Skip to content

fix: add final backup config #786

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

fix: add final backup config #786

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
75719a3
fix: add final backup config
jmymy Oct 31, 2025
60a3d11
Merge branch 'main' into add-final-backup
imrannayer Nov 5, 2025
01671c9
fix: add safer_mysql
jmymy Nov 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions modules/mssql/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@ module "mssql" {
| enable\_default\_db | Enable or disable the creation of the default database | `bool` | `true` | no |
| enable\_default\_user | Enable or disable the creation of the default user | `bool` | `true` | no |
| encryption\_key\_name | The full path to the encryption key used for the CMEK disk encryption | `string` | `null` | no |
| final\_backup\_config | The final\_backup\_config settings for the database. | <pre>object({<br> enabled = optional(bool, false)<br> retention_days = optional(number, 0)<br> })</pre> | `null` | no |
| follow\_gae\_application | A Google App Engine application whose zone to remain in. Must be in the same region as this instance. | `string` | `null` | no |
| insights\_config | The insights\_config settings for the database. | <pre>object({<br> query_plans_per_minute = optional(number, 5)<br> query_string_length = optional(number, 1024)<br> record_application_tags = optional(bool, false)<br> record_client_address = optional(bool, false)<br> })</pre> | `null` | no |
| instance\_type | The type of the instance. The supported values are SQL\_INSTANCE\_TYPE\_UNSPECIFIED, CLOUD\_SQL\_INSTANCE, ON\_PREMISES\_INSTANCE and READ\_REPLICA\_INSTANCE. Set to READ\_REPLICA\_INSTANCE when primary\_instance\_name is provided | `string` | `"CLOUD_SQL_INSTANCE"` | no |
Expand Down
8 changes: 8 additions & 0 deletions modules/mssql/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,14 @@ resource "google_sql_database_instance" "default" {
record_client_address = lookup(insights_config.value, "record_client_address", false)
}
}
dynamic "final_backup_config" {
for_each = var.final_backup_config != null ? [var.final_backup_config] : []

content {
enabled = lookup(final_backup_config.value, "enabled", false)
retention_days = lookup(final_backup_config.value, "retention_days", 0)
}
}

disk_autoresize = var.disk_autoresize
disk_autoresize_limit = var.disk_autoresize_limit
Expand Down
9 changes: 9 additions & 0 deletions modules/mssql/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -385,3 +385,12 @@ variable "insights_config" {
})
default = null
}

