - api_field: 'settings.locationPreference.followGaeApplication'
 - api_field: 'settings.locationPreference.secondaryZone'
diff --git a/mmv1/third_party/terraform/services/sql/resource_sql_database_instance_test.go.tmpl b/mmv1/third_party/terraform/services/sql/resource_sql_database_instance_test.go.tmpl
index 7216a92e7635..a791ce4f949e 100644
--- a/mmv1/third_party/terraform/services/sql/resource_sql_database_instance_test.go.tmpl
+++ b/mmv1/third_party/terraform/services/sql/resource_sql_database_instance_test.go.tmpl
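Review bot: The new guard in `flattenIpConfiguration` (resource_sql_database_instance.go.tmpl) needs a short comment, because it is not obvious why only `SERVER_CERTIFICATE_ROTATION_MODE_UNSPECIFIED` is filtered: that value is not one of the two accepted by the schema's `ValidateFunc`, so storing it would put a value in state that no configuration can match. A line such as `// Skip the API's unspecified sentinel; it is not a valid configuration value.` above the `if` would do. An empty string from the API still passes the comparison and is stored as `""`, which looks harmless but could be made explicit with `if m := ipConfiguration.ServerCertificateRotationMode; m != "" && m != "SERVER_CERTIFICATE_ROTATION_MODE_UNSPECIFIED" {`. The function body begins outside the hunk.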
@@ -3785,6 +3785,7 @@ func TestAccSqlDatabaseInstance_useInternalCaByDefault(t *testing.T) {
 Check: resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_ca_mode", "GOOGLE_MANAGED_INTERNAL_CA"),
 resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_ca_pool", ""),
+ resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_certificate_rotation_mode", "NO_AUTOMATIC_ROTATION"),
 ),
 },
 {
@@ -3814,6 +3815,7 @@ func TestAccSqlDatabaseInstance_useCasBasedServerCa(t *testing.T) {
 Check: resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_ca_mode", "GOOGLE_MANAGED_CAS_CA"),
 resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_ca_pool", ""),
+ resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_certificate_rotation_mode", "AUTOMATIC_ROTATION_DURING_MAINTENANCE"),
 resource.TestCheckResourceAttr(resourceName, "dns_names.#", "1"),
 resource.TestCheckResourceAttr(resourceName, "dns_names.0.connection_type", "PUBLIC"),
 resource.TestCheckResourceAttr(resourceName, "dns_names.0.dns_scope", "INSTANCE"),
@@ -4546,6 +4548,7 @@ resource "google_sql_database_instance" "instance" {
 ipv4_enabled = "true"
 server_ca_mode = "CUSTOMER_MANAGED_CAS_CA"
 server_ca_pool = google_privateca_ca_pool.customer_ca_pool.id
+ server_certificate_rotation_mode = "AUTOMATIC_ROTATION_DURING_MAINTENANCE"
 custom_subject_alternative_names = ["%{customSan}"]
 }
 }
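Review bot: The checks added to `TestAccSqlDatabaseInstance_useInternalCaByDefault` and `TestAccSqlDatabaseInstance_useCasBasedServerCa` only assert the value read back after apply. Nothing visible in these hunks exercises an in-place change of `server_certificate_rotation_mode` (for example from `AUTOMATIC_ROTATION_DURING_MAINTENANCE` to `NO_AUTOMATIC_ROTATION`) or removal of the attribute from the configuration. Because the setting decides whether the server certificate is rotated automatically, a test step that updates it and asserts the new value would show that the update path reaches the API and that state does not drift. The test functions start and end outside the hunks, so such a step may already exist elsewhere.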
@@ -4634,9 +4637,10 @@ resource "google_sql_database_instance" "instance" {
 settings {
 tier = "db-f1-micro"
 ip_configuration {
- ipv4_enabled = "true"
- server_ca_mode = "CUSTOMER_MANAGED_CAS_CA"
- server_ca_pool = google_privateca_ca_pool.customer_ca_pool.id
+ ipv4_enabled = "true"
+ server_ca_mode = "CUSTOMER_MANAGED_CAS_CA"
+ server_ca_pool = google_privateca_ca_pool.customer_ca_pool.id
+ server_certificate_rotation_mode = "AUTOMATIC_ROTATION_DURING_MAINTENANCE"
 }
 }

diff --git a/mmv1/third_party/terraform/website/docs/r/sql_database_instance.html.markdown b/mmv1/third_party/terraform/website/docs/r/sql_database_instance.html.markdown
index 4a93aa24519d..0ef175f97ba4 100644
--- a/mmv1/third_party/terraform/website/docs/r/sql_database_instance.html.markdown
+++ b/mmv1/third_party/terraform/website/docs/r/sql_database_instance.html.markdown
@@ -534,6 +534,8 @@ This setting can be updated, but it cannot be removed after it is set.

 * `server_ca_pool` - (Optional) The resource name of the server CA pool for an instance with `CUSTOMER_MANAGED_CAS_CA` as the `server_ca_mode`.

+* `server_certificate_rotation_mode` - (Optional) Controls the automatic server certificate rotation feature. Supported values are `NO_AUTOMATIC_ROTATION`and `AUTOMATIC_ROTATION_DURING_MAINTENANCE`. `AUTOMATIC_ROTATION_DURING_MAINTENANCE` can only be set if `server_ca_mode` is either `GOOGLE_MANAGED_CAS_CA` or `CUSTOMER_MANAGED_CAS_CA`. See [API reference doc](https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration) for details.
+
 * `custom_subject_alternative_names` - (Optional) The custom subject alternative names for an instance with `CUSTOMER_MANAGED_CAS_CA` as the `server_ca_mode`.

 * `allocated_ip_range` - (Optional) The name of the allocated ip range for the private ip CloudSQL instance. For example: "google-managed-services-default". If set, the instance ip will be created in the allocated range. The range name must comply with [RFC 1035](https://datatracker.ietf.org/doc/html/rfc1035). Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])?.