{"id":19442371,"url":"https://github.com/ackeecz/terraform-sql-postgresql","last_synced_at":"2025-04-25T00:31:47.032Z","repository":{"id":45263447,"uuid":"279865154","full_name":"AckeeCZ/terraform-sql-postgresql","owner":"AckeeCZ","description":"Provision GCP Cloud SQL PostgreSQL instance","archived":false,"fork":false,"pushed_at":"2023-03-16T16:27:59.000Z","size":123,"stargazers_count":6,"open_issues_count":0,"forks_count":3,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-04-15T00:06:33.875Z","etag":null,"topics":["cloudsql","gcp","kubernetes","terraform"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AckeeCZ.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-07-15T12:41:37.000Z","updated_at":"2023-06-05T12:59:20.000Z","dependencies_parsed_at":"2023-02-13T22:05:31.877Z","dependency_job_id":null,"html_url":"https://github.com/AckeeCZ/terraform-sql-postgresql","commit_stats":null,"previous_names":[],"tags_count":49,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AckeeCZ%2Fterraform-sql-postgresql","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AckeeCZ%2Fterraform-sql-postgresql/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AckeeCZ%2Fterraform-sql-postgresql/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AckeeCZ%2Fterraform-sql-postgresql/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AckeeCZ","download_url":"https://codeload.github.com/AckeeC
Z/terraform-sql-postgresql/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223974728,"owners_count":17234705,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloudsql","gcp","kubernetes","terraform"],"created_at":"2024-11-10T15:39:06.781Z","updated_at":"2024-11-10T15:39:07.345Z","avatar_url":"https://github.com/AckeeCZ.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Terraform Google Cloud SQL Postgres module with K8s secret deploy\n\nTerraform module for provisioning GCP SQL Postgres database. It should also deploy the username and password to K8s\nas a secret. 
That secret can be used when setting up a Cloud SQL proxy pod.\n\n## Usage\n\n```hcl\nmodule \"postgresql\" {\n  source  = \"AckeeCZ/postgresql/sql\"\n\n  project = \"${var.project}\"\n  region = \"${var.region}\"\n  zone = \"${var.zone}\"\n  namespace = \"${var.namespace}\"\n  cluster_ca_certificate = \"${module.gke.cluster_ca_certificate}\"\n  cluster_user = \"${module.gke.cluster_username}\"\n  cluster_pass = \"${module.gke.cluster_password}\"\n  cluster_endpoint = \"${module.gke.endpoint}\"\n  environment = \"production\"\n  instance_tier = \"db-n1-standard-1\" # optional, default is db-n1-standard-1\n  availability_type = \"REGIONAL\" # REGIONAL for HA setup, ZONAL for single zone\n  vault_secret_path = \"secret/devops/generated/${TYPE}/${var.project}/${var.environment}\" # ${TYPE} should be set to internal for internal projects, external for external projects\n  read_replicas = {\n    replica-a : {\n      instance_tier = \"db-custom-1-3840\"\n      ipv4_enabled  = false\n      zone          = \"europe-west3-a\"\n    },\n    replica-b : {\n      instance_tier = \"db-custom-1-3840\"\n      ipv4_enabled  = false\n      zone          = \"europe-west3-b\"\n    },\n  }\n}\n```\n\n## Read replicas\n\nRead replicas are configured from the `read_replicas` parameter map. Each key serves as the replica name and is appended to the primary's `instance_name` local variable.\n\nEvery read replica has four parameters:\n* `instance_tier`: Instance type for the replica, equivalent of the primary's `instance_tier` parameter.\n* `ipv4_enabled`: Availability of a public IP address on the replica, equivalent of the primary's `ipv4_enabled` parameter.\n* `zone`: Zone where the read replica is deployed. This is a bit different from the primary's `zone` parameter: on the primary instance we define a \"preferred location\", and an HA instance will change its location in case of failover, but read replicas have their zone hard set.\n* `authorized_networks`: List of maps of strings describing the authorized networks allowed to connect to the Cloud SQL read replica instance, example: [{name: the_office, cidr: 1.2.3.4/31}]. This parameter is `optional`.\n\n## Before you do anything in this module\n\nInstall the pre-commit hooks by running the following commands:\n\n```shell\nbrew install pre-commit terraform-docs\npre-commit install\n```\n\n## Dependencies\n\nGKE module: https://gitlab.ack.ee/Infra/terraform-gke-vpc\n\n## Example SQL proxy specification\n\n[proxy.yaml](https://gitlab.ack.ee/Ackee/infrastruktura-templates/blob/master/k8s/production/services/proxy.yaml) in the infrastruktura-templates repo\n\n\u003c!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 0.15 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_google\"\u003e\u003c/a\u003e [google](#provider\\_google) | n/a |\n| \u003ca name=\"provider_kubernetes\"\u003e\u003c/a\u003e [kubernetes](#provider\\_kubernetes) | n/a |\n| \u003ca name=\"provider_random\"\u003e\u003c/a\u003e [random](#provider\\_random) | n/a |\n| \u003ca name=\"provider_vault\"\u003e\u003c/a\u003e [vault](#provider\\_vault) | n/a |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [google_compute_global_address.psql_private_ip_address](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_address) | resource |\n| [google_project_iam_member.sqlproxy_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |\n| 
