From d00eaa9a7ce04b78ff5ebf488f6d265d929a58b3 Mon Sep 17 00:00:00 2001
From: patrickmoore-nc <94625903+patrickmoore-nc@users.noreply.github.com>
Date: Wed, 11 Dec 2024 13:55:49 +0000
Subject: [PATCH] feat: Automate Postgreql password auth (#82)

---
 .../modules/postgresql-flexible/database.tf | 1 -
 .../modules/postgresql-flexible/main.tf | 22 +++++++++++++++++--
 .../modules/postgresql-flexible/output.tf | 3 +++
 .../modules/postgresql-flexible/variables.tf | 22 +++++++++++++++++++
 4 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 infrastructure/modules/postgresql-flexible/output.tf

diff --git a/infrastructure/modules/postgresql-flexible/database.tf b/infrastructure/modules/postgresql-flexible/database.tf
index a6e4872..2e9f7e5 100644
--- a/infrastructure/modules/postgresql-flexible/database.tf
+++ b/infrastructure/modules/postgresql-flexible/database.tf
@@ -1,4 +1,3 @@
-
 resource "azurerm_postgresql_flexible_server_database" "postgresql_flexible_db" {
 for_each = var.databases
 
diff --git a/infrastructure/modules/postgresql-flexible/main.tf b/infrastructure/modules/postgresql-flexible/main.tf
index feebf9f..516b0cb 100644
--- a/infrastructure/modules/postgresql-flexible/main.tf
+++ b/infrastructure/modules/postgresql-flexible/main.tf
@@ -3,7 +3,6 @@ resource "azurerm_postgresql_flexible_server" "postgresql_flexible_server" {
 resource_group_name = var.resource_group_name
 location = var.location
- public_network_access_enabled = var.public_network_access_enabled
 sku_name = var.sku_name
 storage_mb = var.storage_mb
@@ -16,10 +15,13 @@ resource "azurerm_postgresql_flexible_server" "postgresql_flexible_server" {
 authentication {
 active_directory_auth_enabled = true
- password_auth_enabled = true
+ password_auth_enabled = var.password_auth_enabled
 tenant_id = var.tenant_id
 }
+ administrator_login = length(var.administrator_login) > 0 && var.password_auth_enabled ? var.administrator_login : null
+ administrator_password = length(var.administrator_login) > 0 && var.password_auth_enabled ? random_password.admin_password[0].result : null
+
 # Postgres Flexible Server does not support User Assigned Identity
 # so do not enable for now. If required, create the identity in an
 # associated identity module and reference it here.
@@ -31,6 +33,22 @@ resource "azurerm_postgresql_flexible_server" "postgresql_flexible_server" {
 tags = var.tags
 }
+resource "random_password" "admin_password" {
+ count = length(var.administrator_login) > 0 && var.password_auth_enabled ? 1 : 0
+
+ length = 30
+ special = true
+ override_special = "!@#$%^&*()-_=+[]{}<>:?"
+}
+
+resource "azurerm_key_vault_secret" "db_admin_pwd" {
+ count = length(var.administrator_login) > 0 && var.password_auth_enabled ? 1 : 0
+
+ name = var.key_vault_admin_pwd_secret_name
+ value = resource.random_password.admin_password[0].result
+ key_vault_id = var.key_vault_id
+}
+
 # Create the Active Directory Administrator for the Postgres Flexible Server
 resource "azurerm_postgresql_flexible_server_active_directory_administrator" "postgresql_admin" {
 server_name = azurerm_postgresql_flexible_server.postgresql_flexible_server.name
diff --git a/infrastructure/modules/postgresql-flexible/output.tf b/infrastructure/modules/postgresql-flexible/output.tf
new file mode 100644
index 0000000..d4837fb
--- /dev/null
+++ b/infrastructure/modules/postgresql-flexible/output.tf
@@ -0,0 +1,3 @@
+output "db_admin_pwd_keyvault_secret" {
+ value = resource.azurerm_key_vault_secret.db_admin_pwd[0].versionless_id
+}
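Review bot: The guard `length(var.administrator_login) > 0 && var.password_auth_enabled` on the new `administrator_login` and `administrator_password` lines should fail at plan time whenever the caller leaves `administrator_login` unset, because the variables.tf hunk in this same patch declares it with `default = null` and Terraform's `length()` rejects a null argument — `&&` does not help, the `length()` call is the left operand and is evaluated first. Since `password_auth_enabled` also defaults to false, the configuration that breaks is the module's default, Active-Directory-only one. The same expression is repeated four times across this file's hunks; compute it once in a null-tolerant form, `locals { password_admin_enabled = var.password_auth_enabled && coalesce(var.administrator_login, "") != "" }`, and reference `local.password_admin_enabled` on these two lines and in both `count` arguments. The `azurerm_postgresql_flexible_server` block starts in the earlier hunk and its tail lies outside this one.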
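Review bot: The new `azurerm_key_vault_secret.db_admin_pwd` sets neither `content_type` nor `expiration_date`, so the stored admin password is indistinguishable from any other secret and will trip the widely enforced built-in Azure Policy that Key Vault secrets have an expiry; add `content_type = "password"` and, if callers can tolerate it, an `expiration_date` tied to a rotation schedule. Storing the password in Key Vault does not reduce the need to protect Terraform state: the value sits in state in plaintext three times, in `random_password`, in the server's `administrator_password` and in the secret's `value`, and a comment saying so on the `random_password` resource would stop a reader assuming Key Vault is the only copy. `random_password.admin_password` has no `keepers`, so the password is generated once and never rotated unless the resource is tainted; either document that or expose a `keepers` input. Minor: `value = resource.random_password.admin_password[0].result` uses the `resource.` prefix while the server line in the previous hunk references `random_password.admin_password[0].result` directly — use one form.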
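Review bot: `resource.azurerm_key_vault_secret.db_admin_pwd[0].versionless_id` indexes a `count`-ed resource unconditionally, so when the count is 0 — which is the module's default, since `password_auth_enabled` defaults to false in the variables.tf hunk — the output fails with an invalid-index error instead of being empty. Use the splat-and-`one()` form, `value = one(azurerm_key_vault_secret.db_admin_pwd[*].versionless_id)`, which yields null when no secret was created. Exposing the versionless id rather than the secret value is the right call; a short `description = "Versionless Key Vault id of the admin password secret, or null when password auth is disabled."` would make that contract explicit to consumers.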
diff --git a/infrastructure/modules/postgresql-flexible/variables.tf b/infrastructure/modules/postgresql-flexible/variables.tf
index 65380d3..3df3ac9 100644
--- a/infrastructure/modules/postgresql-flexible/variables.tf
+++ b/infrastructure/modules/postgresql-flexible/variables.tf
@@ -13,6 +13,11 @@ variable "location" {
 type = string
 }
+variable "administrator_login" {
+ type = string
+ default = null
+}
+
 variable "backup_retention_days" {
 description = "The number of days to retain backups for the PostgreSQL Flexible Server."
 type = number
@@ -23,6 +28,23 @@ variable "geo_redundant_backup_enabled" {
 type = bool
 }
+variable "key_vault_id" {
+ description = "ID of the Key Vault in which to store the Admin password, if one is created."
+ type = string
+ default = null
+}
+
+variable "key_vault_admin_pwd_secret_name" {
+ description = "Key Vault secret name in which to store the Admin password, if one is created."
+ type = string
+ default = null
+}
+
+variable "password_auth_enabled" {
+ type = bool
+ default = false
+}
+
 variable "postgresql_admin_object_id" {
 description = "The object ID of the PostgreSQL Active Directory administrator."
 type = string
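Review bot: `administrator_login` is the only new variable without a `description`, and its contract is not obvious from the declaration: main.tf consumes it through `length(var.administrator_login)`, so the declared `default = null` is not an inert "unset" value there. Add `description = "Login name of the password-authenticated server admin. Only used when password_auth_enabled is true; leave empty to create no password admin."` and consider `default = ""`, so that the value the main.tf guard actually tests for is also the default.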
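Review bot: `key_vault_id` and `key_vault_admin_pwd_secret_name` default to null with no validation, yet main.tf passes both straight into `azurerm_key_vault_secret` once `password_auth_enabled` is true, so a caller who enables password auth without them gets a provider-side failure at apply rather than a plan-time message. On Terraform 1.9 and later a `validation` block may reference other variables, so `password_auth_enabled` can carry `condition = !var.password_auth_enabled || (var.key_vault_id != null && var.key_vault_admin_pwd_secret_name != null)`; on older versions, state the coupling in each variable's description instead. `password_auth_enabled` itself has no description and is the one security-relevant switch in this module, so spell out the trade-off: `description = "Enable PostgreSQL password authentication alongside Active Directory auth. Off by default; when on, a random admin password is generated and written to the Key Vault given by key_vault_id."`.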