feat: major inplace upgrade, deletion protection (#665)

Author: shemau

README.md

@@ -101,6 +101,7 @@ To attach access management tags to resources in this module, you need the follo
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    tags = optional(list(object({<br/>      name  = string<br/>      value = string<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_configuration"></a> [configuration](#input\_configuration) | Database configuration parameters, see https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-changing-configuration&interface=api for more details. | <pre>object({<br/>    shared_buffers  = optional(number)<br/>    max_connections = optional(number)<br/>    # below field gives error when sent to provider<br/>    # tracking issue: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5403<br/>    # max_locks_per_transaction  = optional(number)<br/>    max_prepared_transactions  = optional(number)<br/>    synchronous_commit         = optional(string)<br/>    effective_io_concurrency   = optional(number)<br/>    deadlock_timeout           = optional(number)<br/>    log_connections            = optional(string)<br/>    log_disconnections         = optional(string)<br/>    log_min_duration_statement = optional(number)<br/>    tcp_keepalives_idle        = optional(number)<br/>    tcp_keepalives_interval    = optional(number)<br/>    tcp_keepalives_count       = optional(number)<br/>    archive_timeout            = optional(number)<br/>    wal_level                  = optional(string)<br/>    max_replication_slots      = optional(number)<br/>    max_wal_senders            = optional(number)<br/>  })</pre> | `null` | no |
 | <a name="input_cpu_count"></a> [cpu\_count](#input\_cpu\_count) | Allocated dedicated CPU per member. For shared CPU, set to 0. [Learn more](https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling) | `number` | `0` | no |
+| <a name="input_deletion_protection"></a> [deletion\_protection](#input\_deletion\_protection) | Enable deletion protection within terraform. This is not a property of the resource and does not prevent deletion outside of terraform. The database can not be deleted by terraform when this value is set to 'true'. In order to delete with terraform the value must be set to 'false' and a terraform apply performed before the destroy is performed. The default is 'true'. | `bool` | `true` | no |
 | <a name="input_disk_mb"></a> [disk\_mb](#input\_disk\_mb) | Allocated disk per member. [Learn more](https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-resources-scaling) | `number` | `5120` | no |
 | <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if `use_ibm_owned_encryption_key` is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the `use_same_kms_key_for_backups` and `backup_encryption_key_crn` inputs. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `string` | `null` | no |
 | <a name="input_member_host_flavor"></a> [member\_host\_flavor](#input\_member\_host\_flavor) | Allocated host flavor per member. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#host_flavor). | `string` | `null` | no |
@@ -117,10 +118,12 @@ To attach access management tags to resources in this module, you need the follo
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'. | `string` | `"private"` | no |
 | <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of IAM authorization policies that permits all Databases for PostgreSQL instances in the given resource group 'Reader' access to the Key Protect or Hyper Protect Crypto Services key that was provided in the `kms_key_crn` and `backup_encryption_key_crn` inputs. This policy is required in order to enable KMS encryption, so only skip creation if there is one already present in your account. No policy is created if `use_ibm_owned_encryption_key` is true. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Optional list of tags to be added to the PostgreSQL instance. | `list(string)` | `[]` | no |
+| <a name="input_timeouts_update"></a> [timeouts\_update](#input\_timeouts\_update) | A database update may require a longer timeout for the update to complete. The default is 120 minutes. Set this variable to change the `update` value in the `timeouts` block. [Learn more](https://developer.hashicorp.com/terraform/language/resources/syntax#operation-timeouts). | `string` | `"120m"` | no |
 | <a name="input_use_default_backup_encryption_key"></a> [use\_default\_backup\_encryption\_key](#input\_use\_default\_backup\_encryption\_key) | When `use_ibm_owned_encryption_key` is set to false, backups will be encrypted with either the key specified in `kms_key_crn`, or in `backup_encryption_key_crn` if a value is passed. If you do not want to use your own key for backups encryption, you can set this to `true` to use the IBM Cloud Databases default encryption for backups. Alternatively set `use_ibm_owned_encryption_key` to true to use the default encryption for both backups and deployment data. | `bool` | `false` | no |
 | <a name="input_use_ibm_owned_encryption_key"></a> [use\_ibm\_owned\_encryption\_key](#input\_use\_ibm\_owned\_encryption\_key) | IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for the `kms_key_crn` input. | `bool` | `true` | no |
 | <a name="input_use_same_kms_key_for_backups"></a> [use\_same\_kms\_key\_for\_backups](#input\_use\_same\_kms\_key\_for\_backups) | Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the `backup_encryption_key_crn` input. Alternatiely set `use_default_backup_encryption_key` to true to use the IBM Cloud Databases default encryption. Applies only if `use_ibm_owned_encryption_key` is false. Bare in mind that backups encryption is only available in certain regions. See [Bring your own key for backups](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect&interface=ui#key-byok) and [Using the HPCS Key for Backup encryption](https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs#use-hpcs-backups). | `bool` | `true` | no |
 | <a name="input_users"></a> [users](#input\_users) | A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service\_credential\_names) is sufficient to control access to the Postgres instance. This blocks creates native postgres database users, more info on that can be found here https://cloud.ibm.com/docs/databases-for-postgresql?topic=databases-for-postgresql-user-management&interface=ui | <pre>list(object({<br/>    name     = string<br/>    password = string # pragma: allowlist secret<br/>    type     = optional(string)<br/>    role     = optional(string)<br/>  }))</pre> | `[]` | no |
+| <a name="input_version_upgrade_skip_backup"></a> [version\_upgrade\_skip\_backup](#input\_version\_upgrade\_skip\_backup) | Whether to skip taking a backup before upgrading the database version. Attention: Skipping a backup is not recommended. Skipping a backup before a version upgrade is dangerous and may result in data loss if the upgrade fails at any stage — there will be no immediate backup to restore from. | `bool` | `false` | no |
 
