RDS PostgreSQL
Based on the RDS PostgreSQL docker image this Terraform module provides a ready to use PostgreSQL server that is backed up to a S3 compatible object store.
The module supports two backup methods either local storage (Hetzner Cloud Volume) or a S3 compatible object store. To avoid data loss it is not possible to run the database without one of the backup methods enabled.
Design Goals
Acknowledging that there are a lot of available solutions to run PostgreSQL in the cloud it is important to emphasize the design goals of this solution to be able to make an informed decision on if and how to use it
- First and foremost goal is to preserve the data stored in the PostgreSQL instance. This is ensured by an extensive set of full integration tests replicating the intended usage scenarios
- Reduced complexity through single node operations. Running a PostgreSQL server with replication or in multi master comes with its own set of diverse failure scenarios and edge-cases. This solution aims at workloads that can easily handled by a single node and if in doubt favours MTTR over MTBF
- Reduced complexity through less moving parts. Features like autoscaling, automatic recovery after zone outages, user interfaces, etc. like they are provided by the Zalando PostgreSQL Operator provide a lot of value but also add multiple layers between the VM and the actual PostgreSQL instance. This solutions explicitly tries to avoid these features trying to keep the stack as simple as running a docker container on a VM.
Usage
data "aws_s3_bucket" "backup" {
bucket = "test-rds-postgresql-backup"
}
data "hcloud_volume" "data" {
name = "rds-postgresql-data"
}
resource "tls_private_key" "ssh_key" {
algorithm = "RSA"
rsa_bits = 4096
}
resource "hcloud_ssh_key" "ssh_key" {
name = "rds-postgresql"
public_key = tls_private_key.ssh_key.public_key_openssh
}
module "rds-postgresql" {
source = "https://github.com/pellepelster/solidblocks/releases/download/v0.4.12/blcks-terraform-rds-postgresql-hetzner-v0.4.12.zip"
name = "rds-postgresql"
location = var.hetzner_location
ssh_keys = [hcloud_ssh_key.ssh_key.id]
data_volume = data.hcloud_volume.data.id
backup_s3_bucket = data.aws_s3_bucket.backup.id
backup_s3_access_key = var.backup_s3_access_key
backup_s3_secret_key = var.backup_s3_secret_key
databases = [
{ id : "database1", user : "user1", password : "password1" }
]
}For more usage examples see Extended Usage
Operations
To access the created instance use one of SSH keys that was provided via ssh_keys. All linux system resources include the provided name to make them distinguishable.
Show Logs
journalctl -u rds@rds-postgresql-${name}.serviceStart/Stop Database
systemctl [start|stop] rds@rds-postgresql-${name}.service Maintenance Mode
In case of errors or the need for manual intervention a maintenance mode is available. Triggering the maintenance mode will set up the VM like it would be set up for database startup, but without actually starting the database. This allows to exec into the container to debug issues.
main.tf
module "rds-postgresql" {
source = "pellepelster/solidblocks-rds-postgresql/hcloud"
# [...]
mode = "maintenance"
# [...]
}docker exec -ti rds-postgresql-${name}_postgresql /bin/bashTerraform Module
Requirements
| Name | Version |
|---|---|
| hcloud | >=1.48.0 |
| http | >= 3.3.0 |
Providers
| Name | Version |
|---|---|
| hcloud | >=1.48.0 |
Resources
| Name | Type |
|---|---|
| hcloud_server.rds | resource |
| hcloud_volume_attachment.backup | resource |
| hcloud_volume_attachment.data | resource |
| hcloud_volume.backup | data source |
| hcloud_volume.data | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| backup_encryption_passphrase | If set the backups will be encrypted using this passphrase | string | null | no |
| backup_full_calendar | systemd timer spec for full backups | string | "*-*-* 20:00:00" | no |
| backup_incr_calendar | systemd timer spec for incremental backups | string | "*-*-* *:00:55" | no |
| backup_local_retention_diff | Local backup number of differential backups to retain. See https://pgbackrest.org/configuration.html#section-repository/option-repo-retention-diff | number | 4 | no |
| backup_local_retention_full | Local backups full backup retention count/time. See https://pgbackrest.org/configuration.html#section-repository/option-repo-retention-full | number | 7 | no |
| backup_local_retention_full_type | Local backups retention policy type [count, time]. See https://pgbackrest.org/configuration.html#section-repository/option-repo-retention-full | string | "count" | no |
| backup_s3_access_key | AWS access key for S3 backups. To enable S3 backups backup_s3_bucket, backup_s3_access_key and backup_s3_secret_key have to be provided. | string | null | no |
| backup_s3_bucket | AWS bucket name for S3 backups. To enable S3 backups backup_s3_bucket, backup_s3_access_key and backup_s3_secret_key have to be provided. | string | null | no |
| backup_s3_host | AWS host S3 backups. | string | "s3.eu-central-1.amazonaws.com" | no |
| backup_s3_region | AWS region for S3 backups. | string | "eu-central-1" | no |
| backup_s3_retention_diff | AWS S3 backup number of differential backups to retain. See https://pgbackrest.org/configuration.html#section-repository/option-repo-retention-diff | number | 4 | no |
| backup_s3_retention_full | AWS S3 backups full backup retention count/time. See https://pgbackrest.org/configuration.html#section-repository/option-repo-retention-full | number | 7 | no |
| backup_s3_retention_full_type | AWS S3 backups retention policy type [count, time]. See https://pgbackrest.org/configuration.html#section-repository/option-repo-retention-full | string | "count" | no |
