Skip to content

googleSqlUser

Creates a new Google SQL User on a Google SQL User Instance. For more information, see the official documentation, or the JSON API.

\~> Note: All arguments including the username and password will be stored in the raw state as plain-text. Read more about sensitive data in state. Passwords will not be retrieved when running "terraform import".

Example Usage

Example creating a SQL User.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
import * as random from "./.gen/providers/random";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google, random.
For a more precise conversion please use the --provider flag in convert.*/
const randomIdDbNameSuffix = new random.id.Id(this, "db_name_suffix", {
  byte_length: 4,
});
const googleSqlDatabaseInstanceMain =
  new google.sqlDatabaseInstance.SqlDatabaseInstance(this, "main", {
    database_version: "MYSQL_5_7",
    name: `main-instance-\${${randomIdDbNameSuffix.hex}}`,
    settings: [
      {
        tier: "db-f1-micro",
      },
    ],
  });
new google.sqlUser.SqlUser(this, "users", {
  host: "me.com",
  instance: googleSqlDatabaseInstanceMain.name,
  name: "me",
  password: "changeme",
});

Example creating a Cloud IAM User. (For MySQL, specify cloudsqlIamAuthentication)

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
import * as random from "./.gen/providers/random";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google, random.
For a more precise conversion please use the --provider flag in convert.*/
const randomIdDbNameSuffix = new random.id.Id(this, "db_name_suffix", {
  byte_length: 4,
});
const googleSqlDatabaseInstanceMain =
  new google.sqlDatabaseInstance.SqlDatabaseInstance(this, "main", {
    database_version: "POSTGRES_9_6",
    name: `main-instance-\${${randomIdDbNameSuffix.hex}}`,
    settings: [
      {
        database_flags: [
          {
            name: "cloudsql.iam_authentication",
            value: "on",
          },
        ],
        tier: "db-f1-micro",
      },
    ],
  });
new google.sqlUser.SqlUser(this, "users", {
  instance: googleSqlDatabaseInstanceMain.name,
  name: "me@example.com",
  type: "CLOUD_IAM_USER",
});

Argument Reference

The following arguments are supported:

  • instance - (Required) The name of the Cloud SQL instance. Changing this forces a new resource to be created.

  • name - (Required) The name of the user. Changing this forces a new resource to be created.

  • password - (Optional) The password for the user. Can be updated. For Postgres instances this is a Required field, unless type is set to either CLOUD_IAM_USER or CLOUD_IAM_SERVICE_ACCOUNT. Don't set this field for CLOUD_IAM_USER and CLOUD_IAM_SERVICE_ACCOUNT user types for any Cloud SQL instance.

  • type - (Optional) The user type. It determines the method to authenticate the user during login. The default is the database's built-in user type. Flags include "BUILT_IN", "CLOUD_IAM_USER", or "CLOUD_IAM_SERVICE_ACCOUNT".

  • deletionPolicy - (Optional) The deletion policy for the user. Setting abandon allows the resource to be abandoned rather than deleted. This is useful for Postgres, where users cannot be deleted from the API if they have been granted SQL roles.

    Possible values are: abandon.

  • host - (Optional) The host the user can connect from. This is only supported for BUILT_IN users in MySQL instances. Don't set this field for PostgreSQL and SQL Server instances. Can be an IP address. Changing this forces a new resource to be created.

  • project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The optional passwordPolicy block is only supported by Mysql. The passwordPolicy block supports:

  • allowedFailedAttempts - (Optional) Number of failed attempts allowed before the user get locked.

  • passwordExpirationDuration - (Optional) Password expiration duration with one week grace period.

  • enableFailedAttemptsCheck - (Optional) If true, the check that will lock user after too many failed login attempts will be enabled.

  • enablePasswordVerification - (Optional) If true, the user must specify the current password before changing the password. This flag is supported only for MySQL.

The read only passwordPolicyStatus subblock supports:

  • locked - (read only) If true, user does not have login privileges.

  • passwordExpirationTime - (read only) Password expiration duration with one week grace period.

Attributes Reference

Only the arguments listed above are exposed as attributes.

Timeouts

This resource provides the following Timeouts configuration options: configuration options:

  • create - Default is 10 minutes.
  • update - Default is 10 minutes.
  • delete - Default is 10 minutes.

Import

SQL users for MySQL databases can be imported using the project, instance, host and name, e.g.

$ terraform import google_sql_user.users my-project/main-instance/my-domain.com/me

SQL users for PostgreSQL databases can be imported using the project, instance and name, e.g.

$ terraform import google_sql_user.users my-project/main-instance/me