A Terraform module for Google Cloud Platform (GCP).

This module supports Terraform version 1 and is compatible with the Terraform Google Provider version 4. and 5._**

NOTE: This module doesn't support SQL Server

This module is part of our Infrastructure as Code (IaC) framework that enables our users and customers to easily deploy and manage reusable, secure, and production-grade cloud infrastructure.

• Module Features
• Getting Started
• Module Argument Reference
  • Module Configuration
  • Main Resource Configuration
  • Extended Resource Configuration
• Module Outputs
• External Documentation
  • Google Documentation
  • Terraform Google Provider Documentation
• Module Versioning
  • Backwards compatibility in 0.0.z and 0.y.z version
• About Mineiros
• Reporting Issues
• Contributing
• Makefile Targets
• License

This module implements the following terraform resources:

• google_sql_database_instance
• google_sql_database
• google_sql_ssl_cert
• google_sql_user

Most basic usage just setting required arguments:

module "terraform-google-cloud-sql" {
  source = "github.com/mineiros-io/terraform-google-cloud-sql.git?ref=v0.1.0"

  tier             = "db-f1-micro"
  database_version = "MYSQL_5_6"
}

See variables.tf and examples/ for details and use-cases.

• module_enabled: (Optional bool)

  Specifies whether resources in the module will be created.

  Default is true.

• module_depends_on: (Optional list(dependency))

  A list of dependencies. Any object can be assigned to this list to define a hidden external dependency.

  Example:

  module_depends_on = [
    google_network.network
  ]

• database_version: (Required string)

  The MySQL or PostgreSQL version to use.

• tier: (Required string)

  The machine type to use.

• project: (Required string)

  The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

• name: (Optional string)

  The name of the instance. If the name is left blank, Terraform will randomly generate one when the instance is first created. This is done because after a name is used, it cannot be reused for up to one week.

• region: (Optional string)

  The region the instance will sit in. If a region is not provided in the resource definition, the provider region will be used instead.

• master_instance_name: (Optional string)

  The name of the existing instance that will act as the master in the replication setup. Note, this requires the master to have binary_log_enabled set, as well as existing backups.

• deletion_protection: (Optional bool)

  Whether or not to allow Terraform to destroy the instance.

  Default is true.

• deletion_protection_enabled: (Optional bool)

  Enables deletion protection of an instance at the GCP level.

  Default is false.

• encryption_key_name: (Optional string)

  The full path to the encryption key used for the CMEK disk encryption.

  Default is null.

• activation_policy: (Optional string)

  This specifies when the instance should be active. Can be either ALWAYS, NEVER or ON_DEMAND.

• activation_policy: (Optional string)

  This specifies when the instance should be active. Can be either ALWAYS, NEVER or ON_DEMAND.

• availability_type: (Optional string)

  The availability type of the Cloud SQL instance, high availability REGIONAL or single zone ZONAL. For MySQL instances, ensure that settings.backup_configuration.enabled and settings.backup_configuration.binary_log_enabled are both set to true.

• disk_autoresize: (Optional bool)

  Configuration to increase storage size automatically.

  Default is true.

• disk_autoresize_limit: (Optional number)

  The maximum size in GB to which storage capacity can be automatically increased. The default value is 0, which specifies that there is no limit.

  Default is 0.

• disk_size: (Optional number)

  The size of data disk, in GB. Size of a running instance cannot be reduced but can be increased.

  Default is 10.

• disk_type: (Optional string)

  The type of data disk: PD_SSD or PD_HDD.

  Default is "PD_SSD".

• pricing_plan: (Optional string)

  Pricing plan for this instance, can only be PER_USE.

• user_labels: (Optional map(string))

  A set of key/value user label pairs to assign to the instance.

• database_flags: (Optional list(database_flag))

  A list of database flags.

  Each database_flag object in the list accepts the following attributes:

  • name: (Required string)

    Name of the flag.

  • value: (Required string)

    Value of the flag.

    Example:

    database_flags = [{
      name  = "long_query_time"
      value = "1"
    }]

• backup_configuration: (Optional object(backup_configuration))

  An object of backup configuration.

  Example:

  backup_configuration = {
    enabled    = true
    start_time = "17:00"
  }

  The backup_configuration object accepts the following attributes:

  • binary_log_enabled: (Optional bool)

    True if binary logging is enabled. If settings.backup_configuration.enabled is false, this must be as well. Cannot be used with Postgres.

  • enabled: (Optional bool)

    True if backup configuration is enabled.

  • start_time: (Optional string)

    HH:MM format time indicating when backup configuration starts.

