feat: Automate Postgreql password auth (#113)

Co-authored-by: Nimmo <[email protected]>
NHSDigital · Dec 11, 2024 · 74b56eb · 74b56eb
1 parent 5066869
commit 74b56eb
Show file tree

Hide file tree

Showing 15 changed files with 28 additions and 22 deletions.
diff --git a/.azuredevops/pipelines/cd-infrastructure-dev-audit.yaml b/.azuredevops/pipelines/cd-infrastructure-dev-audit.yaml
@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+      ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
       endpoint: NHSDigital
 
 variables:

diff --git a/.azuredevops/pipelines/cd-infrastructure-dev-core.yaml b/.azuredevops/pipelines/cd-infrastructure-dev-core.yaml
@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+      ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
       endpoint: NHSDigital
 
 variables:

diff --git a/.azuredevops/pipelines/cd-infrastructure-int-audit.yaml b/.azuredevops/pipelines/cd-infrastructure-int-audit.yaml
@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+      ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
       endpoint: NHSDigital
 
 variables:

diff --git a/.azuredevops/pipelines/cd-infrastructure-int-core.yaml b/.azuredevops/pipelines/cd-infrastructure-int-core.yaml
@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+      ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
       endpoint: NHSDigital
 
 variables:

diff --git a/.azuredevops/pipelines/cd-infrastructure-nft-audit.yaml b/.azuredevops/pipelines/cd-infrastructure-nft-audit.yaml
@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+      ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
       endpoint: NHSDigital
 
 variables:

diff --git a/.azuredevops/pipelines/cd-infrastructure-nft-core.yaml b/.azuredevops/pipelines/cd-infrastructure-nft-core.yaml
@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+      ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
       endpoint: NHSDigital
 
 variables:

diff --git a/.azuredevops/pipelines/cd-infrastructure-prd-audit.yaml b/.azuredevops/pipelines/cd-infrastructure-prd-audit.yaml
@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+      ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
       endpoint: NHSDigital
 
 variables:

diff --git a/.azuredevops/pipelines/cd-infrastructure-prd-core.yaml b/.azuredevops/pipelines/cd-infrastructure-prd-core.yaml
@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+      ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
       endpoint: NHSDigital
 
 variables:

diff --git a/.azuredevops/pipelines/cd-infrastructure-pre-audit.yaml b/.azuredevops/pipelines/cd-infrastructure-pre-audit.yaml
@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+      ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
       endpoint: NHSDigital
 
 variables:

diff --git a/.azuredevops/pipelines/cd-infrastructure-pre-core.yaml b/.azuredevops/pipelines/cd-infrastructure-pre-core.yaml
@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+      ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
       endpoint: NHSDigital
 
 variables:

diff --git a/infrastructure/tf-core/data.tf b/infrastructure/tf-core/data.tf
@@ -99,13 +99,6 @@ data "azurerm_key_vault_key" "private_key" {
   key_vault_id = module.key_vault[each.key].key_vault_id
 }
 
-data "azurerm_key_vault_secret" "database_password" {
-  for_each = var.regions
-
-  name         = "DATABASE-PASSWORD"
-  key_vault_id = module.key_vault[each.key].key_vault_id
-}
-
 data "azuread_group" "postgres_sql_admin_group" {
   display_name = var.postgresql.postgres_sql_admin_group
 }
diff --git a/infrastructure/tf-core/function_app.tf b/infrastructure/tf-core/function_app.tf
@@ -114,8 +114,9 @@ locals {
             config.database_required ? {
               DATABASE_NAME     = "communication_management"
               DATABASE_HOST     = "${module.regions_config[region].names.postgres-sql-server}.postgres.database.azure.com"
-              DATABASE_USER     = "postgresql_commgt_uks_admin"
-              DATABASE_PASSWORD = "@Microsoft.KeyVault(SecretUri=${data.azurerm_key_vault_secret.database_password[region].versionless_id})"
+              DATABASE_USER     = "commgt_db_user"
+              DATABASE_PASSWORD = "@Microsoft.KeyVault(SecretUri=${module.postgresql_flexible_db[region].db_admin_pwd_keyvault_secret})"
+              # DATABASE_USER     = var.postgresql.postgres_sql_admin_group
             } : {}
 
           )
@@ -125,7 +126,7 @@ locals {
 
             # Key Vault
             var.key_vault != {} ? [
-              for role in local.rbac_roles_key_vault : {
+              for role in local.rbac_roles_key_vault_user : {
                 role_definition_name = role
                 scope                = module.key_vault[region].key_vault_id
               }

diff --git a/infrastructure/tf-core/key_vault.tf b/infrastructure/tf-core/key_vault.tf
@@ -13,7 +13,7 @@ module "key_vault" {
   sku_name                 = var.key_vault.sku_name
 
   enable_rbac_authorization = true
-  rbac_roles                = local.rbac_roles_key_vault
+  rbac_roles                = local.rbac_roles_key_vault_officer
 
   log_analytics_workspace_id                       = data.terraform_remote_state.audit.outputs.log_analytics_workspace_id[local.primary_region]
   monitor_diagnostic_setting_keyvault_enabled_logs = local.monitor_diagnostic_setting_keyvault_enabled_logs

diff --git a/infrastructure/tf-core/postgresql.tf b/infrastructure/tf-core/postgresql.tf
@@ -15,6 +15,12 @@ module "postgresql_flexible_db" {
   postgresql_admin_principal_type = "Group"
   public_network_access_enabled   = var.postgresql.public_network_access_enabled
 
+  # To be amended to use Managed Identity in Entra ID group after pilot
+  password_auth_enabled           = true
+  administrator_login             = "commgt_db_user"
+  key_vault_id                    = module.key_vault[each.key].key_vault_id
+  key_vault_admin_pwd_secret_name = "DATABASE-PASSWORD"
+
   sku_name     = var.postgresql.dbs.commgt.sku_name
   storage_mb   = var.postgresql.dbs.commgt.storage_mb
   storage_tier = var.postgresql.dbs.commgt.storage_tier

diff --git a/infrastructure/tf-core/rbac.tf b/infrastructure/tf-core/rbac.tf
@@ -1,10 +1,16 @@
 locals {
-  rbac_roles_key_vault = [
+  rbac_roles_key_vault_user = [
     "Key Vault Certificate User",
     "Key Vault Crypto User",
     "Key Vault Secrets User"
   ]
 
+  rbac_roles_key_vault_officer = [
+    "Key Vault Certificates Officer",
+    "Key Vault Crypto Officer",
+    "Key Vault Secrets Officer"
+  ]
+
   rbac_roles_storage = [
     "Storage Account Contributor",
     "Storage Blob Data Owner",