[google_project_service.enable-servicenetworking-api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |\n| [google_project_service.enable_sqladmin_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |\n| [google_service_account.sqlproxy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |\n| [google_service_account_key.sqlproxy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource |\n| [google_service_networking_connection.private_vpc_connection](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_networking_connection) | resource |\n| [google_sql_database.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database) | resource |\n| [google_sql_database_instance.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance) | resource |\n| [google_sql_database_instance.read_replica](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance) | resource |\n| [google_sql_user.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_user) | resource |\n| [google_sql_user.postgres](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_user) | resource |\n| [kubernetes_endpoints.cloudsql](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/endpoints) | resource |\n| [kubernetes_secret.sqlproxy](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |\n| [kubernetes_service.cloudsql](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service) | resource |\n| 
[random_id.instance_name_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |\n| [random_password.postgres_default](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |\n| [random_password.postgres_postgres](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |\n| [vault_generic_secret.default](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/generic_secret) | resource |\n| [google_compute_network.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_network) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_authorized_networks\"\u003e\u003c/a\u003e [authorized\\_networks](#input\\_authorized\\_networks) | List of maps of strings authorized networks allowed to connect to Cloud SQL instance, example: [{name: the\\_office, cidr: 1.2.3.4/31}] | `list(map(string))` | `[]` | no |\n| \u003ca name=\"input_availability_type\"\u003e\u003c/a\u003e [availability\\_type](#input\\_availability\\_type) | The availability type of the Cloud SQL instance, high availability (REGIONAL) or single zone (ZONAL) | `string` | `\"ZONAL\"` | no |\n| \u003ca name=\"input_backup_location\"\u003e\u003c/a\u003e [backup\\_location](#input\\_backup\\_location) | Location of backups | `string` | `\"eu\"` | no |\n| \u003ca name=\"input_backup_start_time\"\u003e\u003c/a\u003e [backup\\_start\\_time](#input\\_backup\\_start\\_time) | The time, when backup starts | `string` | `\"03:00\"` | no |\n| \u003ca name=\"input_cloudsql_port\"\u003e\u003c/a\u003e [cloudsql\\_port](#input\\_cloudsql\\_port) | CloudSQL's port | `number` | `5432` | no |\n| \u003ca name=\"input_cluster_ca_certificate\"\u003e\u003c/a\u003e [cluster\\_ca\\_certificate](#input\\_cluster\\_ca\\_certificate) | 
Public CA certificate that is the root of trust for the GKE K8s cluster | `string` | `null` | no |\n| \u003ca name=\"input_cluster_endpoint\"\u003e\u003c/a\u003e [cluster\\_endpoint](#input\\_cluster\\_endpoint) | Cluster control plane endpoint | `string` | `\"example.com:8080\"` | no |\n| \u003ca name=\"input_cluster_token\"\u003e\u003c/a\u003e [cluster\\_token](#input\\_cluster\\_token) | Cluster master token, keep always secret! | `string` | `null` | no |\n| \u003ca name=\"input_database_flags\"\u003e\u003c/a\u003e [database\\_flags](#input\\_database\\_flags) | The optional settings.database\\_flags list of values, where key is name and value is value from documentation: https://www.terraform.io/docs/providers/google/r/sql_database_instance.html | `map(string)` | `{}` | no |\n| \u003ca name=\"input_db_version\"\u003e\u003c/a\u003e [db\\_version](#input\\_db\\_version) | Database version | `string` | `\"POSTGRES_11\"` | no |\n| \u003ca name=\"input_default_dbname_override\"\u003e\u003c/a\u003e [default\\_dbname\\_override](#input\\_default\\_dbname\\_override) | Overrides default postgres database name | `string` | `null` | no |\n| \u003ca name=\"input_deletion_protection\"\u003e\u003c/a\u003e [deletion\\_protection](#input\\_deletion\\_protection) | Whether or not to allow Terraform to destroy the instance. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply command that deletes the instance will fail. 