| backup_s3_secret_key | AWS secret key for S3 backups. To enable S3 backups backup_s3_bucket backup_s3_access_key and backup_s3_secret_key have to be provided. | string | null | no |
| backup_volume | backup volume id | string | 0 | no |
| data_volume | data volume id | number | n/a | yes |
| databases | A list of databases to create when the instance is initialized, for example: { id : "database1", user : "user1", password : "password1" }. Changing user and password is supported at any time, the provided config is translated into an config for the Solidblocks RDS PostgreSQL module (https://pellepelster.github.io/solidblocks/rds/index.html), please see https://pellepelster.github.io/solidblocks/rds/index.html#databases for more details of the database configuration. | list(object({ id : string, user : string, password : string })) | n/a | yes |
| db_admin_password | The database admin password. Username is always rds | string | "" | no |
| db_backup_gcs_bucket | Name of the Google Cloud storage bucket | string | null | no |
| db_backup_gcs_service_key | content of the service key json file with appropriate permissions to write to the db_backup_gcs_bucket bucket. | string | null | no |
| environment_variables | A list environment variables to pass to the PostgreSQL docker container | map(string) | {} | no |
| extra_user_data | deprecated, please use pre_script/post_script | string | "" | no |
| firewall_disable | disable automatic firewall configuration | bool | false | no |
| labels | A list of labels to be attached to the server instance. | map(any) | {} | no |
| location | Hetzner location to use for provisioned resources | string | n/a | yes |
| mode | startup mode for the database, can be empty to start the database or ‘maintenance’ to enable the maintenance mode of the underlying docker container to debug issues see also https://pellepelster.github.io/solidblocks//rds/#maintenance | string | null | no |
| name | Unique name for the PostgreSQL instance | string | n/a | yes |
| network_id | network the created sever should be attached to, network_ip also needs to bet set in that case | number | null | no |
| network_ip | ip address in the attached network. when an ip address is provided the database server will automatically be bound to this ip and will not be exposed on any other network interfaces | string | null | no |
| post_script | shell script that will be executed after the server configuration is executed | string | "" | no |
| postgres_extra_config | Extra postgres configurations options for the postgresql.conf, see also https://pellepelster.github.io/solidblocks/rds/index.html#global -> DB_POSTGRES_EXTRA_CONFIG | string | null | no |
| postgres_major_version | PostgreSQL major version to use. Upgrading the version will trigger auto migration based on the underlying RDS PostgreSQL docker image, see also https://pellepelster.github.io/solidblocks/rds/index.html#versions. Please be aware that depending on the amount of data to migrate the migration may Terraforms timeouts, see https://pellepelster.github.io/solidblocks/hetzner/rds-postgresql/index.html#operations for debugging options. | number | 14 | no |
| postgres_stop_timeout | shutdown timeout for the postgres database in seconds, see also https://www.postgresql.org/docs/current/app-pg-ctl.html | number | 60 | no |
| pre_script | shell script that will be executed before the server configuration is executed | string | "" | no |
| public_net_ipv4_enabled | enable/disable public ip addresses, see also https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/server#public_net | bool | true | no |
| public_net_ipv6_enabled | enable/disable public ip addresses, see also https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/server#public_net | bool | true | no |
| restore_pitr | Point in time to recover to, using the recovery type time as defined in https://pgbackrest.org/command.html#command-restore. Format should be YYYY-MM-dd HH:mm:ssz Please be aware that the server hosting the database might be in a different timezone, so always include the timezone when specifying PITR times date +"%Y-%m-%d %H:%M:%S%z" | string | null | no |
| server_type | Hetzner cloud server type, supports x86 and ARM architectures | string | "cx23" | no |
| solidblocks_base_url | override base url for testing purposes | string | "https://github.com" | no |
| solidblocks_rds_version | Solidblocks rds-postgresql version to use | string | "v0.4.12" | no |
| ssh_keys | ssh keys to provision for instance access | list(number) | n/a | yes |
| ssl_acme_server | The URL of the ACME Server to use. Defaults to Let’s Encrypt production environment. | string | "https://acme-v02.api.letsencrypt.org/directory" | no |
| ssl_dns_provider | provider type to use for LetsEncrypt DNS challenge, see https://go-acme.github.io/lego/dns/ for available options | string | "" | no |
| ssl_dns_provider_config | environment configuration variable(s) to use for DNS provider selected via ssl_dns_provider, see documentation of selected provider for required configuration variables | map(string) | {} | no |
| ssl_domains | domains to use for generated certificates | list(string) | [] | no |
| ssl_email | email address to use for LetsEncrypt account creation | string | "" | no |
| ssl_enable | enable automatic ssl certificate creation using LetsEncrypt | bool | false | no |
Outputs
| Name | Description |
|---|---|
| ipv4_address | IPv4 address of the created server if applicable |
| ipv4_address_private | private IPv4 address of the created server if applicable |
| ipv6_address | IPv6 address of the created server if applicable |
| this_server_id | Hetzner ID of the created server |
| user_data | n/a |