feat: DTOSS-5834 Create new PostgreSQL module (#54)

rfk-nc · mrlockstar · patrickmoore-nc · web-flow · commit 4a53d191fcf6 · 2024-11-27T00:15:38.000Z
* PostgreSql Module initial commit

* updating postgresdb module

* wip

* wip

* Default APIM Entra ID auth to MSAL-2

---------

Co-authored-by: Alastair Lock &lt;alastair.lock@gmail.com&gt;
Co-authored-by: patrickmoore-nc &lt;94625903+patrickmoore-nc@users.noreply.github.com&gt;
diff --git a/infrastructure/modules/api-management/variables.tf b/infrastructure/modules/api-management/variables.tf
@@ -240,7 +240,7 @@ variable "client_id" {
 variable "client_library" {
   description = "The client library for the API Management AAD Identity Provider."
   type        = string
-  default     = "MSAL"
+  default     = "MSAL-2"
 }
 
 variable "client_secret" {
diff --git a/infrastructure/modules/postgresql-flexible/database.tf b/infrastructure/modules/postgresql-flexible/database.tf
@@ -0,0 +1,9 @@
+
+resource "azurerm_postgresql_flexible_server_database" "postgresql_flexible_db" {
+  for_each = var.databases
+
+  name      = each.value.name
+  server_id = azurerm_postgresql_flexible_server.postgresql_flexible_server.id
+  charset   = each.value.charset
+  collation = each.value.collation
+}
diff --git a/infrastructure/modules/postgresql-flexible/main.tf b/infrastructure/modules/postgresql-flexible/main.tf
@@ -0,0 +1,81 @@
+resource "azurerm_postgresql_flexible_server" "postgresql_flexible_server" {
+  name                = var.name
+  resource_group_name = var.resource_group_name
+  location            = var.location
+
+
+  public_network_access_enabled = var.public_network_access_enabled
+  sku_name                      = var.sku_name
+  storage_mb                    = var.storage_mb
+  storage_tier                  = var.storage_tier
+  version                       = var.server_version
+  zone                          = var.zone
+
+  backup_retention_days        = var.backup_retention_days
+  geo_redundant_backup_enabled = var.geo_redundant_backup_enabled
+
+  authentication {
+    active_directory_auth_enabled = true
+    password_auth_enabled         = false
+    tenant_id                     = var.tenant_id
+  }
+
+  # Postgres Flexible Server does not support User Assigned Identity
+  # so do not enable for now. If required, create the identity in an
+  # associated identity module and reference it here.
+  #
+  # identity {
+  #   type         = "SystemAssigned"
+  # }
+
+  tags = var.tags
+}
+
+# Create the Active Directory Administrator for the Postgres Flexible Server
+resource "azurerm_postgresql_flexible_server_active_directory_administrator" "postgresql_admin" {
+  server_name         = azurerm_postgresql_flexible_server.postgresql_flexible_server.name
+  resource_group_name = var.resource_group_name
+  tenant_id           = var.tenant_id
+  object_id           = var.postgresql_admin_object_id
+  principal_name      = var.postgresql_admin_principal_name
+  principal_type      = var.postgresql_admin_principal_type
+}
+
+# Create the server configurations
+resource "azurerm_postgresql_flexible_server_configuration" "postgresql_flexible_config" {
+  for_each  = var.postgresql_configurations
+
+  server_id = azurerm_postgresql_flexible_server.postgresql_flexible_server.id
+
+  name      = each.key
+  value     = each.value
+}
+
+/* --------------------------------------------------------------------------------------------------
+  Private Endpoint Configuration for Postgres Flexible Server
+-------------------------------------------------------------------------------------------------- */
+
+module "private_endpoint_postgresql_flexible_server" {
+  count = var.private_endpoint_properties.private_endpoint_enabled ? 1 : 0
+
+  source = "../private-endpoint"
+
+  name                = "${var.name}-postgresql-private-endpoint"
+  resource_group_name = var.private_endpoint_properties.private_endpoint_resource_group_name
+  location            = var.location
+  subnet_id           = var.private_endpoint_properties.private_endpoint_subnet_id
+
+  private_dns_zone_group = {
+    name                 = "${var.name}-postgresql-private-endpoint-zone-group"
+    private_dns_zone_ids = var.private_endpoint_properties.private_dns_zone_ids_postgresql
+  }
+
+  private_service_connection = {
+    name                           = "${var.name}-postgresql-private-endpoint-connection"
+    private_connection_resource_id = azurerm_postgresql_flexible_server.postgresql_flexible_server.id
+    subresource_names              = ["postgresqlServer"]
+    is_manual_connection           = var.private_endpoint_properties.private_service_connection_is_manual
+  }
+
+  tags = var.tags
+}
diff --git a/infrastructure/modules/postgresql-flexible/variables.tf b/infrastructure/modules/postgresql-flexible/variables.tf
@@ -0,0 +1,146 @@
+variable "name" {
+  description = "The name of the PostgreSQL Flexible Server."
+  type        = string
+}
+
+variable "resource_group_name" {
+  description = "The name of the resource group in which to create the PostgreSQL Flexible Server."
+  type        = string
+}
+
+variable "location" {
+  description = "The location/region where the PostgreSQL Flexible Server is created."
+  type        = string
+}
+
+variable "backup_retention_days" {
+  description = "The number of days to retain backups for the PostgreSQL Flexible Server."
+  type        = number
+}
+
+variable "geo_redundant_backup_enabled" {
+  description = "Whether geo-redundant backup is enabled for the PostgreSQL Flexible Server."
+  type        = bool
+}
+
+variable "postgresql_admin_object_id" {
+  description = "The object ID of the PostgreSQL Active Directory administrator."
