feat(rdb): add rdb_instance password_wo (#3614)

* feat(rdb): add rdb_instance password_wo

* fix(rdb): keep password optional to prevent breaking change

Author: estellesoulard

docs/resources/rdb_instance.md

@@ -8,11 +8,12 @@ page_title: "Scaleway: scaleway_rdb_instance"
 Creates and manages Scaleway Database Instances.
 For more information, see refer to the [API documentation](https://www.scaleway.com/en/developers/api/managed-database-postgre-mysql/).
 
+
 ## Example Usage
 
+```terraform
 ### Example Basic
 
-```terraform
 resource "scaleway_rdb_instance" "main" {
   name               = "test-rdb"
   node_type          = "DB-DEV-S"
@@ -25,61 +26,9 @@ resource "scaleway_rdb_instance" "main" {
 }
 ```
 
-### Example Block Storage Low Latency
-
 ```terraform
-resource "scaleway_rdb_instance" "main" {
-  name              = "test-rdb-sbs"
-  node_type         = "db-play2-pico"
-  engine            = "PostgreSQL-15"
-  is_ha_cluster     = true
-  disable_backup    = true
-  user_name         = "my_initial_user"
-  password          = "thiZ_is_v&ry_s3cret"
-  volume_type       = "sbs_15k"
-  volume_size_in_gb = 10
-}
-```
-
-### Example with Settings
-
-```terraform
-resource "scaleway_rdb_instance" "main" {
-  name           = "test-rdb"
-  node_type      = "db-dev-s"
-  disable_backup = true
-  engine         = "MySQL-8"
-  user_name      = "my_initial_user"
-  password       = "thiZ_is_v&ry_s3cret"
-  init_settings = {
-    "lower_case_table_names" = 1
-  }
-  settings = {
-    "max_connections" = "350"
-  }
-}
-```
-
-### Example with backup schedule
-
-```terraform
-resource "scaleway_rdb_instance" "main" {
-  name          = "test-rdb"
-  node_type     = "DB-DEV-S"
-  engine        = "PostgreSQL-15"
-  is_ha_cluster = true
-  user_name     = "my_initial_user"
-  password      = "thiZ_is_v&ry_s3cret"
-
-  disable_backup            = false
-  backup_schedule_frequency = 24 # every day
-  backup_schedule_retention = 7  # keep it one week
-}
-```
-
 ### Example Engine Upgrade
 
-```terraform
 # Initial creation with PostgreSQL 14
 resource "scaleway_rdb_instance" "main" {
   name           = "my-database"
@@ -109,15 +58,61 @@ output "upgradable_versions" {
 # }
 ```
 
-~> **Warning** Provider versions prior to `2.61.0` did not support engine upgrades. Changing the `engine` value in these versions would recreate the Database Instance **empty**, resulting in **data loss**. Ensure you are using provider version `>= 2.61.0` before upgrading your Database Instance engine version.
+```terraform
+### Usage of ephemeral random_password for instance password without storing it in state
+
+// Generate an ephemeral password (not stored in the state)
+ephemeral "random_password" "db_password" {
+  length      = 20
+  special     = true
+  upper       = true
+  lower       = true
+  numeric     = true
+  min_upper   = 1
+  min_lower   = 1
+  min_numeric = 1
+  min_special = 1
+  # Exclude characters that might cause issues in some contexts
+  override_special = "!@#$%^&*()_+-=[]{}|;:,.<>?"
+}
+
+// Pass the ephemeral password with password_wo (not stored in the state)
+resource "scaleway_rdb_instance" "main" {
+  name                = "test-rdb"
+  node_type           = "DB-DEV-S"
+  engine              = "PostgreSQL-15"
+  is_ha_cluster       = true
+  disable_backup      = true
+  user_name           = "my_initial_user"
+  password_wo         = ephemeral.random_password.db_password.result
+  password_wo_version = 1
+  encryption_at_rest  = true
+}
+```
+
+```terraform
+#### 1 IPAM Private Network endpoint + 1 public endpoint
+
+resource "scaleway_vpc_private_network" "pn" {}
 
+resource "scaleway_rdb_instance" "main" {
+  node_type = "DB-DEV-S"
+  engine    = "PostgreSQL-15"
+  private_network {
+    pn_id       = scaleway_vpc_private_network.pn.id
+    enable_ipam = true
+  }
+  load_balancer {}
+}
+```
+
+```terraform
 ### Examples of endpoint configuration
 
-Database Instances can have a maximum of 1 public endpoint and 1 private endpoint. They can have both, or none.
+##### Database Instances can have a maximum of 1 public endpoint and 1 private endpoint. They can have both, or none.
 
 #### 1 static Private Network endpoint
 
-```terraform
 resource "scaleway_vpc_private_network" "pn" {
   ipv4_subnet {
     subnet = "172.16.20.0/22"
@@ -135,31 +130,70 @@ resource "scaleway_rdb_instance" "main" {
 }
 ```
 
