This module creates databases and users on an existing CloudSQL instance. The structure of the input variable enforces a 1:1 database/user ratio. The module both creates each pair and applies the required permissions so that the user can access only its database.
To enforce permissions, the module executes SQL commands through the MySQL CLI, which therefore must be installed on the machine running terraform apply. The bundled proxy helper scripts rely on the Cloud SQL Auth Proxy v2 command syntax, so make sure you install proxy version 2.x (the newer ${CLOUDSQL_PROXY_BIN} "${CONNECTION_NAME}" --port ... invocation) rather than the legacy 1.x binary that used -instances= flags.
For MySQL 8.x instances, the module automatically removes the default cloudsqlsuperuser role, clears any global privileges and assigns the target database as the only default role so that new users are scoped exclusively to their database.
If you ever need to rerun all local scripts (start proxy → grant privileges → stop proxy) without recreating the module-managed users, set a different value for the permissions_refresh_id variable (use YYYYMMDD or YYYYMMDDHHMM, e.g. 20251110 or 202511101030) and run terraform apply; changing the value forces Terraform to recreate the null resources that execute those scripts while keeping the google_sql_user resources in place (see examples/main.tf for a ready-to-use snippet).
In addition, the module must be able to connect to the CloudSQL instance. If the instance is not directly reachable from the machine running terraform apply, the module can:
- Start a local instance of CloudSQL Auth Proxy. This creates two null resources per user and requires the proxy executable to be present on the machine running terraform apply.
- Connect through an existing CloudSQL Auth Proxy instance that is already running elsewhere (outside this module).
CloudSQL Auth Proxy needs the CloudSQL instance to expose a public IP address in order to connect to the instance itself.
Providers:

| Name | Version |
|---|---|
| google | >= 4.47.0 |
| null | >= 3.2.1 |
| random | >= 3.4.3 |

Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.2 |
| google | >= 4.47.0 |
| null | >= 3.2.1 |
| random | >= 3.4.3 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudsql_instance_name | The name of the existing Google CloudSQL instance. MySQL 5.7, 8.0 and 8.4 are supported. | string | n/a | yes |
| cloudsql_privileged_user_name | The name of the privileged user of the Cloud SQL instance. | string | n/a | yes |
| cloudsql_privileged_user_password | The password of the privileged user of the Cloud SQL instance. | string | n/a | yes |
| cloudsql_proxy_host | The host of the Cloud SQL Auth Proxy. If a value other than localhost or 127.0.0.1 (the default) is given, the module assumes a CloudSQL Auth Proxy instance is already configured and running outside this module, and therefore does not launch the proxy. | string | "127.0.0.1" | no |
| cloudsql_proxy_port | Port of the Cloud SQL Auth Proxy. | string | "1234" | no |
| database_and_user_list | The list of all databases and their respective users. Note that a database can be assigned to only one user and the same user cannot be assigned to multiple databases. user_host is optional and defaults to '%', allowing the user to connect from any host; set it to a specific host for more restrictive access. | list(object({ | n/a | yes |
| permissions_refresh_id | Optional identifier (format YYYYMMDD or YYYYMMDDHHMM, e.g. 20251110 or 202511101030) used only to force Terraform to rerun the proxy/grant scripts without recreating users. Change the value whenever you need to reapply permissions. | string | "" | no |
| project_id | The ID of the project to which the resource belongs. | string | n/a | yes |
| region | The region to which the resource belongs. | string | n/a | yes |
| terraform_start_cloud_sql_proxy | If true, Terraform automatically starts the Cloud SQL Proxy binary present in the filesystem, provided that cloudsql_proxy_host is set to a supported value. If false, you have to start the Cloud SQL Proxy manually. Use this variable to prevent the module from launching a proxy even when cloudsql_proxy_host has a supported value. | bool | true | no |
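The two rules that matter for security in this module are the 1:1 constraint on database_and_user_list and the scoping described above (no global privileges, no cloudsqlsuperuser role on 8.x, grants only on the user's own database). The following Python is an added example, not the module's own scripts or the exact SQL they run: it validates a database_and_user_list for the 1:1 rule, renders a least-privilege grant plan per pair with MySQL identifier and string quoting, and checks the lines of a SHOW GRANTS result for anything outside the expected scope. The function names, the REVOKE/SET DEFAULT ROLE statements and the sample SHOW GRANTS lines are constructed for illustration.

```python
"""Least-privilege grant plan and post-apply check for per-database MySQL users.

Added example, not the module's own scripts: the module runs its grants through
the MySQL CLI; this file only renders statements that achieve the scoping the
README describes and checks SHOW GRANTS output for it. Names, helpers and the
sample SHOW GRANTS lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Deliberately strict identifier policy: only the characters MySQL accepts in
# unquoted identifiers, so a name can never break out of the backquotes.
MYSQL_IDENT = re.compile(r"[A-Za-z0-9_$]{1,64}")


@dataclass(frozen=True)
class DatabaseAndUser:
    """One element of database_and_user_list; user_host defaults to '%' as in the module."""
    database: str
    user: str
    user_host: str = "%"


def quote_ident(name: str) -> str:
    """Backquoted identifier; rejects anything outside the strict character set."""
    if not MYSQL_IDENT.fullmatch(name):
        raise ValueError(f"unsafe MySQL identifier: {name!r}")
    return f"`{name}`"


def quote_str(value: str) -> str:
    """Single-quoted MySQL string literal for account names and hosts."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def validate_pairs(pairs):
    """Enforce the 1:1 rule: a user owns one database and a database has one user."""
    users, databases = set(), set()
    for p in pairs:
        if p.user in users:
            raise ValueError(f"user {p.user!r} is assigned to more than one database")
        if p.database in databases:
            raise ValueError(f"database {p.database!r} is assigned to more than one user")
        users.add(p.user)
        databases.add(p.database)
    return True


def grant_plan(pair, mysql_major):
    """Statements that leave the account with privileges on its own database only."""
    account = f"{quote_str(pair.user)}@{quote_str(pair.user_host)}"
    stmts = [f"REVOKE ALL PRIVILEGES, GRANT OPTION FROM {account};"]
    if mysql_major >= 8:
        # Cloud SQL attaches the cloudsqlsuperuser role to new 8.x users; detach
        # it and leave no default role so nothing global survives a re-login.
        stmts.append(f"REVOKE `cloudsqlsuperuser` FROM {account};")
        stmts.append(f"SET DEFAULT ROLE NONE TO {account};")
    stmts.append(f"GRANT ALL PRIVILEGES ON {quote_ident(pair.database)}.* TO {account};")
    stmts.append("FLUSH PRIVILEGES;")
    return stmts


# Target of a privilege grant in SHOW GRANTS output ("... ON <target> TO ...").
_GRANT_TARGET = re.compile(r"\bON\s+(\S+)\s+TO\b", re.IGNORECASE)


def grants_are_scoped(show_grants_lines, database):
    """True when the output holds nothing beyond USAGE on *.* and grants on <database>.*."""
    expected = f"{quote_ident(database)}.*"
    for raw in show_grants_lines:
        line = raw.strip().rstrip(";")
        if not line.upper().startswith("GRANT "):
            continue
        m = _GRANT_TARGET.search(line)
        if m is None:
            return False          # no ON clause: a role grant such as cloudsqlsuperuser
        target = m.group(1)
        privileges = line[len("GRANT "):m.start()].strip().upper()
        if target == "*.*":
            if privileges != "USAGE":
                return False      # any real global privilege breaks the scoping
        elif target != expected:
            return False          # privilege on a database that is not this user's
    return True


# Constructed SHOW GRANTS output: the second list carries a leftover role grant.
SCOPED_GRANTS = [
    "GRANT USAGE ON *.* TO `app`@`%`",
    "GRANT ALL PRIVILEGES ON `appdb`.* TO `app`@`%`",
]
LEAKY_GRANTS = [
    "GRANT USAGE ON *.* TO `app`@`%`",
    "GRANT ALL PRIVILEGES ON `appdb`.* TO `app`@`%`",
    "GRANT `cloudsqlsuperuser`@`%` TO `app`@`%`",
]

if __name__ == "__main__":
    pairs = [DatabaseAndUser("appdb", "app"),
             DatabaseAndUser("reports", "reporter", "10.0.0.0/255.0.0.0")]
    validate_pairs(pairs)
    for p in pairs:
        print("\n".join(grant_plan(p, 8)))
    print(grants_are_scoped(SCOPED_GRANTS, "appdb"), grants_are_scoped(LEAKY_GRANTS, "appdb"))
```

After terraform apply, feeding the output of SHOW GRANTS FOR 'user'@'host' (run through the proxy with the privileged account) into grants_are_scoped is a cheap post-condition check that the refresh via permissions_refresh_id actually produced the intended scope; a user_host narrower than '%' is a second, independent restriction that the grant plan preserves in the account literal.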
| Name | Description |
|---|---|
| sql_users_creds | The list of the created databases and the relative user username and password. You can use this output to connect to the relative database. |
| Name | Type |
|---|---|
| google_sql_database.sql_database | resource |
| google_sql_user.sql_user | resource |
| null_resource.execute_cloud_sql_proxy | resource |
| null_resource.force_permissions_refresh | resource |
| null_resource.grant_permissions | resource |
| null_resource.kill_cloud_sql_proxy | resource |
| random_password.sql_user_password | resource |
| google_sql_database_instance.cloudsql_instance | data source |
No modules.