Provision and read-only DB replica in Europe

terraform/environments/production/.terraform.lock.hcl

@@ -24,42 +24,42 @@ provider "registry.terraform.io/cyrilgdn/postgresql" {
 }
 
 provider "registry.terraform.io/hashicorp/google" {
-  version     = "5.27.0"
+  version     = "5.36.0"
   constraints = "~> 5.20"
   hashes = [
-    "h1:WCDkdISBBLVlW4PyIkNn0hr4XMSL3ZZNKBsZ/MKFqRc=",
-    "zh:08301af898c1a78e78ad547482d50c95a43ef65d09fd5058800cf32cd9c8cd53",
-    "zh:1a4f9e5134e990132978e78ea15431d32e06bf8024fd6733a98faa811ae03efb",
-    "zh:383e66659d69dc4b4a1ad5d7cbc6aa4ce75015f380cfb5f47beaeb506c9e2e1c",
-    "zh:3aa4aff7dd9240fb387271dc791e084d010044dc58336a7a690b0f1a8890ab68",
-    "zh:4084b9a61e662bdd79d1304432dffc6cd3cf00021b937b01001ae9fee5727b12",
-    "zh:448f5d281cab53caacb8759fcd3309c7aa1ba5a210d1866b28e8bd77fd4634ab",
-    "zh:75457a1f0b77bc7477efe58e7b223649340147fd735ed8b8fe57a06ec8459c95",
-    "zh:7648c6ea04d5b1d1413cce880ed77bd7373aef1a58cd5a26394edf64dc6cac11",
-    "zh:b43630367e29a4c185d3eab8b3f84f818e8a91f16007f0e81d876ab96af4ee43",
-    "zh:b478e7d36c5e99f0c026cb05c06047ce1f24fc07284692a10e74214a853e7139",
-    "zh:e6f349125299401049f64e608b3d73236b139e960816fffdd208d1ba405e1804",
+    "h1:Ulo187RYb/ibPvfrZYNTWlZvpI9yDQxKaUXPHjVrtgw=",
+    "zh:091f4e82ee4ba77cd37b67d9c24448a1317e8e103bd5f3191f7b4b26b314f2e6",
+    "zh:15aed0b4cc85ee275aa32740ecf745f4ff6da09ed7c705900d93f5d0e454fcd1",
+    "zh:403cc4daf32aa31fe89940aca6d1d320531103801d5c4678107f3c952d126875",
+    "zh:539c774fb97bc2dd6cd67f436ae062c2fc50d9181aa4f4ae626dc428dce1bb82",
+    "zh:5857cf533a5db0853f81f2662681e95556b0972cae0bd5cff02d24f2a0cb395e",
+    "zh:7e802ee04b9ea84f1667ac8e970dc559709628555e1350b4996f07b067da041d",
+    "zh:90a62593c84543f8d8f7848ae3b75d3190e6ad36cf38e2d5ca321771668c77e6",
+    "zh:9e2cf799c61dd4f534f84705db3ab00142d0a5b58ea147a6a67f5bd902f31eba",
+    "zh:b3470f63ef5621eab6501c7024ba74480def676cb58331755484ffcf1c64b3d8",
+    "zh:b6a640f7cbee78880e901512d193e6863339eb18f552903e7298ceb023543486",
+    "zh:cddaca8c950334a22849b6499c0dde289ac8e9767d29ee1504e70872201d8da8",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/google-beta" {
-  version     = "5.27.0"
+  version     = "5.36.0"
   constraints = "~> 5.20"
   hashes = [
-    "h1:Q1TtRjUkcIULvyinqWEVRl+r8VaS5Bqa/EXsWNe7CfE=",
-    "zh:074d29ba9a70de197f14bbed7cb418209764a491e2dcba52aebb7299e8dc7c12",
-    "zh:68638b88b9059fcb7931f2b7e3e136a3cfd3d974d0d424c5435aafaf6ea188b5",
-    "zh:9a1770398dddfdced4d42c9e2d6551dbc38937f733e00cbc0faba2944dd14443",
-    "zh:9cc072528ed4a3163025135f3d2026a6f2f8e8472e3188822fe1e0721f9e5359",
-    "zh:a441ce8a1fe57cb538d8b4301f7d9045bec0e7d796b962d2c97fd47bf9daf4f0",
-    "zh:a704bf6682d0db7c5578d39880f9081da6b81d458547f97f15c59ee94f5638a3",
-    "zh:ab548b6bc8508eeebf6da8cf577758ff5b078d0b655b1a76940b9cc7f107d3b1",
-    "zh:b15c056b140a8ea330efd277253d02930eec350b06831c526cd5a78cf25cd39e",
-    "zh:df79906421ab1d6ff733d9c167875afaafbda3d0e9f58fe581c0c9010523bbce",
-    "zh:ea75a33508d17132152ae3543f981359b215a586ae864546e7b45976de374e1b",
+    "h1:9Oc/wBxoDMp1oP97yED8Kz/6dapkayoulM4niP4Tgf8=",
+    "zh:1516867331b7c1e53d28e929d4bcc77199e9ed2c733b1dd805a0445c7bd55708",
+    "zh:25750a11add3099e8773c512e7820a4c5e04a66b431626a47d37e992308387dc",
+    "zh:5085899f0d71fa03798da4285e6334464abf8ad8bc86017c795942aceeac1b34",
+    "zh:53f2b06d25948ba222a2d8cc4583bb14c588aa37e2eeca4b63eaa609665d9e72",
+    "zh:5a78890d4e88085b4f17b7d3266773ae1d95ac2376a945defb77125831fa3546",
+    "zh:5cdb4c91c65688a3a6341f543aaee5e4645003f9af152189bd324589f3449535",
+    "zh:6cfa032855dbb86325a7c832164346b83fda7ee41a6e679d1b06fb3d4eebd5d6",
+    "zh:9d4c34d545fcafa928d38c41b76d8638109924a176e9d8da74eca835874c0181",
+    "zh:a330ec2300476d553f553863f1d6183053ac669f6e9663f095cf3f712485b666",
+    "zh:d1fa47a22727931d16282a7b14c0476383820db5bc266632e5df5a2506562735",
+    "zh:e243237d3415452935b3e42dd90ab170feb4fc1511819e6a99f895c29e9a73c1",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f734a884346550d5ce0e4563294572ae7546773ced9c1314ed21901f24b9041e",
   ]
 }
 
