From fd63ea2c434252519fa2dd4536434da8e3f6a538 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sun, 18 Jul 2021 21:19:08 -0400
Subject: [PATCH] Generate a postgresql certificate.
---
 .gitignore | 4 +++
 terraform/basic_gke/main.tf | 39 ++++++++++++++++++++++++++
 terraform/modules/cloudsql/cloudsql.tf | 10 +++++++
 3 files changed, 53 insertions(+)
diff --git a/.gitignore b/.gitignore
index 55c0266..a72fd7c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,7 @@
 .terraform/
 terraform.tfstate
 terraform.tfstate.backup
+
+pgclient.crt
+pgclient.key
+pgserver.crt
diff --git a/terraform/basic_gke/main.tf b/terraform/basic_gke/main.tf
index 91b1a2e..117fb28 100644
--- a/terraform/basic_gke/main.tf
+++ b/terraform/basic_gke/main.tf
@@ -105,6 +105,45 @@ module "cloudsql" {
 ]
 }
 
+output "cloudsql_server_certificate" {
+ description = "CA certificate"
+ value = module.cloudsql.certificate.server_ca_cert
+ sensitive = true
+}
+
+output "cloudsql_client_certificate" {
+ description = "CA certificate"
+ value = module.cloudsql.certificate.cert
+ sensitive = true
+}
+
+output "cloudsql_client_key" {
+ description = "CA certificate"
+ value = module.cloudsql.certificate.private_key
+ sensitive = true
+}
+
+resource "local_file" "pgserver_crt" {
+ sensitive_content = module.cloudsql.certificate.server_ca_cert
+ filename = "${path.module}/pgserver.crt"
+ file_permission = "0600"
+ directory_permission = "0700"
+}
+
+resource "local_file" "pgclient_crt" {
+ sensitive_content = module.cloudsql.certificate.cert
+ filename = "${path.module}/pgclient.crt"
+ file_permission = "0600"
+ directory_permission = "0700"
+}
+
+resource "local_file" "pgclient_key" {
+ sensitive_content = module.cloudsql.certificate.private_key
+ filename = "${path.module}/pgclient.key"
+ file_permission = "0600"
+ directory_permission = "0700"
+}
+
 # Create a workload identity service account for IAM authentication to
 # cloudsql
 module "cloudsql_test_sa" {
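Review bot: All three new outputs in main.tf carry `description = "CA certificate"`, but only `cloudsql_server_certificate` is the server CA; `cloudsql_client_certificate` is the client leaf certificate and `cloudsql_client_key` is its private key, so the copied description misdocuments the two values a consumer must handle most carefully. Suggest `description = "Cloud SQL server CA certificate (PEM)"`, `description = "Client certificate issued by the Cloud SQL instance (PEM)"` and `description = "Private key for the client certificate (PEM) - secret"`. A caveat worth a comment above the `local_file` resources: `sensitive = true` only redacts plan/CLI output, and both the output and the `local_file.pgclient_key` resource keep the private key in plaintext in terraform.tfstate, so the state backend must be access-restricted and encrypted even though the written files are chmod 0600 and gitignored. `directory_permission = "0700"` only takes effect when local_file has to create the directory, and `path.module` presumably already exists, so that line likely has no effect here - harmless, but worth knowing it is not hardening anything.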
diff --git a/terraform/modules/cloudsql/cloudsql.tf b/terraform/modules/cloudsql/cloudsql.tf
index b2b5cd8..4059dc3 100644
--- a/terraform/modules/cloudsql/cloudsql.tf
+++ b/terraform/modules/cloudsql/cloudsql.tf
@@ -43,6 +43,11 @@ output "instance" {
 value = google_sql_database_instance.instance
 }
 
+output "certificate" {
+ description = "TLS certificate for connecting to the database."
+ value = google_sql_ssl_cert.client_cert
+}
+
 # Needed for CloudSQL Auth Proxy
 resource "google_project_service" "sqladmin" {
 project = var.project
@@ -85,3 +90,8 @@ resource "google_sql_user" "postgres" {
 instance = google_sql_database_instance.instance.name
 password = var.postgres_password
 }
+
+resource "google_sql_ssl_cert" "client_cert" {
+ common_name = "client-name"
+ instance = google_sql_database_instance.instance.name
+}
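Review bot: The new `output "certificate"` exports the entire `google_sql_ssl_cert.client_cert` object, which includes `private_key`, yet the output is not marked sensitive - the root module's outputs in main.tf are marked `sensitive = true`, but this module-level one is the place the key first crosses a module boundary. If the google provider flags `private_key` as a sensitive attribute (it is documented as such), Terraform 0.15+ will refuse to apply an output that references it without `sensitive = true`; either way, add `sensitive = true` beneath the `value` line so plan/apply output does not print the key. The description also undersells what is exported; suggest `description = "Client certificate object for mTLS to the instance: cert, server_ca_cert and private_key (the key is a secret)."`.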
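Review bot: `common_name = "client-name"` in the new `google_sql_ssl_cert` is a hardcoded placeholder; Cloud SQL requires a client certificate's common name to be distinct from the other certificates on the same instance, so anyone provisioning a second cert for this instance outside the module (for example from gcloud) must avoid this literal, and the name also gives no hint of which workload holds the key. Make it an input, e.g. `common_name = var.client_cert_common_name`, with a matching `variable "client_cert_common_name"` declared in the module's variables (outside this hunk), defaulting to the current value to stay backward compatible. A one-line comment above the resource, such as `# Private key is generated server-side and is only retained in Terraform state; rotate by tainting this resource`, would tell the next maintainer why this cert cannot simply be re-read later.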