  • point_in_time_recovery_enabled: (Optional bool)

    True if Point-in-time recovery is enabled. Will restart database if enabled after instance creation. Valid only for PostgreSQL instances.

  • location: (Optional string)

    The region where the backup will be stored.

  • transaction_log_retention_days: (Optional number)

    The number of days of transaction logs we retain for point in time restore, from 1-7.

  • backup_retention_settings: (Optional list(backup_retention_setting))

    A List of backup retention settings.

    Example:

    backup_retention_settings = [{
      retained_backups = 3
      retention_unit   = "COUNT"
    }]

    Each backup_retention_setting object in the list accepts the following attributes:

    • retained_backups: (Optional number)

      Depending on the value of retention_unit, this is used to determine if a backup needs to be deleted. If retention_unit is COUNT, we will retain this many backups.

    • retention_unit: (Optional string)

      The unit that retained_backups represents.

      Default is "COUNT".

• ip_configuration: (Optional object(ip_configuration))

  An object of ip configuration.

  Example:

  ip_configuration = {
    ipv4_enabled = true
  }

  The ip_configuration object accepts the following attributes:

  • ipv4_enabled: (Optional bool)

    Whether this Cloud SQL instance should be assigned a public IPV4 address. At least ipv4_enabled must be enabled or a private_network must be configured.

  • private_network: (Optional string)

    The VPC network from which the Cloud SQL instance is accessible for private IP. For example, projects/myProject/global/networks/default. Specifying a network enables private IP. At least ipv4_enabled must be enabled or a private_network must be configured. This setting can be updated, but it cannot be removed after it is set. This setting only works if the VPC network has a peering connection configured with servicenetworking.googleapis.com.

  • require_ssl: (Optional bool)

    Whether SSL connections over IP are enforced or not.

  • ssl_mode: (Optional string)

    Specify how SSL connection should be enforced in DB connections. To change this field, also set the correspoding value in require_ssl. Check the value pairs API reference

  • allocated_ip_range : (Optional string)

    The name of the allocated ip range for the private ip CloudSQL instance. For example: google-managed-services-default. If set, the instance ip will be created in the allocated range. The range name must comply with RFC 1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z?.

  • authorized_networks: (Optional list(authorized_network))

    A List of public IPs/networks authorized to access the CloudSQL instance.

    Example:

    authorized_networks = [{
      value = "35.35.35.35/32"
    }]

    Each authorized_network object in the list accepts the following attributes:

    • expiration_time: (Optional string)

      The RFC 3339 formatted date time string indicating when this whitelist expires.

    • name: (Optional string)

      A name for this whitelist entry.

    • value: (Required string)

      A CIDR notation public IPv4 or IPv6 address that is allowed to access this instance. Must be set even if other two attributes are not for the whitelist to become active.

  • psc_config: (Optional list(psc_config))

    Settings for Private Service Connect.

    Example:

    psc_enabled = true
    allowed_consumer_projects = ["test123"]

    Each psc_config object in the list accepts the following attributes:

    • psc_enabled: (Optional bool)

      Whether PSC connectivity is enabled for this instance.

    • allowed_consumer_projects: (Optional list(string))

      List of consumer projects that are allow-listed for PSC connections to this instance.

• location_preference: (Optional object(location_preference))

  An object of location preferences.

  Example:

  location_preference = {
    zone = "us-central1-a"
  }

  The location_preference object accepts the following attributes:

  • follow_gae_application: (Optional string)

    A GAE application whose zone to remain in. Must be in the same region as this instance.

  • zone: (Optional string)

    The preferred compute engine zone.

• maintenance_window: (Optional object(maintenance_window))

  An object of maintenance window.

  Example:

  maintenance_window = {
    day          = 1
    hour         = 0
    update_track = "stable"
  }

  The maintenance_window object accepts the following attributes:

  • day: (Optional number)

    Day of week (1-7), starting on Monday.

  • hour: (Optional number)

    Hour of day (0-23), ignored if day not set.

  • update_track: (Optional string)

    Receive updates earlier canary or later stable.

• deny_maintenance_period: (Optional object(deny_maintenance_period))

  An object of maintenance window.

  Example:

  deny_maintenance_period = {
    start_date          = "2020-11-01"
    end_date            = "2020-11-01"
    time                = "00:00:00"
  }

  The deny_maintenance_period object accepts the following attributes:

  • start_date: (Optional string)

    (Required) "deny maintenance period" start date. If the year of the start date is empty, the year of the end date also must be empty. In this case, it means the deny maintenance period recurs every year.

