This solution guides users to establish a private connection between Cloud SQL instance and Compute Engine instance by setting up a host and a service project, creating a Cloud SQL instance and a Compute Engine instance in the service project, and connecting the Compute Engine instance to the Cloud SQL instance using the VM's private IP address. The host project contains the VPC networks, subnets and firewall rules.
Here is a brief overview of the components being created by the terraform solution :
- Creates a VPC Network and subnets in the host project
- Establishes a host and a service project
- Creates a Cloud SQL instance in the service project
- Creates a Compute Engine instance in the service project
- Establishes a connection between the Compute Engine instance to the Cloud SQL instance using the private IP address
This example is a good starting point for anyone who needs to quickly and easily connect a Compute Engine instance to a Cloud SQL instance using private IP address of the Cloud SQL instance.
- User should have terraform and gcloud SDK installed in the machine from which they plan to execute this script.
- User should have two Google Cloud projects which will be used as part of this guide. One of the Google Cloud project will act as a Host Project and the other will act as a Service Project.
- User planning to run this script should have following permissions asssigned to them in the respective projects as described below. User can either use Google Cloud Platform console or gcloud SDK to assign these permission to the user identity using which these scripts will be executed. User can follow either step
3.a.or3.b.or3.c.to complete this step.-
Host Project
- roles/compute.networkAdmin
- roles/compute.securityAdmin
- roles/iam.serviceAccountAdmin
- roles/serviceusage.serviceUsageAdmin
- roles/resourcemanager.projectIamAdmin
-
Service Project
- roles/compute.instanceAdmin
- roles/cloudsql.admin
- roles/iam.serviceAccountAdmin
- roles/serviceusage.serviceUsageAdmin
- roles/resourcemanager.projectIamAdmin
-
Compute XpnPermission
- User should have
roles/compute.xpnAdminpermission at a common folder owning the host and service project. This is required to associate the service project with the host project.
a. Using Webconsole : User can either use GCP web console to assign the IAM permission to the user who plans to run this script.
b. Using gcloud SDK : User can either use gcloud SDK to assign IAM permission to the user who plans to run the script.
c. [Optionally] There is a helper script provided which can be used to create a Service Account with relevant permission at location
cloudsql-easy-networking/helper-scripts/1.createserviceaccount.sh.User can then use this Service Account and impersonate this Service Account while running the terraform code.
Once you have created this service account you can then update
providers.tf.templatefile by updating theimpersonate_service_accountfield with the service account you have created with appropriate permission as described above and renaming theproviders.tf.templatetoproviders.tffile.Once the providers.tf file is updated. The Updated content of
providers.tffile may look likeprovider "google" { impersonate_service_account = "iac-sa@<GCP-HOST-PROJECT-ID>.iam.gserviceaccount.com" } provider "google-beta" { impersonate_service_account = "iac-sa@<GCP-HOST-PROJECT-ID>.iam.gserviceaccount.com" }Note : User should have service account admin and project iam admin permissions in the respective Google Cloud projects in order to assign the above mentioned permissions.
- User should have
-
- User should have authenticated using gcloud command
gcloud auth application-default logincommand in the CLI/machine using which user plans to execute the terraform code. - User can now cd in to the example directory
cloudsql-easy-networking/examples/1.Host-Service-Projectin order to execute the terraform code. - Update the variables in terraform.tfvars as per your configuration like host_project_id, service_project_id etc. User can also go through the Inputs section of this readme that describes the list of input variables that can be updated. Here are two examples of the terraform.tfvars file which can be referred while updating your terraform.tfvars file.
- Enter command
terraform init. This command initializes the working directory containing terraform configuration files. - Enter command
terraform validateto validate the configuration files present in this directory. - Enter command
terraform plan. This command creates an execution plan, which lets you preview the changes that terraform plans to make in your infrastructure. Review the content displayed in the plan stage and if all looks good then move to next step. - Enter
terraform applyand typeyeswhen asked for confirmation/approval. This command executes the actions proposed in a terraform plan and applies the configuration changes. - Deleting resources : Enter
terraform destroyand typeyeswhen asked for confirmation/approval. This command will delete the resources created using the terraform.
