Cloud SQL (PostgreSQL/MySQL) HA Instance
Regional-HA Cloud SQL with private IP (PSA/PSC), automated backups, PITR, read replicas and IAM database auth.
Verification
Plan-validatedPassed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).
Conformance
- Static validation (fmt · validate · tflint)
- Security scan: findings disclosed (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live test pending (no cloud run yet)
Last verified 2026-06-28 · how we verify
Documentation
gcp-cloud-sql
Regional-HA Cloud SQL (PostgreSQL/MySQL) with private IP via Private Service
Access, automated backups, point-in-time recovery, read replicas and IAM
database auth — the PSA networking footgun solved for you. Works with
Terraform and OpenTofu (>= 1.6), Google provider >= 7.0, < 8.0.
Secure defaults:
- No public IP (
ipv4_enabled = false); private IP through a PSA peering the module can create for you (reserved range +servicenetworkingconnection) - TLS-only client connections (
ssl_mode = "ENCRYPTED_ONLY") deletion_protection = true- Regional HA (
availability_type = "REGIONAL"), daily backups + PITR (engine-aware: WAL on PostgreSQL, binlog on MySQL) - IAM database authentication on, with the engine-correct flag spelling
Usage
module "cloud_sql" {
source = "./gcp-cloud-sql"
project_id = "my-project"
name = "prod-postgres"
region = "us-central1"
database_version = "POSTGRES_17"
tier = "db-custom-2-8192"
private_network = "projects/my-project/global/networks/prod-vpc"
databases = ["app"]
users = { app = { type = "BUILT_IN" } }
user_passwords = { app = var.db_password }
read_replicas = {
reporting = { region = "us-east1" }
}
}
Inputs
| Name | Type | Default | Description |
|---|---|---|---|
project_id | string | — | Host project (required) |
name | string | — | Instance name (required) |
region | string | — | Primary region (required) |
database_version | string | POSTGRES_17 | POSTGRES_* or MYSQL_* |
tier | string | db-custom-2-8192 | Machine tier |
edition | string | ENTERPRISE | ENTERPRISE or ENTERPRISE_PLUS |
availability_type | string | REGIONAL | REGIONAL (HA) or ZONAL |
deletion_protection | bool | true | Set false in disposable envs |
disk_type | string | PD_SSD | PD_SSD / PD_HDD / HYPERDISK_BALANCED |
disk_size_gb | number | 20 | Initial disk size |
disk_autoresize | bool | true | Auto-grow disk |
disk_autoresize_limit | number | 0 | Autoresize cap (0 = none) |
ipv4_enabled | bool | false | Public IP |
private_network | string | null | VPC self link for private IP |
create_private_service_access | bool | true | Create PSA range + peering |
psa_prefix_length | number | 16 | Reserved-range prefix length |
ssl_mode | string | ENCRYPTED_ONLY | TLS enforcement |
enable_private_path_for_google_cloud_services | bool | false | Private path for Google services |
authorized_networks | list(object) | [] | Public-IP CIDR allow-list |
backup_enabled | bool | true | Daily backups |
backup_start_time | string | 03:00 | Backup window (UTC) |
point_in_time_recovery | bool | true | PITR |
transaction_log_retention_days | number | 7 | PITR log retention |
retained_backups | number | 7 | Backups kept |
maintenance_window | object | day 7, hour 3, stable | Maintenance preferences |
query_insights_enabled | bool | true | Query Insights |
iam_authentication | bool | true | IAM DB auth flag |
database_flags | map(string) | {} | Extra flags |
read_replicas | map(object) | {} | Replicas keyed by suffix |
databases | list(string) | [] | Logical databases |
users | map(object) | {} | Users (type, host) |
user_passwords | map(string) | {} | Sensitive; keyed like users |
labels | map(string) | {} | user_labels on all instances |
Outputs
instance_name, connection_name, self_link, private_ip_address,
public_ip_address, replica_connection_names,
replica_private_ip_addresses, psa_range_name, database_names.
Notes
- PSA: a VPC can hold only one
servicenetworking.googleapis.comconnection. If yours already has one, setcreate_private_service_access = falseand the instance reuses it. - The instance needs at least one network path — the module fails the plan if
both
ipv4_enabled = falseandprivate_network = null. - Read replicas are always
ZONAL(Cloud SQL does not support HA replicas) and requirebackup_enabled = trueplus PITR logging on the primary. - Instance names cannot be reused for ~7 days after deletion — suffix names in ephemeral environments.
Requirements
- Terraform or OpenTofu
>= 1.6 hashicorp/google>= 7.0, < 8.0- APIs:
sqladmin.googleapis.com, plusservicenetworking.googleapis.comandcompute.googleapis.comwhen using private IP
Verification
Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.
License
Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).