Merge pull request #22 from karim-fc/feature/add-accesstoken-auth-option

Feature/add accesstoken auth option

Author: karim-fc

docs/index.md

@@ -33,12 +33,23 @@ provider "cloudsqlpostgresql" {
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
-### Optional
+### Required
+
+- `connection_configs` (Attributes Map) A map of connections of Postgresql database instances (see [below for nested schema](#nestedatt--connection_configs))
+
+<a id="nestedatt--connection_configs"></a>
+### Nested Schema for `connection_configs`
+
+Required:
 
 - `connection_name` (String) The connection name of the Google Cloud SQL Postgresql instance. The `connection_name` format should be `<project>:<region>:<instance>`
 - `password` (String, Sensitive) The password to use to authenticate using the built-in database authentication
+- `username` (String) The username to use to authenticate with the Cloud SQL Postgresql instance
+
+Optional:
+
+- `database` (String) The database to connect to. Defaults to `postgres`.
 - `private_ip` (Boolean) Use the private IP address of the Cloud SQL Postgresql instance to connect to
 - `proxy` (String) Proxy socks url if used. Format needs to be `socks5://<ip>:<port>`
 - `psc` (Boolean) Use the Private Service Connect endpoint of the Cloud SQL Postgresql instance to connect to
 - `ssl_mode` (String) Determine the security of the connection to the Cloud SQL Postgresql instance
-- `username` (String) The username to use to authenticate with the Cloud SQL Postgresql instance

docs/resources/default_privileges.md

@@ -17,7 +17,7 @@ The `cloudsqlpostgresql_default_privileges` resource allows to set the privilege
 
 ### Required
 
-- `database` (String) The database
+- `connection_config` (String) The key of the connection defined in the provider
 - `owner` (String) The target role
 - `privileges` (Attributes Set) A list of privileges (see [below for nested schema](#nestedatt--privileges))
 - `role` (String) The role

docs/resources/grant_database.md

@@ -29,6 +29,7 @@ resource "cloudsqlpostgresql_grant_database" "default" {
 
 ### Required
 
+- `connection_config` (String) The key of the connection defined in the provider
 - `database` (String) The database on which the privileges will be granted for this role.
 - `privileges` (Attributes Set) A list of privileges to grant on the database for this role. (see [below for nested schema](#nestedatt--privileges))
 - `role` (String) The name of the role to grant privileges on the database. Can be username or role.

docs/resources/grant_role.md

@@ -17,6 +17,7 @@ The `cloudsqlpostgresql_grant_role` resource creates and manages role membership
 
 ### Required
 
+- `connection_config` (String) The key of the connection defined in the provider
 - `group_role` (String) The `group_role` that will get the `role` as member
 - `role` (String) The `role` that will be a member of the `group_role`
 

docs/resources/grant_schema.md

@@ -30,7 +30,7 @@ resource "cloudsqlpostgresql_grant_database" "default" {
 
 ### Required
 
-- `database` (String) The database where the schema resides.
+- `connection_config` (String) The key of the connection defined in the provider
 - `privileges` (Attributes Set) A list of privileges to grant on the schema for this role. (see [below for nested schema](#nestedatt--privileges))
 - `role` (String) The name of the role to grant privileges on the schema. Can be username or role.
 - `schema` (String) The schema on which the privileges will be granted for this role.

docs/resources/grant_table.md

@@ -34,7 +34,7 @@ resource "cloudsqlpostgresql_grant_table" "default" {
 
 ### Required
 
-- `database` (String) The database where the table resides.
+- `connection_config` (String) The key of the connection defined in the provider
 - `privileges` (Attributes Set) A list of privileges to grant on the table for this role. (see [below for nested schema](#nestedatt--privileges))
 - `role` (String) The name of the role to grant privileges on the table. Can be username or role.
 - `schema` (String) The schema where the table resides.

docs/resources/role.md

@@ -17,6 +17,7 @@ The `cloudsqlpostgresql_role` resource creates and manages a role. The superuser
 
 ### Required
 
+- `connection_config` (String) The key of the connection defined in the provider
 - `name` (String) The name of the role
 
 ### Optional

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/hashicorp/terraform-plugin-go v0.22.1
 	github.com/hashicorp/terraform-plugin-log v0.9.0
 	golang.org/x/net v0.24.0
+	golang.org/x/oauth2 v0.18.0
 )
 
 require (
@@ -83,7 +84,6 @@ require (
 	golang.org/x/crypto v0.22.0 // indirect
 	golang.org/x/exp v0.0.0-20230809150735-7b3493d9a819 // indirect
 	golang.org/x/mod v0.15.0 // indirect
-	golang.org/x/oauth2 v0.18.0 // indirect
 	golang.org/x/sys v0.19.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect

internal/provider/config.go

@@ -1,46 +1,124 @@
 package provider
 
 import (
+	"context"
 	"database/sql"
 	"fmt"
+	"net"
+	"net/url"
 	"sync"
+
+	"cloud.google.com/go/cloudsqlconn"
+	"cloud.google.com/go/cloudsqlconn/postgres/pgxv4"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"golang.org/x/net/proxy"
+	"golang.org/x/oauth2"
 )
 
 type Config struct {
-	dsnTemplate     string
 	dbRegistry      map[string]*sql.DB
 	dbRegistryMutex sync.Mutex
+	dbDrivers       map[string]bool
+	dbDriversMutex  sync.Mutex
+	connections     map[string]*ConnectionConfig
 }
 