-#### 1 IPAM Private Network endpoint + 1 public endpoint
-
 ```terraform
-resource "scaleway_vpc_private_network" "pn" {}
+#### Default: 1 public endpoint
 
 resource "scaleway_rdb_instance" "main" {
-  node_type = "DB-DEV-S"
+  node_type = "db-dev-s"
   engine    = "PostgreSQL-15"
-  private_network {
-    pn_id       = scaleway_vpc_private_network.pn.id
-    enable_ipam = true
-  }
-  load_balancer {}
 }
 ```
 
-#### Default: 1 public endpoint
+```terraform
+### Example Block Storage Low Latency
+
+resource "scaleway_rdb_instance" "main" {
+  name              = "test-rdb-sbs"
+  node_type         = "db-play2-pico"
+  engine            = "PostgreSQL-15"
+  is_ha_cluster     = true
+  disable_backup    = true
+  user_name         = "my_initial_user"
+  password          = "thiZ_is_v&ry_s3cret"
+  volume_type       = "sbs_15k"
+  volume_size_in_gb = 10
+}
+```
+
+```terraform
+### Example with backup schedule
+
+resource "scaleway_rdb_instance" "main" {
+  name          = "test-rdb"
+  node_type     = "DB-DEV-S"
+  engine        = "PostgreSQL-15"
+  is_ha_cluster = true
+  user_name     = "my_initial_user"
+  password      = "thiZ_is_v&ry_s3cret"
+
+  disable_backup            = false
+  backup_schedule_frequency = 24 # every day
+  backup_schedule_retention = 7  # keep it one week
+}
+```
 
 ```terraform
+### Example with Settings
+
 resource "scaleway_rdb_instance" "main" {
-  node_type = "db-dev-s"
-  engine    = "PostgreSQL-15"
+  name           = "test-rdb"
+  node_type      = "db-dev-s"
+  disable_backup = true
+  engine         = "MySQL-8"
+  user_name      = "my_initial_user"
+  password       = "thiZ_is_v&ry_s3cret"
+  init_settings = {
+    "lower_case_table_names" = 1
+  }
+  settings = {
+    "max_connections" = "350"
+  }
 }
 ```
 
+
+
+
 -> **Note** If nothing is defined, your Database Instance will have a default public load-balancer endpoint.
 
 -> **Note** Managed PostgreSQL and MySQL Database Instances are compatible with the [VPC routing](https://www.scaleway.com/en/docs/network/vpc/concepts/#routing) feature, which allows you to connect one or more Database Instances in a Private Network to resources in other Private Networks of the same VPC. This feature is automatically enabled when your Database Instance is connected to a Private Network within a VPC that has routing enabled. Refer to the [How to manage routing](https://www.scaleway.com/en/docs/network/vpc/how-to/manage-routing/) documentation page for more information about VPC routing.
@@ -191,7 +225,11 @@ interruption.
 
 ~> **Important** Updates to `user_name` will recreate the Database Instance.
 
-- `password` - (Optional) Password for the first user of the Database Instance.
+- `password` - (Optional) Password for the first user of the Database Instance. Only one of `password` or `password_wo` should be specified.
+
+- `password_wo` - (Optional) Password for the first user of the Database Instance in [write-only](https://developer.hashicorp.com/terraform/language/manage-sensitive-data/write-only) mode. Only one of `password` or `password_wo` should be specified. `password_wo` will not be set in the Terraform state. To update the `password_wo`, you must also update the `password_wo_version`.
+
+- `password_wo_version` - (Optional) The version of the [write-only](https://developer.hashicorp.com/terraform/language/manage-sensitive-data/write-only) password. To update the `password_wo`, you must also update the `password_wo_version`.
 
 - `is_ha_cluster` - (Optional) Enable or disable high availability for the Database Instance.
 

examples/resources/scaleway_rdb_instance/resource-basic.tf

@@ -0,0 +1,12 @@
+### Example Basic
+
+resource "scaleway_rdb_instance" "main" {
+  name               = "test-rdb"
+  node_type          = "DB-DEV-S"
+  engine             = "PostgreSQL-15"
+  is_ha_cluster      = true
+  disable_backup     = true
+  user_name          = "my_initial_user"
+  password           = "thiZ_is_v&ry_s3cret"
+  encryption_at_rest = true
+}

examples/resources/scaleway_rdb_instance/resource-engine-upgrade.tf

@@ -0,0 +1,29 @@
+### Example Engine Upgrade
+
+# Initial creation with PostgreSQL 14
+resource "scaleway_rdb_instance" "main" {
+  name           = "my-database"
+  node_type      = "DB-DEV-S"
+  engine         = "PostgreSQL-14"
+  is_ha_cluster  = false
+  disable_backup = true
+  user_name      = "my_user"
+  password       = "thiZ_is_v&ry_s3cret"
+}
+
+# Check available versions for upgrade
+output "upgradable_versions" {
+  value = scaleway_rdb_instance.main.upgradable_versions
+}
+
+# To upgrade to PostgreSQL 15, simply change the engine value
+# This will trigger a blue/green upgrade with automatic endpoint migration
+# resource "scaleway_rdb_instance" "main" {
+#   name           = "my-database"
+#   node_type      = "DB-DEV-S"
+#   engine         = "PostgreSQL-15"  # Changed from PostgreSQL-14
+#   is_ha_cluster  = false
+#   disable_backup = true
+#   user_name      = "my_user"
+#   password       = "thiZ_is_v&ry_s3cret"
+# }

