first sync

.gitignore

@@ -32,6 +32,7 @@ crash.*.log
 
 # Ignore transient lock info files created by terraform apply
 .terraform.tfstate.lock.info
+.terraform.lock.hcl
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 *tfplan*

databases.tf

@@ -0,0 +1,22 @@
+# create a database server instance
+resource "google_sql_database_instance" "this" {
+  name             = var.instance_name
+  database_version = "POSTGRES_15"
+
+  region = var.region
+
+  settings {
+    tier            = var.database_tier
+    disk_size       = 20
+    disk_autoresize = true
+    backup_configuration {
+      enabled = true
+    }
+  }
+}
+
+# create a database inside the instance
+resource "google_sql_database" "this" {
+  instance = google_sql_database_instance.this.id
+  name     = var.database_name
+}

google-secret.tf

@@ -0,0 +1,14 @@
+# create a secret in secret manager to store database credentials
+resource "google_secret_manager_secret" "this" {
+  secret_id = "${var.instance_name}/${var.database_name}"
+
+  replication {
+    auto {}
+  }
+}
+
+# store the password in the secret
+resource "google_secret_manager_secret_version" "this" {
+  secret      = google_secret_manager_secret.this.id
+  secret_data = jsonencode(local.database_access)
+}

outputs.tf

@@ -0,0 +1,4 @@
+output "database_dns_name" {
+  description = "the DNS name of the instance"
+  value       = google_sql_database_instance.this.dns_name
+}

provider.tf

@@ -0,0 +1,17 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 5.34.0"
+    }
+    vault = {
+      source  = "hashicorp/vault"
+      version = ">= 4"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3"
+    }
+  }
+  required_version = "> 1.7.5"
+}

user.tf

@@ -0,0 +1,17 @@
+locals {
+  database_access = {
+    database_host = google_sql_database_instance.this.ip_address[0].ip_address
+    username      = google_sql_user.user.name
+    password      = google_sql_user.user.password
+  }
+}
+
+resource "random_password" "user_password" {
+  length = 12
+}
+
+resource "google_sql_user" "user" {
+  instance = google_sql_database_instance.this.id
+  name     = var.database_user_name
+  password = random_password.user_password.result
+}

variables.tf

@@ -0,0 +1,26 @@
+variable "instance_name" {
+  description = "the name of the database instance to create"
+  type        = string
+}
+
+variable "region" {
+  description = "the GCP region to deploy the database to"
+  type        = string
+  default     = "europe-west1"
+}
+
+variable "database_tier" {
+  description = "the database tier to use"
+  type        = string
+  default     = "db-f1-micro"
+}
+
+variable "database_name" {
+  description = "the name of the database to create in the instance"
+  type        = string
+}
+
+variable "database_user_name" {
+  description = "the name of the database user to create"
+  type        = string
+}

vault-secret.tf

@@ -0,0 +1,5 @@
+resource "vault_kv_secret_v2" "this" {
+  mount     = "secret"
+  name      = "${var.instance_name}/${var.database_name}"
+  data_json = jsonencode(local.database_access)
+}