terraform-google-cloudsql-database

Overview

This Terraform configuration sets up the GCP services listed below:

  1. CloudSQL - PostgreSQL: The configuration provisions a CloudSQL - PostgreSQL instance using the google_sql_database_instance resource. It sets up the instance with specified settings such as tier, edition, activation policy, availability type, deletion protection, encryption, backup configuration, IP configuration, insights configuration, and more.

  2. Additional Databases: The configuration creates additional databases within the CloudSQL instance using the google_sql_database resource. These databases are defined in the var.additional_databases variable.

  3. Additional Users: The configuration creates additional users within the CloudSQL instance using the google_sql_user resource. These users are defined in the var.additional_users variable. Passwords for these users are randomly generated using the random_password resource.

  4. IAM Users: The configuration creates IAM users within the CloudSQL instance using the google_sql_user resource. These users are defined in the var.iam_users variable. The type of user (CLOUD_IAM_SERVICE_ACCOUNT or CLOUD_IAM_USER) is determined based on the is_account_sa attribute.

  5. Replicas: The configuration sets up replicas of the CloudSQL instance using the google_sql_database_instance resource. Replicas are defined in the var.read_replicas variable. Each replica has its own settings and can be configured with different characteristics.

Usage

Default - Single Database:

module "single-database" {
  source  = "nurdsoft/cloudsql-database/google"
  version = "0.1.0"

  project_id                  = "zeus-404008"
  name                        = "example-csql"
  random_instance_name        = false
  database_version            = "POSTGRES_14"
  zone                        = "us-central1-c"
  region                      = "us-central1"
  edition                     = "ENTERPRISE"
  tier                        = "db-f1-micro"
  user_name                   = "master"
  user_password               = "" # empty: the module generates one (see the generated_user_password output)
  data_cache_enabled          = false
  deletion_protection         = false
  create_additional_databases = false
  labels = {
    platform_name = "demo"
    cloud         = "gcp"
    component     = "project"
    environment   = "dev"
    client        = "ns"
  }
  iam_users = [
    {
      id    = "Hello"
      email = "hello@nurdsoft.co"
    },
    {
      id    = "Test"
      email = "test@nurdsoft.co"
    },
  ]
  # Flag values are strings; "on" is the documented value that enables IAM database authentication.
  database_flags = [{
    name  = "cloudsql.iam_authentication"
    value = "on"
  }]
  ip_configuration = {
    ipv4_enabled       = true
    private_network    = null
    require_ssl        = true
    allocated_ip_range = null
    authorized_networks = [{
      name  = "ns-private-vpc-cidr"
      value = "10.0.0.0/16"
    }]
  }
}

Multiple Databases:

module "multiple-databases" {
  source  = "nurdsoft/cloudsql-database/google"
  version = "0.1.0"

  project_id                  = "zeus-404008"
  name                        = "example-csql"
  random_instance_name        = false
  database_version            = "POSTGRES_14"
  zone                        = "us-central1-c"
  region                      = "us-central1"
  edition                     = "ENTERPRISE"
  tier                        = "db-f1-micro"
  user_name                   = "master"
  user_password               = "" # empty: the module generates one (see the generated_user_password output)
  data_cache_enabled          = false
  deletion_protection         = false
  # Must be true, otherwise the additional_databases list below is ignored.
  create_additional_databases = true
  additional_databases = [
    {
      name      = "internal-dev"
      charset   = "UTF8"
      collation = "en_US.UTF8"
    }
  ]
  labels = {
    platform_name = "demo"
    cloud         = "gcp"
    component     = "project"
    environment   = "dev"
    client        = "ns"
    app           = "portal"
  }
  iam_users = [
    {
      id    = "Hello"
      email = "hello@nurdsoft.co"
    },
    {
      id    = "Test"
      email = "test@nurdsoft.co"
    },
  ]
  # Flag values are strings; "on" is the documented value that enables IAM database authentication.
  database_flags = [{
    name  = "cloudsql.iam_authentication"
    value = "on"
  }]
  ip_configuration = {
    ipv4_enabled       = true
    private_network    = null
    require_ssl        = false
    ssl_mode           = "ENCRYPTED_ONLY" # still rejects unencrypted connections even with require_ssl = false
    allocated_ip_range = null
    authorized_networks = [{
      name  = "ns-private-vpc-cidr"
      # 0.0.0.0/0 admits every IPv4 source on the public address; outside a demo, restrict this to known CIDRs.
      value = "0.0.0.0/0"
    }]
  }
}
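A hardened version of the call above, added here as an example rather than taken from the module's own docs, using only inputs the module declares: private IP instead of a public address with an open authorized network, TLS required, regional HA, both deletion-protection flags, backups with point-in-time recovery, CMEK and IAM database authentication. PROJECT_ID, VPC_SELF_LINK, KMS_KEY_NAME and the user email are placeholders.

```hcl
module "hardened-database" {
  source  = "nurdsoft/cloudsql-database/google"
  version = "0.1.0"

  project_id       = "PROJECT_ID"
  name             = "example-csql"
  database_version = "POSTGRES_14"
  region           = "us-central1"
  zone             = "us-central1-c"
  edition          = "ENTERPRISE"
  tier             = "db-custom-2-7680"

  # Regional HA: a standby in secondary_zone takes over on a zonal failure.
  availability_type = "REGIONAL"
  secondary_zone    = "us-central1-f"

  # Two layers of delete protection: the Terraform-side lifecycle guard and the API-side flag.
  deletion_protection         = true
  deletion_protection_enabled = true

  # Customer-managed encryption key (placeholder); the key must live in the instance's region.
  encryption_key_name = "KMS_KEY_NAME"

  backup_configuration = {
    enabled                        = true
    start_time                     = "02:00"
    location                       = "us"
    point_in_time_recovery_enabled = true
    transaction_log_retention_days = "7"
    retained_backups               = 30
    retention_unit                 = "COUNT"
  }

  # Private IP only: no public IPv4 address, so no authorized_networks are needed,
  # and every client must negotiate TLS.
  ip_configuration = {
    ipv4_enabled        = false
    private_network     = "VPC_SELF_LINK" # placeholder self link of the VPC that has the private services range
    require_ssl         = true
    ssl_mode            = "ENCRYPTED_ONLY"
    allocated_ip_range  = null
    authorized_networks = []
  }

  # Default user gets a module-generated password; people authenticate as IAM users instead.
  user_name     = "master"
  user_password = ""
  database_flags = [{
    name  = "cloudsql.iam_authentication"
    value = "on"
  }]
  iam_users = [{
    id    = "dba"
    email = "dba@example.com" # placeholder
  }]
}
```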

Assumptions

The project assumes the following:

  • A basic understanding of Git.
  • Git version >= 2.33.0.
  • An existing GCP IAM user or role with access to create/update/delete resources defined in main.tf.
  • GCloud CLI >= 465.0.0
  • A basic understanding of Terraform.
  • Terraform version >= 1.6.0
  • (Optional - for local testing) A basic understanding of Make.
    • Make version >= GNU Make 3.81.
    • Important Note: This project includes a Makefile to speed up local development in Terraform. The make targets act as a wrapper around Terraform commands. As such, make has only been tested/verified on Linux/Mac OS. Though it is possible to install make using Chocolatey, we do not guarantee this approach as it has not been tested/verified. You may use the commands in the Makefile as a guide to run each Terraform command locally on Windows.

Test

gcloud init # https://cloud.google.com/docs/authentication/gcloud
gcloud auth application-default login # the Terraform google provider reads Application Default Credentials
make plan    # wraps terraform plan
make apply   # wraps terraform apply
make destroy # wraps terraform destroy

Contributions

Contributions are always welcome. As such, this project uses the main branch as the source of truth to track changes.

Step 1. Clone this project.

# Using Git
$ git clone git@github.com:pacenthink/terraform-gcp-modules-cloudsql.git

# Using HTTPS
$ git clone https://github.com/pacenthink/terraform-gcp-modules-cloudsql.git

Step 2. Check out a feature branch: git checkout -b feature/abc.

Step 3. Validate the changes locally by executing the steps defined under Test.

Step 4. If testing is successful, commit and push the new changes to the remote.

$ git add file1 file2 ...

$ git commit -m "Adding some change"

$ git push --set-upstream origin feature/abc

Step 5. Once pushed, create a PR and assign it to a member for review.

  • Important Note: It can be helpful to attach the terraform plan output in the PR.

Step 6. A team member reviews/approves/merges the changes.

Step 7. Once merged, deploy the required changes as needed.

Step 8. Once deployed, verify that the changes have been deployed.

  • If possible, please add a plan output using the feature branch so the member reviewing the PR has better visibility into the changes.

Requirements

Name         Version
google       5.16.0
google-beta  5.16.0
null         3.2.2
random       3.6.0

Providers

Name         Version
google       5.16.0
google-beta  5.16.0
null         3.2.2
random       3.6.0
time         n/a

Resources

Name Type
google-beta_google_sql_database_instance.sql_database_instance resource
google-beta_google_sql_database_instance.sql_database_instance_replica resource
google_compute_global_address.private_ip_alloc resource
google_service_networking_connection.private_vpc_connection resource
google_sql_database.additional_databases resource
google_sql_database.sql_database resource
google_sql_user.additional_users resource
google_sql_user.iam_account resource
google_sql_user.sql_user resource
null_resource.module_depends_on resource
random_id.suffix resource
random_password.additional_passwords resource
random_password.user_password resource
time_sleep.wait_90_seconds resource
google_compute_zones.available data source

Inputs

Name Description Type Default Required
activation_policy The activation policy for the master instance. Can be either ALWAYS, NEVER or ON_DEMAND. string "ALWAYS" no
additional_databases A list of databases to be created in your cluster
list(object({
name = string
charset = string
collation = string
}))
[] no
additional_users A list of users to be created in your cluster. A random password is set for the user if its random_password attribute is true.
list(object({
name = string
password = string
random_password = bool
}))
[] no
availability_type The availability type for the master instance. This is only used to set up high availability for the PostgreSQL instance. Can be either ZONAL or REGIONAL. string "ZONAL" no
backup_configuration The backup_configuration settings subblock for the database settings
object({
enabled = optional(bool, false)
start_time = optional(string)
location = optional(string)
point_in_time_recovery_enabled = optional(bool, false)
transaction_log_retention_days = optional(string)
retained_backups = optional(number)
retention_unit = optional(string)
})
{} no
connector_enforcement Enforce that clients use the connector library bool false no
create_additional_databases Whether to create the databases listed in additional_databases in your cluster bool true no
create_database Whether to create the CloudSQL database bool true no
create_service_networking_connection Whether to create service networking connection bool true no
create_timeout The optional timeout that is applied to limit long database creates. string "30m" no
data_cache_enabled Whether data cache is enabled for the instance. Defaults to false. Feature is only available for ENTERPRISE_PLUS tier and supported database_versions bool false no
database_deletion_policy The deletion policy for the database. Setting ABANDON allows the resource to be abandoned rather than deleted. This is useful for Postgres, where databases cannot be deleted from the API if there are users other than cloudsqlsuperuser with access. Possible values are: "ABANDON". string null no
database_flags The database flags for the master instance. See more details
list(object({
name = string
value = string
}))
[] no
database_version The database version to use string n/a yes
db_charset The charset for the default database string "" no
db_collation The collation for the default database. Example: 'en_US.UTF8' string "" no
db_name The name of the default database to create string "default" no
delete_timeout The optional timeout that is applied to limit long database deletes. string "30m" no
deletion_protection Used to block Terraform from deleting a SQL Instance. bool true no
deletion_protection_enabled Enables protection of an instance from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform). bool false no
deny_maintenance_period The Deny Maintenance Period fields to prevent automatic maintenance from occurring during a 90-day time period. List accepts only one value. See more details
list(object({
end_date = string
start_date = string
time = string
}))
[] no
disk_autoresize Configuration to increase storage size. bool true no
disk_autoresize_limit The maximum size to which storage can be auto increased. number 0 no
disk_size The disk size for the master instance. number 10 no
disk_type The disk type for the master instance. string "PD_SSD" no
edition The edition of the instance, can be ENTERPRISE or ENTERPRISE_PLUS. string null no
enable_default_db Enable or disable the creation of the default database bool true no
enable_default_user Enable or disable the creation of the default user bool true no
enable_random_password_special Enable special characters in generated random passwords. bool false no
encryption_key_name The full path to the encryption key used for the CMEK disk encryption string null no
follow_gae_application A Google App Engine application whose zone to remain in. Must be in the same region as this instance. string null no
iam_users A list of IAM users to be created in your CloudSQL instance
list(object({
id = string,
email = string
}))
[] no
insights_config The insights_config settings for the database.
object({
query_plans_per_minute = optional(number, 5)
query_string_length = optional(number, 1024)
record_application_tags = optional(bool, false)
record_client_address = optional(bool, false)
})
null no
internal_database_ip Whether to create private IP allocation for Cloud SQL bool true no
ip_configuration The ip configuration for the master instances.
object({
authorized_networks = optional(list(map(string)), [])
ipv4_enabled = optional(bool, true)
private_network = optional(string)
require_ssl = optional(bool)
ssl_mode = optional(string)
allocated_ip_range = optional(string)
enable_private_path_for_google_cloud_services = optional(bool, false)
psc_enabled = optional(bool, false)
psc_allowed_consumer_projects = optional(list(string), [])
})
{} no
labels Map of labels for project map(string) {} no
maintenance_window_day The day of week (1-7) for the master instance maintenance. number 1 no
maintenance_window_hour The hour of day (0-23) maintenance window for the master instance maintenance. number 23 no
maintenance_window_update_track The update track of the maintenance window for the master instance maintenance. Can be either canary or stable. string "canary" no
module_depends_on List of modules or resources this module depends on. list(any) [] no
name The name of the Cloud SQL resources string "" no
password_validation_policy_config The password validation policy settings for the database instance.
object({
min_length = number
complexity = string
reuse_interval = number
disallow_username_substring = bool
password_change_interval = string
})
null no
pricing_plan The pricing plan for the master instance. string "PER_USE" no
private_ip_address Private IP address for allocation string null no
private_ip_prefix_length Prefix length for private IP allocation number 20 no
project_id The project ID to manage the Cloud SQL resources string n/a yes
random_instance_name Sets random suffix at the end of the Cloud SQL resource name bool false no
read_replica_deletion_protection Used to block Terraform from deleting replica SQL Instances. bool false no
read_replica_deletion_protection_enabled Enables protection of replica instance from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform). bool false no
read_replica_name_suffix The optional suffix to add to the read instance name string "" no
read_replicas List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption_key_name = null
list(object({
name = string
name_override = optional(string)
tier = optional(string)
edition = optional(string)
availability_type = optional(string)
zone = optional(string)
disk_type = optional(string)
disk_autoresize = optional(bool)
disk_autoresize_limit = optional(number)
disk_size = optional(string)
user_labels = map(string)
database_flags = optional(list(object({
name = string
value = string
})), [])
insights_config = optional(object({
query_plans_per_minute = optional(number, 5)
query_string_length = optional(number, 1024)
record_application_tags = optional(bool, false)
record_client_address = optional(bool, false)
}), null)
ip_configuration = object({
authorized_networks = optional(list(map(string)), [])
ipv4_enabled = optional(bool)
private_network = optional(string, )
require_ssl = optional(bool)
ssl_mode = optional(string)
allocated_ip_range = optional(string)
enable_private_path_for_google_cloud_services = optional(bool, false)
psc_enabled = optional(bool, false)
psc_allowed_consumer_projects = optional(list(string), [])
})
encryption_key_name = optional(string)
}))
[] no
region The region of the Cloud SQL resources string null no
root_password Initial root password during creation string null no
secondary_zone The preferred zone for the secondary/failover instance, it should be something like: us-central1-a, us-east1-c. string null no
tier The tier for the master instance. string null no
update_timeout The optional timeout that is applied to limit long database updates. string "30m" no
user_deletion_policy The deletion policy for the user. Setting ABANDON allows the resource to be abandoned rather than deleted. This is useful for Postgres, where users cannot be deleted from the API if they have been granted SQL roles. Possible values are: "ABANDON". string null no
user_labels The key/value labels for the master instances. map(string) {} no
user_name The name of the default user string null no
user_password The password for the default user. If not set, a random one will be generated and available in the generated_user_password output variable. string "" no
zone The zone for the master instance, it should be something like: us-central1-a, us-east1-c. string null no

Outputs

Name Description
additional_users List of maps of additional users and passwords
dns_name DNS name of the instance endpoint
generated_user_password The auto-generated default user password, if no input password was provided
iam_users The list of the IAM users with access to the CloudSQL instance
instance_connection_name The connection name of the master instance to be used in connection strings
instance_first_ip_address The first IPv4 address of the addresses assigned.
instance_ip_address The IPv4 address assigned for the master instance
instance_name The instance name for the master instance
instance_psc_attachment The psc_service_attachment_link created for the master instance
instance_self_link The URI of the master instance
instance_server_ca_cert The CA certificate information used to connect to the SQL instance via SSL
instance_service_account_email_address The service account email address assigned to the master instance
instances A list of all google_sql_database_instance resources we've created
primary The google_sql_database_instance resource representing the primary instance
private_ip_address The first private (PRIVATE) IPv4 address assigned for the master instance
public_ip_address Primary IPv4 address assigned for the master instance
read_replica_instance_names The instance names for the read replica instances
replicas A list of google_sql_database_instance resources representing the replicas
replicas_instance_connection_names The connection names of the replica instances to be used in connection strings
replicas_instance_first_ip_addresses The first IPv4 addresses of the addresses assigned for the replica instances
replicas_instance_self_links The URIs of the replica instances
replicas_instance_server_ca_certs The CA certificates information used to connect to the replica instances via SSL
replicas_instance_service_account_email_addresses The service account email addresses assigned to the replica instances

Authors

Module is maintained by Nurdsoft.


License

Apache 2 Licensed. See LICENSE for full details.

About

Terraform module used to set up CloudSQL on Google Cloud Platform (GCP).