feat: Automate Postgreql password auth (#82)
patrickmoore-nc authored Dec 11, 2024
1 parent 2a4eb0b commit d00eaa9
Showing 4 changed files with 45 additions and 3 deletions.
1 change: 0 additions & 1 deletion infrastructure/modules/postgresql-flexible/database.tf
@@ -1,4 +1,3 @@

resource "azurerm_postgresql_flexible_server_database" "postgresql_flexible_db" {
for_each = var.databases

22 changes: 20 additions & 2 deletions infrastructure/modules/postgresql-flexible/main.tf
Expand Up @@ -3,7 +3,6 @@ resource "azurerm_postgresql_flexible_server" "postgresql_flexible_server" {
resource_group_name = var.resource_group_name
location = var.location


public_network_access_enabled = var.public_network_access_enabled
sku_name = var.sku_name
storage_mb = var.storage_mb
Expand All @@ -16,10 +15,13 @@ resource "azurerm_postgresql_flexible_server" "postgresql_flexible_server" {

authentication {
active_directory_auth_enabled = true
password_auth_enabled = true
password_auth_enabled = var.password_auth_enabled
tenant_id = var.tenant_id
}

administrator_login = length(var.administrator_login) > 0 && var.password_auth_enabled ? var.administrator_login : null
administrator_password = length(var.administrator_login) > 0 && var.password_auth_enabled ? random_password.admin_password[0].result : null

# Postgres Flexible Server does not support User Assigned Identity
# so do not enable for now. If required, create the identity in an
# associated identity module and reference it here.
Expand All @@ -31,6 +33,22 @@ resource "azurerm_postgresql_flexible_server" "postgresql_flexible_server" {
tags = var.tags
}

resource "random_password" "admin_password" {
count = length(var.administrator_login) > 0 && var.password_auth_enabled ? 1 : 0

length = 30
special = true
override_special = "!@#$%^&*()-_=+[]{}<>:?"
}

resource "azurerm_key_vault_secret" "db_admin_pwd" {
count = length(var.administrator_login) > 0 && var.password_auth_enabled ? 1 : 0

name = var.key_vault_admin_pwd_secret_name
value = resource.random_password.admin_password[0].result
key_vault_id = var.key_vault_id
}

# Create the Active Directory Administrator for the Postgres Flexible Server
resource "azurerm_postgresql_flexible_server_active_directory_administrator" "postgresql_admin" {
server_name = azurerm_postgresql_flexible_server.postgresql_flexible_server.name
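Review bot: The guard `length(var.administrator_login) > 0 && var.password_auth_enabled`, used on the `administrator_login`/`administrator_password` arguments and in both `count` expressions, errors whenever `administrator_login` is left at the `null` default declared in variables.tf, because `length()` does not accept a null argument, so the module cannot be planned in its default configuration. Computing the condition once, e.g. `locals { password_auth = var.password_auth_enabled && var.administrator_login != null && var.administrator_login != "" }`, and referencing `local.password_auth` in the four places also removes the drift risk of four hand-copied expressions. When the condition is true but `key_vault_id` or `key_vault_admin_pwd_secret_name` is still at its `null` default, `azurerm_key_vault_secret.db_admin_pwd` will presumably fail with a missing-argument error rather than a message pointing at the module inputs; a `validation` block or `precondition` tying them to `password_auth_enabled` would surface that clearly. Note that the generated password is recorded in plaintext in Terraform state through both `random_password.admin_password` and the Key Vault secret's `value`, so the state backend needs the same access controls as the vault. The `azurerm_postgresql_flexible_server` block edited in the second hunk starts outside the hunk, and the `postgresql_admin` resource at the end of the third continues past it.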
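--- a/infrastructure/modules/postgresql-flexible/output.tf
+++ b/infrastructure/modules/postgresql-flexible/output.tf
@@ -0,0 +1,3 @@
+output "db_admin_pwd_keyvault_secret" {
+value = resource.azurerm_key_vault_secret.db_admin_pwd[0].versionless_id
+}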
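Review bot: `resource.azurerm_key_vault_secret.db_admin_pwd[0]` is indexed unconditionally, but that resource is created with `count` and has zero instances whenever password auth is off, so this output makes every configuration without password auth fail with an invalid-index error. Guard it, e.g. `value = one(azurerm_key_vault_secret.db_admin_pwd[*].versionless_id)`, which yields the ID when the secret exists and `null` otherwise. A `description` stating that the value is the secret's versionless ID and is `null` when password auth is disabled would help module consumers.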
22 changes: 22 additions & 0 deletions infrastructure/modules/postgresql-flexible/variables.tf
Expand Up @@ -13,6 +13,11 @@ variable "location" {
type = string
}

variable "administrator_login" {
type = string
default = null
}

variable "backup_retention_days" {
description = "The number of days to retain backups for the PostgreSQL Flexible Server."
type = number
Expand All @@ -23,6 +28,23 @@ variable "geo_redundant_backup_enabled" {
type = bool
}

variable "key_vault_id" {
description = "ID of the Key Vault in which to store the Admin password, if one is created."
type = string
default = null
}

variable "key_vault_admin_pwd_secret_name" {
description = "Key Vault secret name in which to store the Admin password, if one is created."
type = string
default = null
}

variable "password_auth_enabled" {
type = bool
default = false
}

variable "postgresql_admin_object_id" {
description = "The object ID of the PostgreSQL Active Directory administrator."
type = string
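Review bot: `administrator_login` and `password_auth_enabled` are the two variables that switch the new password path on, yet unlike their neighbours they carry no `description`; add `description = "Local administrator login name; when set together with password_auth_enabled, a random password is generated and stored in Key Vault."` to the first and `description = "Enable password authentication alongside Active Directory authentication on the flexible server."` to the second. The interaction between `administrator_login`'s `null` default and the `length()` guards in main.tf is raised on that file. The `variable "location"` block at the top of the first hunk and the `postgresql_admin_object_id` block at the end of the second extend outside their hunks.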