variable "final_backup_config" {
description = "The final_backup_config settings for the database."
type = object({
enabled = optional(bool, false)
retention_days = optional(number, 0)
})
default = null
}
3 changes: 2 additions & 1 deletion modules/mysql/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ module "mysql-db" {
| enable\_random\_password\_special | Enable special characters in generated random passwords. | `bool` | `false` | no |
| encryption\_key\_name | The full path to the encryption key used for the CMEK disk encryption | `string` | `null` | no |
| failover\_dr\_replica\_name | If the instance is a primary instance, then this field identifies the disaster recovery (DR) replica. The standard format of this field is "your-project:your-instance". You can also set this field to "your-instance", but cloud SQL backend will convert it to the aforementioned standard format. | `string` | `null` | no |
| final\_backup\_config | The final\_backup\_config settings for the database. | <pre>object({<br> enabled = optional(bool, false)<br> retention_days = optional(number, 0)<br> })</pre> | `null` | no |
| follow\_gae\_application | A Google App Engine application whose zone to remain in. Must be in the same region as this instance. | `string` | `null` | no |
| iam\_users | A list of IAM users to be created in your CloudSQL instance. iam.users.type can be CLOUD\_IAM\_USER, CLOUD\_IAM\_SERVICE\_ACCOUNT, CLOUD\_IAM\_GROUP and is required for type CLOUD\_IAM\_GROUP (IAM groups) | <pre>list(object({<br> id = string,<br> email = string,<br> type = optional(string)<br> }))</pre> | `[]` | no |
| insights\_config | The insights\_config settings for the database. | <pre>object({<br> query_plans_per_minute = number<br> query_string_length = number<br> record_application_tags = bool<br> record_client_address = bool<br> })</pre> | `null` | no |
Expand All @@ -94,7 +95,7 @@ module "mysql-db" {
| read\_replica\_deletion\_protection | Used to block Terraform from deleting replica SQL Instances. | `bool` | `false` | no |
| read\_replica\_deletion\_protection\_enabled | Enables protection of a read replica from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform). | `bool` | `false` | no |
| read\_replica\_name\_suffix | The optional suffix to add to the read instance name | `string` | `""` | no |
| read\_replicas | List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption\_key\_name = null | <pre>list(object({<br> name = string<br> name_override = optional(string)<br> tier = optional(string)<br> edition = optional(string)<br> availability_type = optional(string)<br> zone = optional(string)<br> disk_type = optional(string)<br> disk_autoresize = optional(bool)<br> disk_autoresize_limit = optional(number)<br> disk_size = optional(string)<br> user_labels = map(string)<br> database_flags = list(object({<br> name = string<br> value = string<br> }))<br> backup_configuration = optional(object({<br> binary_log_enabled = bool<br> transaction_log_retention_days = string<br> }))<br> insights_config = optional(object({<br> query_plans_per_minute = number<br> query_string_length = number<br> record_application_tags = bool<br> record_client_address = bool<br> }))<br> ip_configuration = object({<br> authorized_networks = optional(list(map(string)), [])<br> ipv4_enabled = optional(bool)<br> private_network = optional(string)<br> ssl_mode = optional(string)<br> allocated_ip_range = optional(string)<br> enable_private_path_for_google_cloud_services = optional(bool, false)<br> psc_enabled = optional(bool, false)<br> psc_allowed_consumer_projects = optional(list(string), [])<br> })<br> encryption_key_name = optional(string)<br> data_cache_enabled = optional(bool)<br> }))</pre> | `[]` | no |
| read\_replicas | List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption\_key\_name = null | <pre>list(object({<br> name = string<br> name_override = optional(string)<br> tier = optional(string)<br> edition = optional(string)<br> availability_type = optional(string)<br> zone = optional(string)<br> disk_type = optional(string)<br> disk_autoresize = optional(bool)<br> disk_autoresize_limit = optional(number)<br> disk_size = optional(string)<br> user_labels = map(string)<br> database_flags = list(object({<br> name = string<br> value = string<br> }))<br> backup_configuration = optional(object({<br> binary_log_enabled = bool<br> transaction_log_retention_days = string<br> }))<br> insights_config = optional(object({<br> query_plans_per_minute = number<br> query_string_length = number<br> record_application_tags = bool<br> record_client_address = bool<br> }))<br> final_backup_config = optional(object({<br> enabled = optional(bool, false)<br> retention_days = optional(number, 1)<br> }), null)<br> ip_configuration = object({<br> authorized_networks = optional(list(map(string)), [])<br> ipv4_enabled = optional(bool)<br> private_network = optional(string)<br> ssl_mode = optional(string)<br> allocated_ip_range = optional(string)<br> enable_private_path_for_google_cloud_services = optional(bool, false)<br> psc_enabled = optional(bool, false)<br> psc_allowed_consumer_projects = optional(list(string), [])<br> })<br> encryption_key_name = optional(string)<br> data_cache_enabled = optional(bool)<br> }))</pre> | `[]` | no |
| region | The region of the Cloud SQL resources | `string` | `"us-central1"` | no |
| replica\_database\_version | The read replica database version to use. This var should only be used during a database update. The update sequence 1. read-replica 2. master, setting this to an updated version will cause the replica to update, then you may update the master with the var database\_version and remove this field after update is complete | `string` | `""` | no |
| retain\_backups\_on\_delete | When this parameter is set to true, Cloud SQL retains backups of the instance even after the instance is deleted. The ON\_DEMAND backup will be retained until customer deletes the backup or the project. The AUTOMATED backup will be retained based on the backups retention setting. | `bool` | `false` | no |
Expand Down
8 changes: 8 additions & 0 deletions modules/mysql/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -112,6 +112,14 @@ resource "google_sql_database_instance" "default" {
record_client_address = lookup(insights_config.value, "record_client_address", false)
}
}
dynamic "final_backup_config" {
for_each = var.final_backup_config != null ? [var.final_backup_config] : []

content {
enabled = lookup(final_backup_config.value, "enabled", false)
retention_days = lookup(final_backup_config.value, "retention_days", 0)
}
}
dynamic "data_cache_config" {
for_each = var.edition == "ENTERPRISE_PLUS" ? ["cache_enabled"] : []
content {
Expand Down
9 changes: 9 additions & 0 deletions modules/mysql/read_replica.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,15 @@ resource "google_sql_database_instance" "replicas" {
}
}

