hashicorp · modular-magician · Jan 7, 2025 · Jan 7, 2025
@@ -0,0 +1,3 @@
+```release-note:enhancement
+sql: added `server_ca_pool` field to `google_sql_database_instance` resource.
+```
@@ -83,6 +83,7 @@ var (
 		"settings.0.ip_configuration.0.psc_config",
 		"settings.0.ip_configuration.0.ssl_mode",
 		"settings.0.ip_configuration.0.server_ca_mode",
+		"settings.0.ip_configuration.0.server_ca_pool",
 	}
 
 	maintenanceWindowKeys = []string{
@@ -525,10 +526,16 @@ is set to true. Defaults to ZONAL.`,
 										Type:         schema.TypeString,
 										Optional:     true,
 										Computed:     true,
-										ValidateFunc: validation.StringInSlice([]string{"CA_MODE_UNSPECIFIED", "GOOGLE_MANAGED_INTERNAL_CA", "GOOGLE_MANAGED_CAS_CA"}, false),
+										ValidateFunc: validation.StringInSlice([]string{"CA_MODE_UNSPECIFIED", "GOOGLE_MANAGED_INTERNAL_CA", "GOOGLE_MANAGED_CAS_CA", "CUSTOMER_MANAGED_CAS_CA"}, false),
 										Description:  `Specify how the server certificate's Certificate Authority is hosted.`,
 										AtLeastOneOf: ipConfigurationKeys,
 									},
+									"server_ca_pool": {
+										Type:         schema.TypeString,
+										Optional:     true,
+										Description:  `The resource name of the server CA pool for an instance with "CUSTOMER_MANAGED_CAS_CA" as the "server_ca_mode".`,
+										AtLeastOneOf: ipConfigurationKeys,
+									},
 								},
 							},
 						},
@@ -1455,6 +1462,7 @@ func expandIpConfiguration(configured []interface{}, databaseVersion string) *sq
 		PscConfig:                               expandPscConfig(_ipConfiguration["psc_config"].(*schema.Set).List()),
 		SslMode:                                 _ipConfiguration["ssl_mode"].(string),
 		ServerCaMode:                            _ipConfiguration["server_ca_mode"].(string),
+		ServerCaPool:                            _ipConfiguration["server_ca_pool"].(string),
 	}
 }
 
@@ -2379,6 +2387,7 @@ func flattenIpConfiguration(ipConfiguration *sqladmin.IpConfiguration, d *schema
 		"enable_private_path_for_google_cloud_services": ipConfiguration.EnablePrivatePathForGoogleCloudServices,
 		"ssl_mode":       ipConfiguration.SslMode,
 		"server_ca_mode": ipConfiguration.ServerCaMode,
+		"server_ca_pool": ipConfiguration.ServerCaPool,
 	}
 
 	if ipConfiguration.AuthorizedNetworks != nil {

@@ -2665,7 +2665,10 @@ func TestAccSqlDatabaseInstance_useInternalCaByDefault(t *testing.T) {
 		Steps: []resource.TestStep{
 			{
 				Config: fmt.Sprintf(testGoogleSqlDatabaseInstance_basic3, databaseName),
-				Check:  resource.ComposeTestCheckFunc(resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_ca_mode", "GOOGLE_MANAGED_INTERNAL_CA")),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_ca_mode", "GOOGLE_MANAGED_INTERNAL_CA"),
+					resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_ca_pool", ""),
+				),
 			},
 			{
 				ResourceName:            resourceName,
@@ -2691,7 +2694,10 @@ func TestAccSqlDatabaseInstance_useCasBasedServerCa(t *testing.T) {
 		Steps: []resource.TestStep{
 			{
 				Config: testGoogleSqlDatabaseInstance_setCasServerCa(databaseName, "GOOGLE_MANAGED_CAS_CA"),
-				Check:  resource.ComposeTestCheckFunc(resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_ca_mode", "GOOGLE_MANAGED_CAS_CA")),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_ca_mode", "GOOGLE_MANAGED_CAS_CA"),
+					resource.TestCheckResourceAttr(resourceName, "settings.0.ip_configuration.0.server_ca_pool", ""),
+				),
 			},
 			{
 				ResourceName:            resourceName,

@@ -411,6 +411,8 @@ This setting can be updated, but it cannot be removed after it is set.
 
 * `server_ca_mode` - (Optional) Specify how the server certificate's Certificate Authority is hosted. Supported values are `GOOGLE_MANAGED_INTERNAL_CA` and `GOOGLE_MANAGED_CAS_CA`.
 
+* `server_ca_pool` - (Optional) The resource name of the server CA pool for an instance with `CUSTOMER_MANAGED_CAS_CA` as the `server_ca_mode`.
+
 * `allocated_ip_range` - (Optional) The name of the allocated ip range for the private ip CloudSQL instance. For example: "google-managed-services-default". If set, the instance ip will be created in the allocated range. The range name must comply with [RFC 1035](https://datatracker.ietf.org/doc/html/rfc1035). Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])?.
 
 * `enable_private_path_for_google_cloud_services` - (Optional) Whether Google Cloud services such as BigQuery are allowed to access data in this Cloud SQL instance over a private IP connection. SQLSERVER database type is not supported.