@@ -84,22 +84,22 @@ provider "registry.terraform.io/hashicorp/null" {
 }
 
 provider "registry.terraform.io/hashicorp/random" {
-  version     = "3.6.1"
+  version     = "3.6.2"
   constraints = "~> 3.6"
   hashes = [
-    "h1:a+Goawwh6Qtg4/bRWzfDtIdrEFfPlnVy0y4LdUQY3nI=",
-    "zh:2a0ec154e39911f19c8214acd6241e469157489fc56b6c739f45fbed5896a176",
-    "zh:57f4e553224a5e849c99131f5e5294be3a7adcabe2d867d8a4fef8d0976e0e52",
-    "zh:58f09948c608e601bd9d0a9e47dcb78e2b2c13b4bda4d8f097d09152ea9e91c5",
-    "zh:5c2a297146ed6fb3fe934c800e78380f700f49ff24dbb5fb5463134948e3a65f",
+    "h1:VavG5unYCa3SYISMKF9pzc3718M0bhPlcbUZZGl7wuo=",
+    "zh:0ef01a4f81147b32c1bea3429974d4d104bbc4be2ba3cfa667031a8183ef88ec",
+    "zh:1bcd2d8161e89e39886119965ef0f37fcce2da9c1aca34263dd3002ba05fcb53",
+    "zh:37c75d15e9514556a5f4ed02e1548aaa95c0ecd6ff9af1119ac905144c70c114",
+    "zh:4210550a767226976bc7e57d988b9ce48f4411fa8a60cd74a6b246baf7589dad",
+    "zh:562007382520cd4baa7320f35e1370ffe84e46ed4e2071fdc7e4b1a9b1f8ae9b",
+    "zh:5efb9da90f665e43f22c2e13e0ce48e86cae2d960aaf1abf721b497f32025916",
+    "zh:6f71257a6b1218d02a573fc9bff0657410404fb2ef23bc66ae8cd968f98d5ff6",
     "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:7ce41e26f0603e31cdac849085fc99e5cd5b3b73414c6c6d955c0ceb249b593f",
-    "zh:8c9e8d30c4ef08ee8bcc4294dbf3c2115cd7d9049c6ba21422bd3471d92faf8a",
-    "zh:93e91be717a7ffbd6410120eb925ebb8658cc8f563de35a8b53804d33c51c8b0",
-    "zh:982542e921970d727ce10ed64795bf36c4dec77a5db0741d4665230d12250a0d",
-    "zh:b9d1873f14d6033e216510ef541c891f44d249464f13cc07d3f782d09c7d18de",
-    "zh:cfe27faa0bc9556391c8803ade135a5856c34a3fe85b9ae3bdd515013c0c87c1",
-    "zh:e4aabf3184bbb556b89e4b195eab1514c86a2914dd01c23ad9813ec17e863a8a",
+    "zh:9647e18f221380a85f2f0ab387c68fdafd58af6193a932417299cdcae4710150",
+    "zh:bb6297ce412c3c2fa9fec726114e5e0508dd2638cad6a0cb433194930c97a544",
+    "zh:f83e925ed73ff8a5ef6e3608ad9225baa5376446349572c2449c0c0b3cf184b7",
+    "zh:fbef0781cb64de76b1df1ca11078aecba7800d82fd4a956302734999cfd9a4af",
   ]
 }
 