examples/resources/scaleway_rdb_instance/resource-password-wo.tf

@@ -0,0 +1,29 @@
+### Usage of ephemeral random_password for instance password without storing it in state
+
+// Generate an ephemeral password (not stored in the state)
+ephemeral "random_password" "db_password" {
+  length      = 20
+  special     = true
+  upper       = true
+  lower       = true
+  numeric     = true
+  min_upper   = 1
+  min_lower   = 1
+  min_numeric = 1
+  min_special = 1
+  # Exclude characters that might cause issues in some contexts
+  override_special = "!@#$%^&*()_+-=[]{}|;:,.<>?"
+}
+
+// Pass the ephemeral password with password_wo (not stored in the state)
+resource "scaleway_rdb_instance" "main" {
+  name                = "test-rdb"
+  node_type           = "DB-DEV-S"
+  engine              = "PostgreSQL-15"
+  is_ha_cluster       = true
+  disable_backup      = true
+  user_name           = "my_initial_user"
+  password_wo         = ephemeral.random_password.db_password.result
+  password_wo_version = 1
+  encryption_at_rest  = true
+}

examples/resources/scaleway_rdb_instance/resource-private-network-ipam.tf

@@ -0,0 +1,13 @@
+#### 1 IPAM Private Network endpoint + 1 public endpoint
+
+resource "scaleway_vpc_private_network" "pn" {}
+
+resource "scaleway_rdb_instance" "main" {
+  node_type = "DB-DEV-S"
+  engine    = "PostgreSQL-15"
+  private_network {
+    pn_id       = scaleway_vpc_private_network.pn.id
+    enable_ipam = true
+  }
+  load_balancer {}
+}

examples/resources/scaleway_rdb_instance/resource-private-network-static.tf

@@ -0,0 +1,21 @@
+### Examples of endpoint configuration
+
+##### Database Instances can have a maximum of 1 public endpoint and 1 private endpoint. They can have both, or none.
+
+#### 1 static Private Network endpoint
+
+resource "scaleway_vpc_private_network" "pn" {
+  ipv4_subnet {
+    subnet = "172.16.20.0/22"
+  }
+}
+
+resource "scaleway_rdb_instance" "main" {
+  node_type = "db-dev-s"
+  engine    = "PostgreSQL-15"
+  private_network {
+    pn_id  = scaleway_vpc_private_network.pn.id
+    ip_net = "172.16.20.4/22" # IP address within a given IP network
+    # enable_ipam = false
+  }
+}

examples/resources/scaleway_rdb_instance/resource-public-endpoint.tf

@@ -0,0 +1,6 @@
+#### Default: 1 public endpoint
+
+resource "scaleway_rdb_instance" "main" {
+  node_type = "db-dev-s"
+  engine    = "PostgreSQL-15"
+}

examples/resources/scaleway_rdb_instance/resource-sbs-volume.tf

@@ -0,0 +1,13 @@
+### Example Block Storage Low Latency
+
+resource "scaleway_rdb_instance" "main" {
+  name              = "test-rdb-sbs"
+  node_type         = "db-play2-pico"
+  engine            = "PostgreSQL-15"
+  is_ha_cluster     = true
+  disable_backup    = true
+  user_name         = "my_initial_user"
+  password          = "thiZ_is_v&ry_s3cret"
+  volume_type       = "sbs_15k"
+  volume_size_in_gb = 10
+}

examples/resources/scaleway_rdb_instance/resource-schedule-backup.tf

@@ -0,0 +1,14 @@
+### Example with backup schedule
+
+resource "scaleway_rdb_instance" "main" {
+  name          = "test-rdb"
+  node_type     = "DB-DEV-S"
+  engine        = "PostgreSQL-15"
+  is_ha_cluster = true
+  user_name     = "my_initial_user"
+  password      = "thiZ_is_v&ry_s3cret"
+
+  disable_backup            = false
+  backup_schedule_frequency = 24 # every day
+  backup_schedule_retention = 7  # keep it one week
+}

examples/resources/scaleway_rdb_instance/resource-settings.tf

@@ -0,0 +1,16 @@
+### Example with Settings
+
+resource "scaleway_rdb_instance" "main" {
+  name           = "test-rdb"
+  node_type      = "db-dev-s"
+  disable_backup = true
+  engine         = "MySQL-8"
+  user_name      = "my_initial_user"
+  password       = "thiZ_is_v&ry_s3cret"
+  init_settings = {
+    "lower_case_table_names" = 1
+  }
+  settings = {
+    "max_connections" = "350"
+  }
+}