A Terraform module for Google Cloud Platform (GCP).
This module supports Terraform version 1 and is compatible with the Terraform Google Provider version 4. and 5._**
NOTE: This module doesn't support SQL Server
This module is part of our Infrastructure as Code (IaC) framework that enables our users and customers to easily deploy and manage reusable, secure, and production-grade cloud infrastructure.
- Module Features
- Getting Started
- Module Argument Reference
- Module Outputs
- External Documentation
- Module Versioning
- About Mineiros
- Reporting Issues
- Contributing
- Makefile Targets
- License
This module implements the following terraform resources:
google_sql_database_instance
google_sql_database
google_sql_ssl_cert
google_sql_user
Most basic usage just setting required arguments:
module "terraform-google-cloud-sql" {
source = "github.com/mineiros-io/terraform-google-cloud-sql.git?ref=v0.1.0"
tier = "db-f1-micro"
database_version = "MYSQL_5_6"
}
See variables.tf and examples/ for details and use-cases.
-
module_enabled
: (Optionalbool
)Specifies whether resources in the module will be created.
Default is
true
. -
module_depends_on
: (Optionallist(dependency)
)A list of dependencies. Any object can be assigned to this list to define a hidden external dependency.
Example:
module_depends_on = [ google_network.network ]
-
database_version
: (Requiredstring
)The MySQL or PostgreSQL version to use.
-
tier
: (Requiredstring
)The machine type to use.
-
project
: (Requiredstring
)The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
-
name
: (Optionalstring
)The name of the instance. If the name is left blank, Terraform will randomly generate one when the instance is first created. This is done because after a name is used, it cannot be reused for up to one week.
-
region
: (Optionalstring
)The region the instance will sit in. If a region is not provided in the resource definition, the provider region will be used instead.
-
master_instance_name
: (Optionalstring
)The name of the existing instance that will act as the master in the replication setup. Note, this requires the master to have
binary_log_enabled
set, as well as existing backups. -
deletion_protection
: (Optionalbool
)Whether or not to allow Terraform to destroy the instance.
Default is
true
. -
deletion_protection_enabled
: (Optionalbool
)Enables deletion protection of an instance at the GCP level.
Default is
false
. -
encryption_key_name
: (Optionalstring
)The full path to the encryption key used for the CMEK disk encryption.
Default is
null
. -
activation_policy
: (Optionalstring
)This specifies when the instance should be active. Can be either
ALWAYS
,NEVER
orON_DEMAND
. -
activation_policy
: (Optionalstring
)This specifies when the instance should be active. Can be either
ALWAYS
,NEVER
orON_DEMAND
. -
availability_type
: (Optionalstring
)The availability type of the Cloud SQL instance, high availability
REGIONAL
or single zoneZONAL
. For MySQL instances, ensure thatsettings.backup_configuration.enabled
andsettings.backup_configuration.binary_log_enabled
are both set totrue
. -
disk_autoresize
: (Optionalbool
)Configuration to increase storage size automatically.
Default is
true
. -
disk_autoresize_limit
: (Optionalnumber
)The maximum size in GB to which storage capacity can be automatically increased. The default value is 0, which specifies that there is no limit.
Default is
0
. -
disk_size
: (Optionalnumber
)The size of data disk, in GB. Size of a running instance cannot be reduced but can be increased.
Default is
10
. -
disk_type
: (Optionalstring
)The type of data disk:
PD_SSD
orPD_HDD
.Default is
"PD_SSD"
. -
pricing_plan
: (Optionalstring
)Pricing plan for this instance, can only be
PER_USE
. -
user_labels
: (Optionalmap(string)
)A set of key/value user label pairs to assign to the instance.
-
database_flags
: (Optionallist(database_flag)
)A list of database flags.
Each
database_flag
object in the list accepts the following attributes: -
backup_configuration
: (Optionalobject(backup_configuration)
)An object of backup configuration.
Example:
backup_configuration = { enabled = true start_time = "17:00" }
The
backup_configuration
object accepts the following attributes:-
binary_log_enabled
: (Optionalbool
)True if binary logging is enabled. If
settings.backup_configuration.enabled
isfalse
, this must be as well. Cannot be used with Postgres. -
enabled
: (Optionalbool
)True if backup configuration is enabled.
-
start_time
: (Optionalstring
)HH:MM
format time indicating when backup configuration starts. -
point_in_time_recovery_enabled
: (Optionalbool
)True if Point-in-time recovery is enabled. Will restart database if enabled after instance creation. Valid only for PostgreSQL instances.
-
location
: (Optionalstring
)The region where the backup will be stored.
