cloud-foundation-fabric/modules/cloudsql-instance/README.md

Cloud SQL instance with read replicas

This module manages the creation of Cloud SQL instances with potential read replicas in other regions. It can also create an initial set of users and databases via the users and databases parameters.

Note that this module assumes that some options are the same for both the primary instance and all the replicas (e.g. tier, disks, labels, flags, etc).

Warning: if you use the users field, your Terraform state will contain each user's password in plain text, including the passwords the module generates for users set to null (which are also exposed through the user_passwords output). Protect the state backend accordingly: restrict who can read it and encrypt it at rest.

Simple example

This example shows how to set up a project, a VPC with a Private Service Access range for Cloud SQL, and a standalone Cloud SQL instance reachable only over private IP.

module "project" {
  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  parent          = var.organization_id
  name            = "my-db-project"
  services = [
    "servicenetworking.googleapis.com"
  ]
}

module "vpc" {
  source     = "./fabric/modules/net-vpc"
  project_id = module.project.project_id
  name       = "my-network"
  psa_config = {
    ranges = { cloud-sql = "10.60.0.0/16" }
  }
}

module "db" {
  source           = "./fabric/modules/cloudsql-instance"
  project_id       = module.project.project_id
  network          = module.vpc.self_link
  name             = "db"
  region           = "europe-west1"
  database_version = "POSTGRES_13"
  tier             = "db-g1-small"
}
# tftest modules=3 resources=11 inventory=simple.yaml

Cross-regional read replica

Replicas inherit tier, disks, flags and labels from the primary (see the note above); only the region and, optionally, a CMEK key are set per replica.

module "db" {
  source           = "./fabric/modules/cloudsql-instance"
  project_id       = var.project_id
  network          = var.vpc.self_link
  prefix           = "myprefix"
  name             = "db"
  region           = "europe-west1"
  database_version = "POSTGRES_13"
  tier             = "db-g1-small"

  replicas = {
    replica1 = { region = "europe-west3", encryption_key_name = null }
    replica2 = { region = "us-central1", encryption_key_name = null }
  }
}
# tftest modules=1 resources=3 inventory=replicas.yaml

Custom flags, databases and users

module "db" {
  source           = "./fabric/modules/cloudsql-instance"
  project_id       = var.project_id
  network          = var.vpc.self_link
  name             = "db"
  region           = "europe-west1"
  database_version = "MYSQL_8_0"
  tier             = "db-g1-small"

  flags = {
    disconnect_on_expired_password = "on"
  }

  databases = [
    "people",
    "departments"
  ]

  users = {
    # generate a password for user1
    user1 = null
    # assign a password to user2 (stored in plain text in state, see the warning above)
    user2 = "mypassword"
  }
}
# tftest modules=1 resources=6 inventory=custom.yaml
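Added example, not part of the module's README, that combines the MySQL user host syntax described in the Variables section with a way to hand the module's generated passwords to consumers. It assumes an application subnet of 10.10.0.0/24 for the host pattern, that the user_passwords output is keyed like the users input, that usernames are unique before the @, and a variable var.app_service_account_email for the workload identity. Both the generated password and the Secret Manager version still end up in Terraform state; the gain is that applications read the password through Secret Manager IAM instead of needing access to the state backend.

```hcl
locals {
  # Users keyed as the module expects: for MySQL, text after the first @ is
  # the host pattern. 10.10.0.% is an assumed application subnet; the
  # reporting user has no host restriction.
  db_users = {
    "app@10.10.0.%" = null # null => the module generates the password
    "reporting"     = null
  }
}

module "db" {
  source           = "./fabric/modules/cloudsql-instance"
  project_id       = var.project_id
  network          = var.vpc.self_link
  name             = "db"
  region           = "europe-west1"
  database_version = "MYSQL_8_0"
  tier             = "db-g1-small"

  databases = ["people"]
  users     = local.db_users
}

# One secret per user. for_each iterates over the non-sensitive local rather
# than over module.db.user_passwords, because Terraform refuses sensitive
# values as for_each arguments.
resource "google_secret_manager_secret" "db_user" {
  for_each = local.db_users
  project  = var.project_id
  # secret_id only allows [a-zA-Z0-9_-], so drop the MySQL host part.
  secret_id = "db-password-${split("@", each.key)[0]}"

  replication {
    user_managed {
      replicas {
        location = "europe-west1" # keep the secret in the instance region
      }
    }
  }
}

# Assumes user_passwords is keyed by the same keys as the users input.
resource "google_secret_manager_secret_version" "db_user" {
  for_each    = local.db_users
  secret      = google_secret_manager_secret.db_user[each.key].id
  secret_data = module.db.user_passwords[each.key]
}

# Grant read access to the workload's service account (assumed variable),
# not to whoever can read the state backend.
resource "google_secret_manager_secret_iam_member" "app_reader" {
  project   = var.project_id
  secret_id = google_secret_manager_secret.db_user["app@10.10.0.%"].secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${var.app_service_account_email}"
}
```

The host suffix only applies to MySQL; for PostgreSQL and SQL Server use plain usernames as keys. Rotating a password is then a matter of tainting the corresponding google_sql_user and letting the new secret version propagate, without touching the application's IAM binding.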

CMEK encryption

This example creates a Cloud KMS key in the same region as the instance, grants the project's Cloud SQL service agent the cryptoKeyEncrypterDecrypter role on it, and passes the key to the module for disk encryption of the primary instance. The key must live in the instance's region; replicas in other regions need a key in their own region, passed via encryption_key_name in the replicas map.

module "project" {
  source          = "./fabric/modules/project"
  billing_account = var.billing_account_id
  parent          = var.organization_id
  name            = "my-db-project"
  services = [
    "servicenetworking.googleapis.com",
    "sqladmin.googleapis.com",
  ]
}

module "kms" {
  source     = "./fabric/modules/kms"
  project_id = module.project.project_id
  keyring = {
    name     = "keyring"
    location = var.region
  }
  keys = {
    key-sql = null
  }
  key_iam = {
    key-sql = {
      "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
        "serviceAccount:${module.project.service_accounts.robots.sqladmin}"
      ]
    }
  }
}

module "db" {
  source              = "./fabric/modules/cloudsql-instance"
  project_id          = module.project.project_id
  encryption_key_name = module.kms.keys["key-sql"].id
  network             = var.vpc.self_link
  name                = "db"
  region              = var.region
  database_version    = "POSTGRES_13"
  tier                = "db-g1-small"
}

# tftest modules=3 resources=10
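Added example, not from the module's README, extending the CMEK setup above to a cross-regional replica. Cloud SQL requires the key to be in the instance's region, so the primary and the replica each get a key from a keyring in their own region, created with two instances of the kms module. It reuses the project module from the example above and assumes var.vpc is defined as in the other examples.

```hcl
# Keyring and key in the primary instance's region.
module "kms-primary" {
  source     = "./fabric/modules/kms"
  project_id = module.project.project_id
  keyring = {
    name     = "keyring-europe-west1"
    location = "europe-west1"
  }
  keys = {
    key-sql = null
  }
  key_iam = {
    key-sql = {
      "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
        "serviceAccount:${module.project.service_accounts.robots.sqladmin}"
      ]
    }
  }
}

# Second keyring and key in the replica's region; the same Cloud SQL
# service agent needs encrypt/decrypt on this key too.
module "kms-replica" {
  source     = "./fabric/modules/kms"
  project_id = module.project.project_id
  keyring = {
    name     = "keyring-europe-west3"
    location = "europe-west3"
  }
  keys = {
    key-sql = null
  }
  key_iam = {
    key-sql = {
      "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
        "serviceAccount:${module.project.service_accounts.robots.sqladmin}"
      ]
    }
  }
}

module "db" {
  source              = "./fabric/modules/cloudsql-instance"
  project_id          = module.project.project_id
  network             = var.vpc.self_link
  name                = "db"
  region              = "europe-west1"
  database_version    = "POSTGRES_13"
  tier                = "db-g1-small"
  encryption_key_name = module.kms-primary.keys["key-sql"].id

  replicas = {
    # The replica's key must come from the europe-west3 keyring; passing the
    # europe-west1 key here fails at instance creation.
    replica1 = {
      region              = "europe-west3"
      encryption_key_name = module.kms-replica.keys["key-sql"].id
    }
  }
}
```

Setting encryption_key_name = null for a replica, as in the cross-regional example above, leaves that replica on Google-managed encryption even when the primary uses CMEK, so review the replicas map whenever a key is mandated.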

Enable public IP

Use ipv4_enabled to create instances with a public IP. Without authorized_networks, the public address only accepts connections brokered through the Cloud SQL Admin API (for example the Cloud SQL Auth Proxy); set authorized_networks to allow direct connections from specific CIDR ranges, and consider require_ssl to reject unencrypted sessions.

module "db" {
  source           = "./fabric/modules/cloudsql-instance"
  project_id       = var.project_id
  network          = var.vpc.self_link
  name             = "db"
  region           = "europe-west1"
  tier             = "db-g1-small"
  database_version = "MYSQL_8_0"
  ipv4_enabled     = true
  replicas = {
    replica1 = { region = "europe-west3", encryption_key_name = null }
  }
}
# tftest modules=1 resources=2 inventory=public-ip.yaml
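Added example, not part of the module's README, showing the same public-IP instance with the exposure narrowed using only inputs listed in the Variables section. The CIDR ranges are placeholders.

```hcl
module "db" {
  source           = "./fabric/modules/cloudsql-instance"
  project_id       = var.project_id
  network          = var.vpc.self_link
  name             = "db"
  region           = "europe-west1"
  tier             = "db-g1-small"
  database_version = "MYSQL_8_0"

  # The instance gets an internet-routable address.
  ipv4_enabled = true

  # Only these source ranges may open direct connections to the public IP
  # (placeholder ranges). Clients using the Cloud SQL Auth Proxy do not need
  # to be listed here, so keep this map as small as possible.
  authorized_networks = {
    office-vpn = "203.0.113.0/24"
    ci-runner  = "198.51.100.7/32"
  }

  # Reject plaintext sessions on both the public and the private address.
  require_ssl = true
}
```

If every client goes through the Cloud SQL Auth Proxy, leave authorized_networks at its default of null: the public IP is then unreachable for direct logins, and require_ssl still forces TLS for the proxied sessions.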

Query Insights

Provide insights_config (an empty object {} is enough) to enable Query Insights; leaving it at the default null keeps Query Insights disabled.

module "db" {
  source           = "./fabric/modules/cloudsql-instance"
  project_id       = var.project_id
  network          = var.vpc.self_link
  name             = "db"
  region           = "europe-west1"
  database_version = "POSTGRES_13"
  tier             = "db-g1-small"

  insights_config = {
    query_string_length = 2048
  }
}
# tftest modules=1 resources=1 inventory=insights.yaml

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| database_version | Database type and version to create. | string | ✓ | |
| name | Name of primary instance. | string | ✓ | |
| network | VPC self link where the instances will be deployed. Private Service Networking must be enabled and configured in this VPC. | string | ✓ | |
| project_id | The ID of the project where the instances will be created. | string | ✓ | |
| region | Region of the primary instance. | string | ✓ | |
| tier | The machine type to use for the instances. | string | ✓ | |
| activation_policy | Specifies when the instance should be active. Can be either ALWAYS, NEVER or ON_DEMAND. | string | | "ALWAYS" |
| allocated_ip_ranges | (Optional) The name of the allocated IP range for the private IP Cloud SQL instance, for example "google-managed-services-default". If set, the instance IP will be created in the allocated range. The range name must comply with RFC 1035: 1-63 characters, matching `[a-z]([-a-z0-9]*[a-z0-9])?`. | object({…}) | | {} |
| authorized_networks | Map of NAME=>CIDR_RANGE allowed to connect to the database(s). | map(string) | | null |
| availability_type | Availability type for the primary instance. Either ZONAL or REGIONAL. | string | | "ZONAL" |
| backup_configuration | Backup settings for the primary instance. Automatically enabled when using MySQL with one or more replicas. | object({…}) | | {…} |
| databases | Databases to create once the primary instance is created. | list(string) | | null |
| deletion_protection | Prevent Terraform from deleting instances. | bool | | false |
| disk_size | Disk size in GB. Set to null to enable autoresize. | number | | null |
| disk_type | The type of data disk: PD_SSD or PD_HDD. | string | | "PD_SSD" |
| encryption_key_name | The full path to the encryption key used for the CMEK disk encryption of the primary instance. | string | | null |
| flags | Map FLAG_NAME=>VALUE for database-specific tuning. | map(string) | | null |
| insights_config | Query Insights configuration. Defaults to null, which disables Query Insights. | object({…}) | | null |
| ipv4_enabled | Add a public IP address to the database instance. | bool | | false |
| labels | Labels to be attached to all instances. | map(string) | | null |
| postgres_client_certificates | List of client certificate names to create, for applications connecting over public IP with SSL. | list(string) | | null |
| prefix | Optional prefix used to generate instance names. | string | | null |
| replicas | Map of NAME=>{REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation. | map(object({…})) | | {} |
| require_ssl | Enable SSL connections only. | bool | | null |
| root_password | Root password of the Cloud SQL instance. Required for MS SQL Server. | string | | null |
| users | Map of users to create in the primary instance (and replicated to the replicas) in the format USER=>PASSWORD. For MySQL, anything after the first @ (if present) will be used as the user's host. Set PASSWORD to null if you want an autogenerated password. | map(string) | | null |

Outputs

| name | description | sensitive |
|---|---|---|
| connection_name | Connection name of the primary instance. | |
| connection_names | Connection names of all instances. | |
| id | Fully qualified primary instance id. | |
| ids | Fully qualified ids of all instances. | |
| instances | Cloud SQL instance resources. | ✓ |
| ip | IP address of the primary instance. | |
| ips | IP addresses of all instances. | |
| name | Name of the primary instance. | |
| names | Names of all instances. | |
| postgres_client_certificates | The CA certificate used to connect to the SQL instance via SSL. | ✓ |
| self_link | Self link of the primary instance. | |
| self_links | Self links of all instances. | |
| user_passwords | Map containing the passwords of all users created through Terraform. | ✓ |