[Cloud SQL] Add and pass-through vars.users.database_roles (#3968)

* Fix weekly_schedule config section for secondary instance

* Add and pass-through vars.users.database_roles

* Merge from upstream

---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>

modules/cloudsql-instance/main.tf

@@ -47,16 +47,18 @@ locals {
     for k, v in var.users : k =>
     local.is_mysql
     ? {
-      name     = v.type == "BUILT_IN" ? split("@", k)[0] : k
+      name           = v.type == "BUILT_IN" ? split("@", k)[0] : k
-      host     = v.type == "BUILT_IN" ? try(split("@", k)[1], null) : null
+      host           = v.type == "BUILT_IN" ? try(split("@", k)[1], null) : null
-      password = v.type == "BUILT_IN" ? try(random_password.passwords[k].result, v.password) : null
+      password       = v.type == "BUILT_IN" ? try(random_password.passwords[k].result, v.password) : null
-      type     = v.type
+      type           = v.type
+      database_roles = v.database_roles
     }
     : {
-      name     = local.is_postgres ? try(trimsuffix(k, ".gserviceaccount.com"), k) : k
+      name           = local.is_postgres ? try(trimsuffix(k, ".gserviceaccount.com"), k) : k
-      host     = null
+      host           = null
-      password = v.type == "BUILT_IN" ? try(random_password.passwords[k].result, v.password) : null
+      password       = v.type == "BUILT_IN" ? try(random_password.passwords[k].result, v.password) : null
-      type     = v.type
+      type           = v.type
+      database_roles = v.database_roles
     }
   }
 }
@@ -370,13 +372,14 @@ resource "random_password" "root_password" {
 }
 
 resource "google_sql_user" "users" {
-  for_each = local.users
+  for_each       = local.users
-  project  = local.project_id
+  project        = local.project_id
-  instance = google_sql_database_instance.primary.name
+  instance       = google_sql_database_instance.primary.name
-  name     = each.value.name
+  name           = each.value.name
-  host     = each.value.host
+  host           = each.value.host
-  password = each.value.password
+  password       = each.value.password
-  type     = each.value.type
+  type           = each.value.type
+  database_roles = each.value.database_roles
 }
 
 moved {

modules/cloudsql-instance/variables.tf

@@ -332,6 +332,7 @@ variable "users" {
     password         = optional(string)
     password_version = optional(number)
     type             = optional(string, "BUILT_IN")
+    database_roles   = optional(list(string))
   }))
   default  = {}
   nullable = false