UpCloud Managed Database
Managed PG/MySQL with properties tuning, users, and logical DBs.
Verification
Static-verified. Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).
Conformance
- Static validation (fmt · validate · tflint)
- No applicable security policies for this provider
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live test pending (no cloud run yet)
Last verified 2026-06-28
Documentation
upcloud-managed-database
A hardened UpCloud Managed PostgreSQL service: private-by-default endpoint
with a deny-all IP filter, managed encrypted storage, termination
protection, a daily backup window, common tuning properties, and
declaratively-managed additional users and logical databases. Works with
Terraform and OpenTofu (>= 1.6), UpCloud provider >= 5.0, < 6.0.
EU/Nordic-sovereign infrastructure, MIT-licensed provider.
Status: static-validated, live-test pending. Validated with `tofu validate` + `tflint` + `checkov` against the `UpCloudLtd/upcloud` provider. Not yet applied against a live UpCloud account (no cloud sandbox yet; a managed service takes several minutes to provision), so it ships under live-test quarantine.
Design & secure defaults
- Not publicly exposed. `public_access = false` by default. The inbound `ip_filter` defaults to empty = deny all external sources; connect over the SDN private network or the utility-network allow list. A precondition refuses `public_access = true` unless you also supply an `ip_filter`, so you can never open the database to all of the internet by accident.
- Encryption + TLS are intrinsic to UpCloud Managed Databases (storage encrypted at rest; connections require TLS — see the `sslmode` output).
- Termination protection on by default — destroying the service is blocked until you flip the flag.
- Daily managed backups at a configurable UTC `backup_hour`/`backup_minute`.
- Per-engine resource model. This module uses the engine-specific `upcloud_managed_database_postgresql` (not a generic resource), plus `upcloud_managed_database_user` and `upcloud_managed_database_logical_database`.
- Secret hygiene. Users are keyed by username (non-sensitive `for_each`); optional explicit passwords come from a separate `sensitive` map, never used as a key. Generated passwords and the connection URI are exported as sensitive outputs.
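The two mechanisms described above, the public-access precondition and the username/password split, shown as one added example. This is not the module's own source: the resource name `this`, the plan and zone values, and the use of `hashicorp/random` for generated passwords are assumptions, and the provider attribute names (`properties.public_access`, `properties.ip_filter`, `pg_access_control.allow_replication`) should be checked against the provider version you pin.

```hcl
# Added example, not the module's source. Attribute names follow the
# UpCloudLtd/upcloud provider schema as understood here; verify against your pin.
terraform {
  required_providers {
    upcloud = {
      source  = "UpCloudLtd/upcloud"
      version = ">= 5.0, < 6.0"
    }
    random = {
      source = "hashicorp/random" # assumption: used only for generated passwords
    }
  }
}

variable "public_access" {
  type    = bool
  default = false
}

variable "ip_filter" {
  type    = list(string)
  default = [] # empty = deny all external sources
}

# Keyed by username: the map keys are non-sensitive, so they may drive for_each.
variable "users" {
  type = map(object({
    allow_replication = optional(bool, false)
  }))
  default = {}
}

# Explicit passwords live in a separate sensitive map and are never used as a key.
variable "user_passwords" {
  type      = map(string)
  default   = {}
  sensitive = true
}

resource "upcloud_managed_database_postgresql" "this" {
  name  = "app-pg"              # placeholder
  plan  = "1x1xCPU-2GB-25GB"    # placeholder
  zone  = "de-fra1"             # placeholder
  title = "app-pg"

  termination_protection = true

  properties {
    public_access = var.public_access
    ip_filter     = var.ip_filter
  }

  lifecycle {
    # Refuse a public endpoint unless an explicit allow list accompanies it.
    precondition {
      condition     = !var.public_access || length(var.ip_filter) > 0
      error_message = "public_access = true requires a non-empty ip_filter; refusing to expose the service to every source address."
    }
  }
}

# One generated password per declared user; an explicit entry in
# var.user_passwords takes precedence below, so the generated value is then unused.
resource "random_password" "user" {
  for_each = var.users
  length   = 32
  special  = false
}

resource "upcloud_managed_database_user" "this" {
  for_each = var.users # non-sensitive keys only

  service  = upcloud_managed_database_postgresql.this.id
  username = each.key
  password = lookup(var.user_passwords, each.key, random_password.user[each.key].result)

  pg_access_control {
    allow_replication = each.value.allow_replication
  }
}

# Exported only as a sensitive output; never interpolated into a key or label.
output "user_passwords" {
  value     = { for name, u in upcloud_managed_database_user.this : name => u.password }
  sensitive = true
}
```

Because `for_each` iterates `var.users` rather than the sensitive password map, Terraform never has to derive resource addresses from secret material, and a later change to a password does not rename or recreate the user resource.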
Usage
```hcl
module "database" {
  source     = "./upcloud-managed-database"
  name       = "app-pg"
  zone       = "de-fra1"
  plan       = "2x2xCPU-4GB-100GB"
  pg_version = "17"
  ip_filter  = ["203.0.113.0/24"] # office / bastion CIDR

  users = {
    app      = { allow_replication = false }
    reporter = { allow_replication = false }
  }

  logical_databases = {
    app = { character_set = "UTF8", collation = "en_US.UTF-8" }
  }

  labels = { environment = "prod" }
}
```
Inputs
| Name | Type | Default | Description |
|---|---|---|---|
| name | string | — | Service name / hostname prefix (required) |
| zone | string | — | UpCloud zone slug, e.g. de-fra1 (required) |
| plan | string | 1x1xCPU-2GB-25GB | Managed-database plan slug (node count, vCPU, RAM, disk) |
| title | string | null | Console title (defaults to name) |
| pg_version | string | 17 | PostgreSQL major version |
| termination_protection | bool | true | Block deletion while enabled |
| maintenance_window_dow | string | sunday | Maintenance weekday (lowercase) |
| maintenance_window_time | string | 03:00:00 | Maintenance start HH:MM:SS (UTC) |
| public_access | bool | false | Expose a public endpoint (requires non-empty ip_filter) |
| ip_filter | list(string) | [] | Allowed inbound CIDRs; empty = deny all |
| automatic_utility_network_ip_filter | bool | true | Auto-allow same utility-network servers |
| backup_hour | number | 2 | UTC hour (0–23) for the daily backup |
| backup_minute | number | 0 | Minute (0–59) for the daily backup |
| private_network | object | null | SDN attachment {name, uuid, family} |
| log_min_duration_statement | number | -1 | Log statements slower than N ms (-1 = off) |
| idle_in_transaction_session_timeout | number | 0 | Kill idle-in-transaction after N ms (0 = off) |
| work_mem | number | null | Per-operation work memory in MB |
| pg_timezone | string | null | Default server timezone (PGTZ) |
| users | map(object) | {} | Additional users keyed by username |
| user_passwords | map(string) | {} (sensitive) | Optional explicit passwords keyed by username |
| logical_databases | map(object) | {} | Logical databases keyed by name (character_set, collation) |
| labels | map(string) | {} | Labels applied to the service |
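Validation rules for several of the inputs listed above, as an added example rather than the module's own `variables.tf`. Types and defaults are taken from the table; the rule bodies are assumptions about how one would enforce them, and the catch-all check on `ip_filter` goes beyond what the page describes: it stops a caller from satisfying the public-access precondition with a range that admits every source address.

```hcl
# Added example (not the module's variables.tf). Defaults mirror the Inputs table.

variable "ip_filter" {
  type        = list(string)
  default     = []
  description = "Allowed inbound CIDRs; empty = deny all"

  validation {
    # cidrhost() errors on anything that is not a parseable IPv4/IPv6 CIDR.
    condition     = alltrue([for c in var.ip_filter : can(cidrhost(c, 0))])
    error_message = "Every ip_filter entry must be a valid CIDR, e.g. 203.0.113.0/24."
  }

  validation {
    # Addition beyond the page: a catch-all range would defeat the allow-list intent.
    condition     = !contains(var.ip_filter, "0.0.0.0/0") && !contains(var.ip_filter, "::/0")
    error_message = "ip_filter must not contain a catch-all range; list the specific source CIDRs instead."
  }
}

variable "backup_hour" {
  type        = number
  default     = 2
  description = "UTC hour (0-23) for the daily backup"

  validation {
    condition     = var.backup_hour >= 0 && var.backup_hour <= 23 && floor(var.backup_hour) == var.backup_hour
    error_message = "backup_hour must be an integer from 0 to 23."
  }
}

variable "backup_minute" {
  type        = number
  default     = 0
  description = "Minute (0-59) for the daily backup"

  validation {
    condition     = var.backup_minute >= 0 && var.backup_minute <= 59 && floor(var.backup_minute) == var.backup_minute
    error_message = "backup_minute must be an integer from 0 to 59."
  }
}

variable "maintenance_window_dow" {
  type        = string
  default     = "sunday"
  description = "Maintenance weekday (lowercase)"

  validation {
    condition = contains(
      ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"],
      var.maintenance_window_dow
    )
    error_message = "maintenance_window_dow must be a lowercase English weekday name."
  }
}

variable "maintenance_window_time" {
  type        = string
  default     = "03:00:00"
  description = "Maintenance start HH:MM:SS (UTC)"

  validation {
    condition     = can(regex("^([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$", var.maintenance_window_time))
    error_message = "maintenance_window_time must be HH:MM:SS in 24-hour UTC."
  }
}

variable "log_min_duration_statement" {
  type        = number
  default     = -1
  description = "Log statements slower than N ms (-1 = off)"

  validation {
    condition     = var.log_min_duration_statement == -1 || var.log_min_duration_statement >= 0
    error_message = "log_min_duration_statement must be -1 (off) or a non-negative number of milliseconds."
  }
}
```

These rules fail at `validate`/`plan` time, before any API call, which is what lets the page's mocked plan tests exercise them without a live UpCloud account.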
Outputs
| Name | Description |
|---|---|
| service_id | Service UUID |
| service_host | Primary connection hostname |
| service_port | Primary connection port |
| service_username | Default (admin) username |
| service_password | Default (admin) password (sensitive) |
| service_uri | Full connection URI (sensitive) |
| primary_database | Primary logical database name |
| sslmode | Required TLS mode |
| state | Operational state |
| user_names | Additional usernames created |
| user_passwords | Map username => password (sensitive) |
| logical_database_names | Additional logical database names |
Requirements
| Requirement | Version |
|---|---|
| Terraform / OpenTofu | >= 1.6 |
| UpCloudLtd/upcloud | >= 5.0, < 6.0 |
License
Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.