-brightgreen){kind=icon}
Important
Databases for EnterpriseDB is deprecated. As of 16 June 2025 you can't deploy new instances. Existing instances are supported until 15 October 2025. Any instances that still exist on that date will be deleted. For more information, see Deprecation of Databases for EnterpriseDB.
This module implements an instance of the IBM Cloud Databases for EnterpriseDB service.
❗ The module does not support major version upgrades or updates to encryption and backup encryption keys. To upgrade the version, create another instance of Databases for EnterpriseDBs with the updated version.
❗ The module only supports setting the disk encryption and backup encryption key CRNs on creation and no update support is available. The KMS manual or automatic key rotation may be used to change the key value and initiate the re-encryption of the deployment.
IBM Cloud Databases supports:
- Key Protect encryption in
us-south,us-east, andeu-defor backup encryption. For more information, see Bring Your Own Key for Backups in the IBM Cloud Docs. - Hyper Protect Crypto Services in all regions for backup encryption. For more information, see Hyper Protect Crypto Services for Backup encryption in the IBM Cloud Docs.
If you enable key management encryption and no value is passed for 'backup_encryption_key_crn', the value of 'kms_key_crn' is used.
provider "ibm" {
ibmcloud_api_key = "xxXXxx" # pragma: allowlist secret
region = "us-south"
}
module "enterprise_db" {
# Replace "main" with a GIT release version to lock into a specific release
source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-icd-edb?ref=main"
resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
name = "my-instance"
region = "us-south"
}You need the following permissions to run this module.
- Account Management
- Databases for EnterpriseDB service
Editorrole access
- Databases for EnterpriseDB service
To attach access management tags to resources in this module, you need the following permissions.
- IAM Services
- Tagging service
Administratorplatform access
- Tagging service
| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| ibm | >= 1.70.0, < 2.0.0 |
| time | >= 0.9.1, < 1.0.0 |
| Name | Source | Version |
|---|---|---|
| backup_key_crn_parser | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 |
| cbr_rule | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.29.0 |
| kms_key_crn_parser | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 |
| Name | Type |
|---|---|
| ibm_database.enterprise_db | resource |
| ibm_iam_authorization_policy.backup_kms_policy | resource |
| ibm_iam_authorization_policy.kms_policy | resource |
| ibm_resource_key.service_credentials | resource |
| ibm_resource_tag.enterprisedb_tag | resource |
| time_sleep.wait_for_authorization_policy | resource |
| time_sleep.wait_for_backup_kms_authorization_policy | resource |
| ibm_database_connection.database_connection | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_tags | A list of access tags to apply to the Enterprise DB instance created by the module, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial for more details | list(string) |
[] |
no |
| admin_pass | The password for the database administrator. If the admin password is null then the admin user ID cannot be accessed. More users can be specified in a user block. | string |
null |
no |
| auto_scaling | Optional rules to allow the database to increase resources in response to usage. Only a single autoscaling block is allowed. Make sure you understand the effects of autoscaling, especially for production environments. See https://ibm.biz/autoscaling-considerations in the IBM Cloud Docs. | object({ |
null |
no |
| backup_crn | The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty. | string |
null |
no |
| backup_encryption_key_crn | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key that you want to use for encrypting the disk that holds deployment backups. Applies only if use_ibm_owned_encryption_key is false and use_same_kms_key_for_backups is false. If no value is passed, and use_same_kms_key_for_backups is true, the value of kms_key_crn is used. Alternatively set use_default_backup_encryption_key to true to use the IBM Cloud Databases default encryption. Bare in mind that backups encryption is only available in certain regions. See Bring your own key for backups and Using the HPCS Key for Backup encryption. |
string |
null |
no |
| cbr_rules | (Optional, list) List of CBR rules to create | list(object({ |
[] |
no |
| configuration | Database configuration. Learn more | object({ |
null |
no |
| edb_version | Version of the Enterprise DB instance to provision. If no value is passed, the current preferred version of IBM Cloud Databases is used. For our version policy, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-versioning-policy for more details | string |
null |
no |
| kms_key_crn | The CRN of a Key Protect or Hyper Protect Crypto Services encryption key to encrypt your data. Applies only if use_ibm_owned_encryption_key is false. By default this key is used for both deployment data and backups, but this behaviour can be altered using the use_same_kms_key_for_backups and backup_encryption_key_crn inputs. Bare in mind that backups encryption is only available in certain regions. See Bring your own key for backups and Using the HPCS Key for Backup encryption. |
