diff --git a/environment/deployments/ppdb/cloudsql/backend.tf b/environment/deployments/ppdb/cloudsql/backend.tf
new file mode 100644
index 00000000..40eda5e5
--- /dev/null
+++ b/environment/deployments/ppdb/cloudsql/backend.tf
@@ -0,0 +1,11 @@
+# ------------------------------------------------------------
+# BACKEND BLOCK
+# ------------------------------------------------------------
+
+terraform {
+ backend "gcs" {}
+ required_providers {
+ google = ">= 6.26"
+ google-beta = ">= 6.26"
+ }
+}
diff --git a/environment/deployments/ppdb/cloudsql/main.tf b/environment/deployments/ppdb/cloudsql/main.tf
new file mode 100644
index 00000000..b0600531
--- /dev/null
+++ b/environment/deployments/ppdb/cloudsql/main.tf
@@ -0,0 +1,57 @@
+
+data "terraform_remote_state" "ppdb_project" {
+ backend = "gcs"
+
+ config = {
+ prefix = "${var.application_name}/${var.environment}"
+ bucket = var.state_bucket
+ }
+}
+
+
+# Sets up a connection from the VPC to Google services
+module "private-service-access" {
+ source = "../../../../modules/cloudsql/private_service_access"
+
+ project_id = data.terraform_remote_state.ppdb_project.outputs.project_id
+ vpc_network = data.terraform_remote_state.ppdb_project.outputs.network_name
+}
+
+module "db_ppdb" {
+ source = "../../../../modules/cloudsql/postgres-sql"
+ db_name = "${var.application_name}-${var.environment}"
+ database_version = var.ppdb_cloud_sql_database_version
+ deletion_protection = true
+ tier = var.ppdb_cloud_sql_tier
+ database_flags = var.ppdb_cloud_sql_database_flags
+ data_cache_enabled = var.ppdb_cloud_sql_data_cache_enabled
+ disk_size = var.ppdb_cloud_sql_disk_size
+ enable_default_db = false
+ enable_default_user = false
+ edition = var.ppdb_cloud_sql_edition
+ maintenance_window_day = var.ppdb_cloud_sql_db_maintenance_window_day
+ maintenance_window_hour = var.ppdb_cloud_sql_db_maintenance_window_hour
+ maintenance_window_update_track = var.ppdb_cloud_sql_db_maintenance_window_update_track
+ random_instance_name = false
+ project_id = data.terraform_remote_state.ppdb_project.outputs.project_id
+ private_network = data.terraform_remote_state.ppdb_project.outputs.network_self_link
+ enable_private_path_for_google_cloud_services = var.ppdb_cloud_sql_enable_private_path
+ ipv4_enabled = var.ppdb_cloud_sql_ipv4_enabled
+ authorized_networks = var.ppdb_cloud_sql_authorized_networks
+ ssl_mode = var.ppdb_cloud_sql_ssl_mode
+
+ backup_configuration = {
+ enabled = var.ppdb_cloud_sql_backups_enabled
+ start_time = var.ppdb_cloud_sql_backups_start_time
+ location = "us-central1"
+ point_in_time_recovery_enabled = var.ppdb_cloud_sql_backups_point_in_time_recovery_enabled
+ }
+
+ additional_databases = [
+ {
+ name = "ppdb-chunk-tracking"
+ charset = "UTF8"
+ collation = "en_US.UTF8"
+ }
+ ]
+}
diff --git a/environment/deployments/ppdb/cloudsql/outputs.tf b/environment/deployments/ppdb/cloudsql/outputs.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/environment/deployments/ppdb/cloudsql/variables.tf b/environment/deployments/ppdb/cloudsql/variables.tf
new file mode 100644
index 00000000..57b429f1
--- /dev/null
+++ b/environment/deployments/ppdb/cloudsql/variables.tf
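Review bot: `module "db_ppdb"` takes `private_network` from remote state but declares no `depends_on = [module.private-service-access]`, so nothing in this file orders the instance after the private service access connection; unless the postgres-sql module sequences this internally (the diff does not show it), the first apply may try to allocate the private IP before the peering exists. Adding `depends_on = [module.private-service-access]` inside the `db_ppdb` block makes the ordering explicit. The backup `location = "us-central1"` is the only hard-coded setting in a block that is otherwise entirely variable-driven; a `ppdb_cloud_sql_backups_location` input would keep it in step with the project region if that ever differs.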
@@ -0,0 +1,137 @@
+
+variable "state_bucket" {
+ type = string
+ description = "The GCS bucket name for terraform state"
+}
+
+variable "application_name" {
+ description = "The name of application where GCP resources relate"
+ type = string
+}
+
+variable "environment" {
+ description = "The environment the single project belongs to"
+ type = string
+}
+
+variable "ppdb_cloud_sql_database_version" {
+ description = "The database version to use for the PPDB PostgreSQL database"
+ type = string
+ default = "POSTGRES_18"
+}
+
+variable "ppdb_cloud_sql_tier" {
+ description = "The tier for the database."
+ type = string
+ default = "db-custom-2-16384"
+}
+
+variable "ppdb_cloud_sql_database_flags" {
+ description = "List of Cloud SQL flags that are applied to the database server. See [more details](https://cloud.google.com/sql/docs/mysql/flags)"
+ type = list(object({
+ name = string
+ value = string
+ }))
+ default = [{
+ name = "cloudsql.iam_authentication"
+ value = "on"
+ }
+ ]
+}
+
+variable "ppdb_cloud_sql_disk_size" {
+ description = "The disk size for the instance in GB. This value is ignored after initial provisioning with a terraform lifecycle policy in Google module. This is needed because of auto storage increase is enabled."
+ type = number
+ default = 700
+}
+
+variable "ppdb_cloud_sql_disk_type" {
+ description = "The disk type for the instance."
+ type = string
+ default = "PD_SSD"
+}
+
+variable "ppdb_cloud_sql_edition" {
+ description = "The edition of the Cloud SQL instance, can be ENTERPRISE or ENTERPRISE_PLUS."
+ type = string
+ default = "ENTERPRISE"
+}
+
+
+variable "ppdb_cloud_sql_require_ssl" {
+ description = "True if the instance should require SSL/TLS for users connecting over IP. Note: SSL/TLS is needed to provide security when you connect to Cloud SQL using IP addresses. If you are connecting to your instance only by using the Cloud SQL Proxy or the Java Socket Library, you do not need to configure your instance to use SSL/TLS."
+ type = bool
+ default = false
+}
+
+variable "ppdb_cloud_sql_ipv4_enabled" {
+ type = bool
+ description = "True if enabling public IP on database"
+ default = false
+}
+
+variable "ppdb_cloud_sql_enable_private_path" {
+ description = "Direct services to use the private path for connectivity to CloudSQL"
+ type = bool
+ default = false
+}
+
+variable "ppdb_cloud_sql_authorized_networks" {
+ default = []
+ type = list(map(string))
+ description = "List of mapped public networks authorized to access to the instances."
+}
+
+variable "ppdb_cloud_sql_ssl_mode" {
+ description = "Specify how SSL connection should be enforced in DB connections. Options are ALLOW_UNENCRYPTED_AND_ENCRYPTED, ENCRYPTED_ONLY, and TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ type = string
+ default = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
+}
+
+variable "ppdb_cloud_sql_database_tier" {
+ description = "The tier for general database"
+ type = string
+ default = "db-g1-small"
+}
+
+variable "ppdb_cloud_sql_data_cache_enabled" {
+ description = "Whether data cache is enabled for the instance. Defaults to false. Feature is only available for ENTERPRISE_PLUS tier and supported database_versions"
+ type = bool
+ default = false
+}
+
+variable "ppdb_cloud_sql_db_maintenance_window_day" {
+ type = number
+ description = "The day of week (1-7) for the instance maintenance."
+ default = 1
+}
+
+variable "ppdb_cloud_sql_db_maintenance_window_hour" {
+ type = number
+ description = "The hour of day (0-23) maintenance window for the instance maintenance."
+ default = 23
+}
+
+variable "ppdb_cloud_sql_db_maintenance_window_update_track" {
+ type = string
+ description = "The update track of maintenance window for the instance maintenance. Can be either `canary` or `stable`."
+ default = "stable"
+}
+
+variable "ppdb_cloud_sql_backups_enabled" {
+ type = bool
+ description = "True if backup configuration is enabled"
+ default = false
+}
+
+variable "ppdb_cloud_sql_backups_start_time" {
+ type = string
+ description = "Start time for backups"
+ default = "09:00"
+}
+
+variable "ppdb_cloud_sql_backups_point_in_time_recovery_enabled" {
+ type = bool
+ description = "Enable Point in Time Recovery for backups"
+ default = true
+}
diff --git a/environment/deployments/ppdb/env/dev-cloudsql.tfvars b/environment/deployments/ppdb/env/dev-cloudsql.tfvars
new file mode 100644
index 00000000..338108d3
--- /dev/null
+++ b/environment/deployments/ppdb/env/dev-cloudsql.tfvars
@@ -0,0 +1,23 @@
+# Cloud SQL
+environment = "dev"
+application_name = "ppdb"
+
+# PPDB CloudSQL Database
+ppdb_cloud_sql_backups_enabled = false
+ppdb_cloud_sql_backups_point_in_time_recovery_enabled = false
+ppdb_cloud_sql_data_cache_enabled = true
+ppdb_cloud_sql_db_tier = "db-custom-2-7680"
+ppdb_cloud_sql_db_maintenance_window_day = 1
+ppdb_cloud_sql_db_maintenance_window_hour = 23
+ppdb_cloud_sql_db_maintenance_window_update_track = "stable"
+ppdb_cloud_sql_edition = "ENTERPRISE_PLUS"
+ppdb_cloud_sql_ipv4_enabled = "true"
+ppdb_cloud_sql_enable_private_path = "true"
+
+
+
+# If you didn't make any other changes to this file, increase this number to
+# force Terraform to update this environment. You may need to do this if you
+# changed .tf files in this environment, or if you changed any modules that
+# this environment uses, but you didn't change any variables in this file.
+# Serial: 3
diff --git a/modules/cloudsql/postgres-sql/main.tf b/modules/cloudsql/postgres-sql/main.tf
index 4d0eccd0..4f1fbb21 100644
--- a/modules/cloudsql/postgres-sql/main.tf
+++ b/modules/cloudsql/postgres-sql/main.tf
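Review bot: `ppdb_cloud_sql_ssl_mode` defaults to `ALLOW_UNENCRYPTED_AND_ENCRYPTED`, weaker than the `TRUSTED_CLIENT_CERTIFICATE_REQUIRED` default the postgres-sql module itself declares, and main.tf passes the value straight through; combined with `ppdb_cloud_sql_ipv4_enabled = "true"` in dev-cloudsql.tfvars, the dev instance gets a public IP on which any authorized network added later may connect in plaintext. Consider `default = "ENCRYPTED_ONLY"` here and relaxing it per environment only where a client genuinely needs it. `ppdb_cloud_sql_require_ssl`, `ppdb_cloud_sql_disk_type` and `ppdb_cloud_sql_database_tier` are declared but never referenced by main.tf, so setting them has no effect; drop them or wire them into `module "db_ppdb"`. The `ppdb_cloud_sql_database_flags` description links to the MySQL flags page for what is a PostgreSQL instance.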
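Review bot: `ppdb_cloud_sql_db_tier = "db-custom-2-7680"` matches no declared input (variables.tf names it `ppdb_cloud_sql_tier`), so Terraform warns about an undeclared variable and the dev instance silently gets the `db-custom-2-16384` default; the key should read `ppdb_cloud_sql_tier = "db-custom-2-7680"`. `ppdb_cloud_sql_ipv4_enabled = "true"` and `ppdb_cloud_sql_enable_private_path = "true"` are quoted strings for `bool` inputs; Terraform converts them, but unquoted `true` matches the other booleans in this file. Backups and point-in-time recovery are both switched off here, which is reasonable for dev but worth a one-line comment such as `# dev only: no backups/PITR` so the block is not copied into another environment unchanged.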
@@ -33,9 +33,10 @@ module "cloudsql-db" {
 database_flags = var.database_flags
 ip_configuration = {
- ipv4_enabled = var.ipv4_enabled
- private_network = var.private_network
- ssl_mode = var.ssl_mode
- authorized_networks = var.authorized_networks
+ ipv4_enabled = var.ipv4_enabled
+ private_network = var.private_network
+ enable_private_path_for_google_cloud_services = var.enable_private_path_for_google_cloud_services
+ ssl_mode = var.ssl_mode
+ authorized_networks = var.authorized_networks
 }
 }
diff --git a/modules/cloudsql/postgres-sql/variables.tf b/modules/cloudsql/postgres-sql/variables.tf
index aa199cd8..6227f2bf 100644
--- a/modules/cloudsql/postgres-sql/variables.tf
+++ b/modules/cloudsql/postgres-sql/variables.tf
@@ -200,8 +200,20 @@ variable "private_network" {
 default = null
 }
+variable "enable_private_path_for_google_cloud_services" {
+ description = "Direct services to use the private path for connectivity to CloudSQL"
+ type = bool
+ default = false
+}
+
 variable "ssl_mode" {
 description = "Specify how SSL connection should be enforced in DB connections. Options are ALLOW_UNENCRYPTED_AND_ENCRYPTED, ENCRYPTED_ONLY, and TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
 type = string
 default = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
 }
+
+variable "data_cache_enabled" {
+ description = "Whether data cache is enabled for the instance. Defaults to false. Feature is only available for ENTERPRISE_PLUS tier and supported database_versions"
+ type = bool
+ default = false
+}
\ No newline at end of file
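Review bot: `data_cache_enabled` is added as a module input, but the only main.tf change in this commit is the `ip_configuration` block, and nothing visible forwards `var.data_cache_enabled` to `module "cloudsql-db"`; if it is not wired elsewhere in the module, the deployment's `ppdb_cloud_sql_data_cache_enabled = true` is accepted and silently ignored. Please confirm the module passes it on (e.g. `data_cache_enabled = var.data_cache_enabled` next to `database_flags`), since the description already ties the feature to the ENTERPRISE_PLUS edition. The file also now ends without a trailing newline, as the `\ No newline at end of file` marker shows. The `module "cloudsql-db"` block in the main.tf hunk starts before and ends after that hunk, so the forwarding may well be there but out of view.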