-
transaction_log_retention_days
: (Optionalnumber
)The number of days of transaction logs we retain for point in time restore, from 1-7.
-
backup_retention_settings
: (Optionallist(backup_retention_setting)
)A List of backup retention settings.
Example:
backup_retention_settings = [{ retained_backups = 3 retention_unit = "COUNT" }]
Each
backup_retention_setting
object in the list accepts the following attributes:-
retained_backups
: (Optionalnumber
)Depending on the value of
retention_unit
, this is used to determine if a backup needs to be deleted. Ifretention_unit
isCOUNT
, we will retain this many backups. -
retention_unit
: (Optionalstring
)The unit that
retained_backups
represents.Default is
"COUNT"
.
-
-
-
ip_configuration
: (Optionalobject(ip_configuration)
)An object of ip configuration.
Example:
ip_configuration = { ipv4_enabled = true }
The
ip_configuration
object accepts the following attributes:-
ipv4_enabled
: (Optionalbool
)Whether this Cloud SQL instance should be assigned a public IPV4 address. At least
ipv4_enabled
must be enabled or aprivate_network
must be configured. -
private_network
: (Optionalstring
)The VPC network from which the Cloud SQL instance is accessible for private IP. For example,
projects/myProject/global/networks/default
. Specifying a network enables private IP. At leastipv4_enabled
must be enabled or aprivate_network
must be configured. This setting can be updated, but it cannot be removed after it is set. This setting only works if the VPC network has a peering connection configured withservicenetworking.googleapis.com
. -
require_ssl
: (Optionalbool
)Whether SSL connections over IP are enforced or not.
-
ssl_mode
: (Optionalstring
)Specify how SSL connection should be enforced in DB connections. To change this field, also set the correspoding value in require_ssl. Check the value pairs API reference
-
allocated_ip_range
: (Optionalstring
)The name of the allocated ip range for the private ip CloudSQL instance. For example:
google-managed-services-default
. If set, the instance ip will be created in the allocated range. The range name must comply with RFC 1035. Specifically, the name must be 1-63 characters long and match the regular expressiona-z?
. -
authorized_networks
: (Optionallist(authorized_network)
)A List of public IPs/networks authorized to access the CloudSQL instance.
Example:
authorized_networks = [{ value = "35.35.35.35/32" }]
Each
authorized_network
object in the list accepts the following attributes:-
expiration_time
: (Optionalstring
)The RFC 3339 formatted date time string indicating when this whitelist expires.
-
name
: (Optionalstring
)A name for this whitelist entry.
-
value
: (Requiredstring
)A CIDR notation public IPv4 or IPv6 address that is allowed to access this instance. Must be set even if other two attributes are not for the whitelist to become active.
-
-
psc_config
: (Optionallist(psc_config)
)Settings for Private Service Connect.
Example:
psc_enabled = true allowed_consumer_projects = ["test123"]
Each
psc_config
object in the list accepts the following attributes:-
psc_enabled
: (Optionalbool
)Whether PSC connectivity is enabled for this instance.
-
allowed_consumer_projects
: (Optionallist(string)
)List of consumer projects that are allow-listed for PSC connections to this instance.
-
-
-
location_preference
: (Optionalobject(location_preference)
)An object of location preferences.
Example:
location_preference = { zone = "us-central1-a" }
The
location_preference
object accepts the following attributes:-
follow_gae_application
: (Optionalstring
)A GAE application whose zone to remain in. Must be in the same region as this instance.
-
zone
: (Optionalstring
)The preferred compute engine zone.
-
-
maintenance_window
: (Optionalobject(maintenance_window)
)An object of maintenance window.
Example:
maintenance_window = { day = 1 hour = 0 update_track = "stable" }
The
maintenance_window
object accepts the following attributes:-
day
: (Optionalnumber
)Day of week (1-7), starting on Monday.
-
hour
: (Optionalnumber
)Hour of day (0-23), ignored if day not set.
-
update_track
: (Optionalstring
)Receive updates earlier
canary
or laterstable
.
-
-
deny_maintenance_period
: (Optionalobject(deny_maintenance_period)
)An object of maintenance window.
Example:
deny_maintenance_period = { start_date = "2020-11-01" end_date = "2020-11-01" time = "00:00:00" }
The
deny_maintenance_period
object accepts the following attributes:-
start_date
: (Optionalstring
)(Required) "deny maintenance period" start date. If the year of the start date is empty, the year of the end date also must be empty. In this case, it means the deny maintenance period recurs every year.
