Add configurable SSL settings for Cloud SQL database

dcmcand · dcmcand · commit d8bc2646f67c · 2025-08-06T12:08:15.000+02:00
- Add database_require_ssl variable with default true
- Add database_ssl_mode variable with default ENCRYPTED_ONLY
- Include validation for ssl_mode to ensure valid GCP values
- Apply SSL configuration to Cloud SQL ip_configuration block
diff --git a/README.md b/README.md
@@ -226,6 +226,8 @@ No modules.
 | <a name="input_database_disk_autoresize_limit"></a> [database\_disk\_autoresize\_limit](#input\_database\_disk\_autoresize\_limit) | Maximum disk size in GB for database autoresize | `number` | `100` | no |
 | <a name="input_database_disk_size"></a> [database\_disk\_size](#input\_database\_disk\_size) | Database disk size in GB | `number` | `20` | no |
 | <a name="input_database_log_retention_days"></a> [database\_log\_retention\_days](#input\_database\_log\_retention\_days) | Number of days to retain database transaction logs | `number` | `7` | no |
+| <a name="input_database_require_ssl"></a> [database\_require\_ssl](#input\_database\_require\_ssl) | Require SSL for database connections | `bool` | `true` | no |
+| <a name="input_database_ssl_mode"></a> [database\_ssl\_mode](#input\_database\_ssl\_mode) | SSL mode for database connections | `string` | `"ENCRYPTED_ONLY"` | no |
 | <a name="input_database_tier"></a> [database\_tier](#input\_database\_tier) | Database instance tier | `string` | `"db-f1-micro"` | no |
 | <a name="input_enable_cloudflare_dns"></a> [enable\_cloudflare\_dns](#input\_enable\_cloudflare\_dns) | Enable Cloudflare DNS management | `bool` | `false` | no |
 | <a name="input_enable_database"></a> [enable\_database](#input\_enable\_database) | Enable Cloud SQL database deployment | `bool` | `true` | no |
diff --git a/database.tf b/database.tf
@@ -43,7 +43,8 @@ resource "google_sql_database_instance" "main" {
       ipv4_enabled                                  = false
       private_network                               = google_compute_network.main.id
       enable_private_path_for_google_cloud_services = true
-      require_ssl                                   = true
+      require_ssl                                   = var.database_require_ssl
+      ssl_mode                                      = var.database_ssl_mode
     }
 
     # Database flags for optimal performance
diff --git a/variables.tf b/variables.tf
@@ -81,6 +81,22 @@ variable "database_log_retention_days" {
   default     = 7
 }
 
+variable "database_require_ssl" {
+  description = "Require SSL for database connections"
+  type        = bool
+  default     = true
+}
+
+variable "database_ssl_mode" {
+  description = "SSL mode for database connections"
+  type        = string
+  default     = "ENCRYPTED_ONLY"
+  validation {
+    condition     = contains(["ALLOW_UNENCRYPTED_AND_ENCRYPTED", "ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"], var.database_ssl_mode)
+    error_message = "SSL mode must be one of: ALLOW_UNENCRYPTED_AND_ENCRYPTED, ENCRYPTED_ONLY, TRUSTED_CLIENT_CERTIFICATE_REQUIRED."
+  }
+}
+
 # Application Configuration
 variable "app_image" {
   description = "Container image for the hrafnar application (without tag)"

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,8 @@ resource "google_sql_database_instance" "main" {`
`43`	`43`	`ipv4_enabled = false`
`44`	`44`	`private_network = google_compute_network.main.id`
`45`	`45`	`enable_private_path_for_google_cloud_services = true`
`46`		`- require_ssl = true`
	`46`	`+ require_ssl = var.database_require_ssl`
	`47`	`+ ssl_mode = var.database_ssl_mode`
`47`	`48`	`}`
`48`	`49`
`49`	`50`	`# Database flags for optimal performance`