jprdonnelly/private-ip-cloud-sql-db
0
0
Fork 0
mirror of https://github.com/ryboe/private-ip-cloud-sql-db.git synced 2025-12-19 10:00:37 -05:00
Code Issues Projects Releases Wiki Activity
Files
f7ef3d241aff28d12f30ff36b213cac8b12ad9e6
private-ip-cloud-sql-db/modules/dbproxy/main.tf
Ryan Boehning f7ef3d241a Initial commit
2020-04-19 03:40:44 -07:00

72 lines
2.2 KiB
HCL
Raw Blame History

data "google_compute_subnetwork" "regional_subnet" {
name = var.vpc_name
region = var.region
}
resource "google_compute_instance" "db_proxy" {
name = "db-proxy"
description = <<-EOT
A public-facing instance that proxies traffic to the database. This allows
the db to only have a private IP address, but still be reachable from
outside the VPC.
EOT
machine_type = var.machine_type
zone = var.zone
desired_status = "RUNNING"
allow_stopping_for_update = true
# Our firewall looks for this tag when deciding whether to allow SSH traffic
# to an instance.
tags = ["ssh-enabled"]
boot_disk {
initialize_params {
image = "cos-cloud/cos-stable" # latest stable Container-Optimized OS.
size = 10 # smallest disk possible is 10 GB.
type = "pd-ssd" # use an SSD, not an HDD, because c'mon.
}
}
metadata = {
enable-oslogin = "TRUE"
}
metadata_startup_script = templatefile("${path.module}/run_cloud_sql_proxy.tpl", {
"db_instance_name" = var.db_instance_name,
"service_account_key" = module.serviceaccount.private_key,
})
network_interface {
network = var.vpc_name
subnetwork = data.google_compute_subnetwork.regional_subnet.self_link
# The access_config block must be set for the instance to have a public IP,
# even if it's empty.
access_config {}
}
scheduling {
# Migrate to another physical host during OS updates to avoid downtime.
on_host_maintenance = "MIGRATE"
}
service_account {
email = module.serviceaccount.email
# These are OAuth scopes for the various Google Cloud APIs. We're already
# using IAM roles (specifically, Cloud SQL Editor) to control what this
# instance can and cannot do. We don't need another layer of OAuth
# permissions on top of IAM, so we grant cloud-platform scope to the
# instance. This is the maximum possible scope. It gives the instance
# access to all Google Cloud APIs through OAuth.
scopes = ["cloud-platform"]
}
}
module "serviceaccount" {
source = "../serviceaccount"
name = "cloud-sql-proxy"
role = "roles/cloudsql.editor"
}
Reference in New Issue View Git Blame Copy Permalink