  • end_date: (Optional string)

    (Required) "deny maintenance period" end date. If the year of the end date is empty, the year of the start date also must be empty. In this case, it means the no maintenance interval recurs every year.

  • time: (Optional string)

    (Required) Time in UTC when the "deny maintenance period" starts on startDate and ends on endDate.

• insights_config: (Optional object(insights_config))

  An object of insight config.

  Example:

  insights_config = {
    query_insights_enabled = true
  }

  The insights_config object accepts the following attributes:

  • query_insights_enabled: (Optional bool)

    True if Query Insights feature is enabled.

  • query_string_length: (Optional number)

    Maximum query length stored in bytes. Between 256 and 4500. Default to 1024.

    Default is 1024.

  • record_application_tags: (Optional bool)

    True if Query Insights will record application tags from query when enabled.

  • record_client_address: (Optional bool)

    True if Query Insights will record client address when enabled.

• password_validation_policy: (Optional object(password_validation_policy))

  An object of password_validation_policy config.

  Example:

  password_validation_policy = {
    min_length                  = 15
    complexity                  = "COMPLEXITY_DEFAULT"
    reuse_interval              = 10
    disallow_username_substring = true
    password_change_interval    = "10d"
    enable_password_policy      = true
  }

  The password_validation_policy object accepts the following attributes:

  • min_length: (Optional number)

    Specifies the minimum number of characters that the password must have.

  • complexity: (Optional string)

    Checks if the password is a combination of lowercase, uppercase, numeric, and non-alphanumeric characters.

  • reuse_interval: (Optional number)

    Specifies the number of previous passwords that you can't reuse.

  • disallow_username_substring: (Optional bool)

    Prevents the use of the username in the password.

  • password_change_interval: (Optional string)

    Specifies the minimum duration after which you can change the password.

  • enable_password_policy: (Optional bool)

    Enables or disable the password validation policy.

• data_cache_config: (Optional object(advanced_machine_features))

  An object if data cache config.

  Example:

  data_cache_config = {
    data_cache_enabled = true
  }

  The advanced_machine_features object accepts the following attributes:

  • data_cache_enabled: (Optional bool)

    Whether data cache is enabled for the instance (MYSQL,PostgreSQL).

• replica_configuration: (Optional object(replica_configuration))

  An object of replica configuration.

  Example:

  replica_configuration = {
    failover_target = true
  }

  The replica_configuration object accepts the following attributes:

  • ca_certificate: (Optional string)

    PEM representation of the trusted CA's x509 certificate.

  • client_certificate: (Optional string)

    PEM representation of the replica's x509 certificate.

  • client_key: (Optional string)

    PEM representation of the replica's private key. The corresponding public key in encoded in the client_certificate.

  • connect_retry_interval: (Optional number)

    The number of seconds between connect retries.

    Default is 60.

  • dump_file_path: (Optional string)

    Path to a SQL file in GCS from which replica instances are created. Format is gs://bucket/filename.

  • failover_target: (Optional bool)

    Specifies if the replica is the failover target. If the field is set to true the replica will be designated as a failover replica. If the master instance fails, the replica instance will be promoted as the new master instance.

  • master_heartbeat_period: (Optional number)

    Time in ms between replication heartbeats.

  • password: (Optional string)

    Password for the replication connection.

  • ssl_cipher: (Optional string)

    Permissible ciphers for use in SSL encryption.

  • username: (Optional string)

    Username for replication connection.

  • verify_server_certificate: (Optional bool)

    True if the master's common name value is checked during the SSL handshake.

• module_timeouts: (Optional map(module_timeout))

  resource_timeouts are keyed by resource type and define default timeouts for various terraform operations (see Operation Timeouts)

  Example:

  module_timeouts = {
    google_sql_database_instance = {
      create = "30m"
      update = "30m"
      delete = "30m"
    }
  }

  Each module_timeout object in the map accepts the following attributes:

  • google_sql_database_instance: (Optional map(string))

    • create: (Optional)

      Used for sql database instance creation.

      Default is "30m".

    • update: (Optional)

      Used for sql database instance manipulation.

      Default is "30m".

    • delete: (Optional)

      Used for sql database instance deletion.

      Default is "30m".

    Default is "30m".

  • google_sql_database: (Optional map(string))

    • create: (Optional)

      Used for sql database creation.

      Default is "15m".

    • update: (Optional)

      Used for sql database manipulation.

      Default is "10m".

    • delete: (Optional)

      Used for sql database deletion.

      Default is "10m".

    Default is "15m".

