feat: MySQL DB and Vault (#1)

Signed-off-by: Yoan Blanc <yblanc@edgelab.ch>
Co-authored-by: Vincent Thiery <vjmthiery@gmail.com>

Author: greut

README.md

@@ -1,3 +1,39 @@
 # terraform-mysql-db
 
 This module offers default conventions when creating a new MySQL database.
+
+In particular:
+
+- It creates a database 👋
+- Optionally, it creates a user named after the database when not specified.
+- Optionally, it creates two roles to obtain credentials via Vault:
+
+    - `${vault_backend_path}/${DBNAME}-all-privileges` with `ALL PRIVILEGES` permissions.
+    - `${vault_backend_path}/${DBNAME}-read-only` with `SELECT` permissions.
+
+- When the intent is to use Vault, it's recommended to **NOT** provide the `plaintext_password`.
+
+
+## Usage
+
+```hcl
+module "my_database" {
+  source = "git@github.com:edgelaboratories/terraform-mysql-db?ref=v0.1.0"
+
+  database = "my-database"
+
+  # By default, the database name is used
+  # user = "my-database"
+
+  # Optional user password. Not required when using Vault roles
+  plaintext_password = "a very hard to guess password"
+
+  # Default values are utf8mb4 and utf8mb4_unicode_ci
+  default_character_set = "utf8"
+  default_collation     = "utf8_unicode_ci"
+
+  # Optional
+  vault_backend_path       = "mysql/my-cluster"
+  vault_db_connection_name = "my-cluster"
+}
+```

main.tf

@@ -0,0 +1,28 @@
+locals {
+  user = coalesce(var.user, var.database)
+}
+
+resource "mysql_database" "this" {
+  name = var.database
+
+  default_character_set = var.default_character_set
+  default_collation     = var.default_collation
+}
+
+resource "mysql_user" "this" {
+  count = var.plaintext_password != null ? 1 : 0
+
+  user               = local.user
+  host               = "%"
+  plaintext_password = var.plaintext_password
+}
+
+resource "mysql_grant" "this" {
+  count = var.plaintext_password != null ? 1 : 0
+
+  user     = mysql_user.this[count.index].user
+  host     = "%"
+  database = mysql_database.this.name
+
+  privileges = ["ALL PRIVILEGES"]
+}

outputs.tf

@@ -0,0 +1,7 @@
+output "database" {
+  value = mysql_database.this.name
+}
+
+output "user" {
+  value = mysql_user.this.*.name
+}

provider.tf

@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    mysql = {
+      source = "winebarrel/mysql"
+    }
+
+    vault = {
+      source = "cyrilgdn/vault"
+    }
+  }
+}

variables.tf

@@ -0,0 +1,37 @@
+variable "database" {
+  description = "The name of the database"
+}
+
+variable "user" {
+  description = "Name of the main user. Defaults to the database name"
+  default     = ""
+}
+
+variable "plaintext_password" {
+  description = "Required to create the default user."
+  type        = string
+  sensitive   = true
+  default     = null
+}
+
+variable "default_character_set" {
+  default = "utf8mb4"
+}
+
+variable "default_collation" {
+  default = "utf8mb4_unicode_ci"
+}
+
+variable "vault_backend_path" {
+  type    = string
+  default = null
+}
+
+variable "vault_db_connection_name" {
+  type    = string
+  default = null
+}
+
+variable "vault_role_default_ttl" {
+  default = 3600
+}

vault.tf

@@ -0,0 +1,37 @@
+locals {
+  roles = var.vault_backend_path == null ? {} : {
+    "${var.database}-all-privileges" = "ALL PRIVILEGES"
+    "${var.database}-read-only"      = "SELECT"
+  }
+}
+
+resource "vault_database_secret_backend_role" "this" {
+  for_each = local.roles
+
+  name    = each.key
+  backend = var.vault_backend_path
+  db_name = var.vault_db_connection_name
+
+  creation_statements = [
+    "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';",
+    "GRANT ${each.value} ON ${var.database}.* TO '{{name}}'@'%';",
+  ]
+
+  default_ttl = var.vault_role_default_ttl
+}
+
+data "vault_policy_document" "this" {
+  for_each = local.roles
+
+  rule {
+    path         = "${var.vault_backend_path}/creds/${each.key}"
+    capabilities = ["read"]
+  }
+}
+
+resource "vault_policy" "this" {
+  for_each = local.roles
+
+  name   = "${var.vault_backend_path}/${each.key}"
+  policy = data.vault_policy_document.this[each.key].hcl
+}