Docs list password as optional for google_sql_user but it is not #4123

Closed
regner opened this issue Jul 27, 2019 · 7 comments

regner commented Jul 27, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • If an issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to "hashibot", a community member has claimed the issue already.

Terraform Version

» terraform -v
Terraform v0.11.14
+ provider.google v2.10.0
+ provider.google-beta v2.11.0
+ provider.ns1 v1.4.0
+ provider.random v2.1.2
+ provider.template v2.1.0

Your version of Terraform is out of date! The latest version
is 0.12.5. You can update by downloading from www.terraform.io/downloads.html

Affected Resource(s)

  • google_sql_user

Terraform Configuration Files

resource "google_sql_database_instance" "instance" {
  provider = "google-beta"

  name             = "somename"
  region           = "${var.region}"
  database_version = "POSTGRES_9_6"

  settings {
    tier              = "db-custom-1-3840"
    availability_type = "REGIONAL"

    ip_configuration {
      ipv4_enabled    = "false"
      private_network = "${var.network}"
    }
  }
}

resource "google_sql_database" "db" {
  name      = "somename"
  instance  = "${google_sql_database_instance.instance.name}"
  charset   = "UTF8"
  collation = "en_US.UTF8"
}

resource "google_sql_user" "user" {
  name     = "somename"
  instance = "${google_sql_database_instance.instance.name}"
}

Debug Output

Error: Error applying plan:

1 error occurred:
        * module.app-cloud-sql.google_sql_user.user: 1 error occurred:
        * google_sql_user.user: Error, failed to insert user somename into instance somename: googleapi: Error 400: Invalid request: Missing user password for PostgreSQL instance., invalid

Expected Behavior

Create the user with a randomly generated password.

Actual Behavior

Fails to create the user at all.

Steps to Reproduce

  1. terraform apply

Important Factoids

If I supply the password things work just fine.

References

https://www.terraform.io/docs/providers/google/r/sql_user.html#password

@ghost ghost added the bug label Jul 27, 2019
@paddycarver paddycarver self-assigned this Aug 1, 2019
@paddycarver
Contributor

This is interesting! It used to be required, then @viajab submitted a PR less than two years ago to make it optional (#1056), but I'm not sure why. I don't want to keep flip-flopping on this, so I want to check in with a couple maintainers to see if anyone else has context, but I can't see any indication that it's optional, so I imagine we'll probably make this required again. My best guess is that there was an upstream API change sometime in the last year or two?

@chrisst
Contributor

chrisst commented Nov 13, 2019

@paddycarver I think the issue here is that Postgres instances require a password and will fail without one, but MySQL instances don't. Since we support both types of databases through the same user resource, we have to be at the lowest common level of validation, so I don't think we can restrict this right now.

There are some outstanding problems with the user API and what MySQL accepts, such as blank hosts (#3784), so I suspect they might make the API more restrictive to disallow this at some point.

@paddycarver
Contributor

paddycarver commented Nov 13, 2019

OK. I'm willing to leave this optional and document it for 3.0.0, and if it turns out to be required, we'll hit it in 4.0.0 or decide if it's a breaking change to fix something that doesn't work at all.

@novascreen

It is not required for Postgres when using type = "CLOUD_IAM_SERVICE_ACCOUNT" for example so it can't be made required, right?
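Added example, not part of the thread or the provider's code: since the provider cannot enforce the password rule itself (it depends on the engine and the user type, as the comments above describe), a pre-apply check over the plan can. It assumes the parsed JSON from `terraform show -json` on a saved plan (Terraform 0.12+); `rc`, `check_sql_users` and all sample values are constructed for illustration.

```python
def rc(address, after, unknown=None):
    """Build one constructed resource_changes entry (plan JSON shape)."""
    return {"address": address, "type": address.split(".")[0],
            "change": {"actions": ["create"], "after": after,
                       "after_unknown": unknown or {}}}

# Constructed sample plan; the first user mirrors the configuration in the issue.
SAMPLE_PLAN = {"resource_changes": [
    rc("google_sql_database_instance.pg", {"name": "pg1", "database_version": "POSTGRES_9_6"}),
    rc("google_sql_database_instance.my", {"name": "my1", "database_version": "MYSQL_5_7"}),
    rc("google_sql_user.no_pw", {"name": "somename", "instance": "pg1"}),
    rc("google_sql_user.iam", {"name": "svc", "instance": "pg1", "type": "CLOUD_IAM_SERVICE_ACCOUNT"}),
    rc("google_sql_user.random_pw", {"name": "app", "instance": "pg1"}, {"password": True}),
    rc("google_sql_user.mysql_no_pw", {"name": "legacy", "instance": "my1"}),
]}

def check_sql_users(plan):
    """Return (address, severity, message) for planned users that have no password."""
    live = [c for c in plan.get("resource_changes", []) if c["change"].get("after")]
    engines = {c["change"]["after"]["name"]: c["change"]["after"].get("database_version") or ""
               for c in live
               if c["type"] == "google_sql_database_instance" and c["change"]["after"].get("name")}
    findings = []
    for c in live:
        if c["type"] != "google_sql_user":
            continue
        after = c["change"]["after"]
        unknown = c["change"].get("after_unknown") or {}
        if (after.get("type") or "").startswith("CLOUD_IAM"):
            continue  # IAM database authentication: no password is set on the user
        if after.get("password") or unknown.get("password"):
            continue  # literal password, or one only known at apply time
        engine = engines.get(after.get("instance"), "")
        if engine.startswith("POSTGRES"):
            findings.append((c["address"], "error", "PostgreSQL rejects a user without a password"))
        elif engine.startswith("MYSQL"):
            findings.append((c["address"], "warn", "MySQL user would be created without a password"))
        else:
            findings.append((c["address"], "warn", "no password; engine not resolvable from this plan"))
    return findings

if __name__ == "__main__":
    for finding in check_sql_users(SAMPLE_PLAN):
        print(*finding, sep=": ")
```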

@rileykarson
Collaborator

Removing from 4.0.0, marking as question to investigate whether this would be a valid validation to apply or not.

@melinath
Collaborator

b/261384656

The current documentation already covers this sufficiently: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_user#password

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 16, 2023