feat: Add support for v1 projects flag.

Author: hessjcg

cmd/options.go

@@ -92,6 +92,14 @@ func WithProxyV1LogDebugStdout() Option {
 	}
 }
 
+// WithProxyV1Projects enables legacy behavior of v1 and will connect to
+// all Second Generation instances in the provided projects.
+func WithProxyV1Projects(projects []string) Option {
+	return func(c *Command) {
+		c.conf.Projects = projects
+	}
+}
+
 // WithProxyV1Verbose enables legacy behavior of v1 and will set
 // the debug-logs flag on the v2 proxy.
 func WithProxyV1Verbose(v bool) Option {

cmd/root.go

@@ -33,9 +33,9 @@ import (
 	"syscall"
 	"time"
 
+	"cloud.google.com/go/compute/metadata"
 	"contrib.go.opencensus.io/exporter/prometheus"
 	"contrib.go.opencensus.io/exporter/stackdriver"
-	"cloud.google.com/go/compute/metadata"
 	"github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/cloudsql"
 	"github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/internal/healthcheck"
 	"github.com/GoogleCloudPlatform/cloud-sql-proxy/v2/internal/log"
@@ -45,6 +45,10 @@ import (
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
 	"go.opencensus.io/trace"
+	"golang.org/x/oauth2"
+	"google.golang.org/api/impersonate"
+	"google.golang.org/api/option"
+	sqladmin "google.golang.org/api/sqladmin/v1"
 )
 
 var (
@@ -659,6 +663,15 @@ func loadConfig(c *Command, args []string, opts []Option) error {
 		args = append(args, mArgs...)
 	}
 
+	// If projects is set, fetch instances from those projects.
+	if len(c.conf.Projects) > 0 {
+		pArgs, err := instanceFromProjects(c.Context(), c.conf)
+		if err != nil {
+			return err
+		}
+		args = append(args, pArgs...)
+	}
+
 	// Handle logger separately from config
 	if c.conf.StructuredLogs {
 		c.logger = log.NewStructuredLogger(c.conf.Quiet)
@@ -1304,3 +1317,110 @@ func instanceFromMetadata(path string) ([]string, error) {
 	}
 	return args, nil
 }
+
+func instanceFromProjects(ctx context.Context, conf *proxy.Config) ([]string, error) {
+	var opts []option.ClientOption
+	if conf.APIEndpointURL != "" {
+		opts = append(opts, option.WithEndpoint(conf.APIEndpointURL))
+	}
+	if conf.QuotaProject != "" {
+		opts = append(opts, option.WithQuotaProject(conf.QuotaProject))
+	}
+
+	// Handle credentials
+	switch {
+	case conf.ImpersonationChain != "":
+		target, delegates := parseImpersonationChain(conf.ImpersonationChain)
+		var iopts []option.ClientOption
+		switch {
+		case conf.Token != "":
+			ts := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: conf.Token})
+			iopts = append(iopts, option.WithTokenSource(ts))
+		case conf.CredentialsFile != "":
+			iopts = append(iopts, option.WithCredentialsFile(conf.CredentialsFile))
+		case conf.CredentialsJSON != "":
+			iopts = append(iopts, option.WithCredentialsJSON([]byte(conf.CredentialsJSON)))
+		}
+		ts, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
+			TargetPrincipal: target,
+			Delegates:       delegates,
+			Scopes:          []string{sqladmin.SqlserviceAdminScope},
+		}, iopts...)
+		if err != nil {
+			return nil, err
+		}
+		opts = append(opts, option.WithTokenSource(ts))
+	case conf.Token != "":
+		ts := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: conf.Token})
+		opts = append(opts, option.WithTokenSource(ts))
+	case conf.CredentialsFile != "":
+		opts = append(opts, option.WithCredentialsFile(conf.CredentialsFile))
+	case conf.CredentialsJSON != "":
+		opts = append(opts, option.WithCredentialsJSON([]byte(conf.CredentialsJSON)))
+	}
+
+	sql, err := sqladmin.NewService(ctx, opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	ch := make(chan string)
+	errCh := make(chan error, len(conf.Projects))
+	var wg sync.WaitGroup
+	wg.Add(len(conf.Projects))
+	for _, proj := range conf.Projects {
+		proj := proj
+		go func() {
+			defer wg.Done()
+			err := sql.Instances.List(proj).Pages(ctx, func(r *sqladmin.InstancesListResponse) error {
+				for _, in := range r.Items {
+					// The Proxy only supports Second Gen
+					if in.BackendType == "SECOND_GEN" {
+						ch <- in.ConnectionName
+					}
+				}
+				return nil
+			})
+			if err != nil {
+				errCh <- fmt.Errorf("failed to list instances in %q: %v", proj, err)
+			}
+		}()
+	}
+	go func() {
+		wg.Wait()
+		close(ch)
+		close(errCh)
+	}()
+
+	var args []string
+	for x := range ch {
+		args = append(args, x)
+	}
+
+	// Check for any errors
+	for err := range errCh {
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if len(args) == 0 {
+		return nil, fmt.Errorf("no Cloud SQL Instances found in projects: %v", conf.Projects)
+	}
+	return args, nil
+}
+
+func parseImpersonationChain(chain string) (string, []string) {
+	accts := strings.Split(chain, ",")
+	target := accts[0]
+	// Assign delegates if the chain is more than one account. Delegation
+	// goes from last back towards target, e.g., With sa1,sa2,sa3, sa3
+	// delegates to sa2, which impersonates the target sa1.
+	var delegates []string
+	if l := len(accts); l > 1 {
+		for i := l - 1; i > 0; i-- {
+			delegates = append(delegates, accts[i])
+		}
+	}
+	return target, delegates
+}

internal/proxy/proxy.go

@@ -212,6 +212,10 @@ type Config struct {
 	// comma-separated list of instance connection names.
 	InstancesMetadata string
 
+	// Projects is a list of projects from which to connect to all
+	// Second Generation instances.
+	Projects []string
+
 	// Instances are configuration for individual instances. Instance
 	// configuration takes precedence over global configuration.
 	Instances []InstanceConnConfig

migration-guide.md

@@ -169,7 +169,7 @@ The following table lists in alphabetical order v1 flags and their v2 version.
 | ip_address_types            | private-ip                  | Defaults to public. To connect to a private IP, you must add the --private-ip flag   |
 | log_debug_stdout            | ❌                          | v2 logs to stdout, errors to stderr by default                                       |
 | max_connections             | max-connections             |                                                                                      |
-| projects                    | ❌                          | v2 prefers explicit connection configuration to avoid user error                     |
+| projects                    | ❌                          | Not supported as a v2 flag. v2 prefers explicit configuration. v1 -projects is supported in v2 compatibility mode. |
 | quiet                       | quiet                       | quiet disables all logging except errors                                             |
 | quota_project               | quota-project               |                                                                                      |
 | refresh_config_throttle     | ❌                          |                                                                                      |