-
This example leverages the existing network and subnetwork. Network information like network_name, network_id and subnetwork_id should be passed in the terraform.tfvars file. The terraform.tfvars should look like
host_project_id = "<GCP-HOST-PROJECT-ID>" service_project_id = "<GCP-SERVICE-PROJECT-ID>" database_version = "MYSQL_8_0" cloudsql_instance_name = "cn-sqlinstance10" region = "us-central1" zone = "us-central1-a" create_network = false create_subnetwork = false network_name = "cloudsql-easy" subnetwork_name = "cloudsql-easy-subnet" -
This example creates new network and subnetwork with the provided CIDR.
host_project_id = "<GCP-HOST-PROJECT-ID>" service_project_id = "<GCP-SERVICE-PROJECT-ID>" database_version = "MYSQL_8_0" cloudsql_instance_name = "cn-sqlinstance10" region = "us-central1" zone = "us-central1-a" create_network = true create_subnetwork = true network_name = "cloudsql-easy" subnetwork_name = "cloudsql-easy-subnet" subnetwork_ip_cidr = "10.2.0.0/16"
No requirements.
| Name | Version |
|---|---|
| 4.81.0 | |
| template | 2.2.0 |
| Name | Source | Version |
|---|---|---|
| firewall_rules | ../../modules/firewall-rules | n/a |
| gce_sa | ../../modules/iam-service-account | n/a |
| google_compute_instance | ../../modules/computeinstance | n/a |
| host-vpc | ../../modules/net-vpc | n/a |
| host_project | ../../modules/services | n/a |
| nat | ../../modules/net-cloudnat | n/a |
| project_services | ../../modules/services | n/a |
| sql-db | ../../modules/cloudsql | n/a |
| terraform_service_accounts | ../../modules/iam-service-account | n/a |
| Name | Type |
|---|---|
| google_compute_network.host_vpc | data source |
| google_compute_subnetwork.host_vpc_subnetwork | data source |
| template_file.mysql_installer | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudsql_instance_name | Name of the cloud sql instance which will be created. | string |
n/a | yes |
| database_version | Database version of the mysql in Cloud SQL . | string |
n/a | yes |
| host_project_id | Project Id of the Host GCP Project. | string |
n/a | yes |
| network_name | Name of the VPC network to be created if var.create_network is marked as true or Name of the already existing network if var.create_network is false. | string |
n/a | yes |
| region | Name of a GCP region. | string |
n/a | yes |
| service_project_id | Project Id of the Service GCP Project attached to the Host GCP project. | string |
n/a | yes |
| subnetwork_ip_cidr | CIDR range for the subnet to be created if var.create_subnetwork is set to true. | string |
n/a | yes |
| subnetwork_name | Name of the sub network to be created if var.create_subnetwork is marked as true or Name of the already existing sub network if var.create_subnetwork is false. | string |
n/a | yes |
| zone | Name of a GCP zone, should be in the same region as specified in the region variable. | string |
n/a | yes |
| access_config | Access configurations, i.e. IPs via which the VM instance can be accessed via the Internet. | object({ |
null |
no |
| cloudsql_private_range_cidr | Cidr of the private IP range. | string |
"" |
no |
| cloudsql_private_range_name | Name of the default IP range. | string |
"privateip-range" |
no |
| cloudsql_private_range_prefix_length | Prefix length of the private IP range. | string |
"20" |
no |
| create_nat | Boolean variable to create the Cloud NAT for allowing the VM to connect to external Internet. | bool |
true |
no |
| create_network | Variable to determine if a new network should be created or not. | bool |
true |
no |
| create_subnetwork | Variable to determine if a new sub network should be created or not. | bool |
true |
no |
| deletion_protection | Enable delete protection. | bool |
true |
no |
| gce_tags | List of tags to be applied to gce instance. | list(string) |
[ |
no |
| nat_name | Name of the cloud nat to be created. | string |
"sqleasy-nat" |
no |
| network_routing_mode | Network Routing Mode to be used, Could be REGIONAL or GLOBAL. | string |
"GLOBAL" |
no |
| network_tier | Networking tier to be used. | string |
"PREMIUM" |
no |
| router_name | Name of the router to be used by the NAT. | string |
"sqleasynatrouter" |
no |
| source_image | Source disk image. If neither source_image nor source_image_family is specified, defaults to the latest public image. | string |
"" |
no |
| source_image_family | Source image family. If neither source_image nor source_image_family is specified, defaults to the latest public image. | string |
"ubuntu-2204-lts" |
no |
| source_image_project | Project where the source image comes from. The default project contains images. | string |
"ubuntu-os-cloud" |
no |
| test_dbname | Database Name to be created from startup script. | string |
"test_db" |
no |
| Name | Description |
|---|---|
| cloudsql_instance_name | Name of the my cloud sql instance created in the service project. |
| host_network_id | Network ID for the host VPC network created in the host project. |
| host_subnetwork_id | Sub Network ID created inside the host VPC network created in the host project. |
| host_vpc_name | Name of the VPC created in the host project. |