diff --git a/terraform/modules/cloudsql/cloudsql.tf b/terraform/modules/cloudsql/cloudsql.tf
index ad86b28..b2b5cd8 100644
--- a/terraform/modules/cloudsql/cloudsql.tf
+++ b/terraform/modules/cloudsql/cloudsql.tf
@@ -1,3 +1,5 @@
+# For the cloudsql auth proxy grant roles/cloudsql.instanceUser and
+# roles/cloudsql.client roles to the service account for the proxy.
 variable "project" {
 description = "Project ID."
 type = string
@@ -25,11 +27,22 @@ variable "private_network_id" {
 type = string
 }
+variable "postgres_password" {
+ description = "Password for the default postgres user."
+ type = string
+ default = "hunter2"
+}
+
 output "connection_name" {
 description = "The connection string for connecting to the cloudsql instance (for example, through cloudsql proxy)."
 value = google_sql_database_instance.instance.connection_name
 }
+output "instance" {
+ description = "The google_sql_database_instance object."
+ value = google_sql_database_instance.instance
+}
+
 # Needed for CloudSQL Auth Proxy
 resource "google_project_service" "sqladmin" {
 project = var.project
@@ -55,8 +68,20 @@ resource "google_sql_database_instance" "instance" {
 private_network = var.private_network_id
 require_ssl = true
 }
+
+ database_flags {
+ name = "cloudsql.iam_authentication"
+ value = "on"
+ }
 }
 deletion_protection = "false" # deletion_protection = "true"
 }
+
+resource "google_sql_user" "postgres" {
+ project = var.project
+ name = "postgres"
+ instance = google_sql_database_instance.instance.name
+ password = var.postgres_password
+}
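Review bot: The new `postgres_password` variable carries a literal default (`default = "hunter2"`), so any caller that omits the input gets the default `postgres` user created with a password that is readable in the repository; the `google_sql_user.postgres` resource in the last hunk is where it is consumed. Drop the `default` line so the value must be supplied by the caller, and add `sensitive = true` so Terraform redacts it from plan and apply output. Separately, the new `instance` output exports the whole `google_sql_database_instance` object; exporting only the attributes downstream modules need would keep the module's surface smaller, and it is worth confirming with a plan whether Terraform requires `sensitive = true` on that output.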
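Review bot: The `database_flags` block enables `cloudsql.iam_authentication`, but the only database user this hunk creates is the built-in `postgres` account with a static password, so password login stays available unless IAM database users are defined elsewhere. A comment above `google_sql_user.postgres` would make the intent explicit, for example `# Built-in password user; IAM-authenticated users (type = "CLOUD_IAM_SERVICE_ACCOUNT") are expected to be created by the caller.`, adjusted if that is not the plan. The `password` argument is also written to Terraform state, so the state backend should be access-controlled accordingly. The enclosing `google_sql_database_instance` resource starts outside the hunk.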