Merge pull request #9 from oaknational/feat/ENG-1079-allowed-connections

[ENG-1079] Authorise CIDRs to connect to DB instances
oaknational · Dec 20, 2024 · dfdf193 · dfdf193
2 parents 293e532 + fd43f75
commit dfdf193
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 1 deletion.
diff --git a/modules/gcp_sql/instance.tf b/modules/gcp_sql/instance.tf
@@ -8,6 +8,10 @@ locals {
   }
 
   name = "${var.name_parts.domain}-${var.env}-${var.name_parts.app}-${var.name_parts.resource}"
+
+  authorized_network_records = {
+    for an in var.authorized_networks : an.cidr => an.description
+  }
 }
 
 resource "google_sql_database_instance" "this" {
@@ -32,6 +36,15 @@ resource "google_sql_database_instance" "this" {
       ipv4_enabled    = true
       private_network = var.vpc_network_link
       require_ssl     = true
+
+      dynamic "authorized_networks" {
+        for_each = local.authorized_network_records
+
+        content {
+          name  = authorized_networks.value
+          value = authorized_networks.key
+        }
+      }
     }
 
     maintenance_window {
@@ -48,4 +61,18 @@ resource "google_sql_database_instance" "this" {
       enable_password_policy      = true
     }
   }
-}
+}
+
+output "connection_data" {
+  value = {
+    external_ip = one([
+      for ip in resource.google_sql_database_instance.this.ip_address : ip.ip_address if ip.type == "PRIMARY"
+    ])
+    internal_ip = one([
+      for ip in resource.google_sql_database_instance.this.ip_address : ip.ip_address if ip.type == "PRIVATE"
+    ])
+    server_ca_cert = one([
+      for ca in resource.google_sql_database_instance.this.server_ca_cert : ca.cert
+    ])
+  }
+}
diff --git a/modules/gcp_sql/variables.tf b/modules/gcp_sql/variables.tf
@@ -53,6 +53,20 @@ variable "memory" {
   }
 }
 
+variable "authorized_networks" {
+  description = "Allowable IP ranges for connectivity"
+  type = list(object({
+    description = string
+    cidr        = string
+  }))
+  default = []
+
+  validation {
+    condition     = alltrue([for an in var.authorized_networks : can(cidrnetmask(an.cidr))])
+    error_message = "Invalid cidr found"
+  }
+}
+
 variable "vpc_network_link" {
   description = "The resource name of the VPC e.g. projects/{project}/global/networks/{vpc_name}"
   type        = string