Example of multiple operational disciplines in a single Terraform module for a Google Cloud SQL instance
locals {
  # Vault path that Boundary reads dynamic database credentials from:
  # "<database mount>/creds/<role name>".
  boundary_creds_path = "${vault_mount.default.path}/creds/${vault_database_secret_backend_role.default.name}"
}
# Boundary credential library that fetches short-lived database credentials
# from the Vault database secrets engine on every session.
resource "boundary_credential_library_vault" "default" {
  credential_store_id = boundary_credential_store_vault.default.id
  name                = google_sql_database_instance.default.name

  # Vault's database engine issues creds on a GET of <mount>/creds/<role>;
  # the token behind the credential store presumably needs read on this path.
  path        = local.boundary_creds_path
  http_method = "GET"
}
# Static Boundary host pointing at the instance's private IP (the instance has
# no public IPv4 address, so this is the only reachable address).
resource "boundary_host_static" "default" {
  host_catalog_id = boundary_host_catalog_static.default.id
  name            = google_sql_database_instance.default.name
  address         = google_sql_database_instance.default.private_ip_address
}
# Developer-facing Boundary target for the SQL Server instance. Sessions are
# brokered with dynamic Vault credentials instead of a shared password.
resource "boundary_target" "default" {
  scope_id = local.boundary_developer_scope
  name     = google_sql_database_instance.default.name
  type     = "tcp"

  # 1433 is the SQL Server port; matches the Vault connection_url below.
  default_port = 1433

  # One TCP connection per session keeps each brokered credential tied to a
  # single client connection.
  session_connection_limit = 1

  host_source_ids = [boundary_host_static.default.id]

  # NOTE(review): newer Boundary provider releases deprecate this attribute in
  # favour of brokered_credential_source_ids — check the pinned provider version.
  application_credential_source_ids = [boundary_credential_library_vault.default.id]
}
# 4 random bytes (8 hex chars) appended to the instance name so a destroyed
# Cloud SQL name can be re-created without waiting for the name to be released.
resource "random_id" "default" {
  byte_length = 4
}
# Random UUID used as the database user name, so the login is not guessable.
resource "random_uuid" "default" {
}
# Password for the Vault connection user. The value is stored in Terraform
# state, so the state backend must be treated as sensitive.
resource "random_password" "default" {
  length           = 16
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?"
}
# Application database inside the instance; named after the application.
resource "google_sql_database" "default" {
  instance = google_sql_database_instance.default.name
  name     = var.application
}
# Private-IP-only Cloud SQL for SQL Server instance. Network reachability is
# limited to the given VPC and TLS is required for every client connection.
#
# NOTE(review): the google provider documents root_password as required for
# SQL Server instances and none is set here — confirm that apply succeeds.
# NOTE(review): db-f1-micro is a shared-core tier; verify it is offered for
# SQL Server in this region before relying on it.
resource "google_sql_database_instance" "default" {
  provider = google-beta

  name             = "private-instance-${random_id.default.hex}"
  region           = "us-central1"
  database_version = "SQLSERVER_2019_WEB"

  settings {
    tier = "db-f1-micro"

    ip_configuration {
      # No public address: clients reach the instance only over the VPC
      # (Boundary host above uses private_ip_address).
      ipv4_enabled    = false
      private_network = data.google_compute_network.private_network.id

      # Reject plaintext connections; the Vault connection_url must use TLS.
      require_ssl = true
    }
  }
}
# Login that Vault uses to create and drop per-session users. It needs
# permission to CREATE/DROP USER in the database — presumably granted by the
# Cloud SQL default role for SQL Server logins; confirm on the instance.
resource "google_sql_user" "default" {
  instance = google_sql_database_instance.default.name
  name     = random_uuid.default.result
  password = random_password.default.result
}
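# Registers the instance in the Consul catalog so consumers can discover it.
resource "consul_service" "default" {
  node = consul_node.default.name
  name = google_sql_database_instance.default.name

  # SQL Server listens on 1433 (see boundary_target.default_port and the Vault
  # connection_url); the previous value 3306 is the MySQL port and would
  # advertise an unreachable endpoint.
  port = 1433

  tags = ["tag0"]
}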
# Consul node for the instance, addressed by its private IP.
resource "consul_node" "default" {
  address = google_sql_database_instance.default.private_ip_address
  name    = google_sql_database_instance.default.name
}
# Catalog entry for the same node as consul_node.default (no service block,
# so it only records the node and its address).
resource "consul_catalog_entry" "default" {
  node    = consul_node.default.name
  address = consul_node.default.address
}
# Dedicated database secrets engine mount per instance, so Vault policies can
# be scoped to "<instance>/database/mssql/*".
resource "vault_mount" "default" {
  type = "database"
  path = "${google_sql_database_instance.default.name}/database/mssql"
}
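# Vault connection to the instance, using the google_sql_user login above.
resource "vault_database_secret_backend_connection" "default" {
  backend = vault_mount.default.path
  name    = google_sql_database_instance.default.name

  # Vault refuses to create a role that is not listed here. The only role this
  # module defines (vault_database_secret_backend_role.default) is named after
  # the instance, so that name must be allowed; the former ["dev", "prod"]
  # list did not include it and nothing here defined those roles.
  allowed_roles = [google_sql_database_instance.default.name]

  mssql {
    # NOTE(review): the instance sets require_ssl = true; confirm the Vault
    # MSSQL plugin negotiates TLS with this URL (go-mssqldb supports an
    # "encrypt=true" query parameter if it does not by default).
    connection_url = "sqlserver://{{username}}:{{password}}@${google_sql_database_instance.default.private_ip_address}:1433"
    username       = google_sql_user.default.name
    password       = google_sql_user.default.password

    # The nested allowed_roles = ["dev1"] was dropped: allowed_roles is a
    # top-level argument of this resource, not of the mssql block.
  }
}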
# Dynamic role: each credential request creates a throw-away SQL Server user
# with read-only (SELECT) access, dropped again on lease expiry.
# default_ttl / max_ttl are not set here, so the mount's defaults apply.
resource "vault_database_secret_backend_role" "default" {
  backend = vault_mount.default.path
  db_name = vault_database_secret_backend_connection.default.name
  name    = google_sql_database_instance.default.name

  # Least privilege: SELECT only, no role membership.
  creation_statements = [
    "CREATE USER [{{name}}] WITH PASSWORD = '{{password}}';GRANT SELECT TO [{{name}}];",
  ]

  revocation_statements = [
    "DROP USER [{{name}}];",
  ]
}