Google Cloud SQL User

This page shows how to write Terraform for Cloud SQL User and how to write it securely.

google_sql_user (Terraform)

The User in Cloud SQL can be configured in Terraform with the resource name google_sql_user. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.


deletion_policy - The deletion policy for the user. Setting ABANDON allows the resource to be abandoned rather than deleted. This is useful for Postgres, where users cannot be deleted from the API if they have been granted SQL roles. Possible values are: "ABANDON".

host - The host the user can connect from. This is only supported for MySQL instances. Don't set this field for PostgreSQL instances. Can be an IP address. Changing this forces a new resource to be created.

instance - The name of the Cloud SQL instance. Changing this forces a new resource to be created.

name - The name of the user. Changing this forces a new resource to be created.

password - The password for the user. Can be updated. For Postgres instances this is a Required field, unless type is set to either CLOUD_IAM_USER or CLOUD_IAM_SERVICE_ACCOUNT.

project - The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

type - The user type. It determines the method to authenticate the user during login. The default is the database's built-in user type. Flags include "BUILT_IN", "CLOUD_IAM_USER", or "CLOUD_IAM_SERVICE_ACCOUNT".

Explanation in Terraform Registry

Creates a new Google SQL User on a Google SQL User Instance. For more information, see the official documentation, or the JSON API.

Note: All arguments including the username and password will be stored in the raw state as plain-text. Read more about sensitive data in state. Passwords will not be retrieved when running "terraform import".
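The configuration below is an added example, not taken from the Terraform Registry or the provider's documentation. It shows how the type, password and deletion_policy arguments interact with the plain-text state note above: an IAM service-account user that needs no password, beside a built-in user whose generated password still ends up in the state. The resource names, region, tier and variables are placeholders, and the random_password resource assumes the hashicorp/random provider is available.

```hcl
# Added example. Resource names, region, tier and variables are placeholders.
variable "project_id" { type = string }
variable "app_sa_email" { type = string } # e-mail of the workload's service account

resource "google_sql_database_instance" "pg" {
  project          = var.project_id
  name             = "example-pg"
  region           = "us-central1"
  database_version = "POSTGRES_15"

  settings {
    tier = "db-f1-micro"

    # Required on PostgreSQL before IAM database users can log in.
    database_flags {
      name  = "cloudsql.iam_authentication"
      value = "on"
    }
  }
}

# Preferred: IAM service-account user. No password argument, so no database
# password for this user is written to the Terraform state.
resource "google_sql_user" "app_iam" {
  project  = var.project_id
  instance = google_sql_database_instance.pg.name
  type     = "CLOUD_IAM_SERVICE_ACCOUNT"
  # PostgreSQL only: the user name is the e-mail without ".gserviceaccount.com".
  name = trimsuffix(var.app_sa_email, ".gserviceaccount.com")
  # Lets "terraform destroy" succeed once the user has been granted SQL roles.
  deletion_policy = "ABANDON"
}

# Fallback: built-in user. The value is generated (hashicorp/random provider)
# rather than typed into a .tf file, but it is still stored in the state in
# plain text, so the state backend must be encrypted and access-controlled.
resource "random_password" "app" {
  length  = 32
  special = false
}

resource "google_sql_user" "app_builtin" {
  project         = var.project_id
  instance        = google_sql_database_instance.pg.name
  name            = "app"
  password        = random_password.app.result
  deletion_policy = "ABANDON"
}
```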

Tips: Best Practices for the Other Google Cloud SQL Resources

In addition to google_sql_database_instance, Google Cloud SQL has other resources that should be configured with security in mind. Check the examples and precautions for those resources.



Ensure the local_infile setting is disabled in MySQL

It is better to disable the local_infile setting in MySQL. If this is not disabled, arbitrary files might be readable.

Frequently asked questions

What is Google Cloud SQL User?

Google Cloud SQL User is a resource for Cloud SQL of Google Cloud Platform. Settings can be written in Terraform.

