Support sslnegotiation option

MagicRB · MagicRB · commit 046abb007820 · 2024-12-31T16:32:39.000+01:00
Signed-off-by: magic_rb &lt;richard@brezak.sk&gt;
diff --git a/postgresql/config.go b/postgresql/config.go
@@ -46,6 +46,7 @@ const (
 	featureServer
 	featureCreateRoleSelfGrant
 	featureSecurityLabel
+	featureSSLNegotiation
 )
 
 var (
@@ -122,6 +123,9 @@ var (
 		// https://www.postgresql.org/docs/16/release-16.html#RELEASE-16-PRIVILEGES
 		featureCreateRoleSelfGrant: semver.MustParseRange(">=16.0.0"),
 		featureSecurityLabel:       semver.MustParseRange(">=11.0.0"),
+
+		// SSL without STARTTLS
+		featureSSLNegotation: semver.MustParseRange(">=17.0.0"),
 	}
 )
 
@@ -175,6 +179,7 @@ type Config struct {
 	DatabaseUsername                string
 	Superuser                       bool
 	SSLMode                         string
+	SSLNegotiation                  string
 	ApplicationName                 string
 	Timeout                         int
 	ConnectTimeoutSec               int
@@ -221,6 +226,9 @@ func (c *Config) connParams() []string {
 	// (TLS is provided by gocloud directly)
 	if c.Scheme == "postgres" {
 		params["sslmode"] = c.SSLMode
+		if c.featureSupported(featureSSLNegotation) {
+			params["sslnegotiation"] = c.SSLNegotiation
+		}
 		params["connect_timeout"] = strconv.Itoa(c.ConnectTimeoutSec)
 	}
 
diff --git a/postgresql/provider.go b/postgresql/provider.go
@@ -147,6 +147,12 @@ func Provider() *schema.Provider {
 				Optional:   true,
 				Deprecated: "Rename PostgreSQL provider `ssl_mode` attribute to `sslmode`",
 			},
+			"sslnegotiation": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Default:     "postgres",
+				Description: "This option controls how SSL encryption is negotiated with the server, if SSL is used. In the default postgres mode, the client first asks the server if SSL is supported. In direct mode, the client starts the standard SSL handshake directly after establishing the TCP/IP connection.",
+			},
 			"clientcert": {
 				Type:        schema.TypeList,
 				Optional:    true,
@@ -376,6 +382,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		DatabaseUsername:                d.Get("database_username").(string),
 		Superuser:                       d.Get("superuser").(bool),
 		SSLMode:                         sslMode,
+		SSLNegotiation:                  d.Get("sslnegotiation").(string),
 		ApplicationName:                 "Terraform provider",
 		ConnectTimeoutSec:               d.Get("connect_timeout").(int),
 		MaxConns:                        d.Get("max_connections").(int),