dynamic "final_backup_config" {
for_each = var.final_backup_config != null ? [var.final_backup_config] : []

content {
enabled = lookup(final_backup_config.value, "enabled", false)
retention_days = lookup(final_backup_config.value, "retention_days", 0)
}
}

dynamic "ip_configuration" {
for_each = [lookup(each.value, "ip_configuration", {})]
content {
Expand Down
13 changes: 13 additions & 0 deletions modules/mysql/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -331,6 +331,15 @@ variable "insights_config" {
default = null
}

variable "final_backup_config" {
description = "The final_backup_config settings for the database."
type = object({
enabled = optional(bool, false)
retention_days = optional(number, 0)
})
default = null
}

variable "ip_configuration" {
description = "The ip_configuration settings subblock"
type = object({
Expand Down Expand Up @@ -387,6 +396,10 @@ variable "read_replicas" {
record_application_tags = bool
record_client_address = bool
}))
final_backup_config = optional(object({
enabled = optional(bool, false)
retention_days = optional(number, 1)
}), null)
ip_configuration = object({
authorized_networks = optional(list(map(string)), [])
ipv4_enabled = optional(bool)
Expand Down
3 changes: 2 additions & 1 deletion modules/postgresql/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -148,6 +148,7 @@ module "pg" {
| enable\_random\_password\_special | Enable special characters in generated random passwords. | `bool` | `false` | no |
| encryption\_key\_name | The full path to the encryption key used for the CMEK disk encryption | `string` | `null` | no |
| failover\_dr\_replica\_name | If the instance is a primary instance, then this field identifies the disaster recovery (DR) replica. The standard format of this field is "your-project:your-instance". You can also set this field to "your-instance", but cloud SQL backend will convert it to the aforementioned standard format. | `string` | `null` | no |
| final\_backup\_config | The final\_backup\_config settings for the database. | <pre>object({<br> enabled = optional(bool, false)<br> retention_days = optional(number, 1)<br> })</pre> | `null` | no |
| follow\_gae\_application | A Google App Engine application whose zone to remain in. Must be in the same region as this instance. | `string` | `null` | no |
| iam\_users | A list of IAM users to be created in your CloudSQL instance. iam.users.type can be CLOUD\_IAM\_USER, CLOUD\_IAM\_SERVICE\_ACCOUNT, CLOUD\_IAM\_GROUP and is required for type CLOUD\_IAM\_GROUP (IAM groups) | <pre>list(object({<br> id = string,<br> email = string,<br> type = optional(string)<br> }))</pre> | `[]` | no |
| insights\_config | The insights\_config settings for the database. | <pre>object({<br> query_plans_per_minute = optional(number, 5)<br> query_string_length = optional(number, 1024)<br> record_application_tags = optional(bool, false)<br> record_client_address = optional(bool, false)<br> })</pre> | `null` | no |
Expand All @@ -168,7 +169,7 @@ module "pg" {
| read\_replica\_deletion\_protection | Used to block Terraform from deleting replica SQL Instances. | `bool` | `false` | no |
| read\_replica\_deletion\_protection\_enabled | Enables protection of replica instance from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform). | `bool` | `false` | no |
| read\_replica\_name\_suffix | The optional suffix to add to the read instance name | `string` | `""` | no |
| read\_replicas | List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption\_key\_name = null | <pre>list(object({<br> name = string<br> name_override = optional(string)<br> tier = optional(string)<br> edition = optional(string)<br> availability_type = optional(string)<br> zone = optional(string)<br> disk_type = optional(string)<br> disk_autoresize = optional(bool)<br> disk_autoresize_limit = optional(number)<br> disk_size = optional(string)<br> user_labels = map(string)<br> database_flags = optional(list(object({<br> name = string<br> value = string<br> })), [])<br> insights_config = optional(object({<br> query_plans_per_minute = optional(number, 5)<br> query_string_length = optional(number, 1024)<br> record_application_tags = optional(bool, false)<br> record_client_address = optional(bool, false)<br> }), null)<br> ip_configuration = object({<br> authorized_networks = optional(list(map(string)), [])<br> ipv4_enabled = optional(bool)<br> private_network = optional(string)<br> ssl_mode = optional(string)<br> allocated_ip_range = optional(string)<br> enable_private_path_for_google_cloud_services = optional(bool, false)<br> psc_enabled = optional(bool, false)<br> psc_allowed_consumer_projects = optional(list(string), [])<br> })<br> encryption_key_name = optional(string)<br> data_cache_enabled = optional(bool)<br> }))</pre> | `[]` | no |
| read\_replicas | List of read replicas to create. Encryption key is required for replica in different region. For replica in same region as master set encryption\_key\_name = null | <pre>list(object({<br> name = string<br> name_override = optional(string)<br> tier = optional(string)<br> edition = optional(string)<br> availability_type = optional(string)<br> zone = optional(string)<br> disk_type = optional(string)<br> disk_autoresize = optional(bool)<br> disk_autoresize_limit = optional(number)<br> disk_size = optional(string)<br> user_labels = map(string)<br> database_flags = optional(list(object({<br> name = string<br> value = string<br> })), [])<br> insights_config = optional(object({<br> query_plans_per_minute = optional(number, 5)<br> query_string_length = optional(number, 1024)<br> record_application_tags = optional(bool, false)<br> record_client_address = optional(bool, false)<br> }), null)<br> final_backup_config = optional(object({<br> enabled = optional(bool, false)<br> retention_days = optional(number, 1)<br> }), null)<br> ip_configuration = object({<br> authorized_networks = optional(list(map(string)), [])<br> ipv4_enabled = optional(bool)<br> private_network = optional(string)<br> ssl_mode = optional(string)<br> allocated_ip_range = optional(string)<br> enable_private_path_for_google_cloud_services = optional(bool, false)<br> psc_enabled = optional(bool, false)<br> psc_allowed_consumer_projects = optional(list(string), [])<br> })<br> encryption_key_name = optional(string)<br> data_cache_enabled = optional(bool)<br> }))</pre> | `[]` | no |
| region | The region of the Cloud SQL resources | `string` | `"us-central1"` | no |
| retain\_backups\_on\_delete | When this parameter is set to true, Cloud SQL retains backups of the instance even after the instance is deleted. The ON\_DEMAND backup will be retained until customer deletes the backup or the project. The AUTOMATED backup will be retained based on the backups retention setting. | `bool` | `false` | no |
| root\_password | Initial root password during creation | `string` | `null` | no |
Expand Down
8 changes: 8 additions & 0 deletions modules/postgresql/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,14 @@ resource "google_sql_database_instance" "default" {
record_client_address = lookup(insights_config.value, "record_client_address", false)
}
}
dynamic "final_backup_config" {
for_each = var.final_backup_config != null ? [var.final_backup_config] : []

