Update database connection string to use private IP with psycopg format

dcmcand · dcmcand · commit aa7c02e7a5a0 · 2025-08-06T11:22:26.000+02:00
- Change from connection_name to private_ip_address:5432
- Use postgresql+psycopg:// format for psycopg3 driver compatibility
- Connection uses private VPC networking (no public IP)
- Standard TCP connection over private network via VPC connector
- Fix terraform formatting and update docs
diff --git a/README.md b/README.md
@@ -179,14 +179,17 @@ No modules.
 | [google_project_iam_member.app_monitoring_writer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_service.required_apis](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
 | [google_secret_manager_secret.ai_api_keys](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
+| [google_secret_manager_secret.config_files](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
 | [google_secret_manager_secret.db_connection](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
 | [google_secret_manager_secret.db_password](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
 | [google_secret_manager_secret.mcp_api_keys](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
 | [google_secret_manager_secret_iam_member.app_ai_api_keys](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_member) | resource |
+| [google_secret_manager_secret_iam_member.app_config_files](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_member) | resource |
 | [google_secret_manager_secret_iam_member.app_db_connection](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_member) | resource |
 | [google_secret_manager_secret_iam_member.app_db_password](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_member) | resource |
 | [google_secret_manager_secret_iam_member.app_mcp_api_keys](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_member) | resource |
 | [google_secret_manager_secret_version.ai_api_keys](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_version) | resource |
+| [google_secret_manager_secret_version.config_files](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_version) | resource |
 | [google_secret_manager_secret_version.db_connection](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_version) | resource |
 | [google_secret_manager_secret_version.db_password](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_version) | resource |
 | [google_secret_manager_secret_version.mcp_api_keys](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_version) | resource |
@@ -205,6 +208,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_ai_api_keys"></a> [ai\_api\_keys](#input\_ai\_api\_keys) | Map of AI API keys where key is the environment variable name (e.g., OPENAI\_API\_KEY, ANTHROPIC\_API\_KEY) and value is the actual API key (stored in Secret Manager) | `map(string)` | `{}` | no |
 | <a name="input_app_command"></a> [app\_command](#input\_app\_command) | Command to run the container | `list(string)` | <pre>[<br/>  "hrafnar",<br/>  "serve"<br/>]</pre> | no |
+| <a name="input_app_config_files"></a> [app\_config\_files](#input\_app\_config\_files) | Configuration files to mount as volumes from Secret Manager. Key is the config name, value contains file content and mount path. | <pre>map(object({<br/>    content    = string # File content to store in Secret Manager<br/>    mount_path = string # Path where file will be mounted in container (e.g., "/etc/config/app.yaml")<br/>  }))</pre> | `{}` | no |
 | <a name="input_app_cpu"></a> [app\_cpu](#input\_app\_cpu) | CPU allocation for the hrafnar application | `string` | `"1000m"` | no |
 | <a name="input_app_env_vars"></a> [app\_env\_vars](#input\_app\_env\_vars) | Environment variables for the hrafnar application | `map(string)` | `{}` | no |
 | <a name="input_app_image"></a> [app\_image](#input\_app\_image) | Container image for the hrafnar application (without tag) | `string` | n/a | yes |
diff --git a/iam.tf b/iam.tf
@@ -81,15 +81,15 @@ resource "google_project_iam_member" "app_logging_writer" {
 # Enable required APIs
 resource "google_project_service" "required_apis" {
   for_each = toset([
-    "run.googleapis.com",                     # Cloud Run
-    "secretmanager.googleapis.com",           # Secret Manager
-    "compute.googleapis.com",                 # Compute Engine (for VPC)
-    "servicenetworking.googleapis.com",       # Service Networking (for Cloud SQL private IP)
-    "sqladmin.googleapis.com",                # Cloud SQL Admin API
-    "sql-component.googleapis.com",           # Cloud SQL Component API
-    "vpcaccess.googleapis.com",               # VPC Access (for VPC connector)
-    "iam.googleapis.com",                     # Identity and Access Management
-    "cloudresourcemanager.googleapis.com"    # Cloud Resource Manager
+    "run.googleapis.com",                 # Cloud Run
+    "secretmanager.googleapis.com",       # Secret Manager
+    "compute.googleapis.com",             # Compute Engine (for VPC)
+    "servicenetworking.googleapis.com",   # Service Networking (for Cloud SQL private IP)
+    "sqladmin.googleapis.com",            # Cloud SQL Admin API
+    "sql-component.googleapis.com",       # Cloud SQL Component API
+    "vpcaccess.googleapis.com",           # VPC Access (for VPC connector)
+    "iam.googleapis.com",                 # Identity and Access Management
+    "cloudresourcemanager.googleapis.com" # Cloud Resource Manager
   ])
 
   project = var.project_id
diff --git a/secrets.tf b/secrets.tf
@@ -67,7 +67,7 @@ resource "google_secret_manager_secret" "db_connection" {
 resource "google_secret_manager_secret_version" "db_connection" {
   count       = var.enable_database ? 1 : 0
   secret      = google_secret_manager_secret.db_connection[0].id
-  secret_data = "postgresql://${local.database_user}:${random_password.db_password[0].result}@${google_sql_database_instance.main[0].connection_name}/${local.database_name}"
+  secret_data = "postgresql+psycopg://${local.database_user}:${random_password.db_password[0].result}@${google_sql_database_instance.main[0].private_ip_address}:5432/${local.database_name}"
 }
 
 # Secret Manager secrets for config files

Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ resource "google_secret_manager_secret" "db_connection" {`
`67`	`67`	`resource "google_secret_manager_secret_version" "db_connection" {`
`68`	`68`	`count = var.enable_database ? 1 : 0`
`69`	`69`	`secret = google_secret_manager_secret.db_connection[0].id`
`70`		`- secret_data = "postgresql://${local.database_user}:${random_password.db_password[0].result}@${google_sql_database_instance.main[0].connection_name}/${local.database_name}"`
	`70`	`+ secret_data = "postgresql+psycopg://${local.database_user}:${random_password.db_password[0].result}@${google_sql_database_instance.main[0].private_ip_address}:5432/${local.database_name}"`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`# Secret Manager secrets for config files`