| `bool` | `true` | no |\n| \u003ca name=\"input_disk_autoresize\"\u003e\u003c/a\u003e [disk\\_autoresize](#input\\_disk\\_autoresize) | Configuration to increase storage size automatically | `bool` | `true` | no |\n| \u003ca name=\"input_disk_autoresize_limit\"\u003e\u003c/a\u003e [disk\\_autoresize\\_limit](#input\\_disk\\_autoresize\\_limit) | Limit of disk space for autoresize | `number` | `0` | no |\n| \u003ca name=\"input_enable_query_insights\"\u003e\u003c/a\u003e [enable\\_query\\_insights](#input\\_enable\\_query\\_insights) | Enable query insights https://cloud.google.com/sql/docs/postgres/insights-overview | `bool` | `true` | no |\n| \u003ca name=\"input_environment\"\u003e\u003c/a\u003e [environment](#input\\_environment) | Project environment, e.g. stage, production and development | `string` | `\"development\"` | no |\n| \u003ca name=\"input_instance_tier\"\u003e\u003c/a\u003e [instance\\_tier](#input\\_instance\\_tier) | The machine type to use | `string` | `\"db-custom-1-3840\"` | no |\n| \u003ca name=\"input_kubernetes_service_name\"\u003e\u003c/a\u003e [kubernetes\\_service\\_name](#input\\_kubernetes\\_service\\_name) | Name of the kubernetes service | `string` | `\"cloudsql\"` | no |\n| \u003ca name=\"input_maintenance_window_day\"\u003e\u003c/a\u003e [maintenance\\_window\\_day](#input\\_maintenance\\_window\\_day) | The day on which the maintenance window is performed | `string` | `\"7\"` | no |\n| \u003ca name=\"input_maintenance_window_hour\"\u003e\u003c/a\u003e [maintenance\\_window\\_hour](#input\\_maintenance\\_window\\_hour) | The hour at which the maintenance window begins | `string` | `\"4\"` | no |\n| \u003ca name=\"input_name_override\"\u003e\u003c/a\u003e [name\\_override](#input\\_name\\_override) | Sets the complete CloudSQL instance name | `string` | `null` | no |\n| \u003ca name=\"input_namespace\"\u003e\u003c/a\u003e [namespace](#input\\_namespace) | K8s namespace into which the Cloud SQL credentials secret is inserted | `string` | `\"production\"` | no 
|\n| \u003ca name=\"input_network\"\u003e\u003c/a\u003e [network](#input\\_network) | GCE VPC used for possible private IP addresses | `string` | `\"default\"` | no |\n| \u003ca name=\"input_password_length\"\u003e\u003c/a\u003e [password\\_length](#input\\_password\\_length) | Password length of postgres users | `number` | `16` | no |\n| \u003ca name=\"input_password_special\"\u003e\u003c/a\u003e [password\\_special](#input\\_password\\_special) | Use special characters for passwords of postgres users | `bool` | `true` | no |\n| \u003ca name=\"input_point_in_time_recovery\"\u003e\u003c/a\u003e [point\\_in\\_time\\_recovery](#input\\_point\\_in\\_time\\_recovery) | Enable Point-in-time recovery (effectively turns on WAL) | `bool` | `false` | no |\n| \u003ca name=\"input_private_ip\"\u003e\u003c/a\u003e [private\\_ip](#input\\_private\\_ip) | If set to true, private IP address will get allocated and connect it to VPC network set in `var.network` in the project -- once enabled, this can't be turned off. | `bool` | `false` | no |\n| \u003ca name=\"input_project\"\u003e\u003c/a\u003e [project](#input\\_project) | GCP project name | `string` | n/a | yes |\n| \u003ca name=\"input_provision_kubernetes_resources\"\u003e\u003c/a\u003e [provision\\_kubernetes\\_resources](#input\\_provision\\_kubernetes\\_resources) | Should we provision anything that needs Kubernetes? | `bool` | `true` | no |\n| \u003ca name=\"input_public_ip\"\u003e\u003c/a\u003e [public\\_ip](#input\\_public\\_ip) | If set to true, public IP address will get allocated | `bool` | `false` | no |\n| \u003ca name=\"input_query_string_length_insights\"\u003e\u003c/a\u003e [query\\_string\\_length\\_insights](#input\\_query\\_string\\_length\\_insights) | Insights maximum query length stored in bytes. Between 256 and 4500. Default to 1024. 