-
end_date
: (Optionalstring
)(Required) "deny maintenance period" end date. If the year of the end date is empty, the year of the start date also must be empty. In this case, it means the no maintenance interval recurs every year.
-
time
: (Optionalstring
)(Required) Time in UTC when the "deny maintenance period" starts on startDate and ends on endDate.
-
-
insights_config
: (Optionalobject(insights_config)
)An object of insight config.
Example:
insights_config = { query_insights_enabled = true }
The
insights_config
object accepts the following attributes:-
query_insights_enabled
: (Optionalbool
)True if Query Insights feature is enabled.
-
query_string_length
: (Optionalnumber
)Maximum query length stored in bytes. Between 256 and 4500. Default to 1024.
Default is
1024
. -
record_application_tags
: (Optionalbool
)True if Query Insights will record application tags from query when enabled.
-
record_client_address
: (Optionalbool
)True if Query Insights will record client address when enabled.
-
-
password_validation_policy
: (Optionalobject(password_validation_policy)
)An object of password_validation_policy config.
Example:
password_validation_policy = { min_length = 15 complexity = "COMPLEXITY_DEFAULT" reuse_interval = 10 disallow_username_substring = true password_change_interval = "10d" enable_password_policy = true }
The
password_validation_policy
object accepts the following attributes:-
min_length
: (Optionalnumber
)Specifies the minimum number of characters that the password must have.
-
complexity
: (Optionalstring
)Checks if the password is a combination of lowercase, uppercase, numeric, and non-alphanumeric characters.
-
reuse_interval
: (Optionalnumber
)Specifies the number of previous passwords that you can't reuse.
-
disallow_username_substring
: (Optionalbool
)Prevents the use of the username in the password.
-
password_change_interval
: (Optionalstring
)Specifies the minimum duration after which you can change the password.
-
enable_password_policy
: (Optionalbool
)Enables or disable the password validation policy.
-
-
data_cache_config
: (Optionalobject(advanced_machine_features)
)An object if data cache config.
Example:
data_cache_config = { data_cache_enabled = true }
The
advanced_machine_features
object accepts the following attributes:-
data_cache_enabled
: (Optionalbool
)Whether data cache is enabled for the instance (MYSQL,PostgreSQL).
-
-
replica_configuration
: (Optionalobject(replica_configuration)
)An object of replica configuration.
Example:
replica_configuration = { failover_target = true }
The
replica_configuration
object accepts the following attributes:-
ca_certificate
: (Optionalstring
)PEM representation of the trusted CA's x509 certificate.
-
client_certificate
: (Optionalstring
)PEM representation of the replica's x509 certificate.
-
client_key
: (Optionalstring
)PEM representation of the replica's private key. The corresponding public key in encoded in the
client_certificate
. -
connect_retry_interval
: (Optionalnumber
)The number of seconds between connect retries.
Default is
60
. -
dump_file_path
: (Optionalstring
)Path to a SQL file in GCS from which replica instances are created. Format is
gs://bucket/filename
. -
failover_target
: (Optionalbool
)Specifies if the replica is the failover target. If the field is set to true the replica will be designated as a failover replica. If the master instance fails, the replica instance will be promoted as the new master instance.
-
master_heartbeat_period
: (Optionalnumber
)Time in ms between replication heartbeats.
-
password
: (Optionalstring
)Password for the replication connection.
-
ssl_cipher
: (Optionalstring
)Permissible ciphers for use in SSL encryption.
-
username
: (Optionalstring
)Username for replication connection.
-
verify_server_certificate
: (Optionalbool
)True if the master's common name value is checked during the SSL handshake.
-
-
module_timeouts
: (Optionalmap(module_timeout)
)resource_timeouts
are keyed by resource type and define default timeouts for various terraform operations (see Operation Timeouts)Example:
module_timeouts = { google_sql_database_instance = { create = "30m" update = "30m" delete = "30m" } }
Each
module_timeout
object in the map accepts the following attributes:-
google_sql_database_instance
: (Optionalmap(string)
)-
create
: (Optional)Used for sql database instance creation.
Default is
"30m"
. -
update
: (Optional)Used for sql database instance manipulation.
Default is
"30m"
. -
delete
: (Optional)Used for sql database instance deletion.
Default is
"30m"
.
Default is
"30m"
. -
-
google_sql_database
: (Optionalmap(string)
)-
create
: (Optional)Used for sql database creation.
Default is
"15m"
. -
update
: (Optional)Used for sql database manipulation.
Default is
"10m"
. -
delete
: (Optional)Used for sql database deletion.
Default is
"10m"
.
Default is
"15m"
. -
-
google_sql_ssl_cert
: (Optionalmap(string)
)-
create
: (Optional)Used for sql user creation.
