main.tf

resource "google_compute_global_address" "private_ip_address" {
  provider = google-beta
  project  = var.project

  name          = "private-ip-address"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
  network       = data.google_compute_network.network.id
}

resource "google_service_networking_connection" "private_vpc_connection" {
  provider = google-beta

  network                 = data.google_compute_network.network.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.private_ip_address.name]
}

resource "random_id" "db_name_suffix" {
  byte_length = 4
}

data "external" "current_ip" {
  program = ["bash", "-c", "curl -s 'https://api.ipify.org?format=json'"]
}

resource "google_sql_database_instance" "instance" {
  provider = google-beta
  project  = var.project
  region   = var.region

  name             = "private-instance-${random_id.db_name_suffix.hex}"
  database_version = "POSTGRES_14"

  depends_on = [google_service_networking_connection.private_vpc_connection]

  settings {
    tier = var.db_tier
    ip_configuration {
      ipv4_enabled    = true
      private_network = data.google_compute_network.network.id

      authorized_networks {
        name = "on-prem"
        value = "${data.external.current_ip.result.ip}/32"
      }
    }

    database_flags {
      name  = "cloudsql.logical_decoding"
      value = "on"
    }
  }
}