From 74b56eba6d6c2126af0925b16c013b0b81f9d058 Mon Sep 17 00:00:00 2001
From: patrickmoore-nc <94625903+patrickmoore-nc@users.noreply.github.com>
Date: Wed, 11 Dec 2024 17:05:30 +0000
Subject: [PATCH] feat: Automate Postgreql password auth (#113)
Co-authored-by: Nimmo
---
 .azuredevops/pipelines/cd-infrastructure-dev-audit.yaml | 2 +-
 .azuredevops/pipelines/cd-infrastructure-dev-core.yaml | 2 +-
 .azuredevops/pipelines/cd-infrastructure-int-audit.yaml | 2 +-
 .azuredevops/pipelines/cd-infrastructure-int-core.yaml | 2 +-
 .azuredevops/pipelines/cd-infrastructure-nft-audit.yaml | 2 +-
 .azuredevops/pipelines/cd-infrastructure-nft-core.yaml | 2 +-
 .azuredevops/pipelines/cd-infrastructure-prd-audit.yaml | 2 +-
 .azuredevops/pipelines/cd-infrastructure-prd-core.yaml | 2 +-
 .azuredevops/pipelines/cd-infrastructure-pre-audit.yaml | 2 +-
 .azuredevops/pipelines/cd-infrastructure-pre-core.yaml | 2 +-
 infrastructure/tf-core/data.tf | 7 -------
 infrastructure/tf-core/function_app.tf | 7 ++++---
 infrastructure/tf-core/key_vault.tf | 2 +-
 infrastructure/tf-core/postgresql.tf | 6 ++++++
 infrastructure/tf-core/rbac.tf | 8 +++++++-
 15 files changed, 28 insertions(+), 22 deletions(-)
diff --git a/.azuredevops/pipelines/cd-infrastructure-dev-audit.yaml b/.azuredevops/pipelines/cd-infrastructure-dev-audit.yaml
index a8490eea..59351f94 100644
--- a/.azuredevops/pipelines/cd-infrastructure-dev-audit.yaml
+++ b/.azuredevops/pipelines/cd-infrastructure-dev-audit.yaml
@@ -14,7 +14,7 @@ resources:
 - repository: dtos-devops-templates
 type: github
 name: NHSDigital/dtos-devops-templates
- ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+ ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
 endpoint: NHSDigital
 variables:
diff --git a/.azuredevops/pipelines/cd-infrastructure-dev-core.yaml b/.azuredevops/pipelines/cd-infrastructure-dev-core.yaml
index c2536611..a439bbe3 100644
--- a/.azuredevops/pipelines/cd-infrastructure-dev-core.yaml
+++ b/.azuredevops/pipelines/cd-infrastructure-dev-core.yaml
@@ -14,7 +14,7 @@ resources:
 - repository: dtos-devops-templates
 type: github
 name: NHSDigital/dtos-devops-templates
- ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+ ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
 endpoint: NHSDigital
 variables:
diff --git a/.azuredevops/pipelines/cd-infrastructure-int-audit.yaml b/.azuredevops/pipelines/cd-infrastructure-int-audit.yaml
index 58b5a875..b3df81c1 100644
--- a/.azuredevops/pipelines/cd-infrastructure-int-audit.yaml
+++ b/.azuredevops/pipelines/cd-infrastructure-int-audit.yaml
@@ -14,7 +14,7 @@ resources:
 - repository: dtos-devops-templates
 type: github
 name: NHSDigital/dtos-devops-templates
- ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+ ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
 endpoint: NHSDigital
 variables:
diff --git a/.azuredevops/pipelines/cd-infrastructure-int-core.yaml b/.azuredevops/pipelines/cd-infrastructure-int-core.yaml
index c7ea1a8e..f09cc300 100644
--- a/.azuredevops/pipelines/cd-infrastructure-int-core.yaml
+++ b/.azuredevops/pipelines/cd-infrastructure-int-core.yaml
@@ -14,7 +14,7 @@ resources:
 - repository: dtos-devops-templates
 type: github
 name: NHSDigital/dtos-devops-templates
- ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+ ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
 endpoint: NHSDigital
 variables:
diff --git a/.azuredevops/pipelines/cd-infrastructure-nft-audit.yaml b/.azuredevops/pipelines/cd-infrastructure-nft-audit.yaml
index f6c99376..e3cd7f89 100644
--- a/.azuredevops/pipelines/cd-infrastructure-nft-audit.yaml
+++ b/.azuredevops/pipelines/cd-infrastructure-nft-audit.yaml
@@ -14,7 +14,7 @@ resources:
 - repository: dtos-devops-templates
 type: github
 name: NHSDigital/dtos-devops-templates
- ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+ ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
 endpoint: NHSDigital
 variables:
diff --git a/.azuredevops/pipelines/cd-infrastructure-nft-core.yaml b/.azuredevops/pipelines/cd-infrastructure-nft-core.yaml
index 9a2a181f..c9bcff41 100644
--- a/.azuredevops/pipelines/cd-infrastructure-nft-core.yaml
+++ b/.azuredevops/pipelines/cd-infrastructure-nft-core.yaml
@@ -14,7 +14,7 @@ resources:
 - repository: dtos-devops-templates
 type: github
 name: NHSDigital/dtos-devops-templates
- ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+ ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
 endpoint: NHSDigital
 variables:
diff --git a/.azuredevops/pipelines/cd-infrastructure-prd-audit.yaml b/.azuredevops/pipelines/cd-infrastructure-prd-audit.yaml
index 400f94ce..021b441c 100644
--- a/.azuredevops/pipelines/cd-infrastructure-prd-audit.yaml
+++ b/.azuredevops/pipelines/cd-infrastructure-prd-audit.yaml
@@ -14,7 +14,7 @@ resources:
 - repository: dtos-devops-templates
 type: github
 name: NHSDigital/dtos-devops-templates
- ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+ ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
 endpoint: NHSDigital
 variables:
diff --git a/.azuredevops/pipelines/cd-infrastructure-prd-core.yaml b/.azuredevops/pipelines/cd-infrastructure-prd-core.yaml
index 87a27e20..51b1f3e7 100644
--- a/.azuredevops/pipelines/cd-infrastructure-prd-core.yaml
+++ b/.azuredevops/pipelines/cd-infrastructure-prd-core.yaml
@@ -14,7 +14,7 @@ resources:
 - repository: dtos-devops-templates
 type: github
 name: NHSDigital/dtos-devops-templates
- ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+ ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
 endpoint: NHSDigital
 variables:
diff --git a/.azuredevops/pipelines/cd-infrastructure-pre-audit.yaml b/.azuredevops/pipelines/cd-infrastructure-pre-audit.yaml
index e15f5977..987ae61e 100644
--- a/.azuredevops/pipelines/cd-infrastructure-pre-audit.yaml
+++ b/.azuredevops/pipelines/cd-infrastructure-pre-audit.yaml
@@ -14,7 +14,7 @@ resources:
 - repository: dtos-devops-templates
 type: github
 name: NHSDigital/dtos-devops-templates
- ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+ ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
 endpoint: NHSDigital
 variables:
diff --git a/.azuredevops/pipelines/cd-infrastructure-pre-core.yaml b/.azuredevops/pipelines/cd-infrastructure-pre-core.yaml
index ae116190..0cd503b5 100644
--- a/.azuredevops/pipelines/cd-infrastructure-pre-core.yaml
+++ b/.azuredevops/pipelines/cd-infrastructure-pre-core.yaml
@@ -14,7 +14,7 @@ resources:
 - repository: dtos-devops-templates
 type: github
 name: NHSDigital/dtos-devops-templates
- ref: fa58dc978491f04e1efab73cbf8e2228a351bf81
+ ref: d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3
 endpoint: NHSDigital
 variables:
diff --git a/infrastructure/tf-core/data.tf b/infrastructure/tf-core/data.tf
index 776c3489..3f666c2b 100644
--- a/infrastructure/tf-core/data.tf
+++ b/infrastructure/tf-core/data.tf
@@ -99,13 +99,6 @@ data "azurerm_key_vault_key" "private_key" {
 key_vault_id = module.key_vault[each.key].key_vault_id
 }
-data "azurerm_key_vault_secret" "database_password" {
- for_each = var.regions
-
- name = "DATABASE-PASSWORD"
- key_vault_id = module.key_vault[each.key].key_vault_id
-}
-
 data "azuread_group" "postgres_sql_admin_group" {
 display_name = var.postgresql.postgres_sql_admin_group
 }
diff --git a/infrastructure/tf-core/function_app.tf b/infrastructure/tf-core/function_app.tf
index 1f3e2ae5..a59c019e 100644
--- a/infrastructure/tf-core/function_app.tf
+++ b/infrastructure/tf-core/function_app.tf
@@ -114,8 +114,9 @@ locals {
 config.database_required ? {
 DATABASE_NAME = "communication_management"
 DATABASE_HOST = "${module.regions_config[region].names.postgres-sql-server}.postgres.database.azure.com"
- DATABASE_USER = "postgresql_commgt_uks_admin"
- DATABASE_PASSWORD = "@Microsoft.KeyVault(SecretUri=${data.azurerm_key_vault_secret.database_password[region].versionless_id})"
+ DATABASE_USER = "commgt_db_user"
+ DATABASE_PASSWORD = "@Microsoft.KeyVault(SecretUri=${module.postgresql_flexible_db[region].db_admin_pwd_keyvault_secret})"
+ # DATABASE_USER = var.postgresql.postgres_sql_admin_group
 } : {}
 )
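Review bot: The function app is wired up as the PostgreSQL server administrator — `DATABASE_USER = "commgt_db_user"` is the same string set as `administrator_login` in postgresql.tf and the secret it reads is the admin password (`db_admin_pwd_keyvault_secret`) — so the workload runs with full admin rights on the server rather than a least-privilege application role. If that is accepted for the pilot, say so where it is set, e.g. `# Pilot only: connects as the server admin login; replace with a scoped app role or managed identity`, and either remove the dead `# DATABASE_USER = var.postgresql.postgres_sql_admin_group` line or make it a TODO with its tracking reference. The admin login is hard-coded here and again in postgresql.tf, so the two can drift; referencing one shared local (or a module output, if the module exposes the login) would keep them in step. The reference this replaces used `.versionless_id`; whether `db_admin_pwd_keyvault_secret` is a versionless URI is not visible here, and if it is a versioned one the app will keep using the old password after a rotation, so that is worth confirming against the module. The enclosing `locals` block starts and ends outside the hunk.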
@@ -125,7 +126,7 @@ locals {
 # Key Vault
 var.key_vault != {} ? [
- for role in local.rbac_roles_key_vault : {
+ for role in local.rbac_roles_key_vault_user : {
 role_definition_name = role
 scope = module.key_vault[region].key_vault_id
 }
diff --git a/infrastructure/tf-core/key_vault.tf b/infrastructure/tf-core/key_vault.tf
index d06815aa..50dff8e7 100644
--- a/infrastructure/tf-core/key_vault.tf
+++ b/infrastructure/tf-core/key_vault.tf
@@ -13,7 +13,7 @@ module "key_vault" {
 sku_name = var.key_vault.sku_name
 enable_rbac_authorization = true
- rbac_roles = local.rbac_roles_key_vault
+ rbac_roles = local.rbac_roles_key_vault_officer
 log_analytics_workspace_id = data.terraform_remote_state.audit.outputs.log_analytics_workspace_id[local.primary_region]
 monitor_diagnostic_setting_keyvault_enabled_logs = local.monitor_diagnostic_setting_keyvault_enabled_logs
diff --git a/infrastructure/tf-core/postgresql.tf b/infrastructure/tf-core/postgresql.tf
index 6481fbe2..96c1af34 100644
--- a/infrastructure/tf-core/postgresql.tf
+++ b/infrastructure/tf-core/postgresql.tf
@@ -15,6 +15,12 @@ module "postgresql_flexible_db" {
 postgresql_admin_principal_type = "Group"
 public_network_access_enabled = var.postgresql.public_network_access_enabled
+ # To be amended to use Managed Identity in Entra ID group after pilot
+ password_auth_enabled = true
+ administrator_login = "commgt_db_user"
+ key_vault_id = module.key_vault[each.key].key_vault_id
+ key_vault_admin_pwd_secret_name = "DATABASE-PASSWORD"
+
 sku_name = var.postgresql.dbs.commgt.sku_name
 storage_mb = var.postgresql.dbs.commgt.storage_mb
 storage_tier = var.postgresql.dbs.commgt.storage_tier
diff --git a/infrastructure/tf-core/rbac.tf b/infrastructure/tf-core/rbac.tf
index 84b1d181..595c6b0c 100644
--- a/infrastructure/tf-core/rbac.tf
+++ b/infrastructure/tf-core/rbac.tf
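Review bot: Switching `rbac_roles` to `local.rbac_roles_key_vault_officer` gives whichever principal the module assigns these roles to write and delete rights over every secret, key and certificate in the vault, and the hunk does not show which principal that is — if it is the deployment service principal, that is a broad standing permission for what this commit needs, which is writing one generated secret. Key Vault Secrets Officer alone covers storing `DATABASE-PASSWORD`; Crypto Officer and Certificates Officer should be dropped unless the same identity also creates keys or certificates in this vault (data.tf does read a `private_key` from it, so that may be the case and is worth stating). A comment at the assignment would make the intent reviewable, e.g. `# Officer roles: the deploying identity writes the generated PostgreSQL admin password into this vault`. The `module "key_vault"` block starts and ends outside the hunk.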
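Review bot: `password_auth_enabled = true` and the hard-coded `administrator_login = "commgt_db_user"` are set unconditionally in shared tf-core, and the pipelines bumped in this same commit include `cd-infrastructure-prd-core.yaml`, so presumably password authentication is switched on in production too, not only where the pilot runs. Driving it from the existing variable block, `password_auth_enabled = var.postgresql.password_auth_enabled` with a default of `false`, would confine it to the pilot environment and let it be turned off afterwards without a code change. The `# To be amended to use Managed Identity ...` comment should name what ends the pilot (a ticket reference or a date) so the exception does not quietly become permanent, and the login string should come from one shared local rather than being repeated verbatim in function_app.tf. The generated password lands in Key Vault as `DATABASE-PASSWORD`, but nothing in the hunk shows an expiry or rotation path for it, so check what the module does there. The `module "postgresql_flexible_db"` block starts and ends outside the hunk.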
@@ -1,10 +1,16 @@ locals { - rbac_roles_key_vault = [ + rbac_roles_key_vault_user = [ "Key Vault Certificate User", "Key Vault Crypto User", "Key Vault Secrets User" ] + rbac_roles_key_vault_officer = [ + "Key Vault Certificates Officer", + "Key Vault Crypto Officer", + "Key Vault Secrets Officer" + ] + rbac_roles_storage = [ "Storage Account Contributor", "Storage Blob Data Owner",
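Review bot: Neither role list says which principals receive it, which is the one fact a reader needs to judge the split between `rbac_roles_key_vault_user` and `rbac_roles_key_vault_officer`; suggest `# Data-plane read roles, assigned to workload identities (function apps)` above the first list and `# Data-plane write roles, assigned to the identity that provisions secrets such as the generated PostgreSQL admin password` above the second. Since these lists are consumed by other files, a one-line note on the officer list that it is a superset granting delete/write on the whole vault would stop it being picked up casually. The `locals` block continues past the end of the hunk.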