-green?style=plastic){kind=icon}
WARNING: This module does not support major version upgrade or updates to encryption and backup encryption keys: To upgrade version create a new postgresql instance with the updated version and follow the Upgrading PostgreSQL docs
NOTE: Currently the database encryption for backups supports only Key Protect keys, not Hyper Protect Crypto keys. If enabling KMS encryption and no value is passed for 'backup_encryption_key_crn', the value of 'kms_key_crn' is used. If this value is a HPCS key, the module will default the backup encryption to use randomly generated keys due to this current limitation. More info: https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs
provider "ibm" { ibmcloud_api_key = "XXXXXXXXXX" region = "us-south" } module "postgresql_db" { # Replace "main" with a GIT release version to lock into a specific release source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-icd-postgresql?ref=main" resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX" name = "my-instance" region = "us-south" }You need the following permissions to run this module.
- Account Management
- Databases for PostgreSQL service
Editorrole access
- Databases for PostgreSQL service
- Restore from backup example
- Basic with read-only replica example
- Complete example with BYOK encryption, autoscaling, CBR rules, VPE creation, and read-only replica provisioning
- Financial Services Cloud profile example
- Point in time recovery example (PITR)
| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| ibm | >= 1.49.0 |
| Name | Source | Version |
|---|---|---|
| cbr_rule | git::https://github.com/terraform-ibm-modules/terraform-ibm-cbr//cbr-rule-module | v1.2.0 |
| Name | Type |
|---|---|
| ibm_database.postgresql_db | resource |
| ibm_iam_authorization_policy.kms_policy | resource |
| ibm_resource_key.service_credentials | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| auto_scaling | Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://ibm.biz/autoscaling-considerations in the IBM Cloud Docs. | object({ | null | no |
| backup_crn | The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty. | string | null | no |
| backup_encryption_key_crn | The CRN of a Key Protect key, that you want to use for encrypting disk that holds deployment backups. Only used if var.kms_encryption_enabled is set to true. If no value passed, the value passed for the 'kms_key_crn' variable will be used. BYOK for backups is available only in US regions us-south and us-east, and eu-de. Only keys in the us-south and eu-de are durable to region failures. To ensure that your backups are available even if a region failure occurs, you must use a key from us-south or eu-de. Take note that Hyper Protect Crypto Services for IBM Cloud® Databases backups is not currently supported, so if no value is passed here, but a HPCS value is passed for var.kms_key_crn, databases backup encryption will use the default encryption keys. | string | null | no |
| cbr_rules | (Optional, list) List of CBR rules to create | list(object({ | [] | no |
| configuration | Database configuration | object({ | null | no |
| existing_kms_instance_guid | The GUID of the Hyper Protect or Key Protect instance in which the key specified in var.kms_key_crn and var.backup_encryption_key_crn is coming from. Only required if var.kms_encryption_enabled is 'true', var.skip_iam_authorization_policy is 'false', and passing a value for var.kms_key_crn and/or var.backup_encryption_key_crn. | string | null | no |
| kms_encryption_enabled | Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud® Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs | bool | false | no |
| kms_key_crn | The root key CRN of a Key Management Services like Key Protect or Hyper Protect Crypto Service (HPCS) that you want to use for disk encryption. Only used if var.kms_encryption_enabled is set to true. | string | null | no |
| member_cpu_count | Allocated dedicated CPU per-member. For shared CPU, set to 0. See the following doc for supported values: https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling | number | 0 | no |
| member_disk_mb | Allocated disk per-member. See the following doc for supported values: https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling | number | 5120 | no |
| member_memory_mb | Allocated memory per-member. See the following doc for supported values: https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling | number | 1024 | no |
| members | Allocated number of members. Members can be scaled up but not down. | number | 2 | no |
| name | The name to give the Postgresql instance. | string | n/a | yes |
| pg_version | Version of the PostgreSQL instance to provision. | string | null | no |
| pitr_id | (Optional) The ID of the source deployment PostgreSQL instance that you want to recover back to. The PostgreSQL instance is expected to be in an up and in running state. | string | null | no |
| pitr_time | (Optional) The timestamp in UTC format (%Y-%m-%dT%H:%M:%SZ) that you want to restore to. To retrieve the timestamp, run the command (ibmcloud cdb postgresql earliest-pitr-timestamp ). For more info on Point-in-time Recovery, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-pitr | string | null | no |
| plan_validation | Enable or disable validating the database parameters for PostgreSQL during the plan phase. | bool | true | no |
| region | The region where you want to deploy your instance. | string | "us-south" | no |
| remote_leader_crn | A CRN of the leader database to make the replica(read-only) deployment. The leader database is created by a database deployment with the same service ID. A read-only replica is set up to replicate all of your data from the leader deployment to the replica deployment by using asynchronous replication. For more information, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-read-only-replicas | string | null | no |
| resource_group_id | The resource group ID where the PostgreSQL instance will be created. | string | n/a | yes |
| resource_tags | Optional list of tags to be added to the PostgreSQL instance and the associated service credentials (if creating). | list(string) | [] | no |
| service_credential_names | Map of name, role for service credentials that you want to create for the database | map(string) | {} | no |
| service_endpoints | Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'. | string | "private" | no |
| skip_iam_authorization_policy | Set to true to skip the creation of an IAM authorization policy that permits all PostgreSQL database instances in the given resource group to read the encryption key from the Hyper Protect or Key Protect instance passed in var.existing_kms_instance_guid. If set to 'false', a value must be passed for var.existing_kms_instance_guid. No policy is created if var.kms_encryption_enabled is set to 'false'. | bool | false | no |
| Name | Description |
|---|---|
| cbr_rule_ids | CBR rule ids created to restrict Postgresql |
| crn | Postgresql instance crn |
| guid | Postgresql instance guid |
| id | Postgresql instance id |
| service_credentials_json | Service credentials json map |
| service_credentials_object | Service credentials object |
| version | Postgresql instance version |
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.