This module implements an instance of the IBM Cloud Databases for PostgreSQL service.
❗ The module does not support major version upgrades or updates to encryption and backup encryption keys. To upgrade the version, create another instance of Databases for PostgreSQL with the updated version and follow the steps in Upgrading PostgreSQL docs in the IBM Cloud Docs.
❗ The module only supports setting the disk encryption and backup encryption key CRNs on creation and no update support is available. The KMS manual or automatic key rotation may be used to change the key value and initiate the re-encryption of the deployment.
IBM Cloud Databases supports:
- Key Protect encryption in
us-south
,us-east
, andeu-de
for backup encryption. For more information, see Bring Your Own Key for Backups in the IBM Cloud Docs. - Hyper Protect Crypto Services in all regions for backup encryption. For more information, see Hyper Protect Crypto Services for Backup encryption in the IBM Cloud Docs.
If you enable key management encryption and no value is passed for 'backup_encryption_key_crn', the value of 'kms_key_crn' is used
provider "ibm" {
ibmcloud_api_key = "XXXXXXXXXX"
region = "us-south"
}
module "postgresql_db" {
source = "terraform-ibm-modules/icd-postgresql/ibm"
version = "latest" # Replace "latest" with a release version to lock into a specific release
resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
name = "my-instance"
region = "us-south"
}
You need the following permissions to run this module.
- Account Management
- Databases for PostgreSQL service
Editor
role access
- Databases for PostgreSQL service
To attach access management tags to resources in this module, you need the following permissions.
- IAM Services
- Tagging service
Administrator
platform access
- Tagging service
- Restore from backup example
- Basic with read-only replica example
- Complete example with BYOK encryption, CBR rules and VPE creation
- Financial Services Cloud profile example with autoscaling enabled
- Point in time recovery example (PITR)
Name | Version |
---|---|
terraform | >= 1.3.0 |
ibm | >= 1.70.0, <2.0.0 |
time | >= 0.9.1 |
Name | Source | Version |
---|---|---|
cbr_rule | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.28.1 |
Name | Type |
---|---|
ibm_database.postgresql_db | resource |
ibm_iam_authorization_policy.kms_policy | resource |
ibm_resource_key.service_credentials | resource |
ibm_resource_tag.postgresql_tag | resource |
time_sleep.wait_for_authorization_policy | resource |
ibm_database_connection.database_connection | data source |
ibm_database_point_in_time_recovery.source_db_earliest_pitr_time | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
access_tags | A list of access tags to apply to the PostgreSQL instance created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details | list(string) |
[] |
no |
admin_pass | The password for the database administrator. If the admin password is null then the admin user ID cannot be accessed. More users can be specified in a user block. | string |
null |
no |
auto_scaling | Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://ibm.biz/autoscaling-considerations in the IBM Cloud Docs. | object({ |
null |
no |
backup_crn | The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty. | string |
null |
no |
backup_encryption_key_crn | The Hyper Protect Crypto Services (HPCS) or Key Protect root key CRN to use for encrypting the disk that holds deployment backups. Only used if var.kms_encryption_enabled is set to true. There are region limitations for backup encryption. See https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups (HPCS) and https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok (Key Protect). | string |
null |
no |
cbr_rules | (Optional, list) List of CBR rules to create | list(object({ |
[] |
no |
configuration | Database configuration parameters, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-changing-configuration&interface=api for more details. | object({ |
null |
no |
existing_kms_instance_guid | The GUID of the Hyper Protect Crypto Services or Key Protect instance in which the key specified in var.kms_key_crn and var.backup_encryption_key_crn is coming from. Required only if var.kms_encryption_enabled is set to true, var.skip_iam_authorization_policy is set to false, and you pass a value for var.kms_key_crn, var.backup_encryption_key_crn, or both. | string |
null |
no |
kms_encryption_enabled | Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs | bool |
false |
no |
kms_key_crn | The root key CRN of a Key Management Services like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for disk encryption. Only used if var.kms_encryption_enabled is set to true. | string |
null |
no |
member_cpu_count | Allocated dedicated CPU per member. For shared CPU, set to 0. Learn more. Ignored during restore and point in time recovery operations | number |
0 |
no |
member_disk_mb | Allocated disk per member. Learn more. Ignored during restore and point in time recovery operations | number |
5120 |
no |
member_host_flavor | Allocated host flavor per member. Learn more. Ignored during restore and point in time recovery operations | string |
null |
no |
member_memory_mb | Allocated memory per member. Learn more. Ignored during restore and point in time recovery operations | number |
4096 |
no |
members | Allocated number of members. Members can be scaled up but not down. | number |
2 |
no |
name | The name to give the Postgresql instance. | string |
n/a | yes |
pg_version | Version of the PostgreSQL instance. If no value is passed, the current preferred version of IBM Cloud Databases is used. | string |
null |
no |
pitr_id | (Optional) The ID of the source deployment PostgreSQL instance that you want to recover back to. The PostgreSQL instance is expected to be in an up and in running state. | string |
null |
no |
pitr_time | (Optional) The timestamp in UTC format (%Y-%m-%dT%H:%M:%SZ) for any time in the last 7 days that you want to restore to. If empty string ("") is passed, earliest_point_in_time_recovery_time will be used as pitr_time. To retrieve the timestamp, run the command (ibmcloud cdb postgresql earliest-pitr-timestamp ). For more info on Point-in-time Recovery, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-pitr | string |
null |
no |
region | The region where you want to deploy your instance. | string |
"us-south" |
no |
remote_leader_crn | A CRN of the leader database to make the replica(read-only) deployment. The leader database is created by a database deployment with the same service ID. A read-only replica is set up to replicate all of your data from the leader deployment to the replica deployment by using asynchronous replication. For more information, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-read-only-replicas | string |
null |
no |
resource_group_id | The resource group ID where the PostgreSQL instance will be created. | string |
n/a | yes |
resource_tags | Optional list of tags to be added to the PostgreSQL instance. | list(string) |
[] |
no |
service_credential_names | Map of name, role for service credentials that you want to create for the database | map(string) |
{} |
no |
service_endpoints | Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'. | string |
"private" |
no |
skip_iam_authorization_policy | Set to true to skip the creation of an IAM authorization policy that permits all PostgreSQL database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing_kms_instance_guid variable. In addition, no policy is created if var.kms_encryption_enabled is set to false. | bool |
false |
no |
use_default_backup_encryption_key | Set to true to use default ICD randomly generated keys for backup encryption. | bool |
false |
no |
users | A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the Postgres instance. This blocks creates native postgres database users, more info on that can be found here https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-user-management&interface=ui | list(object({ |
[] |
no |
Name | Description |
---|---|
adminuser | Database admin user name |
cbr_rule_ids | CBR rule ids created to restrict Postgresql |
certificate_base64 | Database connection certificate |
crn | Postgresql instance crn |
guid | Postgresql instance guid |
hostname | Database connection hostname |
id | Postgresql instance id |
pitr_time | Postgresql instance id |
port | Database connection port |
service_credentials_json | Service credentials json map |
service_credentials_object | Service credentials object |
version | Postgresql instance version |
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.