IaC Bazaar
Google Cloud · Static-verified

AlloyDB for PostgreSQL Cluster

AlloyDB cluster with primary + read-pool instances, PSC connectivity, automated backups and columnar/vector engine flags.

gcp-alloydb · terraform v1.7

Verification

Static-verified

Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan: findings disclosed (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

gcp-alloydb

An AlloyDB for PostgreSQL cluster — HA primary instance plus optional read-pool instances — with private connectivity (Private Service Access or Private Service Connect), automated weekly backups and continuous backup / PITR, optional CMEK, and the columnar engine flag on by default for analytical and vector/AI workloads. One module call gives you a cluster that is private, encrypted, backed up and deletion-protected by default. Works with Terraform and OpenTofu (>= 1.6), Google provider >= 7.0, < 8.0.

Status: static-validated, live-test pending. Validated with tofu validate + tflint + checkov against the hashicorp/google provider. Not yet applied against a live GCP project (no cloud sandbox; AlloyDB has no free tier and a cluster takes ~10 min to provision), so it ships under live-test quarantine.

Design & secure defaults

  • Private-only connectivity. Choose Private Service Access (psa, the default — the cluster gets a private IP in your VPC) or Private Service Connect (psc). There is no public-IP option in this module. For PSA the module can create the global address + service networking peering for you.
  • Encryption at rest is always on; supply kms_key_name to use CMEK for the cluster, automated backups and continuous backups.
  • Backups on by default: a weekly automated policy (quantity-based retention, 14 backups) plus continuous backup for point-in-time recovery (14-day window). Both are independently toggleable.
  • HA by default: the primary is REGIONAL (multi-zone) unless you opt into ZONAL.
  • Columnar / vector engine on: google_columnar_engine.enabled = on by default — AlloyDB's headline accelerator for analytics and vector similarity search. Extend database_flags (e.g. for pgvector tuning) as needed.
  • Deletion policy DEFAULT: the cluster cannot be deleted while instances exist. Set FORCE only in disposable environments.
  • Secrets stay out of the config: the initial user's password is a separate sensitive variable, sourced from your secret manager — never hardcoded.
  • Cross-field invariants enforced with precondition: PSA requires a network; setting initial_user_name requires initial_user_password.
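
Because the module is static-validated only, the defaults above are worth confirming in your own plan before applying. The check below is an added example, not code from the module or from IaC Bazaar: it reads the JSON produced by `terraform show -json` and flags AlloyDB settings weaker than those defaults. It assumes the attribute names of the hashicorp/google provider's google_alloydb_cluster and google_alloydb_instance resources; the sample plan and its resource addresses are constructed.

```python
# Constructed sample shaped like `terraform show -json tfplan` output (resource_changes only).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "google_alloydb_cluster.good", "type": "google_alloydb_cluster",
     "change": {"after": {
         "deletion_policy": "DEFAULT", "psc_config": [],
         "network_config": [{"network": "projects/example/global/networks/example-vpc"}],
         "automated_backup_policy": [{"enabled": True}], "continuous_backup_config": [{"enabled": True}]}}},
    {"address": "google_alloydb_cluster.weak", "type": "google_alloydb_cluster",
     "change": {"after": {
         "deletion_policy": "FORCE", "psc_config": [{"psc_enabled": True}],
         "automated_backup_policy": [{"enabled": False}], "continuous_backup_config": [{"enabled": False}]}}},
    {"address": "google_alloydb_instance.weak_primary", "type": "google_alloydb_instance",
     "change": {"after": {
         "instance_type": "PRIMARY", "availability_type": "ZONAL",
         "network_config": [{"enable_public_ip": True}]}}},
]}

def blocks(values, name):
    """Nested blocks are lists of objects in plan JSON; absent blocks are [] or null."""
    return values.get(name) or []

def check_plan(plan):
    """Return (address, finding) pairs for settings weaker than the defaults listed above."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if not after:  # resource is being deleted: nothing to check
            continue
        addr, kind = rc["address"], rc["type"]
        if kind == "google_alloydb_cluster":
            if after.get("deletion_policy") == "FORCE":
                findings.append((addr, "deletion_policy is FORCE"))
            if not any(b.get("enabled") for b in blocks(after, "automated_backup_policy")):
                findings.append((addr, "automated backups disabled"))
            if not any(b.get("enabled") for b in blocks(after, "continuous_backup_config")):
                findings.append((addr, "continuous backup (PITR) disabled"))
            psa = any(b.get("network") for b in blocks(after, "network_config"))
            psc = any(b.get("psc_enabled") for b in blocks(after, "psc_config"))
            if not (psa or psc):  # values unknown until apply are null here and count as missing
                findings.append((addr, "no PSA network or PSC configured"))
        elif kind == "google_alloydb_instance":
            if any(b.get("enable_public_ip") for b in blocks(after, "network_config")):
                findings.append((addr, "public IP enabled"))
            if after.get("instance_type") == "PRIMARY" and after.get("availability_type") == "ZONAL":
                findings.append((addr, "primary is ZONAL, not REGIONAL"))
    return findings

if __name__ == "__main__":
    for addr, finding in check_plan(SAMPLE_PLAN):
        print(f"{addr}: {finding}")
```

Attributes whose values are only known after apply appear as null in the plan's `after` object, so a network created in the same plan can show up as a connectivity finding; confirm those against `after_unknown` before treating them as real.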

Requirements

| Requirement | Version |
|---|---|
| Terraform / OpenTofu | >= 1.6 |
| hashicorp/google | >= 7.0, < 8.0 |

License

Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
