diff --git a/deployment/.terraform.lock.hcl b/deployment/.terraform.lock.hcl index 4529c1c..4a6518c 100644 --- a/deployment/.terraform.lock.hcl +++ b/deployment/.terraform.lock.hcl 
@@ -2,21 +2,62 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/google" { - version = "4.83.0" + version = "4.84.0" + constraints = ">= 3.33.0, >= 3.53.0, >= 3.83.0, >= 4.25.0, >= 4.64.0, >= 4.74.0, < 5.0.0" hashes = [ - "h1:cWBKJt7QJ+MKerSq73qFICJkIsxHn1JepalZzR/eRk4=", - "zh:0310360982c3d42449ef103fab0819770aa96c7813507778d71ed016942bed96", - "zh:0d0f82ce5e54267641b1f1d494a3ad1ddd41a7553910dd33abd6a114feab6881", - "zh:0eda79e53a1833e8692273f5d7224344200e49303e579aec7b53762f50f39210", - "zh:3c0cf4abaf461238563132ab4564965bc6bd571eb3bbeedac89258a9a688b169", - "zh:61d619e5163daeeb7909443cc0c67816939a1748aec2fe544ab3f380270aae92", - "zh:66d9da66aec8575ee16b70b42a5ae082b2f43f4a84a844363a585806ac75cca0", - "zh:875c5596f365130095ccc2150755b6fb8a6d9fe9af4af9f595029716be02cdef", - "zh:a9af92cd6ea160618d6433c92297a4e3f3dc7a2e964516e1e7b51ce70f3ec178", - "zh:b9566bd1910462b4d92c6976184c4408e42a3ef6a300962b49866aa0f6f29b11", - "zh:bae735a81a04244893fd9e81d9b5d6c321d874cb37a7b5aab8a1c8c5044b362d", - "zh:d97ae1676d793696498e0eda8324bc02edbd2fbbcd76eb103a949876ec1fe8c0", + "h1:1UxlwVhklQbnsyuCelue0dkQZUHA2cMjgYvl8lWRE8Q=", + "zh:0b3e945fa76876c312bdddca7b18c93b734998febb616b2ebb84a0a299ae97c2", + "zh:1d47d00730fab764bddb6d548fed7e124739b0bcebb9f3b3c6aa247de55fb804", + "zh:29bff92b4375a35a7729248b3bc5db8991ca1b9ba640fc25b13700e12f99c195", + "zh:382353516e7d408a81f1a09a36f9015429be73ca3665367119aad88713209d9a", + "zh:78afa20e25a690d076eeaafd7879993ef9763a8a1b6762e2cbe42330464cc1fa", + "zh:8f6422e94de865669b33a2d9fb95a3e392e841988e890f7379a206e9d47e3415", + "zh:be5c7b52c893b971c860146aec643f7007f34430106f101eab686ed81eccbd26", + "zh:bfc37b641bf3378183eb3b8735554c3949a5cfaa8f76403d7eff38de1474b6d9", + "zh:c834f88dc8eb21af992871ed13a221015ae3b051aeca7386662071026f1546b4", + "zh:f3296c8c0d57dc28e23cf91717484264531655ac478d994584ebc73f70679471", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + 
"zh:f8efe114ff4891776f48f7d2620b8d6963d3ddac6e42ce25bc761343da964c24", + ] +} + +provider "registry.terraform.io/hashicorp/google-beta" { + version = "4.84.0" + constraints = ">= 3.53.0, >= 4.47.0, >= 4.64.0, < 5.0.0" + hashes = [ + "h1:0w1Y03/eJrW6VqsC4GQknCDaiRHSF2eWmiN7c90Tgtk=", + "zh:0c17bd21a0d98a5063b5bbdad0feac559913061264953d96b3b82289b9938d83", + "zh:138dd45494953f6ce0f837ab29ca61ff91e2001e7cf49356021a962030ccf217", + "zh:1846d617cd39cc7da60280686e1ba63239a4a200f30386dd66a633ea5789e307", + "zh:38d715a828573923d0129fa258b64360f77fbb437c605e26dba95e6b8cf79b53", + "zh:4a041086cabbcaaf9982051297ab864003c7e042b4a8d47c2bfaa47fc83886cb", + "zh:78bfc252ad0e56f2fd10abc25d1e79acb7bd95383017ea4ee309e8c5b15a338b", + "zh:7f193c7b32851e3c704ecf713f93d3ab78031e82d47ac0b4ccf3ecd6be3dda2d", + "zh:8c0f381aee7d3029ec7f0bc1e80ae545a9a522ec764648a9a4e024cfaac3d6f5", + "zh:cae23495634d780f92f241fde2718ef627ed6485225241dd90ef375eb710c0ea", + "zh:d7ccfb67d072870a6c54e76f5ac5fc9a817bd1392dfac81a964bae4cb36ca096", + "zh:e0adbd1e0bf48224c3d352423df5f1bcd62f4e95fe26c981720fbf81f863f57e", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.1" + constraints = "~> 3.1" + hashes = [ + "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", + "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", + "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", + "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", + "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", + "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", + "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", + "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", + 
"zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", + "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", + "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", ] } diff --git a/deployment/main.tf b/deployment/main.tf index b699bd6..d1d2816 100644 --- a/deployment/main.tf +++ b/deployment/main.tf @@ -45,42 +45,9 @@ resource "google_project_service" "cloudrun_api" { ### Create secrets ### -## DB root password -resource "random_password" "db_root_pwd" { - length = 16 - special = false -} -resource "google_secret_manager_secret" "db_root_pass" { - secret_id = "dbrootpasssecret" - replication { - auto {} - } - depends_on = [google_project_service.secretmanager_api] -} -resource "google_secret_manager_secret_version" "db_root_pass_data" { - secret = google_secret_manager_secret.db_root_pass.id - secret_data = random_password.db_root_pwd.result -} - -# DB user name -locals { - dbuser = "distributor-app" -} -resource "google_secret_manager_secret" "dbuser" { - secret_id = "dbusersecret" - replication { - auto {} - } - depends_on = [google_project_service.secretmanager_api] -} -resource "google_secret_manager_secret_version" "dbuser_data" { - secret = google_secret_manager_secret.dbuser.id - secret_data = local.dbuser -} - # DB user password resource "random_password" "db_user_pwd" { - length = 16 + length = 32 special = false } resource "google_secret_manager_secret" "dbpass" { 
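Review bot: After this hunk nothing in the visible diff sets the MySQL root password any more: `random_password.db_root_pwd` and its Secret Manager entry are deleted here, and the `root_password` argument goes away with the old instance in the next hunk. Whether the `safer_mysql` module that replaces it randomizes the root credential or leaves the account usable with no password cannot be told from this diff and should be confirmed. A one-line comment at the top of the `### Create secrets ###` section would spare the next reader the same question, e.g. `# The MySQL root password is owned by module "safer-mysql-db"; no root secret is created here.` Raising `length` to 32 with `special = false` keeps the generated user password alphanumeric, which is fine for a 32-character value.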
@@ -94,68 +61,79 @@ resource "google_secret_manager_secret_version" "dbpass_data" { secret = google_secret_manager_secret.dbpass.id secret_data = random_password.db_user_pwd.result } +# Update service accounts to allow secret access +resource "google_secret_manager_secret_iam_member" "secretaccess_compute_dbpass" { + secret_id = google_secret_manager_secret.dbpass.id + role = "roles/secretmanager.secretAccessor" + member = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com" # Project's compute service account +} -# Database name -resource "google_secret_manager_secret" "dbname" { - secret_id = "dbnamesecret" - replication { - auto {} - } - depends_on = [google_project_service.secretmanager_api] +resource "random_id" "suffix" { + byte_length = 5 } -resource "google_secret_manager_secret_version" "dbname_data" { - secret = google_secret_manager_secret.dbname.id - secret_data = "distributor" + +locals { + /* + Random instance name needed because: + "You cannot reuse an instance name for up to a week after you have deleted an instance." + See https://cloud.google.com/sql/docs/mysql/delete-instance for details. 
+ */ + network_name = "${var.network_name}-safer-${random_id.suffix.hex}" } ### -### Update service accounts to allow secret access +### Networking ### -resource "google_secret_manager_secret_iam_member" "secretaccess_compute_dbname" { - secret_id = google_secret_manager_secret.dbname.id - role = "roles/secretmanager.secretAccessor" - member = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com" # Project's compute service account +module "network-safer-mysql-simple" { + source = "terraform-google-modules/network/google" + version = "7.4.0" + + project_id = var.project_id + network_name = local.network_name + + subnets = [ + ] } -resource "google_secret_manager_secret_iam_member" "secretaccess_compute_dbuser" { - secret_id = google_secret_manager_secret.dbuser.id - role = "roles/secretmanager.secretAccessor" - member = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com" # Project's compute service account + +module "private-service-access" { + source = "GoogleCloudPlatform/sql-db/google//modules/private_service_access" + project_id = var.project_id + vpc_network = module.network-safer-mysql-simple.network_name } -resource "google_secret_manager_secret_iam_member" "secretaccess_compute_dbpass" { - secret_id = google_secret_manager_secret.dbpass.id - role = "roles/secretmanager.secretAccessor" - member = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com" # Project's compute service account + +locals { + dbname = "distributor" + dbuser = "distributor-app" } -### -### Creates SQL instance (~15 minutes to fully spin up) -### -resource "google_sql_database_instance" "default" { - name = "distributor-mysql-instance-1" - project = var.project_id - region = var.region - database_version = "MYSQL_8_0" - root_password = random_password.db_root_pwd.result +module "safer-mysql-db" { + source = "GoogleCloudPlatform/sql-db/google//modules/safer_mysql" + name 
= "distributor-mysql-instance-1" + random_instance_name = true + project_id = var.project_id - settings { - tier = "db-f1-micro" - } - # set `deletion_protection` to true, will ensure that one cannot accidentally delete this instance by - # use of Terraform whereas `deletion_protection_enabled` flag protects this instance at the GCP level. deletion_protection = false - depends_on = [google_project_service.sqladmin_api] -} -resource "google_sql_database" "distributordb" { - name = "distributor" - instance = google_sql_database_instance.default.name - charset = "utf8" -} + database_version = "MYSQL_8_0" + region = var.region + zone = "${var.region}-c" + tier = "db-n1-standard-1" + assign_public_ip = "true" + vpc_network = module.network-safer-mysql-simple.network_self_link + + user_name = local.dbuser + user_password = random_password.db_user_pwd.result -resource "google_sql_user" "db_user" { - name = local.dbuser - instance = google_sql_database_instance.default.name - password = random_password.db_user_pwd.result + additional_databases = [ + { + name = local.dbname, + charset = "", + collation = "", + }, + ] + + // Optional: used to enforce ordering in the creation of resources. + module_depends_on = [module.private-service-access.peering_completed] } ### 
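Review bot: `assign_public_ip = "true"` gives the new instance an internet-reachable MySQL endpoint even though this same hunk builds a dedicated VPC and `private-service-access` peering for it, and no authorized-networks restriction is visible; unless Cloud Run is meant to reach the database over its public address, this should be `assign_public_ip = "false"` (Cloud Run would then need a Serverless VPC Access connector on `local.network_name`, which is not part of this change). If the public IP is intentional, a comment stating why belongs next to the line. Two smaller points in the same hunk: the comment above `locals` explains why an *instance* name must be random but it is attached to `network_name`, while the instance itself uses `random_instance_name = true`; and `deletion_protection = false` lost the comment that explained it, so `# Terraform-level only; set true before this is a production instance` would restore the intent. `zone = "${var.region}-c"` also assumes every region has a `-c` zone, which is not guaranteed.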
@@ -164,26 +142,24 @@ resource "google_sql_user" "db_user" { resource "google_cloud_run_v2_service" "default" { name = "distributor-service" location = "us-central1" + launch_stage = "BETA" template { containers { image = "gcr.io/trillian-opensource-ci/distributor:latest" # Image to deploy args = [ "--use_cloud_sql" ] - # Sets a environment variable for instance connection name env { name = "INSTANCE_CONNECTION_NAME" - value = google_sql_database_instance.default.connection_name + value = module.safer-mysql-db.instance_connection_name + } + env { + name = "DB_NAME" + value = local.dbname } - # Sets a secret environment variable for database user secret env { name = "DB_USER" - value_source { - secret_key_ref { - secret = google_secret_manager_secret.dbuser.secret_id # secret name - version = "latest" # secret version number or 'latest' - } - } + value = local.dbuser } # Sets a secret environment variable for database password secret env { @@ -195,16 +171,6 @@ resource "google_cloud_run_v2_service" "default" { } } } - # Sets a secret environment variable for database name secret - env { - name = "DB_NAME" - value_source { - secret_key_ref { - secret = google_secret_manager_secret.dbname.secret_id # secret name - version = "latest" # secret version number or 'latest' - } - } - } volume_mounts { name = "cloudsql" @@ -214,7 +180,7 @@ resource "google_cloud_run_v2_service" "default" { volumes { name = "cloudsql" cloud_sql_instance { - instances = [google_sql_database_instance.default.connection_name] + instances = [module.safer-mysql-db.instance_connection_name] } } } diff --git a/deployment/outputs.tf b/deployment/outputs.tf index 51b72d0..3d77853 100644 --- a/deployment/outputs.tf +++ b/deployment/outputs.tf 
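Review bot: `launch_stage = "BETA"` is added to the Cloud Run service without a comment, while every neighbouring attribute in this resource is explained; BETA opts the service into pre-GA behaviour, so the reader should be told which feature requires it, e.g. `launch_stage = "BETA" # needed for <feature> — remove once it reaches GA`. Moving `DB_USER` and `DB_NAME` from Secret Manager to plain `value` entries is reasonable since neither is secret, but the surviving comment `# Sets a secret environment variable for database password secret` now sits beside two non-secret env blocks; dropping the word "secret" from the other two, or keeping the old per-block comments, keeps the distinction clear. The `DB_PASS` env block continues past the end of this hunk.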
@@ -14,14 +14,9 @@ * limitations under the License. */ -output "mysql_uri" { - description = "The URI of the created resource" - value = google_sql_database_instance.default.self_link -} - output "mysql_conn" { description = "The connection name of the master instance to be used in connection strings" - value = google_sql_database_instance.default.connection_name + value = module.safer-mysql-db.instance_connection_name } output "distributor_uri" { diff --git a/deployment/variables.tf b/deployment/variables.tf index e6c4078..2866e6c 100644 --- a/deployment/variables.tf +++ b/deployment/variables.tf @@ -22,3 +22,8 @@ variable "region" { description = "The region to host the cluster in" } +variable "network_name" { + default = "mysql-private" + type = string +} +
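Review bot: The new `network_name` variable has a `default` and `type` but no `description`, unlike `region` directly above it, and its value is not the final network name (main.tf appends `-safer-<random suffix>`); adding `description = "Prefix of the VPC created for private Cloud SQL access; a random suffix is appended."` documents both facts where a caller will look for them.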