From d5d0f72dd26f11e31efca5bc33c86155dcd1724b Mon Sep 17 00:00:00 2001
From: magic_rb
Date: Tue, 31 Dec 2024 16:13:46 +0100
Subject: [PATCH] Support `sslnegotiation` option

Signed-off-by: magic_rb
---
 postgresql/config.go | 8 ++++++++
 postgresql/provider.go | 7 +++++++
 2 files changed, 15 insertions(+)

diff --git a/postgresql/config.go b/postgresql/config.go
index c2f1410c..d5e7f681 100644
--- a/postgresql/config.go
+++ b/postgresql/config.go
@@ -46,6 +46,7 @@ const (
 featureServer
 featureCreateRoleSelfGrant
 featureSecurityLabel
+ featureSSLNegotiation
 )

 var (
@@ -122,6 +123,9 @@ var (
 // https://www.postgresql.org/docs/16/release-16.html#RELEASE-16-PRIVILEGES
 featureCreateRoleSelfGrant: semver.MustParseRange(">=16.0.0"),
 featureSecurityLabel: semver.MustParseRange(">=11.0.0"),
+
+ // SSL without STARTTLS
+ featureSSLNegotiation: semver.MustParseRange(">=17.0.0"),
 }
 )

@@ -175,6 +179,7 @@ type Config struct {
 DatabaseUsername string
 Superuser bool
 SSLMode string
+ SSLNegotiation string
 ApplicationName string
 Timeout int
 ConnectTimeoutSec int
@@ -221,6 +226,9 @@ func (c *Config) connParams() []string {
 // (TLS is provided by gocloud directly)
 if c.Scheme == "postgres" {
 params["sslmode"] = c.SSLMode
+ if c.featureSupported(featureSSLNegotiation) {
+ params["sslnegotiation"] = c.SSLNegotiation
+ }
 params["connect_timeout"] = strconv.Itoa(c.ConnectTimeoutSec)
 }

diff --git a/postgresql/provider.go b/postgresql/provider.go
index 8bc7546d..48aabf81 100644
--- a/postgresql/provider.go
+++ b/postgresql/provider.go
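Review bot: The comment `// SSL without STARTTLS` on the new featureSSLNegotiation range does not say what the gate controls, and the connParams hunk below uses it to decide whether the operator's value is sent at all, so a reader needs to know it marks server-side support rather than a client capability. I would replace it with `// sslnegotiation connection option (server support arrived in 17): "direct" starts the TLS handshake immediately instead of the plaintext SSLRequest exchange` and add a link to the 17 libpq-connect documentation in the same style as the release-notes link on the entry above. The gate only means "the server understands it"; whether the Go driver in use forwards the parameter is not visible from this file and should be confirmed in the commit message.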
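Review bot: When `c.featureSupported(featureSSLNegotiation)` is false the configured value is dropped without any signal, so an operator who set `sslnegotiation = "direct"` against an older server (or, if featureSupported is driven by a configured expected version rather than a probed one, which is not visible here, simply without raising that version) silently gets the SSLRequest-style negotiation they opted out of. With an sslmode below require that exchange is where an on-path attacker can answer "N" and force plaintext, so the silent fallback weakens the stated intent rather than just losing an optimisation. connParams has no error return, so rejecting an unsupported `direct` belongs in providerConfigure; in this hunk I would at least avoid emitting an empty parameter when a Config is built without the schema default, `if c.SSLNegotiation != "" && c.featureSupported(featureSSLNegotiation) {`, and note the deliberate drop with `// servers before 17 do not understand sslnegotiation; the value is intentionally not sent`. The rest of connParams lies outside the hunk.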
@@ -147,6 +147,12 @@ func Provider() *schema.Provider {
 Optional: true,
 Deprecated: "Rename PostgreSQL provider `ssl_mode` attribute to `sslmode`",
 },
+ "sslnegotiation": {
+ Type: schema.TypeString,
+ Optional: true,
+ Default: "postgres",
+ Description: "This option controls how SSL encryption is negotiated with the server, if SSL is used. In the default postgres mode, the client first asks the server if SSL is supported. In direct mode, the client starts the standard SSL handshake directly after establishing the TCP/IP connection.",
+ },
 "clientcert": {
 Type: schema.TypeList,
 Optional: true,
@@ -376,6 +382,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 DatabaseUsername: d.Get("database_username").(string),
 Superuser: d.Get("superuser").(bool),
 SSLMode: sslMode,
+ SSLNegotiation: d.Get("sslnegotiation").(string),
 ApplicationName: "Terraform provider",
 ConnectTimeoutSec: d.Get("connect_timeout").(int),
 MaxConns: d.Get("max_connections").(int),
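Review bot: The new `sslnegotiation` attribute accepts any string and it is later written into the connection parameters verbatim by connParams, while the only values the description itself names are `postgres` and `direct`. I would add `ValidateFunc: validation.StringInSlice([]string{"postgres", "direct"}, false),` so a typo, or a value smuggling extra `key=value` tokens into the DSN, is rejected at plan time instead of surfacing as a driver or server error on connect; this needs the SDK's `helper/validation` package, which may not be imported in this file yet. The description should also state that the option only takes effect against PostgreSQL 17 or later (the feature gate in config.go otherwise ignores it) and, as I recall from the libpq documentation, that `direct` is refused together with an sslmode weaker than `require`, so users know to pair it with `sslmode = "require"` or stronger.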
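Review bot: `SSLNegotiation` is copied from the schema here with no check against the feature gate that config.go applies before sending it, so a `direct` setting the gate rejects is dropped rather than reported, and this is the one place that can return an error. After the Config literal (the variable it is bound to is outside the hunk) I would add a guard along the lines of `if cfg.SSLNegotiation == "direct" && !cfg.featureSupported(featureSSLNegotiation) { return nil, fmt.Errorf("sslnegotiation=direct requires PostgreSQL 17 or later") }`, using the file's actual variable name and error constructor. That turns a silent downgrade of the requested TLS negotiation into a configure-time failure the operator can act on. The enclosing providerConfigure body starts and ends outside the hunk.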