 ### Outputs
 

examples/backup/catalogValidationValues.json.template

@@ -33,12 +33,13 @@ module "restored_icd_postgresql" {
   # remove the above line and uncomment the below 2 lines to consume the module from the registry
   # source            = "terraform-ibm-modules/icd-postgresql/ibm"
   # version           = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
-  resource_group_id  = module.resource_group.resource_group_id
-  name               = "${var.prefix}-postgres-restored"
-  postgresql_version = var.postgresql_version
-  region             = var.region
-  tags               = var.resource_tags
-  access_tags        = var.access_tags
-  member_host_flavor = "multitenant"
-  backup_crn         = var.postgresql_db_backup_crn == null ? data.ibm_database_backups.backup_database[0].backups[0].backup_id : var.postgresql_db_backup_crn
+  resource_group_id   = module.resource_group.resource_group_id
+  name                = "${var.prefix}-postgres-restored"
+  postgresql_version  = var.postgresql_version
+  region              = var.region
+  tags                = var.resource_tags
+  access_tags         = var.access_tags
+  deletion_protection = false
+  member_host_flavor  = "multitenant"
+  backup_crn          = var.postgresql_db_backup_crn == null ? data.ibm_database_backups.backup_database[0].backups[0].backup_id : var.postgresql_db_backup_crn
 }

examples/backup/main.tf

@@ -19,14 +19,15 @@ module "database" {
   # remove the above line and uncomment the below 2 lines to consume the module from the registry
   # source            = "terraform-ibm-modules/icd-postgresql/ibm"
   # version           = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
-  resource_group_id  = module.resource_group.resource_group_id
-  name               = "${var.prefix}-data-store"
-  postgresql_version = var.postgresql_version
-  region             = var.region
-  tags               = var.resource_tags
-  access_tags        = var.access_tags
-  service_endpoints  = var.service_endpoints
-  member_host_flavor = var.member_host_flavor
+  resource_group_id   = module.resource_group.resource_group_id
+  name                = "${var.prefix}-data-store"
+  region              = var.region
+  postgresql_version  = var.postgresql_version
+  access_tags         = var.access_tags
+  tags                = var.resource_tags
+  service_endpoints   = var.service_endpoints
+  member_host_flavor  = var.member_host_flavor
+  deletion_protection = false
   service_credential_names = {
     "postgresql_admin" : "Administrator",
     "postgresql_operator" : "Operator",
@@ -54,17 +55,18 @@ resource "time_sleep" "wait_time" {
 ##############################################################################
 