  • google_sql_ssl_cert: (Optional map(string))

    • create: (Optional)

      Used for sql user creation.

      Default is "10m".

    • delete: (Optional)

      Used for sql user deletion.

      Default is "10m".

    Default is "10m".

  • google_sql_user: (Optional map(string))

    • create: (Optional)

      Used for sql user creation.

      Default is "10m".

    • update: (Optional)

      Used for sql user manipulation.

      Default is "10m".

    • delete: (Optional)

      Used for sql user deletion.

      Default is "10m".

    Default is "10m".

• sql_databases: (Optional list(sql_database))

  A list of SQL databases.

  Example:

  sql_databases = [{
    name = "db"
  }]

  Each sql_database object in the list accepts the following attributes:

  • name: (Required string)

    The Name of the database.

  • charset: (Optional string)

    The charset value. Postgres databases only support a value of UTF8 at creation time.

  • collation: (Optional string)

    The collation value. Postgres databases only support a value of en_US.UTF8 at creation time.

  • deletion_policy: (Optional string)

    (Optional) The deletion policy for the database. Possible values are: "ABANDON", "DELETE". Defaults to "DELETE".

• sql_ssl_certs: (Optional list(sql_ssl_cert))

  List of SQL SSL certs. You can create up to 10 client certificates for each instance.

  Example:

  sql_ssl_certs = [{
    common_name = "ssl-name"
  }]

  Each sql_ssl_cert object in the list accepts the following attributes:

  • common_name: (Required string)

    The common name to be used in the certificate to identify the client. Constrained to [a-zA-Z.-_ ]+. Changing this forces a new resource to be created.

• sql_users: (Optional list(sql_user))

  List of SQL users.

  Example:

  sql_users = [{
    name     = "user"
    password = "changeme"
  }]

  Each sql_user object in the list accepts the following attributes:

  • name: (Required string)

    The Name of the user.

  • password: (Optional string)

    The password for the user. Can be updated. For Postgres instances this is a Required field.

  • type: (Optional string)

    The user type. It determines the method to authenticate the user during login. The default is the database's built-in user type. Flags include BUILT_IN, CLOUD_IAM_USER, or CLOUD_IAM_SERVICE_ACCOUNT.

  • deletion_policy: (Optional string)

    The deletion policy for the user. Setting ABANDON allows the resource to be abandoned rather than deleted. This is useful for Postgres, where users cannot be deleted from the API if they have been granted SQL roles. Possible values are: ABANDON.

  • host: (Optional string)

    The host the user can connect from. This is only supported for MySQL instances. Don't set this field for PostgreSQL instances. Can be an IP address. Changing this forces a new resource to be created.

The following attributes are exported in the outputs of the module:

• module_enabled: (bool)

  Whether this module is enabled.

• instance: (object(instance))

  SQL Database Instance.

• databases: (map(database))

  All SQL Databases.

• certs: (map(cert))

  All SQL Certs.

• users: (map(user))

  All SQL Users.

• Available database version on GCP (SQL Server is not supported by this module): https://cloud.google.com/sql/docs/db-versions
• Configuring SSL/TLS certificates: https://cloud.google.com/sql/docs/mysql/configure-ssl-instance

• https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
• https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database
• https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_ssl_cert
• https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_user

This Module follows the principles of Semantic Versioning (SemVer).

Given a version number MAJOR.MINOR.PATCH, we increment the:

1. MAJOR version when we make incompatible changes,
2. MINOR version when we add functionality in a backwards compatible manner, and
3. PATCH version when we make backwards compatible bug fixes.

• Backwards compatibility in versions 0.0.z is not guaranteed when z is increased. (Initial development)
• Backwards compatibility in versions 0.y.z is not guaranteed when y is increased. (Pre-release)

Mineiros is a remote-first company headquartered in Berlin, Germany that solves development, automation and security challenges in cloud infrastructure.

Our vision is to massively reduce time and overhead for teams to manage and deploy production-grade and secure cloud infrastructure.

We offer commercial support for all of our modules and encourage you to reach out if you have any questions or need help. Feel free to email us at hello@mineiros.io or join our Community Slack channel.

We use GitHub Issues to track community reported issues and missing features.

Contributions are always encouraged and welcome! For the process of accepting changes, we use Pull Requests. If you'd like more information, please see our Contribution Guidelines.

This repository comes with a handy Makefile. Run make help to see details on each available target.

This module is licensed under the Apache License Version 2.0, January 2004. Please see LICENSE for full details.

Copyright © 2020-2022 Mineiros GmbH