OVHcloud Managed Database
Managed PG/MySQL/Kafka with users, IP restrictions, and private network egress.
Verification
Static-verified. Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).
Conformance
- Static validation (fmt · validate · tflint)
- No applicable security policies for this provider
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live test pending (no cloud run yet)
Last verified 2026-06-28
Documentation
ovh-managed-database
An OVHcloud Managed Database cluster — PostgreSQL, MySQL, Kafka, MongoDB, Redis/Valkey, OpenSearch, Cassandra, M3DB or Grafana — with a deny-by-default IP trust list, optional generic users, and private-network (vRack) node placement.
Status: static-validated, live-test pending. Validated with `tofu validate` + `tflint` + `checkov` against the `ovh/ovh` provider. Not yet applied against a live OVHcloud project, so it ships under live-test quarantine (no cloud sandbox account yet).
Design & secure defaults
- Deny-by-default ingress. The cluster authorizes no inbound source until you populate `ip_restrictions` with explicit CIDR blocks. Each entry is CIDR-validated. (This uses the standalone `ovh_cloud_project_database_ip_restriction` resource, keyed for clean diffs.)
- Deletion protection on. `deletion_protection = true` guards against accidental teardown; set `false` to allow destroy.
- Private networking ready. Each node block accepts a `network_id` (vRack/openstackId) + `subnet_id`; a validation enforces that all nodes share the same region and network so you cannot mix public and private nodes.
- Generic users handled safely. `users` creates accounts via the generic user resource, which OVH supports only for `mysql`, `cassandra`, `kafka`, and `grafana`. A precondition rejects `users` on other engines (postgresql, mongodb, redis use dedicated user resources) rather than silently failing. Generated passwords are exposed only through the `sensitive` output.
- No hardcoded secrets. Credentials come from the provider block / environment.
The engine matrix is wide; OVH constrains valid `version`/`flavor`/`plan` combinations per engine. Test one engine per run.
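The guards listed above can be expressed with standard Terraform/OpenTofu validation and precondition blocks. The following is an added sketch, not the module's own source: the variable shapes are assumed from the documented inputs, and `terraform_data.engine_guard` is a hypothetical name.

```hcl
# Added sketch of the documented guards; not the module's source.
# Variable shapes are assumptions based on the "Key inputs" table.

variable "engine" { type = string }

variable "ip_restrictions" {
  type = map(object({
    ip          = string
    description = optional(string)
  }))
  default = {} # empty map: no source is authorized
  validation {
    # cidrhost() errors on anything that is not a valid CIDR block.
    condition     = alltrue([for r in values(var.ip_restrictions) : can(cidrhost(r.ip, 0))])
    error_message = "Every ip_restrictions entry must be a valid CIDR block."
  }
}

variable "nodes" {
  type = list(object({
    region     = string
    network_id = optional(string)
    subnet_id  = optional(string)
  }))
  validation {
    # Exactly one distinct region/network pair means no public/private mix.
    condition     = length(distinct([for n in var.nodes : "${n.region}/${coalesce(n.network_id, "public")}"])) == 1
    error_message = "All nodes must share the same region and network."
  }
}

variable "users" {
  type    = list(object({ name = string }))
  default = []
}

# This check spans two variables. In Terraform 1.6 a variable validation block
# can only reference its own variable, so it is written as a precondition.
resource "terraform_data" "engine_guard" {
  lifecycle {
    precondition {
      condition     = length(var.users) == 0 || contains(["mysql", "cassandra", "kafka", "grafana"], var.engine)
      error_message = "Generic users are supported only for mysql, cassandra, kafka and grafana."
    }
  }
}
```

A plan with `engine = "postgresql"` and a non-empty `users` list fails at the precondition, and an entry such as `ip = "203.0.113.0"` (no prefix length) fails variable validation before any resource is planned.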
Usage
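```hcl
module "database" {
  # Unpinned source; append ?ref=<tag or commit> to pin the module version.
  source = "github.com/ITfreak/iacbazaar//artifacts/terraform/ovh-managed-database"

  service_name   = "00000000000000000000000000000000" # placeholder public cloud project id
  engine         = "postgresql"
  engine_version = "16"
  plan           = "essential"
  flavor         = "db1-4"
  nodes          = [{ region = "GRA" }]

  # Only these CIDR blocks may connect; an empty map authorizes no source.
  ip_restrictions = {
    office = { ip = "203.0.113.0/24", description = "office egress" }
  }
}
```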
See examples/basic for a complete configuration.
Key inputs
| Variable | Description | Default |
|---|---|---|
| `service_name` | Public cloud project id (project-scoped API keys) | required |
| `engine` | Engine (postgresql, mysql, kafka, …) | required |
| `engine_version` | Engine version (e.g. 16) | required |
| `plan` | essential / business / enterprise | `essential` |
| `flavor` | Node flavor (e.g. db1-4) | `db1-4` |
| `nodes` | List of node blocks (region, optional network_id/subnet_id) | one GRA node |
| `disk_size` | Disk size in GB | `null` (flavor default) |
| `ip_restrictions` | Map of allowed CIDR blocks (deny-by-default) | `{}` |
| `users` | Generic users (mysql/cassandra/kafka/grafana only) | `[]` |
| `deletion_protection` | Block accidental deletes | `true` |
| `advanced_configuration` | Engine key/value tuning | `{}` |
| `backup_time` / `maintenance_time` | Daily/weekly windows (HH:MM:SS UTC) | `null` |
Outputs
cluster_id, status, engine, version, network_type, disk_type,
endpoints (sensitive), user_ids, user_passwords (sensitive),
ip_restriction_status.
Provider
ovh/ovh >= 2.0, < 3.0. Requires Terraform/OpenTofu >= 1.6.
License
Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.