5.3 KiB
Cloud SQL instance with multi-region read replicas
This example creates a Cloud SQL instance with multi-region read replicas as described in the Cloud SQL for PostgreSQL disaster recovery article.
The solution is resilient to a regional outage. To get familiar with the procedure needed in the unfortunate case of a disaster recovery, please follow steps described in part two of the aforementioned article.
The solution will use:
- A VPC with Private Service Access to deploy the instances
- Postgre SQL instanced with Private IP
This is the high level diagram:
Requirements
This example will deploy all its resources into the project defined by the project_id variable. Please note that we assume this project already exists. However, if you provide the appropriate values to the project_create variable, the project will be created as part of the deployment.
If project_create is left to null, the identity performing the deployment needs the owner role on the project defined by the project_id variable. Otherwise, the identity performing the deployment needs resourcemanager.projectCreator on the resource hierarchy node specified by project_create.parent and billing.user on the billing account specified by project_create.billing_account_id.
Deployment
Configure the Terraform variables in your terraform.tfvars file. You need to specify at least the project_id and prefix variables. See terraform.tfvars.sample as starting point.
Run Terraform init:
$ terraform init
$ terraform apply
You should see the output of the Terraform script with resources created and some commands that you'll need in the following steps below.
Move to real use case consideration
This implementation is intentionally minimal and easy to read. A real world use case should consider:
- Using a Shared VPC
- Using VPC-SC to mitigate data exfiltration
Test your environment
We assume all those steps are run using a user listed on data_eng_principals. You can authenticate as the user using the following command:
$ gcloud init
$ gcloud auth application-default login
Below you can find commands to connect to the VM instance and Cloud SQL instance.
$ gcloud compute ssh sql-test --project PROJECT_ID --zone ZONE
sql-test:~$ cloud_sql_proxy -instances=CLOUDSQL_INSTANCE=tcp:5432
sql-test:~$ psql 'host=127.0.0.1 port=5432 sslmode=disable dbname=DATABASE user=USER'
You can find computed commands on the Terraform demo_commands output.
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| postgres_user_password | postgres user password. |
string |
✓ | |
| prefix | Unique prefix used for resource names. Not used for project if 'project_create' is null. | string |
✓ | |
| project_id | Project id, references existing project if project_create is null. |
string |
✓ | |
| cmek_encryption | Flag to enable CMEK on GCP resources created. | bool |
false |
|
| data_eng_principals | Groups with Service Account Token creator role on service accounts in IAM format, only user supported on CloudSQL, eg 'user@domain.com'. | list(string) |
[] |
|
| postgres_database | postgres database. |
string |
"guestbook" |
|
| project_create | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) |
null |
|
| regions | Map of instance_name => location where instances will be deployed. | map(string) |
{…} |
|
| sql_configuration | Cloud SQL configuration | object({…}) |
{…} |
Outputs
| name | description | sensitive |
|---|---|---|
| connection_names | Connection name of each instance. | |
| demo_commands | Demo commands. | |
| ips | IP address of each instance. | |
| project_id | ID of the project containing all the instances. |