AlloyDB Component
The AlloyDB component provisions a fully managed PostgreSQL-compatible database cluster with automatic backups and optional read replicas.
Architecture
Why AlloyDB?
AlloyDB provides:
- PostgreSQL Compatible: Full PostgreSQL compatibility
- High Performance: 4x faster than standard PostgreSQL
- Automatic Scaling: Columnar engine for analytics
- Managed Operations: Automated backups and maintenance
- High Availability: Multi-zone deployment
Resources Created
| Resource | Purpose |
|---|---|
| AlloyDB Cluster | Database cluster |
| Primary Instance | Read/write database instance |
| Read Replica | Read-only replica (prod only) |
Configuration
```yaml
# Pulumi.dev.yaml
config:
  serko-northsky:databaseCpuCount: "2"
  serko-northsky:databaseReadReplica: "false"
```

```yaml
# Pulumi.prod.yaml
config:
  serko-northsky:databaseCpuCount: "4"
  serko-northsky:databaseReadReplica: "true"
```
Instance Sizing
| Environment | vCPUs | RAM | Read Replica |
|---|---|---|---|
| Development | 2 | 16 GB | No |
| Testing | 2 | 16 GB | No |
| Production | 4 | 32 GB | Yes |
Backup Configuration
Automated backups are configured with the following schedule:
| Day | Time Window | Retention |
|---|---|---|
| Monday | 02:00-06:00 UTC | 14 days |
| Wednesday | 02:00-06:00 UTC | 14 days |
| Friday | 02:00-06:00 UTC | 14 days |
| Sunday | 02:00-06:00 UTC | 14 days |
Outputs
```typescript
interface AlloyDbOutputs {
  clusterId: string;
  clusterName: string;
  primaryInstanceId: string;
  primaryIpAddress: string;
  readReplicaIpAddress?: string;
  databasePassword: string; // Auto-generated
}
```
Connection Details
Connection String Format
```text
postgresql://postgres:PASSWORD@PRIMARY_IP:5432/postgres
```
From GKE Pods
Applications connect using the Secret Manager secret:
```yaml
env:
  - name: DATABASE_URL
    valueFrom:
      secretKeyRef:
        name: app-secrets
        key: database-url
```
Direct Connection (Development)
For local development, use Cloud SQL Auth Proxy or IAP tunneling:
```bash
# Using gcloud
gcloud alloydb instances describe serko-northsky-primary \
  --cluster=serko-northsky-cluster \
  --region=us-central1 \
  --format='value(ipAddress)'
```
Security
- Private IP Only: No public IP address
- VPC Connectivity: Accessible only within VPC
- Auto-Generated Password: Secure random password
- Encrypted Storage: Data encrypted at rest
- IAM Integration: Database access via IAM
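The connection string format above combined with the "Private IP Only" and "Auto-Generated Password" properties, as an added example that is not the project's own code: a random password can contain `@`, `:` or `/`, which must be percent-encoded before it goes into the URL, and the URL should be masked before it is logged. `isPrivateIpv4`, `encodeUserInfo`, `buildDatabaseUrl` and `redactDatabaseUrl` are hypothetical helpers, the sample values are constructed, and the address check assumes the Private Service Access range is RFC 1918.

```typescript
// Added example: helper names are hypothetical, sample values are constructed.
interface AlloyDbOutputs {
  clusterId: string;
  clusterName: string;
  primaryInstanceId: string;
  primaryIpAddress: string;
  readReplicaIpAddress?: string;
  databasePassword: string;
}

// True only for RFC 1918 addresses (10/8, 172.16/12, 192.168/16).
function isPrivateIpv4(ip: string): boolean {
  const parts = ip.split('.');
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p))) return false;
  const [a, b, c, d] = parts.map(Number);
  if ([a, b, c, d].some((n) => n > 255)) return false;
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// encodeURIComponent leaves !'()* unescaped; escape them too for the userinfo part.
function encodeUserInfo(value: string): string {
  return encodeURIComponent(value).replace(
    /[!'()*]/g,
    (ch) => '%' + ch.charCodeAt(0).toString(16).toUpperCase(),
  );
}

// Builds postgresql://postgres:PASSWORD@IP:5432/postgres, refusing public addresses.
function buildDatabaseUrl(out: AlloyDbOutputs, useReplica = false): string {
  const host = useReplica ? out.readReplicaIpAddress : out.primaryIpAddress;
  if (host === undefined) throw new Error('no read replica in this environment');
  if (!isPrivateIpv4(host)) throw new Error(`refusing non-private address: ${host}`);
  return `postgresql://postgres:${encodeUserInfo(out.databasePassword)}@${host}:5432/postgres`;
}

// Masks the password so the URL can appear in logs or error messages.
function redactDatabaseUrl(url: string): string {
  return url.replace(/^(postgresql:\/\/[^:\/@]+:)[^@]*@/, '$1***@');
}

// Constructed sample outputs (dev-style: no read replica).
const sample: AlloyDbOutputs = {
  clusterId: 'example-cluster-id',
  clusterName: 'example-cluster',
  primaryInstanceId: 'example-primary',
  primaryIpAddress: '10.20.0.5',
  databasePassword: 'p@ss:w/rd#1!',
};
```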
Network Requirements
AlloyDB requires the Private Service Access connection to be established before the cluster can be created. This dependency is handled automatically in the infrastructure code:
```typescript
const alloydb = new AlloyDb('alloydb', config, {
  dependsOn: [network.privateVpcConnection],
});
```