Default is
"10m"
. -
delete
: (Optional)Used for sql user deletion.
Default is
"10m"
.
Default is
"10m"
. -
-
google_sql_user
: (Optionalmap(string)
)-
create
: (Optional)Used for sql user creation.
Default is
"10m"
. -
update
: (Optional)Used for sql user manipulation.
Default is
"10m"
. -
delete
: (Optional)Used for sql user deletion.
Default is
"10m"
.
Default is
"10m"
. -
-
-
sql_databases
: (Optionallist(sql_database)
)A list of SQL databases.
Example:
sql_databases = [{ name = "db" }]
Each
sql_database
object in the list accepts the following attributes:-
name
: (Requiredstring
)The Name of the database.
-
charset
: (Optionalstring
)The charset value. Postgres databases only support a value of
UTF8
at creation time. -
collation
: (Optionalstring
)The collation value. Postgres databases only support a value of
en_US.UTF8
at creation time. -
deletion_policy
: (Optionalstring
)(Optional) The deletion policy for the database. Possible values are: "ABANDON", "DELETE". Defaults to "DELETE".
-
-
sql_ssl_certs
: (Optionallist(sql_ssl_cert)
)List of SQL SSL certs. You can create up to 10 client certificates for each instance.
Example:
sql_ssl_certs = [{ common_name = "ssl-name" }]
Each
sql_ssl_cert
object in the list accepts the following attributes:-
common_name
: (Requiredstring
)The common name to be used in the certificate to identify the client. Constrained to [a-zA-Z.-_ ]+. Changing this forces a new resource to be created.
-
-
sql_users
: (Optionallist(sql_user)
)List of SQL users.
Example:
sql_users = [{ name = "user" password = "changeme" }]
Each
sql_user
object in the list accepts the following attributes:-
name
: (Requiredstring
)The Name of the user.
-
password
: (Optionalstring
)The password for the user. Can be updated. For Postgres instances this is a Required field.
-
type
: (Optionalstring
)The user type. It determines the method to authenticate the user during login. The default is the database's built-in user type. Flags include
BUILT_IN
,CLOUD_IAM_USER
, orCLOUD_IAM_SERVICE_ACCOUNT
. -
deletion_policy
: (Optionalstring
)The deletion policy for the user. Setting
ABANDON
allows the resource to be abandoned rather than deleted. This is useful for Postgres, where users cannot be deleted from the API if they have been granted SQL roles. Possible values are:ABANDON
. -
host
: (Optionalstring
)The host the user can connect from. This is only supported for MySQL instances. Don't set this field for PostgreSQL instances. Can be an IP address. Changing this forces a new resource to be created.
-
The following attributes are exported in the outputs of the module:
-
module_enabled
: (bool
)Whether this module is enabled.
-
instance
: (object(instance)
)SQL Database Instance.
-
databases
: (map(database)
)All SQL Databases.
-
certs
: (map(cert)
)All SQL Certs.
-
users
: (map(user)
)All SQL Users.
- Available database version on GCP (SQL Server is not supported by this module): https://cloud.google.com/sql/docs/db-versions
- Configuring SSL/TLS certificates: https://cloud.google.com/sql/docs/mysql/configure-ssl-instance
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_ssl_cert
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_user
This Module follows the principles of Semantic Versioning (SemVer).
Given a version number MAJOR.MINOR.PATCH
, we increment the:
MAJOR
version when we make incompatible changes,MINOR
version when we add functionality in a backwards compatible manner, andPATCH
version when we make backwards compatible bug fixes.
- Backwards compatibility in versions
0.0.z
is not guaranteed whenz
is increased. (Initial development) - Backwards compatibility in versions
0.y.z
is not guaranteed wheny
is increased. (Pre-release)
Mineiros is a remote-first company headquartered in Berlin, Germany that solves development, automation and security challenges in cloud infrastructure.
Our vision is to massively reduce time and overhead for teams to manage and deploy production-grade and secure cloud infrastructure.
We offer commercial support for all of our modules and encourage you to reach out if you have any questions or need help. Feel free to email us at hello@mineiros.io or join our Community Slack channel.
We use GitHub Issues to track community reported issues and missing features.
Contributions are always encouraged and welcome! For the process of accepting changes, we use Pull Requests. If you'd like more information, please see our Contribution Guidelines.
This repository comes with a handy Makefile.
Run make help
to see details on each available target.
This module is licensed under the Apache License Version 2.0, January 2004. Please see LICENSE for full details.
Copyright © 2020-2022 Mineiros GmbH