terraform/environments/production/bi.tf

@@ -102,9 +102,8 @@ module "metabase" {
       value = random_password.metabase_db_password.result
     },
     {
-      # TODO: create a read replica for analytics
       name  = "MB_DB_HOST"
-      value = module.google-cloud-sql.bi_instance_ip_address
+      value = module.google-cloud-sql.master_instance_ip_address
     },
     {
       name  = "MB_SITE_NAME"

terraform/environments/production/main.tf

@@ -147,7 +147,7 @@ resource "google_storage_bucket_iam_member" "public-firezone-binary-artifacts" {
   member = "allUsers"
 }
 
-# Create a VPC
+# Create a VPCs
 module "google-cloud-vpc" {
   source = "../../modules/google-cloud/vpc"
 
@@ -191,7 +191,13 @@ module "google-cloud-sql" {
   database_highly_available = true
   database_backups_enabled  = true
 
-  database_read_replica_locations = []
+  database_read_replica_locations = [
+    {
+      ipv4_enabled = true
+      region       = local.region
+      network      = module.google-cloud-vpc.id
+    }
+  ]
 
   database_flags = {
     # Increase the connections count a bit, but we need to set it to Ecto ((pool_count * pool_size) + 50)

terraform/modules/google-cloud/sql/main.tf

@@ -67,6 +67,7 @@ resource "google_sql_database_instance" "master" {
     }
 
     backup_configuration {
+      # Backups must be enabled if read replicas are enabled
       enabled    = length(var.database_read_replica_locations) > 0 ? true : var.database_backups_enabled
       start_time = "10:00"
 
@@ -79,7 +80,7 @@ resource "google_sql_database_instance" "master" {
     }
 
     ip_configuration {
-      ipv4_enabled    = length(var.database_read_replica_locations) > 0 ? false : true
+      ipv4_enabled    = true
       private_network = var.network
     }
 
@@ -141,7 +142,9 @@ resource "google_sql_database_instance" "master" {
 
 # Create followers for the main Cloud SQL instance
 resource "google_sql_database_instance" "read-replica" {
-  for_each = toset(var.database_read_replica_locations)
+  for_each = tomap({
+    for location in var.database_read_replica_locations : location.region => location
+  })
 
   project = var.project_id
 
@@ -171,8 +174,8 @@ resource "google_sql_database_instance" "read-replica" {
     }
 
     ip_configuration {
-      ipv4_enabled    = true
-      private_network = var.network
+      ipv4_enabled    = each.value.ipv4_enabled
+      private_network = each.value.network
     }
 
     insights_config {
@@ -180,7 +183,7 @@ resource "google_sql_database_instance" "read-replica" {
       record_application_tags = true
       record_client_address   = false
 
-      query_plans_per_minute = 25
+      query_plans_per_minute = 20
       query_string_length    = 4500
     }
 

terraform/modules/google-cloud/sql/outputs.tf

@@ -15,5 +15,5 @@ output "read-replicas" {
 }
 
 output "bi_instance_ip_address" {
-  value = length(var.database_read_replica_locations) > 0 ? lookup(values(google_sql_database_instance.read-replica)[0], "ip_address", google_sql_database_instance.master.private_ip_address) : google_sql_database_instance.master.private_ip_address
+  value = try(google_sql_database_instance.read-replica[var.database_read_replica_locations[0].region].ip_address[0], google_sql_database_instance.master.private_ip_address)
 }

terraform/modules/google-cloud/sql/variables.tf

@@ -44,7 +44,9 @@ variable "database_backups_enabled" {
 variable "database_read_replica_locations" {
   description = "List of read-only replicas to create."
   type = list(object({
-    region = string
+    region       = string
+    ipv4_enabled = bool
+    network      = string
   }))
   default = []
 }