string |
null |
no |
| member_cpu_count | Allocated dedicated CPU per member. Minimum number of CPU allowed is 3. Learn more | number |
3 |
no |
| member_disk_mb | Allocated disk per member. Learn more | number |
20480 |
no |
| member_host_flavor | Allocated host flavor per member. Learn more. | string |
null |
no |
| member_memory_mb | Allocated memory per member. Learn more | number |
4096 |
no |
| members | Allocated number of members. Members can be scaled up but not down. | number |
3 |
no |
| name | The name given to the Enterprise DB instance. | string |
n/a | yes |
| pitr_id | (Optional) The ID of the source deployment EDB instance that you want to recover back to. The EDB instance is expected to be in an up and in running state. | string |
null |
no |
| pitr_time | (Optional) The timestamp in UTC format (%Y-%m-%dT%H:%M:%SZ) that you want to restore to. To retrieve the timestamp, run the command (ibmcloud cdb postgresql earliest-pitr-timestamp ). For more info on Point-in-time Recovery, see https://cloud.ibm.com/docs/databases-for-enterprisedb?topic=databases-for-enterprisedb-pitr | string |
null |
no |
| region | The region where you want to deploy your instance. | string |
"us-south" |
no |
| remote_leader_crn | A CRN of the leader database to make the replica(read-only) deployment. The leader database is created by a database deployment with the same service ID. A read-only replica is set up to replicate all of your data from the leader deployment to the replica deployment by using asynchronous replication. For more information, see https://cloud.ibm.com/docs/databases-for-enterprisedb?topic=databases-for-enterprisedb-read-only-replicas | string |
null |
no |
| resource_group_id | The resource group ID where Enterprise DB instance will be created. | string |
n/a | yes |
| resource_tags | Optional list of tags to be added to the Enterprise DB instance. | list(string) |
[] |
no |
| service_credential_names | Map of name, role for service credentials that you want to create for the database | map(string) |
{} |
no |
| service_endpoints | Specify whether you want to enable the public, private, or both service endpoints. Supported values are 'public', 'private', or 'public-and-private'. | string |
"private" |
no |
| skip_iam_authorization_policy | Set to true to skip the creation of IAM authorization policies that permits all Databases for EnterpriseDB instances in the given resource group 'Reader' access to the Key Protect or Hyper Protect Crypto Services key that was provided in the kms_key_crn and backup_encryption_key_crn inputs. This policy is required in order to enable KMS encryption, so only skip creation if there is one already present in your account. No policy is created if use_ibm_owned_encryption_key is true. |
bool |
false |
no |
| use_default_backup_encryption_key | When use_ibm_owned_encryption_key is set to false, backups will be encrypted with either the key specified in kms_key_crn, or in backup_encryption_key_crn if a value is passed. If you do not want to use your own key for backups encryption, you can set this to true to use the IBM Cloud Databases default encryption for backups. Alternatively set use_ibm_owned_encryption_key to true to use the default encryption for both backups and deployment data. |
bool |
false |
no |
| use_ibm_owned_encryption_key | IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for the kms_key_crn input. |
bool |
true |
no |
| use_same_kms_key_for_backups | Set this to false if you wan't to use a different key that you own to encrypt backups. When set to false, a value is required for the backup_encryption_key_crn input. Alternatiely set use_default_backup_encryption_key to true to use the IBM Cloud Databases default encryption. Applies only if use_ibm_owned_encryption_key is false. Bare in mind that backups encryption is only available in certain regions. See Bring your own key for backups and Using the HPCS Key for Backup encryption. |
bool |
true |
no |
| users | A list of users that you want to create on the database. Multiple blocks are allowed. The user password must be in the range of 10-32 characters. Be warned that in most case using IAM service credentials (via the var.service_credential_names) is sufficient to control access to the Enterprise Db instance. This blocks creates native enterprise database users, more info on that can be found here https://cloud.ibm.com/docs/databases-for-enterprisedb?topic=databases-for-enterprisedb-user-management&interface=api | list(object({ |
[] |
no |
| Name | Description |
|---|---|
| adminuser | Database admin user name |
| cbr_rule_ids | CBR rule ids created to restrict Enterprise DB |
| certificate_base64 | Database connection certificate |
| crn | Enterprise DB instance crn |
| guid | Enterprise DB instance guid |
| hostname | Database connection hostname |
| id | Enterprise DB instance id |
| port | Database connection port |
| service_credentials_json | Service credentials json map |
| service_credentials_object | Service credentials object |
| version | Enterprise DB instance version |
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.