cloud-foundation-fabric/examples/data-solutions/cloudsql-multiregion

Cloud SQL instance with multi-region read replicas

This example creates a Cloud SQL instance with multi-region read replicas as described in the Cloud SQL for PostgreSQL disaster recovery article.

The solution is resilient to a regional outage. To get familiar with the procedure needed in the unfortunate case of a disaster recovery, please follow steps described in part two of the aforementioned article.

The solution will use:

• VPC with Private Service Access to deploy the instances and VM
• Cloud SQL - Postgre SQL instanced with Private IP
• Goocle Cloud Storage bucket to handle database import/export
• Google Cloud Engine instance to connect to the Posgre SQL instance
• Google Cloud NAT to access internet resources

This is the high level diagram:

Requirements

This example will deploy all its resources into the project defined by the project_id variable. Please note that we assume this project already exists. However, if you provide the appropriate values to the project_create variable, the project will be created as part of the deployment.

If project_create is left to null, the identity performing the deployment needs the owner role on the project defined by the project_id variable. Otherwise, the identity performing the deployment needs resourcemanager.projectCreator on the resource hierarchy node specified by project_create.parent and billing.user on the billing account specified by project_create.billing_account_id.

Deployment

Configure the Terraform variables in your terraform.tfvars file. You need to specify at least the project_id and prefix variables. See terraform.tfvars.sample as starting point.

Run Terraform init:

$ terraform init
$ terraform apply

You should see the output of the Terraform script with resources created and some commands that you'll need in the following steps below.

Move to real use case consideration

This implementation is intentionally minimal and easy to read. A real world use case should consider:

• Using a Shared VPC
• Using VPC-SC to mitigate data exfiltration

Test your environment

We assume all those steps are run using a user listed on data_eng_principals. You can authenticate as the user using the following command:

$ gcloud init
$ gcloud auth application-default login

Below you can find commands to connect to the VM instance and Cloud SQL instance.

  $ gcloud compute ssh sql-test --project PROJECT_ID --zone ZONE
  sql-test:~$ cloud_sql_proxy -instances=CLOUDSQL_INSTANCE=tcp:5432
  sql-test:~$ psql 'host=127.0.0.1 port=5432 sslmode=disable dbname=DATABASE user=USER'

You can find computed commands on the Terraform demo_commands output.

Variables

name	description	type	required	default
postgres_user_password	postgres user password.	string	✓
prefix	Unique prefix used for resource names. Not used for project if 'project_create' is null.	string	✓
project_id	Project id, references existing project if project_create is null.	string	✓
cmek_encryption	Flag to enable CMEK on GCP resources created.	bool		false
data_eng_principals	Groups with Service Account Token creator role on service accounts in IAM format, only user supported on CloudSQL, eg 'user@domain.com'.	list(string)		[]
postgres_database	postgres database.	string		"guestbook"
project_create	Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format.	object({…})		null
regions	Map of instance_name => location where instances will be deployed.	map(string)		{…}
sql_configuration	Cloud SQL configuration	object({…})		{…}

Outputs

name	description	sensitive
bucket	Cloud storage bucket to import/export data from Cloud SQL.
connection_names	Connection name of each instance.
demo_commands	Demo commands.
ips	IP address of each instance.
project_id	ID of the project containing all the instances.
service_accounts	Service Accounts.