GoogleCloudPlatform · juliocc · Nov 24, 2023 · Oct 18, 2023 · Nov 21, 2023 · Nov 22, 2023
diff --git a/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf b/blueprints/data-solutions/cloudsql-multiregion/cloudsql.tf
@@ -17,11 +17,17 @@ module "db" {
   project_id          = module.project.project_id
   availability_type   = var.sql_configuration.availability_type
   encryption_key_name = var.service_encryption_keys != null ? try(var.service_encryption_keys[var.regions.primary], null) : null
-  network             = local.vpc_self_link
-  name                = "${var.prefix}-db"
-  region              = var.regions.primary
-  database_version    = var.sql_configuration.database_version
-  tier                = var.sql_configuration.tier
+  network_config = {
+    connectivity = {
+      psa_config = {
+        private_network = local.vpc_self_link
+      }
+    }
+  }
+  name             = "${var.prefix}-db"
+  region           = var.regions.primary
+  database_version = var.sql_configuration.database_version
+  tier             = var.sql_configuration.tier
   flags = {
     "cloudsql.iam_authentication" = "on"
   }

diff --git a/blueprints/third-party-solutions/phpipam/cloudsql.tf b/blueprints/third-party-solutions/phpipam/cloudsql.tf
@@ -22,10 +22,16 @@ module "cloudsql" {
   database_version    = local.cloudsql_conf.database_version
   deletion_protection = var.deletion_protection
   databases           = [local.cloudsql_conf.db]
-  network             = local.network
-  prefix              = var.prefix
-  region              = var.region
-  tier                = local.cloudsql_conf.tier
+  network_config = {
+    connectivity = {
+      psa_config = {
+        private_network = local.network
+      }
+    }
+  }
+  prefix = var.prefix
+  region = var.region
+  tier   = local.cloudsql_conf.tier
   users = {
     "${local.cloudsql_conf.user}" = {
       password = var.cloudsql_password

diff --git a/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf b/blueprints/third-party-solutions/wordpress/cloudrun/cloudsql.tf
@@ -52,9 +52,15 @@ resource "google_vpc_access_connector" "connector" {
 
 # Set up CloudSQL
 module "cloudsql" {
-  source           = "../../../../modules/cloudsql-instance"
-  project_id       = module.project.project_id
-  network          = module.vpc.self_link
+  source     = "../../../../modules/cloudsql-instance"
+  project_id = module.project.project_id
+  network_config = {
+    connectivity = {
+      psa_config = {
+        private_network = module.vpc.self_link
+      }
+    }
+  }
   name             = "${var.prefix}-mysql"
   region           = var.region
   database_version = local.cloudsql_conf.database_version

diff --git a/modules/cloudsql-instance/README.md b/modules/cloudsql-instance/README.md
diff --git a/modules/cloudsql-instance/main.tf b/modules/cloudsql-instance/main.tf
@@ -68,18 +68,25 @@ resource "google_sql_database_instance" "primary" {
     connector_enforcement       = var.connector_enforcement
 
     ip_configuration {
-      ipv4_enabled       = var.ipv4_enabled
-      private_network    = var.network
-      allocated_ip_range = var.allocated_ip_ranges.primary
-      require_ssl        = var.require_ssl
+      ipv4_enabled       = var.network_config.connectivity.public_ipv4
+      private_network    = try(var.network_config.connectivity.psa_config.private_network, null)
+      allocated_ip_range = try(var.network_config.connectivity.psa_config.allocated_ip_ranges.primary, null)
+      require_ssl        = var.network_config.require_ssl
       dynamic "authorized_networks" {
-        for_each = var.authorized_networks != null ? var.authorized_networks : {}
+        for_each = var.network_config.authorized_networks != null ? var.network_config.authorized_networks : {}
         iterator = network
         content {
           name  = network.key
           value = network.value
         }
       }
+      dynamic "psc_config" {
+        for_each = var.network_config.connectivity.psc_allowed_consumer_projects != null ? [""] : []
+        content {
+          psc_enabled               = true
+          allowed_consumer_projects = var.network_config.connectivity.psc_allowed_consumer_projects
+        }
+      }
     }
 
     dynamic "backup_configuration" {
@@ -149,17 +156,24 @@ resource "google_sql_database_instance" "replicas" {
     activation_policy = var.activation_policy
 