 module "read_only_replica_postgresql_db" {
-  count              = var.read_only_replicas_count
-  source             = "../.."
-  resource_group_id  = module.resource_group.resource_group_id
-  name               = "${var.prefix}-read-only-replica-${count.index}"
-  region             = var.region
-  tags               = var.resource_tags
-  access_tags        = var.access_tags
-  postgresql_version = var.postgresql_version
-  remote_leader_crn  = module.database.crn
-  member_host_flavor = "multitenant"
-  memory_mb          = 4096 # Must be an increment of 384 megabytes. The minimum size of a read-only replica is 2 GB RAM, new hosting model minimum is 4 GB RAM.
-  disk_mb            = 5120 # Must be an increment of 512 megabytes. The minimum size of a read-only replica is 5 GB of disk
-  depends_on         = [time_sleep.wait_time]
+  count               = var.read_only_replicas_count
+  source              = "../.."
+  resource_group_id   = module.resource_group.resource_group_id
+  name                = "${var.prefix}-read-only-replica-${count.index}"
+  region              = var.region
+  tags                = var.resource_tags
+  access_tags         = var.access_tags
+  postgresql_version  = var.postgresql_version
+  remote_leader_crn   = module.database.crn
+  deletion_protection = false
+  member_host_flavor  = "multitenant"
+  memory_mb           = 4096 # Must be an increment of 384 megabytes. The minimum size of a read-only replica is 2 GB RAM, new hosting model minimum is 4 GB RAM.
+  disk_mb             = 5120 # Must be an increment of 512 megabytes. The minimum size of a read-only replica is 5 GB of disk
+  depends_on          = [time_sleep.wait_time]
 }

examples/basic/catalogValidationValues.json.template

@@ -6,6 +6,11 @@ output "id" {
   value       = module.database.id
 }
 
+output "postgresql_crn" {
+  description = "Postgresql CRN"
+  value       = module.database.crn
+}
+
 output "version" {
   description = "Postgresql instance version"
   value       = module.database.version
@@ -31,8 +36,3 @@ output "certificate_base64" {
   value       = module.database.certificate_base64
   sensitive   = true
 }
-
-output "postgresql_crn" {
-  description = "Postgresql CRN"
-  value       = module.database.crn
-}

examples/basic/main.tf

@@ -6,18 +6,14 @@ variable "ibmcloud_api_key" {
 
 variable "region" {
   type        = string
-  description = "Region to provision all resources created by this example."
+  description = "Region to provision all resources created by this example"
+  default     = "us-south"
 }
 
 variable "prefix" {
   type        = string
   description = "Prefix to append to all resources created by this example"
-}
-
-variable "postgresql_version" {
-  description = "Version of the postgresql instance. If no value passed, the current ICD preferred version is used."
-  type        = string
-  default     = null
+  default     = "pg"
 }
 
 variable "resource_group" {
@@ -26,34 +22,21 @@ variable "resource_group" {
   default     = null
 }
 
-variable "resource_tags" {
-  type        = list(string)
-  description = "Optional list of tags to be added to created resources"
-  default     = []
-}
-
 variable "access_tags" {
   type        = list(string)
   description = "A list of access tags to apply to the PostgreSQL instance created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details"
   default     = []
 }
 
-variable "read_only_replicas_count" {
-  type        = number
-  description = "Number of read-only replicas per leader"
-  default     = 1
-  validation {
-    condition = alltrue([
-      var.read_only_replicas_count >= 1,
-      var.read_only_replicas_count <= 5
-    ])
-    error_message = "There is a limit of five read-only replicas per leader"
-  }
+variable "resource_tags" {
+  type        = list(string)
+  description = "Optional list of tags to be added to created resources"
+  default     = []
 }
 
-variable "member_host_flavor" {
+variable "postgresql_version" {
   type        = string
-  description = "Allocated host flavor per member. For more information, see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#host_flavor"
+  description = "Version of the postgresql instance. If no value passed, the current ICD preferred version is used."
   default     = null
 }
 
@@ -67,3 +50,23 @@ variable "service_endpoints" {
     error_message = "Valid values for service_endpoints are 'public', 'public-and-private', and 'private'"
   }
 }
+
+variable "member_host_flavor" {
+  type        = string
+  description = "The host flavor per member. [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database#host_flavor)."
+  default     = "multitenant"
+  # Validation is done in the Terraform plan phase by the IBM provider, so no need to add extra validation here.
+}
+
+variable "read_only_replicas_count" {
+  type        = number
+  description = "Number of read-only replicas per leader"
+  default     = 1
+  validation {
+    condition = alltrue([
+      var.read_only_replicas_count >= 1,
+      var.read_only_replicas_count <= 5
+    ])
+    error_message = "There is a limit of five read-only replicas per leader"
+  }
+}

examples/basic/outputs.tf

@@ -124,8 +124,9 @@ module "icd_postgresql" {
     "postgressql_viewer" : "Viewer",
     "postgressql_editor" : "Editor",
   }
-  access_tags        = var.access_tags
-  member_host_flavor = "multitenant"
+  access_tags         = var.access_tags
+  member_host_flavor  = "multitenant"
+  deletion_protection = false
   # Example of setting configuration - none of the below is mandatory - those settings are set in this example for illustation purpose and ensure path is exercised in automated test using this example.
   configuration = {
     shared_buffers             = 32000