feat: add support for server_ca_mode and custom SANs (#714) (#736)

hostekevin · web-flow · commit 15e8be86f3ea · 2025-06-12T07:47:59.000-05:00
diff --git a/modules/postgresql/README.md b/modules/postgresql/README.md
@@ -151,7 +151,7 @@ module "pg" {
 | iam\_users | A list of IAM users to be created in your CloudSQL instance. iam.users.type can be CLOUD\_IAM\_USER, CLOUD\_IAM\_SERVICE\_ACCOUNT, CLOUD\_IAM\_GROUP and is required for type CLOUD\_IAM\_GROUP (IAM groups) | <pre>list(object({<br>    id    = string,<br>    email = string,<br>    type  = optional(string)<br>  }))</pre> | `[]` | no |
 | insights\_config | The insights\_config settings for the database. | <pre>object({<br>    query_plans_per_minute  = optional(number, 5)<br>    query_string_length     = optional(number, 1024)<br>    record_application_tags = optional(bool, false)<br>    record_client_address   = optional(bool, false)<br>  })</pre> | `null` | no |
 | instance\_type | The type of the instance. The supported values are SQL\_INSTANCE\_TYPE\_UNSPECIFIED, CLOUD\_SQL\_INSTANCE, ON\_PREMISES\_INSTANCE and READ\_REPLICA\_INSTANCE. Set to READ\_REPLICA\_INSTANCE if master\_instance\_name value is provided | `string` | `"CLOUD_SQL_INSTANCE"` | no |
-| ip\_configuration | The ip configuration for the Cloud SQL instances. | <pre>object({<br>    authorized_networks                           = optional(list(map(string)), [])<br>    ipv4_enabled                                  = optional(bool, true)<br>    private_network                               = optional(string)<br>    ssl_mode                                      = optional(string)<br>    allocated_ip_range                            = optional(string)<br>    enable_private_path_for_google_cloud_services = optional(bool, false)<br>    psc_enabled                                   = optional(bool, false)<br>    psc_allowed_consumer_projects                 = optional(list(string), [])<br>  })</pre> | `{}` | no |
+| ip\_configuration | The ip configuration for the Cloud SQL instances. | <pre>object({<br>    authorized_networks                           = optional(list(map(string)), [])<br>    ipv4_enabled                                  = optional(bool, true)<br>    private_network                               = optional(string)<br>    ssl_mode                                      = optional(string)<br>    allocated_ip_range                            = optional(string)<br>    enable_private_path_for_google_cloud_services = optional(bool, false)<br>    psc_enabled                                   = optional(bool, false)<br>    psc_allowed_consumer_projects                 = optional(list(string), [])<br>    server_ca_mode                                = optional(string)<br>    server_ca_pool                                = optional(string)<br>    custom_subject_alternative_names              = optional(list(string), [])<br>  })</pre> | `{}` | no |
 | maintenance\_version | The current software version on the instance. This attribute can not be set during creation. Refer to available\_maintenance\_versions attribute to see what maintenance\_version are available for upgrade. When this attribute gets updated, it will cause an instance restart. Setting a maintenance\_version value that is older than the current one on the instance will be ignored | `string` | `null` | no |
 | maintenance\_window\_day | The day of week (1-7) for the Cloud SQL instance maintenance. | `number` | `1` | no |
 | maintenance\_window\_hour | The hour of day (0-23) maintenance window for the Cloud SQL instance maintenance. | `number` | `23` | no |
diff --git a/modules/postgresql/main.tf b/modules/postgresql/main.tf
@@ -126,6 +126,9 @@ resource "google_sql_database_instance" "default" {
         ssl_mode                                      = lookup(ip_configuration.value, "ssl_mode", null)
         allocated_ip_range                            = lookup(ip_configuration.value, "allocated_ip_range", null)
         enable_private_path_for_google_cloud_services = lookup(ip_configuration.value, "enable_private_path_for_google_cloud_services", false)
+        server_ca_mode                                = lookup(ip_configuration.value, "server_ca_mode", null)
+        server_ca_pool                                = lookup(ip_configuration.value, "server_ca_pool", null)
+        custom_subject_alternative_names              = lookup(ip_configuration.value, "custom_subject_alternative_names", [])
 
         dynamic "authorized_networks" {
           for_each = lookup(ip_configuration.value, "authorized_networks", [])
diff --git a/modules/postgresql/variables.tf b/modules/postgresql/variables.tf
@@ -330,6 +330,9 @@ variable "ip_configuration" {
     enable_private_path_for_google_cloud_services = optional(bool, false)
     psc_enabled                                   = optional(bool, false)
     psc_allowed_consumer_projects                 = optional(list(string), [])
+    server_ca_mode                                = optional(string)
+    server_ca_pool                                = optional(string)
+    custom_subject_alternative_names              = optional(list(string), [])
   })
   default = {}
 }
diff --git a/modules/postgresql/versions.tf b/modules/postgresql/versions.tf
@@ -27,11 +27,11 @@ terraform {
     }
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.17, < 7"
+      version = ">= 6.31, < 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.17, < 7"
+      version = ">= 6.31, < 7"
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -27,11 +27,11 @@ terraform {`
`27`	`27`	`}`
`28`	`28`	`google = {`
`29`	`29`	`source = "hashicorp/google"`
`30`		`- version = ">= 6.17, < 7"`
	`30`	`+ version = ">= 6.31, < 7"`
`31`	`31`	`}`
`32`	`32`	`google-beta = {`
`33`	`33`	`source = "hashicorp/google-beta"`
`34`		`- version = ">= 6.17, < 7"`
	`34`	`+ version = ">= 6.31, < 7"`
`35`	`35`	`}`
`36`	`36`	`}`
`37`	`37`