     ip_configuration {
-      ipv4_enabled       = var.ipv4_enabled
-      private_network    = var.network
-      allocated_ip_range = var.allocated_ip_ranges.replica
+      ipv4_enabled       = var.network_config.connectivity.public_ipv4
+      private_network    = try(var.network_config.connectivity.psa_config.private_network, null)
+      allocated_ip_range = try(var.network_config.connectivity.psa_config.allocated_ip_ranges.replica, null)
       dynamic "authorized_networks" {
-        for_each = var.authorized_networks != null ? var.authorized_networks : {}
+        for_each = var.network_config.authorized_networks != null ? var.network_config.authorized_networks : {}
         iterator = network
         content {
           name  = network.key
           value = network.value
         }
       }
+      dynamic "psc_config" {
+        for_each = var.network_config.connectivity.psc_allowed_consumer_projects != null ? [""] : []
+        content {
+          psc_enabled               = true
+          allowed_consumer_projects = var.network_config.connectivity.psc_allowed_consumer_projects
+        }
+      }
     }
 
     dynamic "database_flags" {

diff --git a/modules/cloudsql-instance/outputs.tf b/modules/cloudsql-instance/outputs.tf
@@ -34,6 +34,19 @@ output "connection_names" {
   }
 }
 
+output "dns_name" {
+  description = "The dns name of the instance."
+  value       = google_sql_database_instance.primary.dns_name
+}
+
+output "dns_names" {
+  description = "Dns names of all instances."
+  value = {
+    for id, instance in local._all_instances :
+    id => instance.dns_name
+  }
+}
+
 output "id" {
   description = "Fully qualified primary instance id."
   value       = google_sql_database_instance.primary.private_ip_address
@@ -85,6 +98,19 @@ output "postgres_client_certificates" {
   sensitive   = true
 }
 
+output "psc_service_attachment_link" {
+  description = "The link to service attachment of PSC instance."
+  value       = google_sql_database_instance.primary.psc_service_attachment_link
+}
+
+output "psc_service_attachment_links" {
+  description = "Links to service attachment of PSC instances."
+  value = {
+    for id, instance in local._all_instances :
+    id => instance.psc_service_attachment_link
+  }
+}
+
 output "self_link" {
   description = "Self link of the primary instance."
   value       = google_sql_database_instance.primary.self_link

diff --git a/modules/cloudsql-instance/variables.tf b/modules/cloudsql-instance/variables.tf
@@ -24,21 +24,6 @@ variable "activation_policy" {
   nullable = false
 }
 
-variable "allocated_ip_ranges" {
-  description = "(Optional)The name of the allocated ip range for the private ip CloudSQL instance. For example: \"google-managed-services-default\". If set, the instance ip will be created in the allocated range. The range name must comply with RFC 1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z?."
-  type = object({
-    primary = optional(string)
-    replica = optional(string)
-  })
-  default  = {}
-  nullable = false
-}
-variable "authorized_networks" {
-  description = "Map of NAME=>CIDR_RANGE to allow to connect to the database(s)."
-  type        = map(string)
-  default     = null
-}
-
 variable "availability_type" {
   description = "Availability type for the primary replica. Either `ZONAL` or `REGIONAL`."
   type        = string
@@ -152,12 +137,6 @@ variable "insights_config" {
   default = null
 }
 
-variable "ipv4_enabled" {
-  description = "Add a public IP address to database instance."
-  type        = bool
-  default     = false
-}
-
 variable "labels" {
   description = "Labels to be attached to all instances."
   type        = map(string)
@@ -169,9 +148,27 @@ variable "name" {
   type        = string
 }
 
-variable "network" {
-  description = "VPC self link where the instances will be deployed. Private Service Networking must be enabled and configured in this VPC."
-  type        = string
+variable "network_config" {
+  description = "Network configuration for the instance. Only one between private_network and psc_config can be used."
+  type = object({
+    authorized_networks = optional(map(string))
+    require_ssl         = optional(bool)
+    connectivity = object({
+      public_ipv4 = optional(bool, false)
+      psa_config = optional(object({
+        private_network = string
+        allocated_ip_ranges = optional(object({
+          primary = optional(string)
+          replica = optional(string)
+        }))
+      }))
+      psc_allowed_consumer_projects = optional(list(string))
+    })
+  })
+  validation {
+    condition     = (var.network_config.connectivity.psa_config != null ? 1 : 0) + (var.network_config.connectivity.psc_allowed_consumer_projects != null ? 1 : 0) < 2
+    error_message = "Only one between private network and psc can be specified."
+  }
 }
 
 variable "postgres_client_certificates" {
@@ -209,12 +206,6 @@ variable "replicas" {
   default = {}
 }
 
-variable "require_ssl" {
-  description = "Enable SSL connections only."
-  type        = bool
-  default     = null
-}
-
 variable "root_password" {
   description = "Root password of the Cloud SQL instance. Required for MS SQL Server."
   type        = string