uvlava/terraform/do/database.tf

###############################################################################
# Managed Postgres — the canonical store that fixes the disaster.
#
# Black kept every backup on its own disk and died with them. DO Managed PG
# gives offsite daily backups + point-in-time recovery for free, and the
# cluster lives INSIDE the VPC with trusted-sources = the backend droplet only,
# so it never answers on the public internet. The edge (vps-0) reaches it as:
#     vps-0 --(WireGuard)--> droplet pgBouncer --(VPC)--> this cluster
###############################################################################

resource "digitalocean_database_cluster" "pg" {
  name       = "${var.project_name}-pg"
  engine     = "pg"
  version    = var.pg_version
  size       = var.pg_size
  region     = var.region
  node_count = var.pg_node_count

  # Bind the cluster to the private VPC — no public-network reachability.
  private_network_uuid = digitalocean_vpc.store.id

  tags = var.tags
}

# Logical databases mirroring black's layout (quinn, quinn_admin).
resource "digitalocean_database_db" "dbs" {
  for_each = toset(var.pg_databases)

  cluster_id = digitalocean_database_cluster.pg.id
  name       = each.value
}

# Application role used by the backend services / pgBouncer bridge.
resource "digitalocean_database_user" "app" {
  cluster_id = digitalocean_database_cluster.pg.id
  name       = "quinn_app"
}

# Trusted sources = ONLY the backend droplet. This is the hard private boundary:
# nothing else — not the internet, not vps-0 directly — can open a PG connection.
resource "digitalocean_database_firewall" "pg" {
  cluster_id = digitalocean_database_cluster.pg.id

  rule {
    type  = "droplet"
    value = digitalocean_droplet.backend.id
  }
}