-func NewConfig(dsnTemplate string) *Config {
+func NewConfig() *Config {
 	return &Config{
-		dsnTemplate: dsnTemplate,
 		dbRegistry:  make(map[string]*sql.DB),
+		dbDrivers:   make(map[string]bool),
+		connections: make(map[string]*ConnectionConfig),
 	}
 }
 
-func (c *Config) connectToPostgresqlDb(dbName string) (*sql.DB, error) {
-	dsn := fmt.Sprintf(c.dsnTemplate, "dbname="+dbName)
-	return c.connectToPostgresql(dsn)
-}
-
-func (c *Config) connectToPostgresqlNoDb() (*sql.DB, error) {
-	dsn := fmt.Sprintf(c.dsnTemplate, "dbname=postgres")
-	return c.connectToPostgresql(dsn)
-}
-
-func (c *Config) connectToPostgresql(dsn string) (*sql.DB, error) {
+func (c *Config) connectToPostgresql(ctx context.Context, cc *ConnectionConfig) (*sql.DB, error) {
 	c.dbRegistryMutex.Lock()
 	defer c.dbRegistryMutex.Unlock()
 
-	if c.dbRegistry[dsn] != nil {
-		return c.dbRegistry[dsn], nil
+	key := cc.DsnKey()
+
+	if c.dbRegistry[key] != nil {
+		return c.dbRegistry[key], nil
+	}
+
+	err := c.registerDriver(ctx, cc)
+	if err != nil {
+		return nil, err
 	}
 
-	db, err := sql.Open("cloudsql-postgres", dsn)
+	db, err := sql.Open(cc.DriverKey(), cc.Dsn())
 	if err != nil {
 		return nil, err
 	}
-	c.dbRegistry[dsn] = db
-	return c.dbRegistry[dsn], nil
+
+	c.dbRegistry[key] = db
+	return c.dbRegistry[key], nil
+}
+
+func (c *Config) registerDriver(ctx context.Context, cc *ConnectionConfig) error {
+	c.dbDriversMutex.Lock()
+	defer c.dbDriversMutex.Unlock()
+
+	key := cc.DriverKey()
+
+	if c.dbDrivers[key] {
+		return nil
+	}
+
+	var (
+		dialOptions []cloudsqlconn.DialOption
+		options     []cloudsqlconn.Option
+	)
+
+	if cc.PrivateIP.ValueBool() {
+		dialOptions = append(dialOptions, cloudsqlconn.WithPrivateIP())
+	}
+
+	if cc.PSC.ValueBool() {
+		dialOptions = append(dialOptions, cloudsqlconn.WithPSC())
+	}
+
+	options = append(options, cloudsqlconn.WithDefaultDialOptions(dialOptions...))
+
+	if cc.GoogleApiAccessToken.ValueString() != "" {
+		token := &oauth2.Token{AccessToken: cc.GoogleApiAccessToken.ValueString()}
+		options = append(options, cloudsqlconn.WithTokenSource(oauth2.StaticTokenSource(token)))
+	}
+
+	if !cc.Proxy.IsNull() {
+		options = append(options, cloudsqlconn.WithDialFunc(createDialer(cc.Proxy.ValueString(), ctx)))
+	}
+
+	_, err := pgxv4.RegisterDriver(key, options...)
+	if err != nil {
+		return err
+	}
+
+	c.dbDrivers[key] = true
+	return nil
+}
+
+func createDialer(proxyInput string, ctxProvider context.Context) func(ctx context.Context, network, addr string) (net.Conn, error) {
+	return func(ctx context.Context, network, address string) (net.Conn, error) {
+		tflog.Info(ctxProvider, "Creating Dialer with proxy: "+proxyInput)
+		if len(proxyInput) == 0 {
+			return nil, fmt.Errorf("proxy is empty")
+		}
+
+		proxyURL, err := url.Parse(proxyInput)
+		if err != nil {
+			return nil, err
+		}
+		d, err := proxy.FromURL(proxyURL, proxy.Direct)
+		if err != nil {
+			return nil, err
+		}
+
+		if xd, ok := d.(proxy.ContextDialer); ok {
+			return xd.DialContext(ctx, network, address)
+		}
+
+		tflog.Warn(ctxProvider, "net.Conn created without context.Context")
+		return d.Dial(network, address) // TODO: force use of context?
+	}
 }