| `number` | `1024` | no |\n| \u003ca name=\"input_random_id_length\"\u003e\u003c/a\u003e [random\\_id\\_length](#input\\_random\\_id\\_length) | Byte length of the random ID used as a suffix in the SQL instance name | `number` | `4` | no |\n| \u003ca name=\"input_read_replicas\"\u003e\u003c/a\u003e [read\\_replicas](#input\\_read\\_replicas) | Map of maps where each key is the read replica name and the value sets some parameters of that read replica. For more information see the README section Read replicas | `map` | `{}` | no |\n| \u003ca name=\"input_region\"\u003e\u003c/a\u003e [region](#input\\_region) | GCP region | `string` | `\"europe-west3\"` | no |\n| \u003ca name=\"input_secondary_zone\"\u003e\u003c/a\u003e [secondary\\_zone](#input\\_secondary\\_zone) | secondary GCP region preference | `string` | `null` | no |\n| \u003ca name=\"input_sqlproxy_dependencies\"\u003e\u003c/a\u003e [sqlproxy\\_dependencies](#input\\_sqlproxy\\_dependencies) | If set to true, we will create the dependencies for running SQLproxy - GCP IAM SA, Kubernetes secret and Kubernetes Service | `bool` | `true` | no |\n| \u003ca name=\"input_sqlproxy_service_account_name\"\u003e\u003c/a\u003e [sqlproxy\\_service\\_account\\_name](#input\\_sqlproxy\\_service\\_account\\_name) | SQL instance service account name | `string` | `null` | no |\n| \u003ca name=\"input_transaction_log_retention_days\"\u003e\u003c/a\u003e [transaction\\_log\\_retention\\_days](#input\\_transaction\\_log\\_retention\\_days) | The number of days of transaction logs we retain for point in time restore, from 1-7. | `number` | `null` | no |\n| \u003ca name=\"input_user_labels\"\u003e\u003c/a\u003e [user\\_labels](#input\\_user\\_labels) | Labels applied to the instance | `map(string)` | `{}` | no |\n| \u003ca name=\"input_user_suffix\"\u003e\u003c/a\u003e [user\\_suffix](#input\\_user\\_suffix) | Suffix - used, for instance, when you create a clone. 
Should include starting dash | `string` | `\"\"` | no |\n| \u003ca name=\"input_vault_secret_path\"\u003e\u003c/a\u003e [vault\\_secret\\_path](#input\\_vault\\_secret\\_path) | Path to secret in local vault, used mainly to save gke credentials | `string` | n/a | yes |\n| \u003ca name=\"input_zone\"\u003e\u003c/a\u003e [zone](#input\\_zone) | The preferred compute engine zone | `string` | `\"europe-west3-c\"` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_instance_connection_name\"\u003e\u003c/a\u003e [instance\\_connection\\_name](#output\\_instance\\_connection\\_name) | PSQL instance connection name |\n| \u003ca name=\"output_instance_name\"\u003e\u003c/a\u003e [instance\\_name](#output\\_instance\\_name) | PSQL instance name |\n| \u003ca name=\"output_postgres_default_password\"\u003e\u003c/a\u003e [postgres\\_default\\_password](#output\\_postgres\\_default\\_password) | PSQL password to default user |\n| \u003ca name=\"output_postgres_instance_connection_name\"\u003e\u003c/a\u003e [postgres\\_instance\\_connection\\_name](#output\\_postgres\\_instance\\_connection\\_name) | PSQL instance connection name |\n| \u003ca name=\"output_postgres_instance_ip_settings\"\u003e\u003c/a\u003e [postgres\\_instance\\_ip\\_settings](#output\\_postgres\\_instance\\_ip\\_settings) | PSQL instance IP address settings |\n| \u003ca name=\"output_postgres_instance_name\"\u003e\u003c/a\u003e [postgres\\_instance\\_name](#output\\_postgres\\_instance\\_name) | PSQL instance name |\n| \u003ca name=\"output_postgres_postgres_password\"\u003e\u003c/a\u003e [postgres\\_postgres\\_password](#output\\_postgres\\_postgres\\_password) | PSQL password to postgres user |\n| \u003ca name=\"output_postgres_reader_instance_ip_settings\"\u003e\u003c/a\u003e [postgres\\_reader\\_instance\\_ip\\_settings](#output\\_postgres\\_reader\\_instance\\_ip\\_settings) | PSQL instance IP address settings of read replicas |\n\u003c!-- END OF 
PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fackeecz%2Fterraform-sql-postgresql","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fackeecz%2Fterraform-sql-postgresql","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fackeecz%2Fterraform-sql-postgresql/lists"}