Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

it'd be great if we add write-only argument (password_wo) to the google_alloydb_user resource, so we may pass database user passwords without them being stored in state.

Note: for complete AlloyDB password management without state storage, we also need write-only support for google_alloydb_cluster's initial_user.password field but it's be better to handle as other issue since it'd need a extra consideration for nested field.

New or Affected Resource(s)

• google_alloydb_user

Potential Terraform Configuration

resource "google_alloydb_cluster" "default" {
  cluster_id = "alloydb-cluster"
  ...
}

resource "google_alloydb_instance" "default" {
  cluster       = google_alloydb_cluster.default.name
  ...
}

ephemeral "random_password" "pwd" {
  length  = 16
  special = false
}

resource "google_alloydb_user" "user1" {
  cluster   = google_alloydb_cluster.default.name
  user_id   = "user1"
  user_type = "ALLOYDB_BUILT_IN"

  password_wo         = ephemeral.random_password.pwd.result
  password_wo_version = "1"

  database_roles = ["alloydbsuperuser"]
  depends_on     = [google_alloydb_instance.default]
}

References

No response