pkg/backend/diy/postgres/README.md
(postgresql-backend)=
The pkg/backend/diy/postgres package provides a PostgreSQL-based backend implementation for Pulumi state storage. It stores Pulumi state in a PostgreSQL database table, allowing you to use PostgreSQL as your state storage mechanism.
The PostgreSQL backend connection string follows the standard PostgreSQL connection string format with a postgres:// prefix:
```
postgres://username:password@hostname:port/database?param1=value1&param2=value2
```
The following query parameters are supported in the connection string:
- `table`: The name of the table to use for state storage (default: `pulumi_state`)

The following PostgreSQL connection parameters can be included in the connection string query parameters:

- `sslmode`: SSL connection mode (`disable`, `allow`, `prefer`, `require`, `verify-ca`, `verify-full`)
- `sslcert`: Client certificate file path
- `sslkey`: Client private key file path
- `sslrootcert`: Root certificate file path
- `sslcrl`: Certificate revocation list file path
- `sslcompression`: Enable SSL compression (`0` or `1`)
- `sslsni`: Enable SSL Server Name Indication (`0` or `1`)
- `connect_timeout`: Maximum time to wait for connection (seconds)
- `keepalives_idle`: Time before sending keepalive probe (seconds)
- `keepalives_interval`: Interval between keepalive probes (seconds)
- `keepalives_count`: Number of keepalive probes before giving up
- `tcp_user_timeout`: Time for transmitted data to be acknowledged (milliseconds)
- `application_name`: Application name for connection identification
- `client_encoding`: Client character set encoding
- `options`: Command-line options to send to server on connection startup
- `timezone`: Session timezone setting
- `passfile`: Password file path (alternative to inline password)
- `target_session_attrs`: Required session attributes (`any`, `read-write`, `read-only`, `primary`, `standby`, `prefer-standby`)
- `load_balance_hosts`: Enable connection load balancing (`disable`, `random`)
- `hostaddr`: Numeric IP address (can be used instead of or in addition to host)

```
# Basic SSL connection
postgres://user:pass@localhost:5432/mydb?sslmode=require

# Connection with custom table and SSL verification
postgres://user:[email protected]:5432/pulumi?table=my_state&sslmode=verify-full&sslrootcert=/path/to/ca.crt

# Connection with timeout and keepalive settings
postgres://user:pass@localhost:5432/mydb?connect_timeout=30&keepalives_idle=600&keepalives_interval=30

# Read-only replica connection with application name
postgres://user:[email protected]:5432/mydb?target_session_attrs=read-only&application_name=pulumi-state

# Connection with custom search path and timezone
postgres://user:pass@localhost:5432/mydb?search_path=pulumi,public&timezone=UTC
```
To use PostgreSQL as your Pulumi state backend:
```bash
pulumi login postgres://username:password@hostname:port/database
```
For the most secure setup, supply your PostgreSQL credentials through environment variables instead of the connection string. The following standard PostgreSQL environment variables are supported:
```bash
export PGUSER=username        # Defaults to current system user
export PGPASSWORD=password    # Required - no default
export PGHOST=hostname        # Defaults to "localhost"
export PGPORT=5432            # Defaults to 5432
export PGDATABASE=database    # Defaults to the value of PGUSER

# Then login with minimal connection string
pulumi login postgres://
```
Note: Only PGPASSWORD is required when using environment variables. All others have sensible defaults as noted above.
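A pre-flight check for a backend connection string before it reaches `pulumi login` or a CI log, as an added example (not code from the Pulumi package). `AuditBackendURL` is a hypothetical helper, the sample host names and credentials are constructed, and the `sslmode` notes assume the standard PostgreSQL meanings of those values.

```go
package main

import (
	"fmt"
	"net/url"
)

// AuditBackendURL returns findings for a postgres:// backend URL plus a copy
// with the userinfo password replaced. Hypothetical helper, not Pulumi code.
func AuditBackendURL(raw string) (findings []string, redacted string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, "", fmt.Errorf("unparseable connection string") // never echo raw: it may hold a password
	}
	if u.Scheme != "postgres" {
		return nil, "", fmt.Errorf("unexpected scheme %q", u.Scheme)
	}
	if _, hasPw := u.User.Password(); hasPw {
		findings = append(findings, "inline password: use PGPASSWORD or passfile instead")
		u.User = url.UserPassword(u.User.Username(), "REDACTED")
	}
	switch mode := u.Query().Get("sslmode"); mode {
	case "verify-full":
		// Encrypted; CA chain and server host name are both checked.
	case "verify-ca":
		findings = append(findings, "sslmode=verify-ca: server host name is not checked")
	case "require":
		findings = append(findings, "sslmode=require: encrypted, but does not guarantee the server certificate is verified")
	case "disable", "allow", "prefer":
		findings = append(findings, "sslmode="+mode+": connection may be unencrypted")
	case "":
		findings = append(findings, "sslmode not set: the driver default applies")
	default:
		findings = append(findings, "sslmode="+mode+": not a documented value")
	}
	return findings, u.String(), nil
}

func main() {
	// Constructed sample strings; host names and credentials are placeholders.
	for _, s := range []string{
		"postgres://user:pass@localhost:5432/mydb?sslmode=require",
		"postgres://db.example.internal:5432/pulumi?table=my_state&sslmode=verify-full&sslrootcert=/path/to/ca.crt",
	} {
		f, red, err := AuditBackendURL(s)
		fmt.Println(red, f, err)
	}
}
```

The first sample yields two findings (inline password, unverified certificate) and a redacted URL; the second, which relies on environment variables for credentials and uses `verify-full`, yields none.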
The PostgreSQL backend will automatically create the necessary table for state storage. The table schema is defined in schema.sql.
sslmode=require or sslmode=verify-full)