Terraform backup_restore without trusted sources

Currently we are working on a feature-level preview infrastructure for our application using the DigitalOcean Terraform provider. In doing so, we’d like to spin up the testable version of our DigitalOcean app as well as a new database cluster based on the backup of one of our existing clusters to be able to test with real data. As per the docs this should not be an issue if we use the backup_restore feature.

However, we are running into the issue that the database is created successfully from the backup, but the new database includes the trusted sources config of the existing database cluster, which causes the app deployment to fail as it cannot access the db.

As such we’d need to be able to spin up the db cluster from backup without the trusted sources which would be added separately for our new instance. Has anyone experienced something similar or come up with a solution for this?

The config we’re using is:

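resource "digitalocean_database_cluster" "db_cluster" {
  name       = <our-db-name>
  engine     = "pg"
  version    = "14"
  size       = "db-s-1vcpu-1gb"
  region     = "fra1"
  node_count = 1
  depends_on = [
    # entries cut off in the original post
  ]
}

resource "digitalocean_app" "our-app" {
  spec {
    # ... our working app spec
  }

  depends_on = [ digitalocean_database_cluster.db_cluster ]
}

resource "digitalocean_database_firewall" "db_firewall" {
  # reference cut off in the post; assumed to be the cluster defined above
  cluster_id = digitalocean_database_cluster.db_cluster.id

  rule {
    type  = "app"
    # value cut off in the post; assumed to be the ID of the app defined above
    value = digitalocean_app.our-app.id
  }

  depends_on = [ digitalocean_app.our-app ]
}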


Bobby Iliev
Site Moderator
March 25, 2024


I believe that this might indeed not be possible, but what I could suggest here is to request this as a feature via the DigitalOcean Terraform repo:

A potential workaround to solve this issue would be to do the following:

  1. After the database cluster is restored from the backup, you can modify the trusted sources by updating the digitalocean_database_firewall configuration. This would involve removing the unwanted trusted sources and adding the new ones relevant to your test environment:

  2. You can try using a Terraform null_resource with local-exec or remote-exec provisioner to run a script or a set of commands to modify the trusted sources directly via DigitalOcean’s API or CLI after the database is created. This is more of a workaround and can introduce complexity and potential points of failure in your infrastructure code.
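
An added example, not part of the answer above and not DigitalOcean's own code: a script that a local-exec provisioner could run against the database firewall API to replace the trusted sources a restored cluster inherited, and to report which inherited entries were dropped. The environment variable names and the refusal to send an empty list are assumptions of this sketch.

```python
import json
import os
import urllib.request

API = "https://api.digitalocean.com/v2/databases/{}/firewall"
RULE_TYPES = {"ip_addr", "droplet", "k8s", "tag", "app"}


def plan_replacement(inherited, desired):
    """Return (PUT body, inherited rules that the PUT removes)."""
    for rule in desired:
        if rule.get("type") not in RULE_TYPES or not rule.get("value"):
            raise ValueError(f"invalid trusted source: {rule!r}")
    wanted = {(r["type"], r["value"]) for r in desired}
    if not wanted:
        # With no trusted sources the cluster accepts connections from any
        # address, so refuse to send an empty list for a restored data set.
        raise ValueError("refusing to leave the cluster without trusted sources")
    dropped = sorted({(r["type"], r["value"]) for r in inherited} - wanted)
    body = {"rules": [{"type": t, "value": v} for t, v in sorted(wanted)]}
    return body, dropped


def call_api(method, cluster_id, token, body=None):
    req = urllib.request.Request(
        API.format(cluster_id),
        method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}  # the PUT answers with an empty body


def replace_trusted_sources(cluster_id, token, desired):
    inherited = call_api("GET", cluster_id, token).get("rules", [])
    body, dropped = plan_replacement(inherited, desired)
    call_api("PUT", cluster_id, token, body)  # PUT replaces the whole list
    return dropped


if __name__ == "__main__":
    # Environment variable names are assumptions for this example.
    removed = replace_trusted_sources(
        os.environ["DB_CLUSTER_ID"],
        os.environ["DIGITALOCEAN_TOKEN"],
        json.loads(os.environ["TRUSTED_SOURCES_JSON"]),
    )
    for kind, value in removed:
        print(f"removed inherited trusted source {kind}:{value}")
```

Logging the dropped entries in the pipeline output gives a record that no production trusted source remained on a preview cluster holding real data.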


