add support for IAM Group authentication to google_sql_user (#9578) (#16681)

[upstream:05c4410c0e599f33ab255e3820187855c82c7739]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/9578.txt

@@ -0,0 +1,3 @@
+```release-note: enhancement
+sql: added support for IAM GROUP authentication in the `type` field of `google_sql_user`
+```

google/services/sql/resource_sql_user.go

@@ -104,8 +104,10 @@ func ResourceSqlUser() *schema.Resource {
 				ForceNew:         true,
 				DiffSuppressFunc: tpgresource.EmptyOrDefaultStringSuppress("BUILT_IN"),
 				Description: `The user type. It determines the method to authenticate the user during login.
-                The default is the database's built-in user type. Flags include "BUILT_IN", "CLOUD_IAM_USER", or "CLOUD_IAM_SERVICE_ACCOUNT".`,
-				ValidateFunc: validation.StringInSlice([]string{"BUILT_IN", "CLOUD_IAM_USER", "CLOUD_IAM_SERVICE_ACCOUNT", ""}, false),
+                The default is the database's built-in user type. Flags include "BUILT_IN", "CLOUD_IAM_USER", "CLOUD_IAM_SERVICE_ACCOUNT",
+								"CLOUD_IAM_GROUP", "CLOUD_IAM_GROUP_USER" or "CLOUD_IAM_GROUP_SERVICE_ACCOUNT".`,
+				ValidateFunc: validation.StringInSlice([]string{"BUILT_IN", "CLOUD_IAM_USER", "CLOUD_IAM_SERVICE_ACCOUNT",
+					"CLOUD_IAM_GROUP", "CLOUD_IAM_GROUP_USER", "CLOUD_IAM_GROUP_SERVICE_ACCOUNT", ""}, false),
 			},
 			"sql_server_user_details": {
 				Type:     schema.TypeList,

google/services/sql/resource_sql_user_test.go

@@ -28,6 +28,7 @@ func TestAccSqlUser_mysql(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckGoogleSqlUserExists(t, "google_sql_user.user1"),
 					testAccCheckGoogleSqlUserExists(t, "google_sql_user.user2"),
+					testAccCheckGoogleSqlUserExists(t, "google_sql_user.user3"),
 				),
 			},
 			{
@@ -36,6 +37,7 @@ func TestAccSqlUser_mysql(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckGoogleSqlUserExists(t, "google_sql_user.user1"),
 					testAccCheckGoogleSqlUserExists(t, "google_sql_user.user2"),
+					testAccCheckGoogleSqlUserExists(t, "google_sql_user.user3"),
 				),
 			},
 			{
@@ -313,6 +315,15 @@ resource "google_sql_user" "user2" {
   instance = google_sql_database_instance.instance.name
   host     = "gmail.com"
   password = "hunter2"
+  type = "CLOUD_IAM_USER"
+}
+
+resource "google_sql_user" "user3" {
+  name     = "admin"
+  instance = google_sql_database_instance.instance.name
+  host     = "gmail.com"
+  password = "hunter3"
+  type = "CLOUD_IAM_GROUP"
 }
 `, instance, password)
 }

website/docs/r/sql_user.html.markdown

@@ -72,6 +72,24 @@ resource "google_sql_user" "iam_service_account_user" {
   instance = google_sql_database_instance.main.name
   type     = "CLOUD_IAM_SERVICE_ACCOUNT"
 }
+
+resource "google_sql_user" "iam_group" {
+  name     = "[email protected]"
+  instance = google_sql_database_instance.main.name
+  type     = "CLOUD_IAM_GROUP"
+}
+
+resource "google_sql_user" "iam_group_user" {
+  name     = "[email protected]"
+  instance = google_sql_database_instance.main.name
+  type     = "CLOUD_IAM_GROUP_USER"
+}
+
+resource "google_sql_user" "iam_group_service_account_user" {
+  name     = "[email protected]"
+  instance = google_sql_database_instance.main.name
+  type     = "CLOUD_IAM_GROUP_SERVICE_ACCOUNT"
+}
 ```
 
 ## Argument Reference
@@ -91,7 +109,8 @@ The following arguments are supported:
 
 * `type` - (Optional) The user type. It determines the method to authenticate the
     user during login. The default is the database's built-in user type. Flags
-    include "BUILT_IN", "CLOUD_IAM_USER", or "CLOUD_IAM_SERVICE_ACCOUNT".
+    include "BUILT_IN", "CLOUD_IAM_USER", "CLOUD_IAM_SERVICE_ACCOUNT", 
+    "CLOUD_IAM_GROUP", "CLOUD_IAM_GROUP_USER" or "CLOUD_IAM_GROUP_SERVICE_ACCOUNT".
 
 * `deletion_policy` - (Optional) The deletion policy for the user.
     Setting `ABANDON` allows the resource to be abandoned rather than deleted. This is useful