From a74453c8853a5854546210757f2a9e5c51225519 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Hoste?=
Date: Tue, 10 Jun 2025 09:36:36 +0200
Subject: [PATCH] feat: add support for server_ca_mode and custom SANs (#714)
Add support for configuring server_ca_mode and server_ca_pool in the PostgreSQL module's IP configuration. This enables custom certificate authority management for CloudSQL instances. Also add support for custom Subject Alternative Names (SANs) to allow custom DNS names to be included in the server certificate. This fixes an issue with cloud-sql-proxy version after 2.15.2 that fails to verify certificates when using custom domain names, as described in: https://github.com/GoogleCloudPlatform/cloud-sql-proxy/issues/2425 Increase minimum Google provider version to 6.31.0, as the custom_subject_alternative_names field was introduced in this version: https://github.com/hashicorp/terraform-provider-google/releases/tag/v6.31.0
---
 modules/postgresql/README.md | 2 +-
 modules/postgresql/main.tf | 3 +++
 modules/postgresql/variables.tf | 3 +++
 modules/postgresql/versions.tf | 4 ++--
 4 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/modules/postgresql/README.md b/modules/postgresql/README.md
index 9b9a7859..11bc5066 100644
--- a/modules/postgresql/README.md
+++ b/modules/postgresql/README.md
@@ -151,7 +151,7 @@ module "pg" {
 | iam\_users | A list of IAM users to be created in your CloudSQL instance. iam.users.type can be CLOUD\_IAM\_USER, CLOUD\_IAM\_SERVICE\_ACCOUNT, CLOUD\_IAM\_GROUP and is required for type CLOUD\_IAM\_GROUP (IAM groups) |
list(object({
id = string,
email = string,
type = optional(string)
}))
| `[]` | no | | insights\_config | The insights\_config settings for the database. |
object({
query_plans_per_minute = optional(number, 5)
query_string_length = optional(number, 1024)
record_application_tags = optional(bool, false)
record_client_address = optional(bool, false)
})
| `null` | no | | instance\_type | The type of the instance. The supported values are SQL\_INSTANCE\_TYPE\_UNSPECIFIED, CLOUD\_SQL\_INSTANCE, ON\_PREMISES\_INSTANCE and READ\_REPLICA\_INSTANCE. Set to READ\_REPLICA\_INSTANCE if master\_instance\_name value is provided | `string` | `"CLOUD_SQL_INSTANCE"` | no | -| ip\_configuration | The ip configuration for the Cloud SQL instances. |
object({
authorized_networks = optional(list(map(string)), [])
ipv4_enabled = optional(bool, true)
private_network = optional(string)
ssl_mode = optional(string)
allocated_ip_range = optional(string)
enable_private_path_for_google_cloud_services = optional(bool, false)
psc_enabled = optional(bool, false)
psc_allowed_consumer_projects = optional(list(string), [])
})
| `{}` | no | +| ip\_configuration | The ip configuration for the Cloud SQL instances. |
object({
authorized_networks = optional(list(map(string)), [])
ipv4_enabled = optional(bool, true)
private_network = optional(string)
ssl_mode = optional(string)
allocated_ip_range = optional(string)
enable_private_path_for_google_cloud_services = optional(bool, false)
psc_enabled = optional(bool, false)
psc_allowed_consumer_projects = optional(list(string), [])
server_ca_mode = optional(string)
server_ca_pool = optional(string)
custom_subject_alternative_names = optional(list(string), [])
})
| `{}` | no |
 | maintenance\_version | The current software version on the instance. This attribute can not be set during creation. Refer to available\_maintenance\_versions attribute to see what maintenance\_version are available for upgrade. When this attribute gets updated, it will cause an instance restart. Setting a maintenance\_version value that is older than the current one on the instance will be ignored | `string` | `null` | no |
 | maintenance\_window\_day | The day of week (1-7) for the Cloud SQL instance maintenance. | `number` | `1` | no |
 | maintenance\_window\_hour | The hour of day (0-23) maintenance window for the Cloud SQL instance maintenance. | `number` | `23` | no |
diff --git a/modules/postgresql/main.tf b/modules/postgresql/main.tf
index 4b4fd2aa..a8284879 100644
--- a/modules/postgresql/main.tf
+++ b/modules/postgresql/main.tf
@@ -126,6 +126,9 @@ resource "google_sql_database_instance" "default" {
 ssl_mode = lookup(ip_configuration.value, "ssl_mode", null)
 allocated_ip_range = lookup(ip_configuration.value, "allocated_ip_range", null)
 enable_private_path_for_google_cloud_services = lookup(ip_configuration.value, "enable_private_path_for_google_cloud_services", false)
+ server_ca_mode = lookup(ip_configuration.value, "server_ca_mode", null)
+ server_ca_pool = lookup(ip_configuration.value, "server_ca_pool", null)
+ custom_subject_alternative_names = lookup(ip_configuration.value, "custom_subject_alternative_names", [])
 dynamic "authorized_networks" {
 for_each = lookup(ip_configuration.value, "authorized_networks", [])
diff --git a/modules/postgresql/variables.tf b/modules/postgresql/variables.tf
index e05b5844..6596b0e8 100644
--- a/modules/postgresql/variables.tf
+++ b/modules/postgresql/variables.tf
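Review bot: The three added `lookup(...)` lines carry no comment, so the reason they exist — the cloud-sql-proxy certificate-verification failure on custom DNS names that the commit message describes — is invisible to anyone reading main.tf, and nothing tells an operator that a hostname missing from the SAN list will fail TLS verification for clients that connect by that name. Suggest one comment above `server_ca_mode = lookup(ip_configuration.value, "server_ca_mode", null)`: `# CA selection for the server certificate; custom_subject_alternative_names must list every DNS name clients verify against (cloud-sql-proxy #2425)`. The dependency between `server_ca_pool` and `server_ca_mode` is not checked here either, but that belongs on the variable in variables.tf rather than in the resource. The enclosing dynamic block (apparently an ip_configuration block, given the `ip_configuration.value` references) starts before the hunk, and the `authorized_networks` block opened on the hunk's last lines closes after it.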
@@ -330,6 +330,9 @@ variable "ip_configuration" {
 enable_private_path_for_google_cloud_services = optional(bool, false)
 psc_enabled = optional(bool, false)
 psc_allowed_consumer_projects = optional(list(string), [])
+ server_ca_mode = optional(string)
+ server_ca_pool = optional(string)
+ custom_subject_alternative_names = optional(list(string), [])
 })
 default = {}
 }
diff --git a/modules/postgresql/versions.tf b/modules/postgresql/versions.tf
index 5700838a..c0e950d1 100644
--- a/modules/postgresql/versions.tf
+++ b/modules/postgresql/versions.tf
@@ -27,11 +27,11 @@ terraform {
 }
 google = {
 source = "hashicorp/google"
- version = ">= 6.17, < 7"
+ version = ">= 6.31, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.17, < 7"
+ version = ">= 6.31, < 7"
 }
 }
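Review bot: Nothing enforces the pairing between the new `server_ca_pool` and `server_ca_mode` attributes: a `server_ca_pool` given without `server_ca_mode = "CUSTOMER_MANAGED_CAS_CA"` (the only mode that consumes a CA pool, as far as I recall the provider's enum) is passed straight through to the API and only fails at apply time, after the plan has been approved. A `validation` block on the variable, placed between the `default = {}` and the closing `}` visible at the end of the hunk, rejects that combination at plan time; a second `contains(...)` check against the provider's accepted `server_ca_mode` values would catch typos the same way. The variable's `description` lies outside the hunk and presumably does not mention the three new attributes, leaving the README row as their only documentation; it should at least say that every DNS name clients verify against must appear in `custom_subject_alternative_names`.
```hcl
  default = {}

  validation {
    condition     = var.ip_configuration.server_ca_pool == null || var.ip_configuration.server_ca_mode == "CUSTOMER_MANAGED_CAS_CA"
    error_message = "server_ca_pool is only used when server_ca_mode is CUSTOMER_MANAGED_CAS_CA; set both or neither."
  }
}
```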