From 76c6d4f4042db8fe72ecd94ec7f9c575cdd290dc Mon Sep 17 00:00:00 2001 From: Brandon Tucker Date: Thu, 14 May 2026 15:25:00 -0600 Subject: [PATCH] [Cloud SQL] Add and pass-through vars.users.database_roles (#3968) * Fix weekly_schedule config section for secondary instance * Add and pass-through vars.users.database_roles * Merge from upstream --------- Co-authored-by: Ludovico Magnocavallo --- modules/cloudsql-instance/main.tf | 33 ++++++++++++++------------ modules/cloudsql-instance/variables.tf | 1 + 2 files changed, 19 insertions(+), 15 deletions(-) diff --git a/modules/cloudsql-instance/main.tf b/modules/cloudsql-instance/main.tf index ee8f79eb5..d1fc9d9f3 100644 --- a/modules/cloudsql-instance/main.tf +++ b/modules/cloudsql-instance/main.tf @@ -47,16 +47,18 @@ locals { for k, v in var.users : k => local.is_mysql ? { - name = v.type == "BUILT_IN" ? split("@", k)[0] : k - host = v.type == "BUILT_IN" ? try(split("@", k)[1], null) : null - password = v.type == "BUILT_IN" ? try(random_password.passwords[k].result, v.password) : null - type = v.type + name = v.type == "BUILT_IN" ? split("@", k)[0] : k + host = v.type == "BUILT_IN" ? try(split("@", k)[1], null) : null + password = v.type == "BUILT_IN" ? try(random_password.passwords[k].result, v.password) : null + type = v.type + database_roles = v.database_roles } : { - name = local.is_postgres ? try(trimsuffix(k, ".gserviceaccount.com"), k) : k - host = null - password = v.type == "BUILT_IN" ? try(random_password.passwords[k].result, v.password) : null - type = v.type + name = local.is_postgres ? try(trimsuffix(k, ".gserviceaccount.com"), k) : k + host = null + password = v.type == "BUILT_IN" ? try(random_password.passwords[k].result, v.password) : null + type = v.type + database_roles = v.database_roles } } } 
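Review bot: In the second branch of the `local.users` conditional, `database_roles = v.database_roles` is forwarded for every engine that is not MySQL and for every user `type`, so SQL Server instances and IAM-typed users receive it as well as PostgreSQL built-in users. If the API accepts role assignments only on some engines (I believe MySQL and PostgreSQL, but this diff does not show it), a caller who sets roles elsewhere would only find out through an apply-time error. Consider gating it with the flag already used for `name`, e.g. `database_roles = local.is_postgres ? v.database_roles : null`, or rejecting the combination in a variable validation. A short comment such as `# passed verbatim: these are database privilege grants, keep them minimal` would also help the next reader. The `locals` block starts before this hunk, so how `is_mysql` and `is_postgres` are derived is not visible here.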
@@ -370,13 +372,14 @@ resource "random_password" "root_password" { } resource "google_sql_user" "users" { - for_each = local.users - project = local.project_id - instance = google_sql_database_instance.primary.name - name = each.value.name - host = each.value.host - password = each.value.password - type = each.value.type + for_each = local.users + project = local.project_id + instance = google_sql_database_instance.primary.name + name = each.value.name + host = each.value.host + password = each.value.password + type = each.value.type + database_roles = each.value.database_roles } moved { diff --git a/modules/cloudsql-instance/variables.tf b/modules/cloudsql-instance/variables.tf index 118351574..b6c3f7151 100644 --- a/modules/cloudsql-instance/variables.tf +++ b/modules/cloudsql-instance/variables.tf @@ -332,6 +332,7 @@ variable "users" { password = optional(string) password_version = optional(number) type = optional(string, "BUILT_IN") + database_roles = optional(list(string)) })) default = {} nullable = false
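Review bot: `database_roles = each.value.database_roles` on `google_sql_user.users` depends on the provider exposing that argument, and the diffstat lists only main.tf and variables.tf, so the module's provider version constraint is apparently unchanged. If that constraint still admits provider releases without `database_roles`, consumers pinned to one of them will hit an unsupported-argument error at plan time even when they never set the field; it is worth checking the `required_providers` floor. Since a change to this list is a change to what the database user is allowed to do, I would add a comment above the argument, e.g. `# database-level role grants; review changes like IAM binding changes`.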
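Review bot: The new `database_roles = optional(list(string))` attribute in `var.users` is undocumented in this hunk, and no README or description change appears in the diffstat. Because this field decides which database privileges each user gets, the variable description should state that, say that leaving it unset passes null through to the resource, and note any engine restrictions, e.g. appending `database_roles is the list of database roles granted to the user; null leaves role membership unmanaged by this module.` (wording to be confirmed against provider behaviour). The list is also accepted unvalidated, so an empty or whitespace-only entry would only be rejected by the API at apply time; a `validation` block that checks `trimspace(r) != ""` for each role would catch that at plan time. The `variable "users"` block begins and ends outside this hunk, so an existing description or validation may already cover part of this.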