Exoscale DBaaS
Managed PG/MySQL/Kafka with IP filters and TF-managed users.
Verification
Plan-validated: Passed. Module logic verified on a mocked plan: inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).
Conformance
- Static validation (fmt · validate · tflint)
- No applicable security policies for this provider
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live test pending (no cloud run yet)
Last verified 2026-06-28
Documentation
exoscale-dbaas
An Exoscale DBaaS managed database — PostgreSQL, MySQL, or Kafka (Aiven-backed) — with a deny-by-default IP filter, termination protection, and, for PostgreSQL, declaratively-managed logical databases and users. Targets EU-sovereign zones (CH / AT / DE).
Status: static-validated, live-test pending. Validated with `tofu validate` + `tflint` + `checkov` against the `exoscale/exoscale` provider. Not yet applied against a live Exoscale account, so it ships under live-test quarantine.
Design & secure defaults
- One engine, selected by `type`. Set `type` to `pg`, `mysql`, or `kafka`; the module renders the matching engine block (the blocks are mutually exclusive). Engine version, backup schedule, and raw engine settings are shared inputs applied to whichever engine is active.
- Deny-by-default network exposure. `ip_filter` is empty by default, which denies all external sources. Add operator/app CIDRs explicitly; TLS is always required (the CA certificate is exported as a sensitive output).
- Termination protection on to prevent accidental deletion / power-off.
- Kafka enforces mTLS. `kafka_enable_cert_auth = true` by default; SASL is off unless explicitly enabled.
- Managed PostgreSQL objects. `pg_databases` and `pg_users` create logical databases and users when `type = "pg"`. User passwords are generated by the service and surfaced via the sensitive `pg_user_passwords` output — secrets are never used as `for_each` keys. A precondition rejects pg-only objects for non-pg engines.
Plan names drift. DBaaS plans are Aiven-backed and renamed over time. Confirm the current plan for your `type`/`zone` with `exo dbaas type show <type> --plans` before applying.
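The design points above (one engine block rendered per `type`, an empty `ip_filter` denying all sources, the pg-only precondition, and non-secret `for_each` keys), as an added HCL sketch that is not the module's own source. The `exoscale_dbaas` and `exoscale_dbaas_pg_user` resource and attribute names are assumed from the exoscale/exoscale provider documentation as I recall it and should be checked against the version you pin.

```hcl
variable "name" { type = string }
variable "plan" { type = string }
variable "zone" { type = string }
variable "pg_users" {
  type    = map(object({}))
  default = {}
}
variable "type" {
  type = string
  validation {
    condition     = contains(["pg", "mysql", "kafka"], var.type)
    error_message = "type must be one of pg, mysql, kafka."
  }
}
variable "ip_filter" {
  type    = list(string)
  default = [] # deny-by-default: an empty filter admits no external source
  validation {
    condition     = alltrue([for c in var.ip_filter : can(cidrhost(c, 0))])
    error_message = "ip_filter entries must be valid CIDR blocks."
  }
}
resource "exoscale_dbaas" "this" {
  name                   = var.name
  type                   = var.type
  plan                   = var.plan
  zone                   = var.zone
  termination_protection = true
  # Only the engine block matching var.type is rendered; mysql and kafka
  # blocks follow the same pattern (kafka adding enable_cert_auth = true).
  dynamic "pg" {
    for_each = var.type == "pg" ? [1] : []
    content { ip_filter = var.ip_filter }
  }
  lifecycle {
    precondition {
      condition     = var.type == "pg" || length(var.pg_users) == 0
      error_message = "pg_users is only valid when type = \"pg\"."
    }
  }
}

# for_each keys are user names, never secrets; the service generates each password.
resource "exoscale_dbaas_pg_user" "this" {
  for_each = var.type == "pg" ? var.pg_users : {}
  service  = exoscale_dbaas.this.name
  zone     = var.zone
  username = each.key
}
```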
Usage
```hcl
module "pg" {
  source       = "github.com/ITfreak/iacbazaar//artifacts/terraform/exoscale-dbaas"
  name         = "orders"
  type         = "pg"
  plan         = "startup-4"
  zone         = "ch-gva-2"
  ip_filter    = ["203.0.113.0/24"]
  pg_databases = { app = {} }
  pg_users     = { app_rw = {} }
}
```
See examples/basic for a complete configuration.
Key inputs
| Variable | Description | Default |
|---|---|---|
| `name` | Service name | required |
| `type` | `pg` / `mysql` / `kafka` | `pg` |
| `plan` | Aiven-backed plan slug | `startup-4` |
| `zone` | Exoscale zone (CH/AT/DE sovereign) | `ch-gva-2` |
| `ip_filter` | Allowed inbound CIDRs | `[]` (deny all) |
| `termination_protection` | Block deletion | `true` |
| `engine_version` | Engine major version | `null` (engine default) |
| `backup_schedule` | Daily backup HH:MM (pg/mysql) | `null` |
| `pg_settings` / `mysql_settings` / `kafka_settings` | Raw JSON engine settings | `null` |
| `kafka_enable_cert_auth` / `kafka_enable_sasl_auth` | Kafka auth | `true` / `false` |
| `pg_databases` | Logical DBs (pg only) | `{}` |
| `pg_users` | DB users (pg only) | `{}` |
| `maintenance_dow` / `maintenance_time` | Maintenance window | `sunday` / `03:00:00` |
Outputs
`service_id`, `service_name`, `type`, `zone`, `state`, `nodes`, `disk_size`, `ca_certificate` (sensitive), `pg_database_names`, `pg_user_names`, `pg_user_passwords` (sensitive map).
Provider
`exoscale/exoscale ~> 0.69`. Requires Terraform/OpenTofu >= 1.6.
License
Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.