diff --git a/postgresql/provider.go b/postgresql/provider.go index 8bc7546d..f3c0a2b9 100644 --- a/postgresql/provider.go +++ b/postgresql/provider.go @@ -120,6 +120,13 @@ func Provider() *schema.Provider { Description: "Service account to impersonate when using GCP IAM authentication.", }, + "gcp_credentials_path": { + Type: schema.TypeString, + Optional: true, + Default: "", + Description: "Path to GCP credentials file", + }, + // Connection username can be different than database username with user name maps (e.g.: in Azure) // See https://www.postgresql.org/docs/current/auth-username-maps.html "database_username": { @@ -286,7 +293,13 @@ func getRDSAuthToken(region string, profile string, role string, username string return token, err } -func createGoogleCredsFileIfNeeded() error { +func createGoogleCredsFileIfNeeded(gcpCredentialsPath string) error { + const GoogleCredentialsEnvVar = "GOOGLE_APPLICATION_CREDENTIALS" + + if gcpCredentialsPath != "" { + return os.Setenv(GoogleCredentialsEnvVar, gcpCredentialsPath) + } + if _, err := google.FindDefaultCredentials(context.Background()); err == nil { return nil } @@ -307,7 +320,7 @@ func createGoogleCredsFileIfNeeded() error { return fmt.Errorf("could not write in temporary file: %w", err) } - return os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", tmpFile.Name()) + return os.Setenv(GoogleCredentialsEnvVar, tmpFile.Name()) } func acquireAzureOauthToken(tenantId string) (string, error) { @@ -395,7 +408,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) { } if config.Scheme == "gcppostgres" { - if err := createGoogleCredsFileIfNeeded(); err != nil { + if err := createGoogleCredsFileIfNeeded(d.Get("gcp_credentials_path").(string)); err != nil { return nil, err } } diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown index bc0a1b03..b5a5fff8 100644 --- a/website/docs/index.html.markdown +++ b/website/docs/index.html.markdown @@ -186,6 +186,7 @@ The following arguments are supported: * `aws_rds_iam_provider_role_arn` - (Optional) AWS IAM role to assume while using AWS RDS IAM Auth. * `azure_identity_auth` - (Optional) If set to `true`, call the Azure OAuth token endpoint for temporary token * `azure_tenant_id` - (Optional) (Required if `azure_identity_auth` is `true`) Azure tenant ID [read more](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config.html) +* `gcp_credentials_path` - (Optional) The path to the GCP credentials file. This is only used if `scheme` is set to `gcppostgres`. ## GoCloud @@ -212,7 +213,7 @@ provider "postgresql" { To enable GoCloud for GCP SQL, set `scheme` to `gcppostgres` and `host` to the connection name of the instance in following format: `project/region/instance` (or `project:region:instance`). -For GCP, GoCloud also requires the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to be set to the service account credentials file. +For GCP, GoCloud also requires the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to be set to the service account credentials file. In alternative, you could set `gcp_credentials_path` to the credentials file. These credentials can be created here: https://console.cloud.google.com/iam-admin/serviceaccounts In addition, the provider supports service account impersonation with the `gcp_iam_impersonate_service_account` option. You must ensure: