A Terraform module that builds out a Compute Engine VM with the Cloud SQL Proxy installed as well as the required IAP configs to allow a developer to access a Cloud SQL database from their workstation 🤖
To connect to the Cloud SQL instance once the infrastructure has been applied, open a tunnel to the VM using the following example command:

```bash
gcloud compute start-iap-tunnel cloudsqlproxy-695b 3306 --local-host-port=localhost:3306 --zone=australia-southeast1-c
```

Replace the VM name and both ports with the relevant values for your environment.

The above example creates an IAP tunnel to the VM named `cloudsqlproxy-695b` on port `3306` using the local host port `3306`. The Cloud SQL Proxy listens on whichever port is relevant to the database you're connecting to (in this example we're connecting to a MySQL Cloud SQL instance, so the Cloud SQL Proxy automatically listens on port `3306`).

Once the IAP tunnel has been brought up, you can connect to the Cloud SQL instance on `localhost:3306`. Keep in mind that the terminal session where the tunnel is running must remain open, so you'll need to open another terminal session to run your SQL queries.
For more information, please refer to the Cloud SQL Proxy documentation here.
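To avoid keeping a second terminal open, the tunnel can be held open only for the duration of one command. The script below is an added example, not part of this module; the function names `wait_for_port` and `with_iap_tunnel` and the `TUNNEL_TIMEOUT` variable are this example's own, and it assumes bash (for `/dev/tcp`) and an authenticated `gcloud`.

```shell
#!/usr/bin/env bash
# Added example, not part of the module; function names and TUNNEL_TIMEOUT
# are this example's own. Requires bash (uses /dev/tcp).

# wait_for_port HOST PORT SECONDS [PID]
# Returns 0 once HOST:PORT accepts a TCP connection, 1 on timeout, and 2 if
# process PID (the tunnel) has already exited, e.g. the gcloud call failed.
wait_for_port() {
  local host="$1" port="$2" limit="$3" pid="${4:-}" waited=0
  while ! (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; do
    if [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null; then return 2; fi
    if [ "$waited" -ge "$limit" ]; then return 1; fi
    sleep 1
    waited=$((waited + 1))
  done
}

# with_iap_tunnel VM ZONE PORT COMMAND [ARGS...]
# Opens the tunnel, runs COMMAND once the local port answers, then closes it.
with_iap_tunnel() {
  local vm="$1" zone="$2" port="$3" rc=0 tunnel_pid
  shift 3
  # Same command as in the README. Binding to localhost keeps the forwarded
  # database port unreachable from other hosts on the workstation's network.
  gcloud compute start-iap-tunnel "$vm" "$port" \
    --local-host-port="localhost:$port" --zone="$zone" &
  tunnel_pid=$!
  trap "kill $tunnel_pid 2>/dev/null" EXIT INT TERM
  if wait_for_port localhost "$port" "${TUNNEL_TIMEOUT:-30}" "$tunnel_pid"; then
    "$@" || rc=$?
  else
    echo "IAP tunnel to $vm did not open localhost:$port" >&2
    rc=1
  fi
  kill "$tunnel_pid" 2>/dev/null || true
  wait "$tunnel_pid" 2>/dev/null || true
  trap - EXIT INT TERM
  return "$rc"
}

# Usage (the mysql arguments are a constructed sample):
#   ./tunnel.sh cloudsqlproxy-695b australia-southeast1-c 3306 \
#     mysql --host=127.0.0.1 --port=3306 --user=USER -p
if [ "$#" -ge 4 ]; then with_iap_tunnel "$@"; fi
```

The tunnel is closed as soon as the command returns, so the forwarded port is not left listening on the workstation between sessions.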
- You have a Cloud SQL instance already created
- You have a VPC network and subnetwork already created
If you are having issues connecting to the Cloud SQL instance via the proxy, check the startup script logs on the VM to see if there are any errors. You can do this by running the following command on the instance:

```bash
sudo journalctl -u google-startup-scripts.service
```
```hcl
module "proxy" {
  source               = "git::https://github.com/withriley/cloud-sql-proxy.git"
  project              = "gcp-project"
  region               = "australia-southeast1"
  db_name              = "mysql-instance"
  network              = "vpc-network"
  subnetwork           = "vpc-subnet"
  create_firewall_rule = true
  additional_ports     = ["3306"]
  members              = ["user:peter.griffin@withriley.com"]
}
```
Name | Type |
---|---|
google_compute_firewall.default | resource |
google_compute_instance.default | resource |
google_iap_tunnel_instance_iam_binding.enable_iap | resource |
google_project_iam_member.project | resource |
google_project_service.default | resource |
google_service_account.default | resource |
random_id.default | resource |
random_shuffle.default | resource |
google_compute_subnetwork.default | data source |
google_compute_zones.available | data source |
google_sql_database_instance.default | data source |
No modules.
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_ports | Additional ports to open for IAP tunnelling - only used if create_firewall_rule is true | list(string) | [] | no |
cloud_sql_proxy_version | Version of the Cloud SQL Proxy to download | string | "v2.7.2" | no |
create_firewall_rule | Boolean to enable/disable firewall rule creation for IAP tunnelling | bool | false | no |
db_name | Cloud SQL instance database name | string | n/a | yes |
host_project | Project where the firewall rule + VM will be created if using Shared VPC - if not using Shared VPC leave blank | string | "" | no |
members | List of the members to grant IAM permissions for IAP tunnelling. Format: user:, group:, etc. | list(string) | n/a | yes |
network | Name of the network | string | n/a | yes |
project | Project name where the resources are deployed | string | n/a | yes |
psc_connection | Set this to true to connect to your Cloud SQL instance via Private Service Connect. default will connect to SQL via private IP. | bool | false | no |
region | Region to deploy the resources to | string | n/a | yes |
subnetwork | Name of the subnetwork | string | n/a | yes |
No outputs.