
Establish PostgreSQL Cloud SQL Standby in GCP (HyOps Blueprint)

Purpose: Stand up the managed GCP DR lane without cutting production traffic.
Owner: Platform engineering / SRE
Trigger: Planned DR readiness work or recurring standby validation drill
Impact: A managed GCP standby exists and publishes a normalized endpoint contract, but applications continue to use the current primary.
Severity: P2
Pre-reqs: hyops init gcp is complete, the on-prem PostgreSQL HA lane is healthy, the Patroni replication credential exists in runtime vault/env, and the selected GCP project/network path is already reachable.
Rollback strategy: Destroy the managed standby lane only; no application cutover reversal is needed because traffic is not changed by this blueprint.

Context

Blueprint ref: dr/postgresql-cloudsql-standby-gcp@v1
Location: hybridops-core/blueprints/dr/postgresql-cloudsql-standby-gcp@v1/blueprint.yml

Default step flow:

  1. platform/onprem/postgresql-dr-source
  2. org/gcp/cloudsql-external-replica

Important:

  • this blueprint does not promote or cut over traffic
  • the Cloud SQL target is created through the DMS destination connection profile path used by org/gcp/cloudsql-external-replica
  • the resulting state publishes the same endpoint fields used by platform/postgresql-ha

Required operator inputs

At minimum, provide:

  • project_state_ref or project_id
  • network_state_ref or private_network
  • region
  • source_connection_profile_name
  • destination_connection_profile_name
  • migration_job_name
  • source_replication_user
  • source_replication_password_env

Recommended default:

  • source_replication_password_env: PATRONI_REPLICATION_PASSWORD
  • source_ssl_type: NONE for the current on-prem PostgreSQL HA lane unless you have explicitly provisioned DMS TLS material
  • datamigration.googleapis.com enabled in the destination GCP project before apply_mode=establish

Optional but recommended:

  • endpoint_dns_name when you want the managed lane to publish a stable cutover record target
  • gcloud_active_account when the runner must assert the exact operator account
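
A pre-deploy check of the inputs listed above, as an added example that is not part of the HyOps tooling or this blueprint. It assumes the inputs are available as a flat Python dict (the real hyops input format is not shown on this page); check_inputs and its messages are hypothetical names.

```python
import os
import re

# Input names come from the runbook. Passing them as a flat dict is an
# assumption of this example, not the hyops input format.
EITHER_OR = [("project_state_ref", "project_id"),
             ("network_state_ref", "private_network")]
REQUIRED = ["region", "source_connection_profile_name",
            "destination_connection_profile_name", "migration_job_name",
            "source_replication_user", "source_replication_password_env"]
ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def check_inputs(inputs, environ=None):
    """Return (errors, warnings) for a dict of blueprint inputs."""
    environ = os.environ if environ is None else environ
    errors, warnings = [], []

    def val(key):
        return str(inputs.get(key) or "").strip()

    for a, b in EITHER_OR:
        if not (val(a) or val(b)):
            errors.append(f"set {a} or {b}")
    errors += [f"missing {k}" for k in REQUIRED if not val(k)]

    # The input holds the NAME of an environment variable, never the secret.
    # The value is not echoed in messages in case a password was pasted here.
    env_name = val("source_replication_password_env")
    if env_name and not ENV_NAME.fullmatch(env_name):
        errors.append("source_replication_password_env is not a variable name")
    elif env_name and not environ.get(env_name):
        errors.append(f"environment variable {env_name} is unset or empty")

    if val("source_ssl_type").upper() == "NONE":
        warnings.append("source_ssl_type=NONE: DMS reaches the source without TLS")
    if not val("endpoint_dns_name"):
        warnings.append("endpoint_dns_name blank: expect endpoint_cutover_required=true")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real environment.
    sample = {"project_id": "example-project", "private_network": "example-vpc",
              "region": "example-region", "source_replication_user": "replicator",
              "source_connection_profile_name": "src", "migration_job_name": "job",
              "destination_connection_profile_name": "dst", "source_ssl_type": "NONE",
              "source_replication_password_env": "PATRONI_REPLICATION_PASSWORD"}
    print(check_inputs(sample, {"PATRONI_REPLICATION_PASSWORD": "constructed"}))
```

Errors block the deploy; warnings are the two conditions an operator should consciously accept before running apply_mode=establish.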

Validate and execute

hyops blueprint validate --ref dr/postgresql-cloudsql-standby-gcp@v1
hyops blueprint preflight --env dev --ref dr/postgresql-cloudsql-standby-gcp@v1
hyops blueprint deploy --env dev --ref dr/postgresql-cloudsql-standby-gcp@v1 --execute

Verify

Confirm the replica state publishes:

  • cap.db.managed_external_replica = established
  • managed_replication_established = true
  • endpoint_target
  • endpoint_port
  • endpoint_cutover_required

If endpoint_dns_name is blank, endpoint_target will be the Cloud SQL private host and endpoint_cutover_required=true.