content {
enabled = lookup(final_backup_config.value, "enabled", false)
retention_days = lookup(final_backup_config.value, "retention_days", 1)
}
}

dynamic "password_validation_policy" {
for_each = !local.is_secondary_instance && var.password_validation_policy_config != null ? [var.password_validation_policy_config] : []
Expand Down
9 changes: 9 additions & 0 deletions modules/postgresql/read_replica.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,15 @@ resource "google_sql_database_instance" "replicas" {
}
}

dynamic "final_backup_config" {
for_each = lookup(each.value, "final_backup_config") != null ? [lookup(each.value, "final_backup_config")] : []

content {
enabled = lookup(final_backup_config.value, "enabled", false)
retention_days = lookup(final_backup_config.value, "retention_days", 1)
}
}

disk_autoresize = lookup(each.value, "disk_autoresize", var.disk_autoresize)
disk_autoresize_limit = lookup(each.value, "disk_autoresize_limit", var.disk_autoresize_limit)
disk_size = lookup(each.value, "disk_size", var.disk_size)
Expand Down
13 changes: 13 additions & 0 deletions modules/postgresql/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -296,6 +296,15 @@ variable "backup_configuration" {
default = {}
}

variable "final_backup_config" {
description = "The final_backup_config settings for the database."
type = object({
enabled = optional(bool, false)
retention_days = optional(number, 1)
})
default = null
}

variable "insights_config" {
description = "The insights_config settings for the database."
type = object({
Expand Down Expand Up @@ -362,6 +371,10 @@ variable "read_replicas" {
record_application_tags = optional(bool, false)
record_client_address = optional(bool, false)
}), null)
final_backup_config = optional(object({
enabled = optional(bool, false)
retention_days = optional(number, 1)
}), null)
ip_configuration = object({
authorized_networks = optional(list(map(string)), [])
ipv4_enabled = optional(bool)
Expand Down
Loading