secure database secrets and ensure middleware access (#423)

* updates to deploy-dev.yml to save all workflow artifacts including dockerbuild

* draft vault module changes

* rebased branch due to conflicts and push changes

* finally getting the random_password to save to key vault - yippeee

* revert changes to the app_service/main.tf file

* update workflows to include object_id

* add object_id to workflows

* update database outputs and dev-env.yaml file

* push dev-env.yaml changes

* update the backend with the database variable

* update variable values in backend application.yaml file

---------

Co-authored-by: marycrawford <[email protected]>

.github/actions/tf-setup/action.yml

@@ -16,6 +16,9 @@ inputs:
   azure-subscription-id:
     description: The Azure subscription_id for this environment.
     required: true
+  azure-object-id:
+    description: The Azure object_id for this environment.
+    required: true
   app-name:
     description: The name of the application being deployed in Terraform.
     required: true
@@ -50,6 +53,7 @@ runs:
         ARM_CLIENT_ID: ${{ inputs.azure-client-id }}
         ARM_TENANT_ID: ${{ inputs.azure-tenant-id }}
         ARM_SUBSCRIPTION_ID: ${{ inputs.azure-subscription-id }}
+        ARM_OBJECT_ID: ${{ inputs.azure-object-id }}
       shell: bash
       run: |
         terraform init -backend-config=config/${{ inputs.deploy-env }}.config

.github/workflows/build-deploy-frontend.yml

@@ -53,6 +53,7 @@ jobs:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          object-id: ${{ secrets.AZURE_OBJECT_ID }}
       - name: Upload to Azure blob storage
         shell: bash
         run: |

.github/workflows/build-deploy-ocr.yml

@@ -70,6 +70,7 @@ jobs:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          object-id: ${{ secrets.AZURE_OBJECT_ID }}
       - name: Deploy OCR-API
         uses: ./.github/actions/deploy-api
         with:

.github/workflows/deploy-dev.yml

@@ -123,6 +123,7 @@ jobs:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          object-id: ${{ secrets.AZURE_OBJECT_ID }}
       - uses: ./.github/actions/tf-setup
         name: Setup this environment with Terraform
         with:
@@ -131,6 +132,7 @@ jobs:
           azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
           azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          object-id: ${{ secrets.AZURE_OBJECT_ID }}
           app-name: reportvision
 
   deploy-middleware:
@@ -145,6 +147,7 @@ jobs:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          object-id: ${{ secrets.AZURE_OBJECT_ID }}
       - name: Deploy middleware-API
         uses: ./.github/actions/deploy-api
         with:
@@ -165,6 +168,7 @@ jobs:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          object-id: ${{ secrets.AZURE_OBJECT_ID }}
       - name: Deploy OCR-API
         uses: ./.github/actions/deploy-api
         with:
@@ -186,6 +190,7 @@ jobs:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          object-id: ${{ secrets.AZURE_OBJECT_ID }}
       - name: Deploy frontend
         uses: ./.github/actions/deploy-frontend
         with:

backend/src/main/resources/application.yaml

@@ -1,8 +1,9 @@
 spring:
   datasource:
-    url: jdbc:postgresql://${DB_HOST:localhost}:${DB_PORT:5432}/${DB_NAME:reportvision}
-    username: ${DB_USERNAME:postgres}
-    password: ${DB_PASSWORD:super_secret_password}
+    url: ${POSTGRES_HOST:postgres_fqdn}?sslmode=require
+    username: ${DB_USERNAME:postgres_user}
+    password:  ${POSTGRES_USER:postgres_password}
+    name: ${POSTGRES_DB:postgres_db_name}
   devtools:
     restart:
       enabled: true

dev-env.yaml

@@ -30,9 +30,11 @@ services:
     ports:
       - "5432:5432"
     environment:
-      POSTGRES_DB: reportvision
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: super_secret_password
+      POSTGRES_DB: ${postgres_db_name}
+      POSTGRES_HOST: ${postgres_fqdn}
+      POSTGRES_USER:  ${postgres_user}
+      POSTGRES_PASSWORD: ${postgres_password}
+      sslmode: require
   api:
     build: 
       context: ./backend

