IaC Bazaar

Linode Managed Database (MySQL/PostgreSQL)

HA managed database cluster with allowlists, maintenance windows, and fork/restore support on the new Aiven platform.

linode-database · terraform v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan: findings disclosed (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

linode-database

Status: static-validated, live-test pending. Ships under live-test quarantine — no Linode cloud sandbox is wired into the gate yet (Managed Database provisioning takes 10-15 minutes, so the live apply→verify→destroy lane is budgeted separately). Static validation (fmt, validate, tflint) is green.

High-availability Linode Managed Database (MySQL or PostgreSQL) on the new Aiven platform — one module call provisions the cluster, locks inbound access to an explicit allowlist (deny-by-default), sets an automated weekly maintenance window, optionally binds the cluster to a VPC subnet for private-only access, and supports fork/point-in-time restore. The engine selector picks the matching v2 resource (linode_database_mysql_v2 / linode_database_postgresql_v2) at plan time, so a single interface covers both engines. Works with Terraform and OpenTofu (>= 1.6), Linode provider >= 3.14, < 4.0.

Secure defaults

  • Deny-by-default networking. allow_list is empty by default, so no external source can connect until you name your application/VPC CIDRs explicitly. TLS + credentials are always required for any allowed source.
  • TLS enforced by the platform. The Aiven platform requires SSL (ssl_connection); the CA certificate is exported (sensitive) for verified connections.
  • HA by default. cluster_size defaults to 3 (primary + two replicas); drop to 1 only for non-production single-node clusters.
  • Explicit maintenance window. A weekly patch window (Sunday 04:00 UTC, 3h) is configured rather than left implicit.
  • Credentials never leak in plaintext. root_username, root_password, and ca_cert only leave the module through sensitive outputs.
  • Fast-fail invariant. fork_restore_time without fork_source is rejected at plan time (precondition) before any API call.

Usage

module "database" {
  source = "./linode-database"

  label          = "app-pg"
  engine         = "postgresql" # or "mysql"
  engine_version = "16"         # "8" for MySQL
  region         = "us-ord"
  type           = "g6-dedicated-2"
  cluster_size   = 3 # primary + two replicas

  # Deny-by-default — name the sources allowed to connect.
  allow_list = [
    "203.0.113.10/32",
    "10.0.0.0/24",
  ]

  # Private-only: reachable from inside the VPC, no public connectivity.
  private_network = {
    vpc_id        = module.vpc.vpc_id    # linode-vpc module
    subnet_id     = module.vpc.subnet_id
    public_access = false
  }

  updates = {
    day_of_week = 7 # 1=Monday .. 7=Sunday
    hour_of_day = 4
    duration    = 3
  }
}
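A plan-time gate for the deny-by-default and HA defaults described above, written against the `resource_changes` array of `terraform show -json`. This is an added example, not part of the module or the IaC Bazaar toolchain. It assumes the v2 resources expose `allow_list` and `cluster_size` under the same names as the module inputs; the prefix thresholds, the resource name `this` and the sample plan are constructed for illustration.

```python
import ipaddress

# Resource types named on the page; attribute names are assumed to mirror
# the module inputs (allow_list, cluster_size).
DB_TYPES = {"linode_database_mysql_v2", "linode_database_postgresql_v2"}

def audit_allow_list(entries, min_prefix_v4=16, min_prefix_v6=48):
    """Return findings for allowlist entries that undo deny-by-default."""
    findings = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{entry}: not a valid IP/CIDR")
            continue
        floor = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen == 0:
            findings.append(f"{entry}: any-source, equivalent to no allowlist")
        elif net.prefixlen < floor:
            findings.append(f"{entry}: broader than /{floor}")
    return findings

def audit_plan(plan):
    """Walk resource_changes from `terraform show -json` and collect findings."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in DB_TYPES:
            continue
        after = (rc.get("change") or {}).get("after")
        if not after:  # resource is being destroyed, nothing to audit
            continue
        addr = rc.get("address", "?")
        for f in audit_allow_list(after.get("allow_list") or []):
            findings.append(f"{addr}: allow_list {f}")
        if after.get("cluster_size") != 3:
            findings.append(f"{addr}: cluster_size {after.get('cluster_size')} is not HA")
    return findings

# Constructed sample plan fragment (not real Terraform output).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "module.database.linode_database_postgresql_v2.this[0]",
     "type": "linode_database_postgresql_v2",
     "change": {"actions": ["create"], "after": {
         "allow_list": ["203.0.113.10/32", "10.0.0.0/24", "0.0.0.0/0", "10.0.0.0/8"],
         "cluster_size": 1}}},
]}
```

In CI, load the JSON plan with `json.load` and fail the job when `audit_plan` returns any findings.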

Inputs

| Name | Type | Default | Description |
|---|---|---|---|
| label | string | | Unique cluster label, 3-32 chars (required) |
| engine | string | | mysql or postgresql (required) |
| engine_version | string | | Engine major version, e.g. "16" (pg) / "8" (mysql) (required) |
| region | string | | Linode region, e.g. us-ord (required) |
| type | string | g6-dedicated-2 | Node plan type (minimum sizes apply) |
| cluster_size | number | 3 | 1 (single node) or 3 (HA) |
| allow_list | list(string) | [] | Inbound IP/CIDR allowlist — empty = deny all |
| updates | object | {day_of_week=7, hour_of_day=4, duration=3, frequency="weekly"} | Weekly maintenance window (UTC); day_of_week 1=Mon..7=Sun |
| private_network | object | null | VPC binding {vpc_id, subnet_id, public_access} |
| fork_source | number | null | Source database ID to fork from |
| fork_restore_time | string | null | RFC3339 point-in-time for the fork (needs fork_source) |

Outputs

| Name | Description |
|---|---|
| database_id | Managed Database ID |
| label | Cluster label |
| engine | Resolved engine (mysql/postgresql) |
| engine_version | Resolved engine version |
| status | Operating status |
| host_primary | Read/write host |
| host_secondary | Replica host (HA) |
| port | Listening port |
| ssl_connection | Whether TLS is required (always true) |
| root_username | Admin username (sensitive) |
| root_password | Admin password (sensitive) |
| ca_cert | Base64 CA certificate (sensitive) |

Requirements

  • Terraform or OpenTofu >= 1.6
  • linode/linode provider >= 3.14, < 4.0
  • A Linode personal access token with Managed Databases write scope (LINODE_TOKEN or the provider token).
  • Managed Database provisioning takes ~10-15 minutes; minimum plan sizes apply per engine.

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial. IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).