DigitalOcean Managed Database
Managed PG/MySQL/Valkey cluster with firewall trust list, users, DBs, and replicas.
Verification
Plan-validated. Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).
Conformance
- Static validation (fmt · validate · tflint)
- No applicable security policies for this provider
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live test pending (no cloud run yet)
Last verified 2026-06-28 · how we verify
Documentation
do-managed-database
Managed PG/MySQL/Valkey cluster with firewall trust list, users, DBs, and
replicas. One module call provisions the cluster (single-node to 3-node HA),
locks inbound access to an explicit trust list, creates additional users and
logical databases, and stamps out read replicas — with engine-conditional
arguments (sql_mode, eviction_policy) wired automatically so a single
interface covers all three engines. Works with Terraform and OpenTofu
(>= 1.6), DigitalOcean provider >= 2.0, < 3.0.
Opinionated defaults:
- Explicit weekly maintenance window (Sunday 04:00 UTC)
- Engine-conditional preconditions fail fast at plan time (users/DBs/replicas on Valkey are rejected before any API call)
- Credentials only leave the module through sensitive outputs
Usage
```hcl
module "db" {
  source = "./do-managed-database"

  name           = "app-pg"
  engine         = "pg"
  engine_version = "17"
  region         = "fra1"
  node_count     = 2 # primary + standby

  private_network_uuid = digitalocean_vpc.main.id

  trusted_sources = [
    { type = "tag", value = "app" }, # droplets tagged "app"
    { type = "ip_addr", value = "203.0.113.10" },
  ]

  users     = ["app_rw"]
  databases = ["app"]

  read_replicas = {
    reporting = { size = "db-s-2vcpu-4gb" }
  }

  tags = ["env:prod"]
}
```
Inputs
| Name | Type | Default | Description |
|---|---|---|---|
| name | string | — | Cluster name (required) |
| engine | string | — | pg, mysql, or valkey (required) |
| engine_version | string | — | Engine major version, e.g. "17" (required) |
| size | string | db-s-1vcpu-1gb | Node size slug |
| region | string | — | DO region slug (required) |
| node_count | number | 1 | 1–3 nodes (2+ = HA standbys) |
| private_network_uuid | string | null | VPC for the cluster (null = region default) |
| storage_size_mib | number | null | Extra disk (pg/mysql) |
| sql_mode | string | null | MySQL sql_mode (ignored otherwise) |
| eviction_policy | string | null | Valkey eviction policy (ignored otherwise) |
| maintenance_window | object | {day="sunday", hour="04:00"} | Weekly window (UTC) |
| trusted_sources | list(object) | [] | Firewall rules {type, value}; type ∈ ip_addr/droplet/k8s/tag/app |
| users | list(string) | [] | Additional users (pg/mysql) |
| databases | list(string) | [] | Additional logical DBs (pg/mysql) |
| read_replicas | map(object) | {} | Replicas keyed by name: {size, region, private_network_uuid} |
| tags | list(string) | [] | DO tags |
Outputs
cluster_id, cluster_urn, host, private_host, port,
default_database, default_user, default_password (sensitive), uri
(sensitive), private_uri (sensitive), user_passwords (sensitive),
database_names, replica_hosts, replica_private_hosts, replica_uris
(sensitive).
Notes
- Set trusted_sources in production. Without it, DigitalOcean leaves the cluster reachable from any source (TLS + password still required).
- Provisioning takes ~10 minutes; replicas add a few more each.
- Valkey clusters do not support extra users, logical DBs, or replicas — the module rejects those combinations at plan time.
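The first note can be enforced in CI before apply. The script below is an added example, not part of the module: it walks the `planned_values` tree of `terraform show -json` output and reports any module that plans a database cluster without firewall rules, plus rules with a type outside the documented list or an unparsable `ip_addr` value. It assumes the module implements `trusted_sources` with the provider's `digitalocean_database_firewall` resource (the page does not show the module's internals); the resource name `this` and the sample plan are constructed.

```python
import ipaddress

CLUSTER = "digitalocean_database_cluster"
FIREWALL = "digitalocean_database_firewall"
RULE_TYPES = {"ip_addr", "droplet", "k8s", "tag", "app"}  # from the Inputs table

def walk(module):
    """Yield (address, resources) for a module and every nested child module."""
    yield module.get("address", "root"), module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def audit(plan):
    """Return one finding per cluster left open or per malformed firewall rule."""
    findings = []
    for addr, resources in walk(plan["planned_values"]["root_module"]):
        clusters = [r["address"] for r in resources if r["type"] == CLUSTER]
        rules = [rule for r in resources if r["type"] == FIREWALL
                 for rule in r["values"].get("rule") or []]
        if clusters and not rules:
            findings += [f"{c}: no firewall rules, reachable from any source" for c in clusters]
        for rule in rules:
            kind, value = rule.get("type"), rule.get("value")
            if kind not in RULE_TYPES:
                findings.append(f"{addr}: unknown rule type {kind!r}")
            elif kind == "ip_addr" and value is not None:  # None = unknown until apply
                try:
                    if ipaddress.ip_network(value, strict=False).prefixlen == 0:
                        findings.append(f"{addr}: rule {value} matches every address")
                except ValueError:
                    findings.append(f"{addr}: {value!r} is not an IP address")
    return findings

def res(module, rtype, values):
    """Build one constructed planned_values resource entry (name 'this' is assumed)."""
    return {"address": f"{module}.{rtype}.this", "type": rtype, "values": values}

# Constructed sample, shaped like `terraform show -json` output; not a real plan.
SAMPLE_PLAN = {"planned_values": {"root_module": {"child_modules": [
    {"address": "module.db", "resources": [
        res("module.db", CLUSTER, {"engine": "pg"}),
        res("module.db", FIREWALL, {"rule": [
            {"type": "tag", "value": "app"},
            {"type": "ip_addr", "value": "203.0.113.10"}]})]},
    {"address": "module.cache", "resources": [
        res("module.cache", CLUSTER, {"engine": "valkey"})]},
]}}}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PLAN)) or "ok")
```

In a pipeline, load the real plan with `json.load` and fail the job when `audit` returns any finding.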
Requirements
- Terraform or OpenTofu >= 1.6
- digitalocean/digitalocean provider >= 2.0, < 3.0 (the valkey engine needs a recent 2.x — latest recommended)
Verification
Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.
License
Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).