From 15afe63589ecc1efea9215b8e896ad25fff5ae14 Mon Sep 17 00:00:00 2001
From: dspeck1
Date: Fri, 15 May 2026 14:45:28 -0500
Subject: [PATCH 1/8] Add ppdb cloud sql resources.
---
 .../deployments/ppdb/cloudsql/backend.tf | 11 ++
 environment/deployments/ppdb/cloudsql/main.tf | 57 ++++++++
 .../deployments/ppdb/cloudsql/outputs.tf | 0
 .../deployments/ppdb/cloudsql/variables.tf | 137 ++++++++++++++++++
 4 files changed, 205 insertions(+)
 create mode 100644 environment/deployments/ppdb/cloudsql/backend.tf
 create mode 100644 environment/deployments/ppdb/cloudsql/main.tf
 create mode 100644 environment/deployments/ppdb/cloudsql/outputs.tf
 create mode 100644 environment/deployments/ppdb/cloudsql/variables.tf
diff --git a/environment/deployments/ppdb/cloudsql/backend.tf b/environment/deployments/ppdb/cloudsql/backend.tf
new file mode 100644
index 00000000..40eda5e5
--- /dev/null
+++ b/environment/deployments/ppdb/cloudsql/backend.tf
@@ -0,0 +1,11 @@
+# ------------------------------------------------------------
+# BACKEND BLOCK
+# ------------------------------------------------------------
+
+terraform {
+ backend "gcs" {}
+ required_providers {
+ google = ">= 6.26"
+ google-beta = ">= 6.26"
+ }
+}
diff --git a/environment/deployments/ppdb/cloudsql/main.tf b/environment/deployments/ppdb/cloudsql/main.tf
new file mode 100644
index 00000000..f865ab2d
--- /dev/null
+++ b/environment/deployments/ppdb/cloudsql/main.tf
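Review bot: The provider constraints `google = ">= 6.26"` and `google-beta = ">= 6.26"` in the `required_providers` block have no upper bound, so a fresh `terraform init` in CI resolves whatever the newest release is, including a future major with breaking schema changes to the Cloud SQL resources this deployment wraps. Pin to the compatible major with `google = ">= 6.26, < 7"` (or `~> 6.26`) and commit the `.terraform.lock.hcl` that init writes, so the GHA run this series later triggers installs the same provider build as the author's workstation. If the repo's other deployments already follow this pattern, matching them is enough; the lock file is the part that actually fixes the supply chain.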
@@ -0,0 +1,57 @@
+
+data "terraform_remote_state" "ppdb_project" {
+ backend = "gcs"
+
+ config = {
+ prefix = "ppdb/dev"
+ bucket = var.state_bucket
+ }
+}
+
+
+# Sets up a connection from the VPC to Google services
+module "private-service-access" {
+ source = "../../../../modules/cloudsql/private_service_access"
+
+ project_id = data.terraform_remote_state.ppdb_project.outputs.project_id
+ vpc_network = data.terraform_remote_state.ppdb_project.outputs.network_name
+}
+
+module "db_ppdb" {
+ source = "../../../../modules/cloudsql/postgres-sql"
+ db_name = "${var.application_name}-${var.environment}"
+ database_version = var.ppdb_cloud_sql_database_version
+ deletion_protection = true
+ tier = var.ppdb_cloud_sql_tier
+ database_flags = var.ppdb_cloud_sql_database_flags
+ data_cache_enabled = var.ppdb_cloud_sql_data_cache_enabled
+ disk_size = var.ppdb_cloud_sql_disk_size
+ enable_default_db = false
+ enable_default_user = false
+ edition = var.ppdb_cloud_sql_edition
+ maintenance_window_day = var.ppdb_cloud_sql_db_maintenance_window_day
+ maintenance_window_hour = var.ppdb_cloud_sql_db_maintenance_window_hour
+ maintenance_window_update_track = var.ppdb_cloud_sql_db_maintenance_window_update_track
+ random_instance_name = false
+ project_id = data.terraform_remote_state.ppdb_project.outputs.project_id
+ private_network = data.terraform_remote_state.ppdb_project.outputs.network_self_link
+ enable_private_path_for_google_cloud_services = var.ppdb_cloud_sql_enable_private_path
+ ipv4_enabled = var.ppdb_cloud_sql_ipv4_enabled
+ authorized_networks = var.ppdb_cloud_sql_authorized_networks
+ ssl_mode = var.ppdb_cloud_sql_ssl_mode
+
+ backup_configuration = {
+ enabled = var.ppdb_cloud_sql_backups_enabled
+ start_time = var.ppdb_cloud_sql_backups_start_time
+ location = "us-central1"
+ point_in_time_recovery_enabled = var.ppdb_cloud_sql_backups_point_in_time_recovery_enabled
+ }
+
+ additional_databases = [
+ {
+ name = "ppdb-chunk-tracking"
+ charset = "UTF8"
+ collation = "en_US.UTF8"
+ }
+ ]
+}
diff --git a/environment/deployments/ppdb/cloudsql/outputs.tf b/environment/deployments/ppdb/cloudsql/outputs.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/environment/deployments/ppdb/cloudsql/variables.tf b/environment/deployments/ppdb/cloudsql/variables.tf
new file mode 100644
index 00000000..57b429f1
--- /dev/null
+++ b/environment/deployments/ppdb/cloudsql/variables.tf
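Review bot: `ssl_mode = var.ppdb_cloud_sql_ssl_mode` near the end of the `db_ppdb` block overrides the module's own default of `TRUSTED_CLIENT_CERTIFICATE_REQUIRED` (visible as context in the later modules/cloudsql/postgres-sql/variables.tf hunk) with the deployment variable's default `ALLOW_UNENCRYPTED_AND_ENCRYPTED`, so every environment built from this directory accepts plaintext connections unless its tfvars file opts out. Since the same block also wires `ipv4_enabled` and `authorized_networks` from variables, the first environment that turns on a public IP and adds an authorized range gets unencrypted logins from the internet by default. Unless plaintext clients are a known requirement, drop the `ssl_mode` line to inherit the module default, or change the deployment variable's default to `ENCRYPTED_ONLY`. Also, `location = "us-central1"` in `backup_configuration` is the one hard-coded value in a block where everything else is a variable; a `ppdb_cloud_sql_backups_location` variable with that default would keep backups in-region for projects elsewhere.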
@@ -0,0 +1,137 @@
+
+variable "state_bucket" {
+ type = string
+ description = "The GCS bucket name for terraform state"
+}
+
+variable "application_name" {
+ description = "The name of application where GCP resources relate"
+ type = string
+}
+
+variable "environment" {
+ description = "The environment the single project belongs to"
+ type = string
+}
+
+variable "ppdb_cloud_sql_database_version" {
+ description = "The database version to use for the PPDB PostgreSQL database"
+ type = string
+ default = "POSTGRES_18"
+}
+
+variable "ppdb_cloud_sql_tier" {
+ description = "The tier for the database."
+ type = string
+ default = "db-custom-2-16384"
+}
+
+variable "ppdb_cloud_sql_database_flags" {
+ description = "List of Cloud SQL flags that are applied to the database server. See [more details](https://cloud.google.com/sql/docs/mysql/flags)"
+ type = list(object({
+ name = string
+ value = string
+ }))
+ default = [{
+ name = "cloudsql.iam_authentication"
+ value = "on"
+ }
+ ]
+}
+
+variable "ppdb_cloud_sql_disk_size" {
+ description = "The disk size for the instance in GB. This value is ignored after initial provisioning with a terraform lifecycle policy in Google module. This is needed because of auto storage increase is enabled."
+ type = number
+ default = 700
+}
+
+variable "ppdb_cloud_sql_disk_type" {
+ description = "The disk type for the instance."
+ type = string
+ default = "PD_SSD"
+}
+
+variable "ppdb_cloud_sql_edition" {
+ description = "The edition of the Cloud SQL instance, can be ENTERPRISE or ENTERPRISE_PLUS."
+ type = string
+ default = "ENTERPRISE"
+}
+
+
+variable "ppdb_cloud_sql_require_ssl" {
+ description = "True if the instance should require SSL/TLS for users connecting over IP. Note: SSL/TLS is needed to provide security when you connect to Cloud SQL using IP addresses. If you are connecting to your instance only by using the Cloud SQL Proxy or the Java Socket Library, you do not need to configure your instance to use SSL/TLS."
+ type = bool
+ default = false
+}
+
+variable "ppdb_cloud_sql_ipv4_enabled" {
+ type = bool
+ description = "True if enabling public IP on database"
+ default = false
+}
+
+variable "ppdb_cloud_sql_enable_private_path" {
+ description = "Direct services to use the private path for connectivity to CloudSQL"
+ type = bool
+ default = false
+}
+
+variable "ppdb_cloud_sql_authorized_networks" {
+ default = []
+ type = list(map(string))
+ description = "List of mapped public networks authorized to access to the instances."
+}
+
+variable "ppdb_cloud_sql_ssl_mode" {
+ description = "Specify how SSL connection should be enforced in DB connections. Options are ALLOW_UNENCRYPTED_AND_ENCRYPTED, ENCRYPTED_ONLY, and TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ type = string
+ default = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
+}
+
+variable "ppdb_cloud_sql_database_tier" {
+ description = "The tier for general database"
+ type = string
+ default = "db-g1-small"
+}
+
+variable "ppdb_cloud_sql_data_cache_enabled" {
+ description = "Whether data cache is enabled for the instance. Defaults to false. Feature is only available for ENTERPRISE_PLUS tier and supported database_versions"
+ type = bool
+ default = false
+}
+
+variable "ppdb_cloud_sql_db_maintenance_window_day" {
+ type = number
+ description = "The day of week (1-7) for the instance maintenance."
+ default = 1
+}
+
+variable "ppdb_cloud_sql_db_maintenance_window_hour" {
+ type = number
+ description = "The hour of day (0-23) maintenance window for the instance maintenance."
+ default = 23
+}
+
+variable "ppdb_cloud_sql_db_maintenance_window_update_track" {
+ type = string
+ description = "The update track of maintenance window for the instance maintenance. Can be either `canary` or `stable`."
+ default = "stable"
+}
+
+variable "ppdb_cloud_sql_backups_enabled" {
+ type = bool
+ description = "True if backup configuration is enabled"
+ default = false
+}
+
+variable "ppdb_cloud_sql_backups_start_time" {
+ type = string
+ description = "Start time for backups"
+ default = "09:00"
+}
+
+variable "ppdb_cloud_sql_backups_point_in_time_recovery_enabled" {
+ type = bool
+ description = "Enable Point in Time Recovery for backups"
+ default = true
+}
From 277d9a5597526d4297809d8c31ed575fa254f071 Mon Sep 17 00:00:00 2001
From: dspeck1
Date: Fri, 15 May 2026 14:45:49 -0500
Subject: [PATCH 2/8] Add data cache setting to cloud sql module and set to be disabled by default.
---
 modules/cloudsql/postgres-sql/variables.tf | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/modules/cloudsql/postgres-sql/variables.tf b/modules/cloudsql/postgres-sql/variables.tf
index aa199cd8..202fcb95 100644
--- a/modules/cloudsql/postgres-sql/variables.tf
+++ b/modules/cloudsql/postgres-sql/variables.tf
@@ -205,3 +205,9 @@ variable "ssl_mode" {
 type = string
 default = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
 }
+
+variable "data_cache_enabled" {
+ description = "Whether data cache is enabled for the instance. Defaults to false. Feature is only available for ENTERPRISE_PLUS tier and supported database_versions"
+ type = bool
+ default = false
+}
\ No newline at end of file
From 42e879d27d29917bd83873f5e78a82a7beb75912 Mon Sep 17 00:00:00 2001
From: dspeck1
Date: Fri, 15 May 2026 14:47:33 -0500
Subject: [PATCH 3/8] Add dev cloud sql tfvars.
---
 .../deployments/ppdb/env/dev-cloudsql.tfvars | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 environment/deployments/ppdb/env/dev-cloudsql.tfvars
diff --git a/environment/deployments/ppdb/env/dev-cloudsql.tfvars b/environment/deployments/ppdb/env/dev-cloudsql.tfvars
new file mode 100644
index 00000000..b6ec2e2b
--- /dev/null
+++ b/environment/deployments/ppdb/env/dev-cloudsql.tfvars
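Review bot: `ppdb_cloud_sql_require_ssl` is declared with `default = false` but nothing in main.tf references it, and its description reads as if it controlled TLS enforcement when the live control is `ppdb_cloud_sql_ssl_mode` further down this file; someone setting it to `true` in a tfvars file will believe they enforced TLS and will have changed nothing. Remove it, together with the equally unreferenced `ppdb_cloud_sql_disk_type` and `ppdb_cloud_sql_database_tier`, or wire each one into the `db_ppdb` module call. The defaults `ppdb_cloud_sql_backups_enabled = false` and `ppdb_cloud_sql_backups_point_in_time_recovery_enabled = true` also contradict each other — I believe Cloud SQL rejects point-in-time recovery on an instance without automated backups, so the default pair is one the API cannot apply; flip the PITR default to `false` or the backups default to `true`. Finally, the flags description links to the MySQL flags page for a PostgreSQL instance; `https://cloud.google.com/sql/docs/postgres/flags` is the relevant reference.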
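Review bot: The new module variable `data_cache_enabled` is declared but no hunk in this series passes it to the wrapped `cloudsql-db` module in modules/cloudsql/postgres-sql/main.tf — the later hunk touching that file only changes `ip_configuration`. If it is not already wired there (the rest of that file is outside this patch), the deployment's `data_cache_enabled = var.ppdb_cloud_sql_data_cache_enabled` and the dev tfvars `ppdb_cloud_sql_data_cache_enabled = true` are accepted by Terraform and silently do nothing. Add `data_cache_enabled = var.data_cache_enabled` to the `cloudsql-db` block, and restore the trailing newline that the `\ No newline at end of file` marker flags so the next append produces a clean diff.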
@@ -0,0 +1,19 @@
+# Cloud SQL
+environment = "dev"
+application_name = "ppdb"
+
+# Butler Registry DP02 Database
+ppdb_cloud_sql_db_tier = "db-custom-2-7680"
+ppdb_cloud_sql_db_maintenance_window_day = 1
+ppdb_cloud_sql_db_maintenance_window_hour = 23
+ppdb_cloud_sql_db_maintenance_window_update_track = "stable"
+ppdb_cloud_sql_backups_enabled = false
+ppdb_cloud_sql_backups_point_in_time_recovery_enabled = false
+
+ppdb_cloud_sql_edition = "ENTERPRISE_PLUS"
+
+# If you didn't make any other changes to this file, increase this number to
+# force Terraform to update this environment. You may need to do this if you
+# changed .tf files in this environment, or if you changed any modules that
+# this environment uses, but you didn't change any variables in this file.
+# Serial: 2
From 902e45dd801ba1e6aaf348eadb8c3d6203f53fd8 Mon Sep 17 00:00:00 2001
From: dspeck1
Date: Tue, 19 May 2026 16:49:01 -0500
Subject: [PATCH 4/8] Add private path variable to module and default to false which is the default for the module.
---
 environment/deployments/ppdb/env/dev-cloudsql.tfvars | 11 +++++++----
 modules/cloudsql/postgres-sql/main.tf | 9 +++++----
 modules/cloudsql/postgres-sql/variables.tf | 6 ++++++
 3 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/environment/deployments/ppdb/env/dev-cloudsql.tfvars b/environment/deployments/ppdb/env/dev-cloudsql.tfvars
index b6ec2e2b..a198bf04 100644
--- a/environment/deployments/ppdb/env/dev-cloudsql.tfvars
+++ b/environment/deployments/ppdb/env/dev-cloudsql.tfvars
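Review bot: `ppdb_cloud_sql_db_tier = "db-custom-2-7680"` assigns a variable that variables.tf never declares — the declared name is `ppdb_cloud_sql_tier` — so Terraform only emits a "value for undeclared variable" warning for the tfvars file and provisions the instance with the default `db-custom-2-16384`, twice the memory this file intends. Rename the key to `ppdb_cloud_sql_tier = "db-custom-2-7680"`; the same misspelled key survives as context in every later hunk of this series, so none of them would have caught it. Consider failing the GHA plan on that warning so silent misconfigurations like this cannot reach apply.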
@@ -2,15 +2,18 @@
 environment = "dev"
 application_name = "ppdb"
-# Butler Registry DP02 Database
+# PPDB CloudSQL Database
+ppdb_cloud_sql_backups_enabled = false
+ppdb_cloud_sql_backups_point_in_time_recovery_enabled = false
 ppdb_cloud_sql_db_tier = "db-custom-2-7680"
 ppdb_cloud_sql_db_maintenance_window_day = 1
 ppdb_cloud_sql_db_maintenance_window_hour = 23
 ppdb_cloud_sql_db_maintenance_window_update_track = "stable"
-ppdb_cloud_sql_backups_enabled = false
-ppdb_cloud_sql_backups_point_in_time_recovery_enabled = false
+ppdb_cloud_sql_edition = "ENTERPRISE_PLUS"
+ppdb_cloud_sql_ipv4_enabled = "true"
+
+
-ppdb_cloud_sql_edition = "ENTERPRISE_PLUS"
 # If you didn't make any other changes to this file, increase this number to
 # force Terraform to update this environment. You may need to do this if you
diff --git a/modules/cloudsql/postgres-sql/main.tf b/modules/cloudsql/postgres-sql/main.tf
index 4d0eccd0..4f1fbb21 100644
--- a/modules/cloudsql/postgres-sql/main.tf
+++ b/modules/cloudsql/postgres-sql/main.tf
@@ -33,9 +33,10 @@ module "cloudsql-db" {
 database_flags = var.database_flags
 ip_configuration = {
- ipv4_enabled = var.ipv4_enabled
- private_network = var.private_network
- ssl_mode = var.ssl_mode
- authorized_networks = var.authorized_networks
+ ipv4_enabled = var.ipv4_enabled
+ private_network = var.private_network
+ enable_private_path_for_google_cloud_services = var.enable_private_path_for_google_cloud_services
+ ssl_mode = var.ssl_mode
+ authorized_networks = var.authorized_networks
 }
 }
diff --git a/modules/cloudsql/postgres-sql/variables.tf b/modules/cloudsql/postgres-sql/variables.tf
index 202fcb95..6227f2bf 100644
--- a/modules/cloudsql/postgres-sql/variables.tf
+++ b/modules/cloudsql/postgres-sql/variables.tf
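Review bot: `ppdb_cloud_sql_ipv4_enabled = "true"` gives the dev instance a public IP, which the commit message ("Add private path variable…") does not mention, and it lands on top of the deployment defaults `ppdb_cloud_sql_ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"` and an empty `ppdb_cloud_sql_authorized_networks`. With no authorized networks the public address should only be reachable through the Auth Proxy / connector path, so exposure today is presumably limited, but the first `authorized_networks` entry added to this file would allow unencrypted logins from the internet. If a public IP is genuinely needed in dev, say why in a comment and pair it with `ppdb_cloud_sql_ssl_mode = "ENCRYPTED_ONLY"` (or stricter); otherwise leave the default `false` and rely on the private IP that main.tf already configures through `private_network`. Either way write the bare boolean `true` rather than the string `"true"`, matching the variable's `type = bool`.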
@@ -200,6 +200,12 @@ variable "private_network" {
 default = null
 }
+variable "enable_private_path_for_google_cloud_services" {
+ description = "Direct services to use the private path for connectivity to CloudSQL"
+ type = bool
+ default = false
+}
+
 variable "ssl_mode" {
 description = "Specify how SSL connection should be enforced in DB connections. Options are ALLOW_UNENCRYPTED_AND_ENCRYPTED, ENCRYPTED_ONLY, and TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
 type = string
From 5ec079aa9d590f5cc4554be0a786feee68d9b48c Mon Sep 17 00:00:00 2001
From: dspeck1
Date: Tue, 19 May 2026 16:49:49 -0500
Subject: [PATCH 5/8] Enable private path in dev.
---
 environment/deployments/ppdb/env/dev-cloudsql.tfvars | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/environment/deployments/ppdb/env/dev-cloudsql.tfvars b/environment/deployments/ppdb/env/dev-cloudsql.tfvars
index a198bf04..e4b143ec 100644
--- a/environment/deployments/ppdb/env/dev-cloudsql.tfvars
+++ b/environment/deployments/ppdb/env/dev-cloudsql.tfvars
@@ -11,7 +11,7 @@ ppdb_cloud_sql_db_maintenance_window_hour = 23
 ppdb_cloud_sql_db_maintenance_window_update_track = "stable"
 ppdb_cloud_sql_edition = "ENTERPRISE_PLUS"
 ppdb_cloud_sql_ipv4_enabled = "true"
-
+ppdb_cloud_sql_enable_private_path = "true"
From 8857ed9483f571162211e7be25d1e6d1e0653be6 Mon Sep 17 00:00:00 2001
From: dspeck1
Date: Tue, 19 May 2026 16:53:21 -0500
Subject: [PATCH 6/8] Enable data cache in dev.
---
 environment/deployments/ppdb/env/dev-cloudsql.tfvars | 1 +
 1 file changed, 1 insertion(+)
diff --git a/environment/deployments/ppdb/env/dev-cloudsql.tfvars b/environment/deployments/ppdb/env/dev-cloudsql.tfvars
index e4b143ec..b4555cbd 100644
--- a/environment/deployments/ppdb/env/dev-cloudsql.tfvars
+++ b/environment/deployments/ppdb/env/dev-cloudsql.tfvars
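Review bot: The description `"Direct services to use the private path for connectivity to CloudSQL"` on the new `enable_private_path_for_google_cloud_services` variable does not say which services or what changes when it is on, which matters because the flag widens who can reach the instance over private IP. Suggest `description = "When true, allows Google Cloud services (e.g. BigQuery) to reach this instance over its private IP rather than a public one; only meaningful when private_network is set."`. The deployment-side `ppdb_cloud_sql_enable_private_path` in environment/deployments/ppdb/cloudsql/variables.tf carries the same wording and should be updated with it.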
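Review bot: `ppdb_cloud_sql_enable_private_path = "true"` passes a string to a variable declared `type = bool`; Terraform coerces it, but the quoting is inconsistent with the unquoted `false` values earlier in the same file and invites a future `"false"`/`false` mix-up. Write `ppdb_cloud_sql_enable_private_path = true`. Since this, together with the public IP enabled two lines above, opens a second access path to the dev instance, a one-line comment naming the Google service that needs the private path would help the next reader judge whether it is still required.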
@@ -5,6 +5,7 @@ application_name = "ppdb"
 # PPDB CloudSQL Database
 ppdb_cloud_sql_backups_enabled = false
 ppdb_cloud_sql_backups_point_in_time_recovery_enabled = false
+ppdb_cloud_sql_data_cache_enabled = true
 ppdb_cloud_sql_db_tier = "db-custom-2-7680"
 ppdb_cloud_sql_db_maintenance_window_day = 1
 ppdb_cloud_sql_db_maintenance_window_hour = 23
From 5d6248b538fff43f179d4cee7c0bafa38602cb1c Mon Sep 17 00:00:00 2001
From: dspeck1
Date: Wed, 20 May 2026 15:21:15 -0500
Subject: [PATCH 7/8] Set prefix to be populated by application and environment variables.
---
 environment/deployments/ppdb/cloudsql/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/environment/deployments/ppdb/cloudsql/main.tf b/environment/deployments/ppdb/cloudsql/main.tf
index f865ab2d..b0600531 100644
--- a/environment/deployments/ppdb/cloudsql/main.tf
+++ b/environment/deployments/ppdb/cloudsql/main.tf
@@ -3,7 +3,7 @@ data "terraform_remote_state" "ppdb_project" {
 backend = "gcs"
 config = {
- prefix = "ppdb/dev"
+ prefix = "${var.application_name}/${var.environment}"
 bucket = var.state_bucket
 }
 }
From f95256de931da24f364529b29298230af1b0a72e Mon Sep 17 00:00:00 2001
From: dspeck1
Date: Thu, 21 May 2026 08:02:12 -0500
Subject: [PATCH 8/8] Bump serial to run GHA.
---
 environment/deployments/ppdb/env/dev-cloudsql.tfvars | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/environment/deployments/ppdb/env/dev-cloudsql.tfvars b/environment/deployments/ppdb/env/dev-cloudsql.tfvars
index b4555cbd..338108d3 100644
--- a/environment/deployments/ppdb/env/dev-cloudsql.tfvars
+++ b/environment/deployments/ppdb/env/dev-cloudsql.tfvars
@@ -20,4 +20,4 @@ ppdb_cloud_sql_enable_private_path = "true"
 # force Terraform to update this environment. You may need to do this if you
 # changed .tf files in this environment, or if you changed any modules that
 # this environment uses, but you didn't change any variables in this file.
-# Serial: 2
+# Serial: 3
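Review bot: `prefix = "${var.application_name}/${var.environment}"` makes the remote-state lookup depend on two unvalidated free-form strings, so a typo in a tfvars file fails late with an unsupported-attribute error on `.outputs.project_id`, or — if the mistyped name happens to exist in the bucket — quietly wires this Cloud SQL instance into another application's project and VPC. Add a `validation` block to `environment` in variables.tf restricting it to the environments this repo actually deploys, and one to `application_name` if it should always be `ppdb` for this directory. The data source remains named `ppdb_project` even though its prefix is now generic; a short comment noting that the directory is ppdb-specific would explain the asymmetry.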