+  type        = string
+}
+
+variable "postgresql_admin_principal_name" {
+  description = "The principal name of the PostgreSQL Active Directory administrator."
+  type        = string
+}
+
+variable "postgresql_admin_principal_type" {
+  description = "The principal type of the PostgreSQL Active Directory administrator."
+  type        = string
+}
+
+variable "public_network_access_enabled" {
+  description = "Whether public network access is enabled for the PostgreSQL Flexible Server."
+  type        = bool
+  default     = false
+}
+
+variable "sku_name" {
+  # See: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_flexible_server#sku_name-2
+  description = "The SKU name for the PostgreSQL Flexible Server."
+  type        = string
+}
+
+variable "storage_mb" {
+  # See: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_flexible_server#storage_mb-2
+  description = "The storage size in MB for the PostgreSQL Flexible Server."
+  type        = number
+  default     = 32768
+
+  validation {
+    condition     = contains([32768, 65536, 131072, 262144, 524288, 1048576, 2097152, 4193280, 4194304, 8388608, 16777216, 33553408], var.storage_mb)
+    error_message = "The storage size must be one of the following: 32768, 65536, 131072, 262144, 524288, 1048576, 2097152, 4193280, 4194304, 8388608, 16777216, 33553408."
+  }
+}
+
+variable "storage_tier" {
+  # See defaults: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_flexible_server#storage_tier-defaults-based-on-storage_mb
+  description = "The storage tier for the PostgreSQL Flexible Server."
+  type        = string
+  default     = "P4"
+
+  validation {
+    condition     = contains(["P4", "P6", "P10", "P15", "P20", "P30", "P40", "P50", "P60", "P70", "P80"], var.storage_tier)
+    error_message = "The storage tier must be one of the following: P4, P6, P10, P15, P20, P30, P40, P50, P60, P70, P80."
+  }
+}
+
+variable "server_version" {
+  description = "The version of the PostgreSQL server."
+  type        = string
+  default     = "16"
+
+  validation {
+    condition     = contains(["11", "12", "13", "14", "15", "16"], var.server_version)
+    error_message = "The server version must be one of the following: 11, 12, 13, 14, 15, 16."
+  }
+}
+
+variable "tenant_id" {
+  description = "The tenant ID for the Azure Active Directory."
+  type        = string
+}
+
+variable "zone" {
+  # See: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_flexible_server#zone-2
+  description = "The availability zone for the PostgreSQL Flexible Server. Azure will automatically assign an Availability Zone if one is not specified."
+  type        = string
+  default     = null
+}
+
+variable "tags" {
+  description = "A map of tags to assign to the PostgreSQL Flexible Server."
+  type        = map(string)
+}
+
+# Databases
+variable "databases" {
+  description = "A map of databases to create on the PostgreSQL Flexible Server."
+  type = map(object({
+    collation   = string
+    charset     = string
+    max_size_gb = number
+    name        = string
+  }))
+}
+
+# Server configurations
+variable "postgresql_configurations" {
+  description = "A map of PostgreSQL configurations to apply to the PostgreSQL Flexible Server."
+  type        = map(string)
+  default     = {}
+}
+
+# Private Endpoint Properties
+variable "private_endpoint_properties" {
+  description = "Consolidated properties for the PostgreSql Private Endpoint."
+  type = object({
+    private_dns_zone_ids_postgresql      = optional(list(string), [])
+    private_endpoint_enabled             = optional(bool, false)
+    private_endpoint_subnet_id           = optional(string, "")
+    private_endpoint_resource_group_name = optional(string, "")
+    private_service_connection_is_manual = optional(bool, false)
+  })
+}
+
+# /* --------------------------------------------------------------------------------------------------
+#   Auditing and Diagnostics Variables
+# -------------------------------------------------------------------------------------------------- */
+# variable "monitor_diagnostic_setting_database_enabled_logs" {
+#   type        = list(string)
+#   description = "Controls what logs will be enabled for the database"
+# }
+
+# variable "monitor_diagnostic_setting_database_metrics" {
+#   type        = list(string)
+#   description = "Controls what metrics will be enabled for the database"
+# }
diff --git a/infrastructure/modules/shared-config/output.tf b/infrastructure/modules/shared-config/output.tf
@@ -78,6 +78,7 @@ locals {
     managed-devops-pool         = lower("private-pool-${var.env}-${var.location_map[var.location]}")
     network-interface           = upper("${var.env}-${var.location_map[var.location]}-${var.application}")
     network-security-group      = upper("NSG-${var.env}-${var.location_map[var.location]}-${var.application}")
+    postgres-sql-server         = lower("postgres-${var.application}-${var.env}-${var.location_map[var.location]}")
     private-ssh-key             = lower("ssh-pri-${var.env}${var.location_map[var.location]}${var.application}")
     public-ip-address           = lower("PIP-${var.env}-${var.location_map[var.location]}-${var.application}")
     public-ip-dns               = lower("${var.env}${var.location_map[var.location]}${var.application}")

Original file line number	Diff line number	Diff line change
`@@ -240,7 +240,7 @@ variable "client_id" {`
`240`	`240`	`variable "client_library" {`
`241`	`241`	`description = "The client library for the API Management AAD Identity Provider."`
`242`	`242`	`type = string`
`243`		`- default = "MSAL"`
	`243`	`+ default = "MSAL-2"`
`244`	`244`	`}`
`245`	`245`
`246`	`246`	`variable "client_secret" {`