ops/terraform/main.tf

@@ -72,7 +72,7 @@ module "middleware_api" {
   vnet         = module.networking.network_name
   sku_name     = var.sku_name
   https_only   = true
-  depends_on = [module.networking.middlewaresubnet_id, module.networking.lbsubnet_id]
+  depends_on   = [module.networking.middlewaresubnet_id, module.networking.lbsubnet_id]
 }
 
 module "ocr_api" {
@@ -87,7 +87,7 @@ module "ocr_api" {
   vnet           = module.networking.network_name
   sku_name       = var.sku_name
   https_only     = true
-  depends_on = [module.networking.ocrsubnet_id, module.networking.middlewaresubnet_id]
+  depends_on     = [module.networking.ocrsubnet_id, module.networking.middlewaresubnet_id]
 }
 
 module "ocr_autoscale" {
@@ -109,4 +109,17 @@ module "database" {
   resource_group_name = data.azurerm_resource_group.rg.name
   subnet              = module.networking.dbsubnet_id
   private_dns_zone_id = module.networking.private_dns_zone_id
+  postgres_password   = module.vault.postgres_password # Password from Vault to DB
+}
+
+module "vault" {
+  source              = "./modules/vault"
+  location            = data.azurerm_resource_group.rg.location
+  resource_group_name = data.azurerm_resource_group.rg.name
+  tenant_id           = var.tenant_id
+  client_id           = var.client_id
+  object_id           = module.middleware_api.webapp_id
+  subscription_id     = var.subscription_id
+  postgres_server_id  = module.database.postgres_server_id
+  service_plan_id     = module.middleware_api.service_plan_id
 }

ops/terraform/modules/app_service/main.tf

@@ -38,4 +38,4 @@ resource "azurerm_linux_web_app" "linux_webapp" {
       action                    = "Allow"
     }
   }
-}
+}

ops/terraform/modules/app_service/outputs.tf

@@ -8,4 +8,8 @@ output "service_plan_id" {
 
 output "webapp_name" {
   value = azurerm_linux_web_app.linux_webapp.name
-}
+}
+
+output "webapp_id" {
+  value = azurerm_linux_web_app.linux_webapp.identity[0].principal_id
+}

ops/terraform/modules/database/main.tf

@@ -7,11 +7,11 @@ resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" {
   resource_group_name   = var.resource_group_name
   sku_name              = var.postgres_sku_name
   version               = var.engine_version
-  storage_mb            = 32768 # 32 GB, the lowest of the valid options
+  storage_mb            = 32768 # 32 GiB storage for B_Standard_B1ms
   backup_retention_days = 7
 
   administrator_login    = var.db_username
-  administrator_password = random_string.setup_rds_password.result
+  administrator_password = var.postgres_password
   delegated_subnet_id    = var.subnet
   private_dns_zone_id    = var.private_dns_zone_id
 
@@ -20,18 +20,11 @@ resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" {
 
   lifecycle {
     prevent_destroy = true
+    ignore_changes  = [zone]
   }
 }
 
 resource "azurerm_postgresql_flexible_server_database" "postgres_db" {
   name      = "${azurerm_postgresql_flexible_server.postgres_flexible_server.name}-db"
   server_id = azurerm_postgresql_flexible_server.postgres_flexible_server.id
 }
-
-# Random string resource for the postgres password
-resource "random_string" "setup_rds_password" {
-  length = 16 # Length of the password
-
-  # Character set that excludes problematic characters like quotes, backslashes, etc.
-  override_special = "_!@#-$%^&*()[]{}"
-}

ops/terraform/modules/database/outputs.tf

@@ -1,3 +1,17 @@
-output "postgres_db_password" {
-  value = azurerm_postgresql_flexible_server.postgres_flexible_server.administrator_login
+output "postgres_server_id" {
+  value = azurerm_postgresql_flexible_server.postgres_flexible_server
+}
+
+output "postgres_fqdn" {
+  value       = azurerm_postgresql_flexible_server.postgres_flexible_server
+  description = "The fully qualified domain name (FQDN) of the PostgreSQL flexible server"
+}
+
+output "postgres_user" {
+  value       = var.db_username
+  description = "User name for the Application's PostgreSQL flexible server database"
+}
+
+output "postgres_db_name" {
+  value = var.db_username
 }

ops/terraform/modules/database/variables.tf

@@ -20,6 +20,12 @@ variable "resource_group_name" {
   description = "The Azure Resource Group to deploy to"
 }
 
+variable "postgres_password" {
+  description = "The password for the PostgreSQL database"
+  type        = string
+  sensitive   = true # This ensures Terraform treats the password as sensitive
+}
+
 variable "postgres_sku_name" {
   type        = string
   description = "value"

ops/terraform/modules/vault/data.tf

@@ -0,0 +1 @@
+data "azurerm_client_config" "current" {}

ops/terraform/modules/vault/main.tf

@@ -0,0 +1,40 @@
+resource "azurerm_key_vault" "this" {
+  name                     = "reportvisionvault"
+  location                 = var.location
+  resource_group_name      = var.resource_group_name
+  sku_name                 = "standard"
+  tenant_id                = data.azurerm_client_config.current.tenant_id
+  purge_protection_enabled = true
+
+  access_policy {
+    tenant_id = data.azurerm_client_config.current.tenant_id
+    object_id = data.azurerm_client_config.current.object_id
+
+    key_permissions = [
+      "Create",
+      "Get",
+      "List",
+    ]
+
+    secret_permissions = [
+      "Set",
+      "Get",
+      "Recover",
+      "List",
+    ]
+  }
+}
+
+# Random string resource for the postgres password
+resource "random_string" "postgres_password" {
+  length           = 16
+  override_special = "_!@#-$%^&*()[]{}" # excluded characters
+}
+
+resource "azurerm_key_vault_secret" "postgres_db_secret" {
+  name         = "reportvision-postgres-db-password"
+  value        = random_string.postgres_password.result
+  key_vault_id = azurerm_key_vault.this.id
+
+  depends_on = [azurerm_key_vault.this]
+}

ops/terraform/modules/vault/outputs.tf

@@ -0,0 +1,4 @@
+output "postgres_password" {
+  value     = random_string.postgres_password.result
+  sensitive = true
+}

ops/terraform/modules/vault/variables.tf

@@ -0,0 +1,12 @@
+variable "client_id" {}
+variable "location" {}
+variable "object_id" {
+  type = string
+}
+variable "postgres_server_id" {
+  type = string
+}
+variable "resource_group_name" {}
+variable "subscription_id" {}
+variable "service_plan_id" {}
+variable "tenant_id" {}

ops/terraform/providers.tf

@@ -19,13 +19,11 @@ terraform {
 }
 
 provider "azurerm" {
-  features {}
+  features {
+    key_vault {
+      purge_soft_delete_on_destroy    = true
+      recover_soft_deleted_key_vaults = true
+    }
+  }
 }
 
-# # Provider for Azure Active Directory resources (e.g., service principals)
-# provider "azuread" {
-
-#   client_id = var.client_id
-#   tenant_id = var.tenant_id
-
-# }

ops/terraform/variables.tf

@@ -1,10 +1,12 @@
+variable "client_id" {}
 variable "name" {}
-
+variable "object_id" {}
+variable "tenant_id" {}
 variable "sku_name" {
   type        = string
   description = "The Azure Stock Keep Unit (SKU) version"
 }
-
+variable "subscription_id" {}
 variable "resource_group_name" {
   description = "value of the Azure resource group to deploy to"
 }