From 67840d0fdb9041fe962da85b3f8bf93c3ee50a2f Mon Sep 17 00:00:00 2001 From: marycrawford Date: Tue, 12 Nov 2024 23:40:58 -0800 Subject: [PATCH 01/30] creating database module and resources for postgresql server and db --- ops/terraform/main.tf | 41 ++++++------------- ops/terraform/modules/database/.outputs.tf | 16 ++++++++ .../modules/database/.postgresql_fs_db.tf | 6 +++ ops/terraform/modules/database/data.tf | 3 ++ ops/terraform/modules/database/main.tf | 40 ++++++++++++++++++ ops/terraform/modules/database/variables.tf | 24 +++++++++++ 6 files changed, 101 insertions(+), 29 deletions(-) create mode 100644 ops/terraform/modules/database/.outputs.tf create mode 100644 ops/terraform/modules/database/.postgresql_fs_db.tf create mode 100644 ops/terraform/modules/database/data.tf create mode 100644 ops/terraform/modules/database/main.tf create mode 100644 ops/terraform/modules/database/variables.tf diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf index 8b192d17..9a4d2196 100644 --- a/ops/terraform/main.tf +++ b/ops/terraform/main.tf @@ -9,7 +9,7 @@ locals { } ########## -## 02-network +## network ########## module "networking" { source = "./modules/network" @@ -23,9 +23,9 @@ module "networking" { env = local.environment } -########## -## 02-security -########## +########### +## security +########### module "securitygroup" { source = "./modules/security" @@ -54,7 +54,7 @@ module "app_gateway" { } ########## -## 05-Persistent +## storage ########## module "storage" { @@ -69,7 +69,7 @@ module "storage" { } ########## -## 06-App +## app ########## module "ocr_api" { 
@@ -98,26 +98,9 @@ module "ocr_autoscale" { weekend_capacity_instances = 1 } -# module "compute" { -# source = "./modules/container_instances" -# location = data.azurerm_resource_group.rg.location -# resource_group = data.azurerm_resource_group.rg.name -# environment = local.environment -# app_subnet = module.networking.appsubnet_id -# # web_subnet_id = module.networking.websubnet_id -# # app_subnet_id = module.networking.appsubnet_id -# # web_host_name = local.app.web_host_name -# # web_username = local.app.web_username -# # web_os_password = local.app.web_os_password -# # app_host_name = local.app.app_host_name -# # app_username = local.app.app_username -# # app_os_password = local.app.app_os_password -# } - -########## -## 04-config -########## - -########## -## 07-Monitor -########## \ No newline at end of file +module "database" { + source = "./modules/database" + # name = var.name + resource_group_name = data.azurerm_resource_group.rg.name + # resource_group_location = data.resource_group_location.rg.location +} diff --git a/ops/terraform/modules/database/.outputs.tf b/ops/terraform/modules/database/.outputs.tf new file mode 100644 index 00000000..6445eb44 --- /dev/null +++ b/ops/terraform/modules/database/.outputs.tf @@ -0,0 +1,16 @@ +output "resource_group_name" { + value = azurerm_resource_group.default.name +} + +output "azurerm_postgresql_flexible_server" { + value = azurerm_postgresql_flexible_server.default.name +} + +output "postgresql_flexible_server_database_name" { + value = azurerm_postgresql_flexible_server_database.default.name +} + +output "postgresql_flexible_server_admin_password" { + sensitive = true + value = azurerm_postgresql_flexible_server.default.administrator_password +} diff --git a/ops/terraform/modules/database/.postgresql_fs_db.tf b/ops/terraform/modules/database/.postgresql_fs_db.tf new file mode 100644 index 00000000..703a098b --- /dev/null +++ b/ops/terraform/modules/database/.postgresql_fs_db.tf 
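Review bot: The new `.outputs.tf` file is dot-prefixed, and as far as I know Terraform's config loader skips dot-prefixed files, so none of these outputs will be loaded; rename it to `outputs.tf`. Its values also reference `azurerm_resource_group.default`, `azurerm_postgresql_flexible_server.default` and `azurerm_postgresql_flexible_server_database.default`, none of which this module declares — the module's main.tf in this same commit declares `azurerm_postgresql_server.postgres_server` and `azurerm_postgresql_database.postgres_db`. Marking the admin-password output `sensitive = true` is right, but it only redacts CLI output; the value is still written in clear to the state file, so the state backend needs the same access controls as the vault the password is later copied into.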
@@ -0,0 +1,6 @@ +resource "azurerm_postgresql_flexible_server_database" "default" { + name = "${random_pet.name_prefix.id}-db" + server_id = azurerm_postgresql_flexible_server.default.id + collation = "en_US.utf8" + charset = "UTF8" +} diff --git a/ops/terraform/modules/database/data.tf b/ops/terraform/modules/database/data.tf new file mode 100644 index 00000000..e7531e71 --- /dev/null +++ b/ops/terraform/modules/database/data.tf @@ -0,0 +1,3 @@ +data "azurerm_resource_group" "rg" { + name = var.resource_group_name +} diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf new file mode 100644 index 00000000..5d0c7c83 --- /dev/null +++ b/ops/terraform/modules/database/main.tf 
@@ -0,0 +1,40 @@
+# PostgreSQL Server in the pre-existing resource group
+resource "azurerm_postgresql_server" "postgres_server" {
+ name = "reportvisionpgserver"
+ location = data.azurerm_resource_group.rg.location
+ resource_group_name = data.azurerm_resource_group.rg.name
+ sku_name = var.sku_name
+ version = var.engine_version
+ administrator_login = var.db_username
+ administrator_login_password = random_string.setup_rds_password.result
+ storage_mb = 5120 # 5 GB storage
+ backup_retention_days = 7
+ ssl_enforcement_enabled = true
+
+}
+
+# PostgreSQL Database in the pre-existing resource group
+resource "azurerm_postgresql_database" "postgres_db" {
+ name = "postgresdb"
+ resource_group_name = data.azurerm_resource_group.rg.name
+ server_name = azurerm_postgresql_server.postgres_server.name
+ charset = "UTF8"
+ collation = "English_United Kingdom.1252"
+}
+
+# Optional: Firewall rule for the PostgreSQL server (to allow Azure services in resource group)
+resource "azurerm_postgresql_firewall_rule" "allow_azure" {
+ name = "AllowAllAzureIps"
+ server_name = azurerm_postgresql_server.postgres_server.name
+ resource_group_name = data.azurerm_resource_group.rg.name
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "0.0.0.0"
+}
+
+resource "random_string" "setup_rds_password" {
+ length = 13
+
+ # Character set that excludes problematic characters like quotes, backslashes, etc.
+ override_special = "_!@#-$%^&*()[]{}"
+}
+
diff --git a/ops/terraform/modules/database/variables.tf b/ops/terraform/modules/database/variables.tf
new file mode 100644
index 00000000..66e09bfd
--- /dev/null
+++ b/ops/terraform/modules/database/variables.tf
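Review bot: The `allow_azure` firewall rule with `start_ip_address`/`end_ip_address` of `0.0.0.0` is Azure's "allow Azure services" sentinel, which admits connections from any Azure-hosted IP in any subscription — not just this resource group — and with `public_network_access_enabled` left at its default the server is reachable from the whole Azure address space, protected only by `random_string.setup_rds_password`. Drop the rule and scope access to the app subnet with an `azurerm_postgresql_virtual_network_rule` (or disable public access and use a private endpoint), and pin `ssl_minimal_tls_version_enforced = "TLS1_2"` instead of relying on whatever the pinned provider defaults to. For the credential, `random_string` is not marked sensitive, so the 13-character password shows in clear in plans and state; `random_password` takes the same arguments but has a sensitive result, and the length and `min_*` constraints should be raised. The `override_special` comment also overstates its safety: `@`, `#`, `%`, `&` and the brackets all need URL-encoding in a `postgresql://` URI, so either the app must escape the value or the set should be narrowed.
```hcl
resource "azurerm_postgresql_server" "postgres_server" {
  # … unchanged: name, location, resource_group_name, sku_name, version, administrator_login …
  administrator_login_password     = random_password.setup_rds_password.result
  storage_mb                       = 5120 # 5 GB storage
  backup_retention_days            = 7
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_2"
}

# … unchanged: azurerm_postgresql_database.postgres_db …

# Replaces the 0.0.0.0 "AllowAllAzureIps" rule: only the app subnet may reach the server.
# The subnet must have the "Microsoft.Sql" service endpoint enabled; the module needs a
# subnet_id variable fed from the networking module's appsubnet_id output.
resource "azurerm_postgresql_virtual_network_rule" "app_subnet" {
  name                = "allow-app-subnet"
  resource_group_name = data.azurerm_resource_group.rg.name
  server_name         = azurerm_postgresql_server.postgres_server.name
  subnet_id           = var.app_subnet_id
}

# random_password is random_string with a sensitive result, so the value is redacted in plan output.
resource "random_password" "setup_rds_password" {
  length           = 32
  min_lower        = 1
  min_upper        = 1
  min_numeric      = 1
  min_special      = 1
  # Only URI-safe specials so the value can be embedded in a connection string unescaped.
  override_special = "_-!*"
}
```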
@@ -0,0 +1,24 @@ +variable "resource_group_name" {} + +variable "db_username" { + type = string + description = "Username of RDS Instance." + default = "reportVisionDbUser" +} + +variable "engine_version" { + description = "Postgres DB engine version." + default = "11" +} + +variable "location" { + type = string + description = "Location of the resource." + default = "eastus" +} + +variable "sku_name" { + type = string + description = "value" + default = "B_Gen5_1" # Basic SKU, Gen5, 1 vCore +} From e51d31aeeeec07a561e3b7e4d24f45ef1c666023 Mon Sep 17 00:00:00 2001 From: marycrawford Date: Tue, 12 Nov 2024 23:44:19 -0800 Subject: [PATCH 02/30] removed commented out code --- ops/terraform/main.tf | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf index 9a4d2196..d4467c9f 100644 --- a/ops/terraform/main.tf +++ b/ops/terraform/main.tf @@ -68,9 +68,9 @@ module "storage" { web_subnet_id = module.networking.websubnet_id } -########## +####### ## app -########## +####### module "ocr_api" { source = "./modules/app_service" @@ -99,8 +99,6 @@ module "ocr_autoscale" { } module "database" { - source = "./modules/database" - # name = var.name + source = "./modules/database" resource_group_name = data.azurerm_resource_group.rg.name - # resource_group_location = data.resource_group_location.rg.location } From 2f5a3457b17bc84610892c2e7a4dd173ef620303 Mon Sep 17 00:00:00 2001 From: marycrawford Date: Tue, 12 Nov 2024 23:45:35 -0800 Subject: [PATCH 03/30] making module headers consistent --- ops/terraform/main.tf | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf index d4467c9f..1446b7e8 100644 --- a/ops/terraform/main.tf +++ b/ops/terraform/main.tf @@ -8,9 +8,6 @@ locals { } } -########## -## network -########## module "networking" { source = "./modules/network" name = var.name 
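Review bot: `engine_version` defaults to `"11"`, a PostgreSQL major that upstream stopped patching in late 2023, so any deployment that takes the default starts on an engine that no longer receives security fixes; default to the newest version the chosen SKU offers (or make the variable required) and document the choice. The `db_username` description reads "Username of RDS Instance", which is AWS terminology and will mislead anyone reading this Azure module — `description = "Administrator login for the Azure Database for PostgreSQL server."` is closer. `location` is declared with a default of `"eastus"` but main.tf in this commit takes the location from the resource-group data source, so the variable is dead unless something else is meant to consume it.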
@@ -23,10 +20,6 @@ module "networking" { env = local.environment } -########### -## security -########### - module "securitygroup" { source = "./modules/security" name = var.name @@ -53,10 +46,6 @@ module "app_gateway" { depends_on = [module.networking, module.ocr_api] } -########## -## storage -########## - module "storage" { source = "./modules/storage" name = var.name @@ -68,10 +57,6 @@ module "storage" { web_subnet_id = module.networking.websubnet_id } -####### -## app -####### - module "ocr_api" { source = "./modules/app_service" name = var.name From 24ad5e3157e3f8865bcc947e0e1894a727e4a901 Mon Sep 17 00:00:00 2001 From: marycrawford Date: Wed, 13 Nov 2024 00:29:48 -0800 Subject: [PATCH 04/30] remove azurerm_postgresql_flexible_server resources and using a single-server Postgres instance instead --- ops/terraform/modules/database/.outputs.tf | 16 ---------------- .../modules/database/.postgresql_fs_db.tf | 6 ------ 2 files changed, 22 deletions(-) delete mode 100644 ops/terraform/modules/database/.outputs.tf delete mode 100644 ops/terraform/modules/database/.postgresql_fs_db.tf diff --git a/ops/terraform/modules/database/.outputs.tf b/ops/terraform/modules/database/.outputs.tf deleted file mode 100644 index 6445eb44..00000000 --- a/ops/terraform/modules/database/.outputs.tf +++ /dev/null @@ -1,16 +0,0 @@ -output "resource_group_name" { - value = azurerm_resource_group.default.name -} - -output "azurerm_postgresql_flexible_server" { - value = azurerm_postgresql_flexible_server.default.name -} - -output "postgresql_flexible_server_database_name" { - value = azurerm_postgresql_flexible_server_database.default.name -} - -output "postgresql_flexible_server_admin_password" { - sensitive = true - value = azurerm_postgresql_flexible_server.default.administrator_password -} diff --git a/ops/terraform/modules/database/.postgresql_fs_db.tf b/ops/terraform/modules/database/.postgresql_fs_db.tf deleted file mode 100644 index 703a098b..00000000 
--- a/ops/terraform/modules/database/.postgresql_fs_db.tf +++ /dev/null @@ -1,6 +0,0 @@ -resource "azurerm_postgresql_flexible_server_database" "default" { - name = "${random_pet.name_prefix.id}-db" - server_id = azurerm_postgresql_flexible_server.default.id - collation = "en_US.utf8" - charset = "UTF8" -} From 64d5ed9212b2774b61e2f76ca9daf0187cc76f9d Mon Sep 17 00:00:00 2001 From: marycrawford Date: Wed, 13 Nov 2024 00:34:35 -0800 Subject: [PATCH 05/30] update resource notes in modules/database/main.tf --- ops/terraform/modules/database/main.tf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf index 5d0c7c83..6d0fce43 100644 --- a/ops/terraform/modules/database/main.tf +++ b/ops/terraform/modules/database/main.tf @@ -1,4 +1,4 @@ -# PostgreSQL Server in the pre-existing resource group +# PostgreSQL Server resource "azurerm_postgresql_server" "postgres_server" { name = "reportvisionpgserver" location = data.azurerm_resource_group.rg.location @@ -13,7 +13,7 @@ resource "azurerm_postgresql_server" "postgres_server" { } -# PostgreSQL Database in the pre-existing resource group +# PostgreSQL Database resource "azurerm_postgresql_database" "postgres_db" { name = "postgresdb" resource_group_name = data.azurerm_resource_group.rg.name @@ -22,7 +22,8 @@ resource "azurerm_postgresql_database" "postgres_db" { collation = "English_United Kingdom.1252" } -# Optional: Firewall rule for the PostgreSQL server (to allow Azure services in resource group) +# Firewall rule for the PostgreSQL server, allowing +# db access to Azure services in same resource group resource "azurerm_postgresql_firewall_rule" "allow_azure" { name = "AllowAllAzureIps" server_name = azurerm_postgresql_server.postgres_server.name From 2ebf0f7fb29e0dc5058082fb61604c0b276f7869 Mon Sep 17 00:00:00 2001 
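Review bot: The rewritten comment says the rule allows "db access to Azure services in same resource group", but the `0.0.0.0`–`0.0.0.0` rule it sits on is the Azure sentinel that admits any Azure-hosted source IP across all subscriptions, so the comment now documents a restriction the code does not enforce. Suggest `# Firewall rule: the 0.0.0.0 sentinel allows ANY Azure-hosted IP (all subscriptions), not just this resource group; replace with a VNet rule or private endpoint before production`. The firewall resource's body continues past the end of the hunk.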
From: marycrawford Date: Wed, 13 Nov 2024 19:25:53 -0800 Subject: [PATCH 06/30] save randomly created postgres db login password in azure key vault --- ops/terraform/main.tf | 6 +++++ ops/terraform/modules/vault.tf/data.tf | 3 +++ ops/terraform/modules/vault.tf/main.tf | 29 +++++++++++++++++++++ ops/terraform/modules/vault.tf/variables.tf | 25 ++++++++++++++++++ ops/terraform/variables.tf | 4 ++- 5 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 ops/terraform/modules/vault.tf/data.tf create mode 100644 ops/terraform/modules/vault.tf/main.tf create mode 100644 ops/terraform/modules/vault.tf/variables.tf diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf index 1446b7e8..2c934a27 100644 --- a/ops/terraform/main.tf +++ b/ops/terraform/main.tf @@ -87,3 +87,9 @@ module "database" { source = "./modules/database" resource_group_name = data.azurerm_resource_group.rg.name } + +module "vault" { + source = "./modules/vault.tf" + resource_group_name = data.azurerm_resource_group.rg.name + azure_tenant_id = var.azure_tenant_id +} diff --git a/ops/terraform/modules/vault.tf/data.tf b/ops/terraform/modules/vault.tf/data.tf new file mode 100644 index 00000000..e7531e71 --- /dev/null +++ b/ops/terraform/modules/vault.tf/data.tf @@ -0,0 +1,3 @@ +data "azurerm_resource_group" "rg" { + name = var.resource_group_name +} diff --git a/ops/terraform/modules/vault.tf/main.tf b/ops/terraform/modules/vault.tf/main.tf new file mode 100644 index 00000000..bd654337 --- /dev/null +++ b/ops/terraform/modules/vault.tf/main.tf 
@@ -0,0 +1,29 @@
+resource "azurerm_key_vault" "key_vault" {
+ name = "reportvision_keyvault"
+ location = "eastus"
+ resource_group_name = data.azurerm_resource_group.rg.name
+ sku_name = "standard"
+ tenant_id = var.azure_tenant_id
+
+ access_policy {
+
+ object_id = data.azurerm_client_config.example.object_id
+
+ key_permissions = [
+ "get",
+ "list"
+ ]
+
+ secret_permissions = [
+ "get",
+ "list"
+ ]
+ }
+}
+
+# Saves the random password into Azure Key Vault
+resource "azurerm_key_vault_secret" "postgres_password" {
+ name = "postgres-password"
+ value = azurerm_postgresql_server.postgres_db.administrator_login_password.result
+ key_vault_id = azurerm_key_vault.key_vault.id
+}
diff --git a/ops/terraform/modules/vault.tf/variables.tf b/ops/terraform/modules/vault.tf/variables.tf
new file mode 100644
index 00000000..db827372
--- /dev/null
+++ b/ops/terraform/modules/vault.tf/variables.tf
@@ -0,0 +1,25 @@
+variable "resource_group_name" {}
+variable "azure_tenant_id" {}
+
+variable "db_username" {
+ type = string
+ description = "Username of RDS Instance."
+ default = "reportVisionDbUser"
+}
+
+variable "engine_version" {
+ description = "Postgres DB engine version."
+ default = "11"
+}
+
+variable "location" {
+ type = string
+ description = "Location of the resource."
+ default = "eastus"
+}
+
+variable "sku_name" {
+ type = string
+ description = "value"
+ default = "B_Gen5_1" # Basic SKU, Gen5, 1 vCore
+}
diff --git a/ops/terraform/variables.tf b/ops/terraform/variables.tf
index a7006bc4..007bb634 100644
--- a/ops/terraform/variables.tf
+++ b/ops/terraform/variables.tf
@@ -4,4 +4,6 @@ variable "resource_group_name" {
 variable "name" {}
-variable "sku_name" {}
\ No newline at end of file
+variable "sku_name" {}
+
+variable "azure_tenant_id" {}
From 887509575ced0e8511e42f296f088697172f506c Mon Sep 17 00:00:00 2001
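Review bot: The secret's `value = azurerm_postgresql_server.postgres_db.administrator_login_password.result` cannot resolve: the server in the database module is named `postgres_server`, not `postgres_db`, `administrator_login_password` is a plain string with no `.result`, and a module cannot address another module's resources — the password has to arrive as a sensitive input variable (or the random password should be generated here and passed down to the database module). `data.azurerm_client_config.example` is not declared anywhere in the module, the `access_policy` block omits the `tenant_id` the provider requires, and `reportvision_keyvault` will be rejected because Key Vault names allow only letters, digits and hyphens. On the security side, the vault is created without `purge_protection_enabled`, without `network_acls`, and with a policy that grants only `get`/`list`, so the identity running `terraform apply` cannot `Set` the very secret this file creates. `location` is also hard-coded to `"eastus"` while the rest of the stack reads the resource group's location.
```hcl
resource "azurerm_key_vault" "key_vault" {
  name                       = "reportvision-keyvault"
  location                   = data.azurerm_resource_group.rg.location
  # … unchanged: resource_group_name, sku_name, tenant_id …
  purge_protection_enabled   = true
  soft_delete_retention_days = 90

  # Policy for the identity that runs terraform apply: it must be able to write the secret below.
  access_policy {
    tenant_id          = var.azure_tenant_id
    object_id          = data.azurerm_client_config.current.object_id
    secret_permissions = ["Get", "List", "Set", "Delete", "Recover", "Purge"]
  }
}

resource "azurerm_key_vault_secret" "postgres_password" {
  name         = "postgres-password"
  value        = var.postgres_password # sensitive module input, fed from the database module's output
  key_vault_id = azurerm_key_vault.key_vault.id
}
```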
From: marycrawford Date: Wed, 13 Nov 2024 23:31:27 -0800 Subject: [PATCH 07/30] add client_id and object_id for vault --- .github/actions/tf-setup/action.yml | 4 ++++ ops/terraform/modules/vault.tf/main.tf | 20 +++++++++++++++----- ops/terraform/modules/vault.tf/variables.tf | 3 +++ ops/terraform/providers.tf | 6 +++++- 4 files changed, 27 insertions(+), 6 deletions(-) diff --git a/.github/actions/tf-setup/action.yml b/.github/actions/tf-setup/action.yml index 440809a1..71fe88f8 100644 --- a/.github/actions/tf-setup/action.yml +++ b/.github/actions/tf-setup/action.yml @@ -16,6 +16,9 @@ inputs: azure-subscription-id: description: The Azure subscription_id for this environment. required: true + azure-object-id: + description: The Azure object_id for this environment. + required: true app-name: description: The name of the application being deployed in Terraform. required: true @@ -50,6 +53,7 @@ runs: ARM_CLIENT_ID: ${{ inputs.azure-client-id }} ARM_TENANT_ID: ${{ inputs.azure-tenant-id }} ARM_SUBSCRIPTION_ID: ${{ inputs.azure-subscription-id }} + ARM_CLIENT_ID: ${{ inputs.azure-client-id }} shell: bash run: | terraform init -backend-config=config/${{ inputs.deploy-env }}.config diff --git a/ops/terraform/modules/vault.tf/main.tf b/ops/terraform/modules/vault.tf/main.tf index bd654337..7d1d2f2b 100644 --- a/ops/terraform/modules/vault.tf/main.tf +++ b/ops/terraform/modules/vault.tf/main.tf @@ -7,16 +7,14 @@ resource "azurerm_key_vault" "key_vault" { access_policy { - object_id = data.azurerm_client_config.example.object_id + object_id = var.object_id key_permissions = [ - "get", - "list" + "get" ] secret_permissions = [ - "get", - "list" + "get" ] } } 
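Review bot: The `env` map of the `terraform init` step now lists `ARM_CLIENT_ID` twice, which is a duplicate YAML key (parsers either keep the last value or reject the document), and the new required `azure-object-id` input is never exported at all. Replace the second entry with `TF_VAR_object_id: ${{ inputs.azure-object-id }}` so Terraform binds it to `var.object_id`; the `ARM_*` variables are read only by the azurerm provider for authentication, not mapped to input variables.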
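Review bot: Trimming `secret_permissions` to `get` leaves no identity that can write secrets, yet the same module creates `azurerm_key_vault_secret.postgres_password`; if `var.object_id` is the CI service principal the apply fails with a 403 on that secret, and if it is some other principal the CI identity has no policy at all. Give the applying identity `["Get", "List", "Set", "Delete", "Recover", "Purge"]` and keep the read-only `Get` grant for the consumer in a separate `access_policy` block (or switch to `enable_rbac_authorization = true` with role assignments). Also, azurerm 3.x expects capitalized permission names (`"Get"`), so the lowercase values may be rejected or show perpetual drift depending on the pinned provider version. The `azurerm_key_vault` block starts before this hunk.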
@@ -27,3 +25,15 @@ resource "azurerm_key_vault_secret" "postgres_password" { value = azurerm_postgresql_server.postgres_db.administrator_login_password.result key_vault_id = azurerm_key_vault.key_vault.id } + +# Define the Service Principal for which we are granting access +resource "azurerm_azuread_application" "frontendapp" { + name = "frontend-application" + # TODO: Ask if the VITE_API_URL is the correct endpoint we are using + homepage = var.VITE_API_URL + identifier_uris = [VITE_API_URL] +} + +resource "azurerm_azuread_service_principal" "example" { + application_id = azurerm_azuread_application.frontendapp.application_id +} diff --git a/ops/terraform/modules/vault.tf/variables.tf b/ops/terraform/modules/vault.tf/variables.tf index db827372..7d191975 100644 --- a/ops/terraform/modules/vault.tf/variables.tf +++ b/ops/terraform/modules/vault.tf/variables.tf @@ -1,5 +1,8 @@ variable "resource_group_name" {} variable "azure_tenant_id" {} +variable "object_id" { + +} variable "db_username" { type = string diff --git a/ops/terraform/providers.tf b/ops/terraform/providers.tf index 3f578cdf..1f2d5780 100644 --- a/ops/terraform/providers.tf +++ b/ops/terraform/providers.tf @@ -15,5 +15,9 @@ terraform { } provider "azurerm" { - features {} + features { + key_vault { + purge_soft_delete_on_destroy = true + recover_soft_deleted_key_vaults = true + } } \ No newline at end of file From 79f013dce63a90b89bd0b9aceb6b9ffa893a3ed9 Mon Sep 17 00:00:00 2001 From: marycrawford Date: Wed, 13 Nov 2024 23:39:07 -0800 Subject: [PATCH 08/30] fix errors --- .github/actions/tf-setup/action.yml | 2 +- ops/terraform/modules/vault.tf/main.tf | 6 +++--- ops/terraform/modules/vault.tf/variables.tf | 5 ++--- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/actions/tf-setup/action.yml b/.github/actions/tf-setup/action.yml index 71fe88f8..2f08432b 100644 --- a/.github/actions/tf-setup/action.yml +++ b/.github/actions/tf-setup/action.yml 
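Review bot: `azurerm_azuread_application` and `azurerm_azuread_service_principal` are not resources the azurerm provider ships; the Entra ID resources are `azuread_application` / `azuread_service_principal` from the separate `azuread` provider (which would also need declaring in providers.tf, and uses `display_name` rather than `name`), and `identifier_uris = [VITE_API_URL]` is a bare identifier, so this hunk does not pass `terraform validate`. Beyond syntax, the service principal is created but never granted anything and nothing references it, while `identifier_uris` must be a URI on a domain verified in the tenant — the `TODO` shows that is still undecided. An unused app registration and SP is pure attack surface; I would hold this until the consumer and its permissions are designed, and then register it in the module that owns that consumer.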
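Review bot: `purge_soft_delete_on_destroy = true` tells the provider to permanently purge the Key Vault — and the database password stored in it — on `terraform destroy`, which defeats the soft-delete window that exists precisely so an accidental destroy in the wrong workspace can be recovered; outside throwaway dev environments this should be `purge_soft_delete_on_destroy = false`, keeping `recover_soft_deleted_key_vaults = true`. The edited `features` block is also missing its closing brace (`key_vault { ... }` is closed but `features {` is not), so providers.tf as committed does not parse.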
@@ -53,7 +53,7 @@ runs: ARM_CLIENT_ID: ${{ inputs.azure-client-id }} ARM_TENANT_ID: ${{ inputs.azure-tenant-id }} ARM_SUBSCRIPTION_ID: ${{ inputs.azure-subscription-id }} - ARM_CLIENT_ID: ${{ inputs.azure-client-id }} + ARM_OBJECT_ID: ${{ inputs.azure-object-id }} shell: bash run: | terraform init -backend-config=config/${{ inputs.deploy-env }}.config diff --git a/ops/terraform/modules/vault.tf/main.tf b/ops/terraform/modules/vault.tf/main.tf index 7d1d2f2b..42dbbf50 100644 --- a/ops/terraform/modules/vault.tf/main.tf +++ b/ops/terraform/modules/vault.tf/main.tf @@ -30,10 +30,10 @@ resource "azurerm_key_vault_secret" "postgres_password" { resource "azurerm_azuread_application" "frontendapp" { name = "frontend-application" # TODO: Ask if the VITE_API_URL is the correct endpoint we are using - homepage = var.VITE_API_URL - identifier_uris = [VITE_API_URL] + homepage = var.vite_api_url + identifier_uris = [var.vite_api_url] } -resource "azurerm_azuread_service_principal" "example" { +resource "azurerm_azuread_service_principal" "this" { application_id = azurerm_azuread_application.frontendapp.application_id } diff --git a/ops/terraform/modules/vault.tf/variables.tf b/ops/terraform/modules/vault.tf/variables.tf index 7d191975..264d6797 100644 --- a/ops/terraform/modules/vault.tf/variables.tf +++ b/ops/terraform/modules/vault.tf/variables.tf @@ -1,8 +1,7 @@ variable "resource_group_name" {} variable "azure_tenant_id" {} -variable "object_id" { - -} +variable "object_id" {} +variable "vite_api_url" {} variable "db_username" { type = string From 095f8d9f22214dc33d9d20666f4c7147bbaa616e Mon Sep 17 00:00:00 2001 
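Review bot: `ARM_OBJECT_ID` is not an environment variable Terraform or the azurerm provider reads, so `inputs.azure-object-id` still never reaches the configuration and `var.object_id` must be supplied some other way or the run prompts for it. Terraform maps environment variables to input variables only through the `TF_VAR_` prefix: `TF_VAR_object_id: ${{ inputs.azure-object-id }}`. The same wiring is needed for the `vite_api_url` variable the vault module now consumes.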
From: marycrawford Date: Mon, 18 Nov 2024 09:39:08 -0800 Subject: [PATCH 09/30] update database with network subnet and vault with object_id and vite_api_url --- ops/terraform/locals.tf | 7 ++++++- ops/terraform/main.tf | 3 +++ ops/terraform/modules/database/main.tf | 3 +++ ops/terraform/modules/database/variables.tf | 6 ++++++ ops/terraform/modules/vault.tf/variables.tf | 5 +++++ 5 files changed, 23 insertions(+), 1 deletion(-) diff --git a/ops/terraform/locals.tf b/ops/terraform/locals.tf index 3ac01c81..55356f6b 100644 --- a/ops/terraform/locals.tf +++ b/ops/terraform/locals.tf @@ -1,5 +1,10 @@ locals { environment = terraform.workspace + + # Explicitly get object_id from the environment variable (e.g., in GitHub Actions) + azure_object_id = getenv("ARM_OBJECT_ID", var.object_id) + vite_api_url = getenv("VITE_API_URL", "") # Default to an empty string if not set + init = { environment = local.environment location = "eastus2" @@ -20,4 +25,4 @@ locals { lbsubnetcidr = "10.1.3.0/24" } } -} \ No newline at end of file +} diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf index 2c934a27..a44d76eb 100644 --- a/ops/terraform/main.tf +++ b/ops/terraform/main.tf @@ -86,10 +86,13 @@ module "ocr_autoscale" { module "database" { source = "./modules/database" resource_group_name = data.azurerm_resource_group.rg.name + subnet = module.network.azurerm_subnet.web-subnet.id } module "vault" { source = "./modules/vault.tf" resource_group_name = data.azurerm_resource_group.rg.name azure_tenant_id = var.azure_tenant_id + object_id = local.azure_object_id + vite_api_url = local.vite_api_url } diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf index 6d0fce43..443dacad 100644 --- a/ops/terraform/modules/database/main.tf +++ b/ops/terraform/modules/database/main.tf 
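Review bot: `getenv()` is not a Terraform built-in function, so this locals.tf fails at `terraform validate` before any plan is produced; Terraform reads the process environment only through `TF_VAR_<name>` input variables (and the provider-specific `ARM_*` auth variables). Drop both locals, declare `variable "object_id"` and `variable "vite_api_url"` in the root module, and export `TF_VAR_object_id` / `TF_VAR_vite_api_url` from the workflow. Defaulting `vite_api_url` to `""` would also have produced an application registration with an empty identifier URI without any error, so make it required rather than defaulted.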
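Review bot: `subnet = module.network.azurerm_subnet.web-subnet.id` cannot resolve: the networking module is declared as `module "networking"` (the storage module already consumes `module.networking.websubnet_id`), and a module's internal resources are never addressable from the caller — only its outputs are. Use the existing output, e.g. `subnet = module.networking.appsubnet_id`, which is also the subnet the app tier actually runs in. Longer term the database should get its own subnet with the `Microsoft.Sql` service endpoint rather than sharing a tier subnet.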
@@ -11,6 +11,9 @@ resource "azurerm_postgresql_server" "postgres_server" { backup_retention_days = 7 ssl_enforcement_enabled = true + # Enable Virtual Network service endpoint + virtual_network_subnet_id = var.subnet + } # PostgreSQL Database diff --git a/ops/terraform/modules/database/variables.tf b/ops/terraform/modules/database/variables.tf index 66e09bfd..99711076 100644 --- a/ops/terraform/modules/database/variables.tf +++ b/ops/terraform/modules/database/variables.tf @@ -1,4 +1,5 @@ variable "resource_group_name" {} +variable "subnet" {} variable "db_username" { type = string @@ -22,3 +23,8 @@ variable "sku_name" { description = "value" default = "B_Gen5_1" # Basic SKU, Gen5, 1 vCore } + +variable "subnet" { + description = "The subnet ID to associate with the PostgreSQL server" + type = string +} diff --git a/ops/terraform/modules/vault.tf/variables.tf b/ops/terraform/modules/vault.tf/variables.tf index 264d6797..1dc0fd68 100644 --- a/ops/terraform/modules/vault.tf/variables.tf +++ b/ops/terraform/modules/vault.tf/variables.tf @@ -20,6 +20,11 @@ variable "location" { default = "eastus" } +variable "object_id" { + description = "The Azure Object ID" + type = string +} + variable "sku_name" { type = string description = "value" From a88439217d183ab03927311c152295ead6b79476 Mon Sep 17 00:00:00 2001 From: marycrawford Date: Mon, 18 Nov 2024 09:55:53 -0800 Subject: [PATCH 10/30] update subnet used --- ops/terraform/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf index a44d76eb..d2c8917e 100644 --- a/ops/terraform/main.tf +++ b/ops/terraform/main.tf @@ -86,7 +86,7 @@ module "ocr_autoscale" { module "database" { source = "./modules/database" resource_group_name = data.azurerm_resource_group.rg.name - subnet = module.network.azurerm_subnet.web-subnet.id + subnet = module.network.azurerm_subnet.app-subnet.id } module "vault" { From 9f4f1c1ded7ede8aa5f5a679eb18d4b42de34be3 Mon Sep 17 00:00:00 2001 
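Review bot: `virtual_network_subnet_id` is not an argument of `azurerm_postgresql_server` as far as the azurerm schema goes, so this addition fails validation rather than enabling a service endpoint; Single Server VNet access is a separate `azurerm_postgresql_virtual_network_rule`, and the subnet must carry the `Microsoft.Sql` service endpoint. Until the `AllowAllAzureIps` 0.0.0.0 firewall rule earlier in this file is removed, a VNet rule adds no restriction either, because any Azure-hosted IP is already admitted. The `azurerm_postgresql_server` block starts before this hunk.
```hcl
# … unchanged: azurerm_postgresql_server.postgres_server (without virtual_network_subnet_id) …

# Restrict access to the given subnet; replaces the 0.0.0.0 "AllowAllAzureIps" rule.
resource "azurerm_postgresql_virtual_network_rule" "app_subnet" {
  name                                 = "allow-app-subnet"
  resource_group_name                  = data.azurerm_resource_group.rg.name
  server_name                          = azurerm_postgresql_server.postgres_server.name
  subnet_id                            = var.subnet
  # Fail loudly if the subnet lacks the Microsoft.Sql service endpoint instead of creating a dead rule.
  ignore_missing_vnet_service_endpoint = false
}
```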
From: marycrawford Date: Mon, 18 Nov 2024 12:54:15 -0800 Subject: [PATCH 11/30] update how we are consuming the vite_api_url and object_id variables --- ops/terraform/locals.tf | 4 ---- ops/terraform/main.tf | 4 ++-- ops/terraform/modules/database/variables.tf | 1 + ops/terraform/modules/vault.tf/variables.tf | 1 + ops/terraform/variables.tf | 12 +++++++++--- 5 files changed, 13 insertions(+), 9 deletions(-) diff --git a/ops/terraform/locals.tf b/ops/terraform/locals.tf index 55356f6b..aba18965 100644 --- a/ops/terraform/locals.tf +++ b/ops/terraform/locals.tf @@ -1,10 +1,6 @@ locals { environment = terraform.workspace - # Explicitly get object_id from the environment variable (e.g., in GitHub Actions) - azure_object_id = getenv("ARM_OBJECT_ID", var.object_id) - vite_api_url = getenv("VITE_API_URL", "") # Default to an empty string if not set - init = { environment = local.environment location = "eastus2" diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf index d2c8917e..42a78e7b 100644 --- a/ops/terraform/main.tf +++ b/ops/terraform/main.tf @@ -93,6 +93,6 @@ module "vault" { source = "./modules/vault.tf" resource_group_name = data.azurerm_resource_group.rg.name azure_tenant_id = var.azure_tenant_id - object_id = local.azure_object_id - vite_api_url = local.vite_api_url + object_id = var.object_id + vite_api_url = var.vite_api_url } diff --git a/ops/terraform/modules/database/variables.tf b/ops/terraform/modules/database/variables.tf index 99711076..a4a810c3 100644 --- a/ops/terraform/modules/database/variables.tf +++ b/ops/terraform/modules/database/variables.tf @@ -1,3 +1,4 @@ +# Variables from GitHub Actions variable "resource_group_name" {} variable "subnet" {} diff --git a/ops/terraform/modules/vault.tf/variables.tf b/ops/terraform/modules/vault.tf/variables.tf index 1dc0fd68..30b19975 100644 --- a/ops/terraform/modules/vault.tf/variables.tf +++ b/ops/terraform/modules/vault.tf/variables.tf 
@@ -1,3 +1,4 @@ +# Variables from GitHub Actions variable "resource_group_name" {} variable "azure_tenant_id" {} variable "object_id" {} diff --git a/ops/terraform/variables.tf b/ops/terraform/variables.tf index 007bb634..19a46709 100644 --- a/ops/terraform/variables.tf +++ b/ops/terraform/variables.tf @@ -1,9 +1,15 @@ +# Variables from GitHub Actions +variable "azure_tenant_id" {} + +variable "name" {} +variable "object_id" {} +variable "sku_name" {} +variable "vite_api_url" {} + variable "resource_group_name" { description = "value of the Azure resource group to deploy to" } -variable "name" {} -variable "sku_name" {} -variable "azure_tenant_id" {} + From cb224cea5e809afc4e7bb7ee809fec0caef30899 Mon Sep 17 00:00:00 2001 From: marycrawford Date: Mon, 18 Nov 2024 13:08:30 -0800 Subject: [PATCH 12/30] remove the data.tf files from the database and vault modules, use main data.tf file under terraform --- ops/terraform/modules/database/data.tf | 3 --- ops/terraform/modules/vault.tf/data.tf | 3 --- 2 files changed, 6 deletions(-) delete mode 100644 ops/terraform/modules/database/data.tf delete mode 100644 ops/terraform/modules/vault.tf/data.tf diff --git a/ops/terraform/modules/database/data.tf b/ops/terraform/modules/database/data.tf deleted file mode 100644 index e7531e71..00000000 --- a/ops/terraform/modules/database/data.tf +++ /dev/null @@ -1,3 +0,0 @@ -data "azurerm_resource_group" "rg" { - name = var.resource_group_name -} diff --git a/ops/terraform/modules/vault.tf/data.tf b/ops/terraform/modules/vault.tf/data.tf deleted file mode 100644 index e7531e71..00000000 --- a/ops/terraform/modules/vault.tf/data.tf +++ /dev/null @@ -1,3 +0,0 @@ -data "azurerm_resource_group" "rg" { - name = var.resource_group_name -} From 537ee13cadd8cea24f9a53c41a6cdc3fecd68e6d Mon Sep 17 00:00:00 2001 
From: marycrawford Date: Mon, 18 Nov 2024 13:20:33 -0800 Subject: [PATCH 13/30] remove duplicate variables and add descriptions --- ops/terraform/modules/database/variables.tf | 11 ++++++----- ops/terraform/modules/vault.tf/variables.tf | 20 ++++++++++++++------ 2 files changed, 20 insertions(+), 11 deletions(-) diff --git a/ops/terraform/modules/database/variables.tf b/ops/terraform/modules/database/variables.tf index a4a810c3..c52e4244 100644 --- a/ops/terraform/modules/database/variables.tf +++ b/ops/terraform/modules/database/variables.tf @@ -1,7 +1,3 @@ -# Variables from GitHub Actions -variable "resource_group_name" {} -variable "subnet" {} - variable "db_username" { type = string description = "Username of RDS Instance." @@ -19,6 +15,11 @@ variable "location" { default = "eastus" } +variable "resource_group_name" { + type = string + description = "The Azure Resource Group Name" +} + variable "sku_name" { type = string description = "value" @@ -26,6 +27,6 @@ variable "sku_name" { } variable "subnet" { - description = "The subnet ID to associate with the PostgreSQL server" type = string + description = "The subnet ID to associate with the PostgreSQL server" } diff --git a/ops/terraform/modules/vault.tf/variables.tf b/ops/terraform/modules/vault.tf/variables.tf index 30b19975..847e96da 100644 --- a/ops/terraform/modules/vault.tf/variables.tf +++ b/ops/terraform/modules/vault.tf/variables.tf @@ -1,8 +1,6 @@ -# Variables from GitHub Actions -variable "resource_group_name" {} -variable "azure_tenant_id" {} -variable "object_id" {} -variable "vite_api_url" {} +variable "azure_tenant_id" { + description = "Unique Identifier for the Azure Active Directory tenant" +} variable "db_username" { type = string 
@@ -22,12 +20,22 @@ variable "location" { } variable "object_id" { + type = string description = "The Azure Object ID" +} + +variable "resource_group_name" { type = string + description = "The Azure Resource Group Name" } variable "sku_name" { type = string - description = "value" + description = "The Azure Stock Keep Unit (SKU) version" default = "B_Gen5_1" # Basic SKU, Gen5, 1 vCore } + +variable "vite_api_url" { + type = string + description = "The application API Url" +} From 1878571d67f40faa26d16ee9b9b828681936fb0e Mon Sep 17 00:00:00 2001 From: marycrawford Date: Mon, 18 Nov 2024 13:30:17 -0800 Subject: [PATCH 14/30] fix syntax error and put variable descriptions --- ops/terraform/modules/database/variables.tf | 2 +- ops/terraform/modules/vault.tf/variables.tf | 4 ++-- ops/terraform/providers.tf | 3 ++- ops/terraform/variables.tf | 23 ++++++++++++++++----- 4 files changed, 23 insertions(+), 9 deletions(-) diff --git a/ops/terraform/modules/database/variables.tf b/ops/terraform/modules/database/variables.tf index c52e4244..cadaba07 100644 --- a/ops/terraform/modules/database/variables.tf +++ b/ops/terraform/modules/database/variables.tf @@ -17,7 +17,7 @@ variable "location" { variable "resource_group_name" { type = string - description = "The Azure Resource Group Name" + description = "The Azure Resource Group to deploy to" } variable "sku_name" { diff --git a/ops/terraform/modules/vault.tf/variables.tf b/ops/terraform/modules/vault.tf/variables.tf index 847e96da..b7dc7b35 100644 --- a/ops/terraform/modules/vault.tf/variables.tf +++ b/ops/terraform/modules/vault.tf/variables.tf @@ -1,5 +1,5 @@ variable "azure_tenant_id" { - description = "Unique Identifier for the Azure Active Directory tenant" + description = "Unique Identifier for the Azure AD tenant for the app" } variable "db_username" { 
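Review bot: `db_username`, `engine_version` and `sku_name` in the vault module are copies of the database module's variables, and nothing in `modules/vault.tf/main.tf` reads them; the `sku_name` default `B_Gen5_1` is a PostgreSQL SKU while the vault hard-codes `sku_name = "standard"`, so the new description "The Azure Stock Keep Unit (SKU) version" documents a knob that does nothing. Remove the three unused variables (and `location`, since the vault hard-codes `"eastus"`), or wire `location`/`sku_name` into the vault resource if they are meant to be configurable. `azure_tenant_id` gained a description but still lacks `type = string`.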
@@ -26,7 +26,7 @@ variable "object_id" { variable "resource_group_name" { type = string - description = "The Azure Resource Group Name" + description = "The Azure Resource Group to deploy to" } variable "sku_name" { diff --git a/ops/terraform/providers.tf b/ops/terraform/providers.tf index 1f2d5780..36f4b886 100644 --- a/ops/terraform/providers.tf +++ b/ops/terraform/providers.tf @@ -19,5 +19,6 @@ provider "azurerm" { key_vault { purge_soft_delete_on_destroy = true recover_soft_deleted_key_vaults = true + } } -} \ No newline at end of file +} diff --git a/ops/terraform/variables.tf b/ops/terraform/variables.tf index 19a46709..0842ed66 100644 --- a/ops/terraform/variables.tf +++ b/ops/terraform/variables.tf @@ -1,10 +1,23 @@ -# Variables from GitHub Actions -variable "azure_tenant_id" {} +variable "azure_tenant_id" { + description = "Unique Identifier for the Azure AD tenant for the app" +} variable "name" {} -variable "object_id" {} -variable "sku_name" {} -variable "vite_api_url" {} + +variable "object_id" { + type = string + description = "The Azure Object ID" +} + +variable "sku_name" { + type = string + description = "The Azure Stock Keep Unit (SKU) version" +} + +variable "vite_api_url" { + type = string + description = "The application API Url" +} variable "resource_group_name" { description = "value of the Azure resource group to deploy to" From 0916362112759b0f8fdbda049eccc9c7768f13c9 Mon Sep 17 00:00:00 2001 From: marycrawford Date: Tue, 19 Nov 2024 12:07:28 -0800 Subject: [PATCH 15/30] create subnet for db and update tf code --- ops/terraform/locals.tf | 33 +++++++++++---------- ops/terraform/main.tf | 19 ++++++------ ops/terraform/modules/network/main.tf | 31 ++++++++++++------- ops/terraform/modules/network/variables.tf | 9 ++++-- ops/terraform/modules/security/variables.tf | 4 +-- 5 files changed, 56 insertions(+), 40 deletions(-) diff --git a/ops/terraform/locals.tf b/ops/terraform/locals.tf index aba18965..ec373395 100644 
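Review bot: The brace fix in providers.tf leaves `purge_soft_delete_on_destroy = true` in the `key_vault` features block, which makes `terraform destroy` permanently purge the vault and its secrets instead of leaving them soft-deleted for the retention window. Together with `recover_soft_deleted_key_vaults = true` this is convenient for a throwaway dev workspace, but it removes the recovery path after an accidental or unauthorized destroy of the vault that is meant to hold the database password; consider `purge_soft_delete_on_destroy = false` for any workspace with real credentials, or make it conditional on `terraform.workspace`. The `provider "azurerm"` block's opening lines are outside the hunk.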
--- a/ops/terraform/locals.tf +++ b/ops/terraform/locals.tf @@ -1,24 +1,27 @@ locals { environment = terraform.workspace - init = { - environment = local.environment - location = "eastus2" - } - dev = { + environments = { dev = { - vnetcidr = "10.0.0.0/16" - appsubnetcidr = "10.0.1.0/24" - websubnetcidr = "10.0.2.0/24" - lbsubnetcidr = "10.0.3.0/24" + dev = { + vnetcidr = "10.0.0.0/16" + appsubnetcidr = "10.0.1.0/24" + websubnetcidr = "10.0.2.0/24" + lbsubnetcidr = "10.0.3.0/24" + dbsubnetcidr = "10.0.4.0/24" + } } - } - demo = { demo = { - vnetcidr = "10.1.0.0/16" - appsubnetcidr = "10.1.1.0/24" - websubnetcidr = "10.1.2.0/24" - lbsubnetcidr = "10.1.3.0/24" + demo = { + vnetcidr = "10.1.0.0/16" + appsubnetcidr = "10.1.1.0/24" + websubnetcidr = "10.1.2.0/24" + lbsubnetcidr = "10.1.3.0/24" + dbsubnetcidr = "10.0.4.0/24" + } } } + + # Get the values for the current environment + env_config = local.environments[local.environment] } diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf index 42a78e7b..a5ccbec1 100644 --- a/ops/terraform/main.tf +++ b/ops/terraform/main.tf @@ -1,5 +1,5 @@ locals { - workspaces = merge(local.dev, local.demo) + workspaces = merge(local.environments) workspace = local.workspaces[terraform.workspace] management_tags = { @@ -13,10 +13,11 @@ module "networking" { name = var.name location = data.azurerm_resource_group.rg.location resource_group = data.azurerm_resource_group.rg.name - vnetcidr = local.workspace["vnetcidr"] - websubnetcidr = local.workspace["websubnetcidr"] - lbsubnetcidr = local.workspace["lbsubnetcidr"] - appsubnetcidr = local.workspace["appsubnetcidr"] + vnetcidr = local.env_config.vnetcidr + websubnetcidr = local.env_config.websubnetcidr + lbsubnetcidr = local.env_config.lbsubnetcidr + appsubnetcidr = local.env_config.appsubnetcidr + dbsubnetcidr = local.env_config.dbsubnetcidr env = local.environment } 
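Review bot: In the `demo` entry, `dbsubnetcidr = "10.0.4.0/24"` falls outside the demo VNet `10.1.0.0/16` (it reuses dev's range), so the demo db subnet cannot be created; it should be `dbsubnetcidr = "10.1.4.0/24"`. The rewritten map is also nested twice (`dev = { dev = { … } }`), so `local.environments[local.environment]` yields `{ dev = {…} }` and `local.env_config.vnetcidr` in the `module "networking"` hunk of main.tf below has no such attribute; either flatten it to `environments = { dev = {…}, demo = {…} }` or index one level deeper. The same demo CIDR is carried over unchanged in the locals.tf hunk of PATCH 16.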
@@ -26,9 +27,9 @@ module "securitygroup" { location = data.azurerm_resource_group.rg.location resource_group = data.azurerm_resource_group.rg.name web_subnet_id = module.networking.websubnet_id - # db_subnet_id = module.networking.dbsubnet_id - lb_subnet_id = module.networking.lbsubnet_id - env = local.environment + db_subnet_id = module.networking.dbsubnet_id + lb_subnet_id = module.networking.lbsubnet_id + env = local.environment } module "app_gateway" { @@ -86,7 +87,7 @@ module "ocr_autoscale" { module "database" { source = "./modules/database" resource_group_name = data.azurerm_resource_group.rg.name - subnet = module.network.azurerm_subnet.app-subnet.id + subnet = module.network.azurerm_subnet.db-subnet.id } module "vault" { diff --git a/ops/terraform/modules/network/main.tf b/ops/terraform/modules/network/main.tf index 7b2dc6a3..383b6a41 100644 --- a/ops/terraform/modules/network/main.tf +++ b/ops/terraform/modules/network/main.tf @@ -9,19 +9,19 @@ resource "azurerm_subnet" "web-subnet" { name = "${var.name}-web-subnet-${var.env}" virtual_network_name = azurerm_virtual_network.vnet.name resource_group_name = var.resource_group - address_prefixes = [var.websubnetcidr] - service_endpoints = [ + address_prefixes = [local.env_config.websubnetcidr] + service_endpoints = [ "Microsoft.Storage", "Microsoft.Web" ] - depends_on = [azurerm_virtual_network.vnet] + depends_on = [azurerm_virtual_network.vnet] } resource "azurerm_subnet" "app-subnet" { name = "${var.name}-app-subnet-${var.env}" virtual_network_name = azurerm_virtual_network.vnet.name resource_group_name = var.resource_group - address_prefixes = [var.appsubnetcidr] + address_prefixes = [local.env_config.appsubnetcidr] delegation { name = "delegation" 
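Review bot: `subnet = module.network.azurerm_subnet.db-subnet.id` in the `module "database"` hunk cannot resolve: the module is declared as `module "networking"`, and a module's resources are not addressable from the caller, only its outputs are. The network module's `output "dbsubnet_id"` is still commented out at this commit (PATCH 16 enables it), so the line should become `subnet = module.networking.dbsubnet_id` and that output should be uncommented in the same change.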
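Review bot: `address_prefixes = [local.env_config.websubnetcidr]` and the matching app-subnet line in network/main.tf reference a local defined in the root module's locals.tf; child modules do not see the caller's locals, so these fail as undeclared references at plan time. The module already declares `websubnetcidr`, `appsubnetcidr`, `lbsubnetcidr` and, as of this commit, `dbsubnetcidr` as variables and the root passes all of them, so keep `address_prefixes = [var.websubnetcidr]` and friends. The same substitution appears in the lb-subnet and db-subnet hunks that follow.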
@@ -37,7 +37,7 @@ resource "azurerm_subnet" "lb-subnet" { name = "${var.name}-lb-subnet-${var.env}" virtual_network_name = azurerm_virtual_network.vnet.name resource_group_name = var.resource_group - address_prefixes = [var.lbsubnetcidr] + address_prefixes = [local.env_config.lbsubnetcidr] service_endpoints = [ "Microsoft.Storage", "Microsoft.Web" @@ -45,9 +45,18 @@ resource "azurerm_subnet" "lb-subnet" { depends_on = [azurerm_virtual_network.vnet] } -# resource "azurerm_subnet" "db-subnet" { -# name = "${var.name}-db-subnet-${var.env}" -# virtual_network_name = azurerm_virtual_network.vnet.name -# resource_group_name = var.resource_group -# address_prefixes = [var.dbsubnetcidr] -# } \ No newline at end of file +resource "azurerm_subnet" "db-subnet" { + name = "${var.name}-db-subnet-${var.env}" + virtual_network_name = azurerm_virtual_network.vnet.name + resource_group_name = var.resource_group + address_prefixes = [local.env_config.dbsubnetcidr] + + # Ensure the subnet is private by setting service endpoints and delegating the subnet for PostgreSQL + delegation { + name = "postgresql-delegation" + service_delegation { + name = "Microsoft.DBforPostgreSQL/servers" + actions = ["Microsoft.Network/virtualNetworks/subnets/action"] + } + } +} diff --git a/ops/terraform/modules/network/variables.tf b/ops/terraform/modules/network/variables.tf index affded85..2a506fc9 100644 --- a/ops/terraform/modules/network/variables.tf +++ b/ops/terraform/modules/network/variables.tf @@ -1,9 +1,12 @@ variable "resource_group" {} variable "name" {} -variable "location" {} variable "vnetcidr" {} variable "websubnetcidr" {} variable "lbsubnetcidr" {} -# variable "dbsubnetcidr" {} +variable "dbsubnetcidr" {} variable "appsubnetcidr" {} -variable "env" {} \ No newline at end of file +variable "env" {} + +variable "location" { + default = "eastus2" +} diff --git a/ops/terraform/modules/security/variables.tf b/ops/terraform/modules/security/variables.tf index 9c62eaba..0a1186e7 100644 
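Review bot: The comment on the new `db-subnet` says the subnet is made private "by setting service endpoints and delegating", but the resource sets only a `delegation` and no `service_endpoints`; the comment should describe what the code does. Note also that the database module in this series uses the single-server resource `azurerm_postgresql_server`, whose VNet rules are driven by a service endpoint on the subnet (the provider documents `Microsoft.Sql` for `azurerm_postgresql_virtual_network_rule`) rather than a delegation, whereas a delegation to `Microsoft.DBforPostgreSQL/flexibleServers` is what a flexible server's `delegated_subnet_id` expects; confirm which server model the module targets and configure the subnet for exactly that one, since a subnet delegated to a service cannot also host the other.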
--- a/ops/terraform/modules/security/variables.tf +++ b/ops/terraform/modules/security/variables.tf @@ -3,5 +3,5 @@ variable "name" {} variable "env" {} variable "resource_group" {} variable "web_subnet_id" {} -# variable "db_subnet_id" {} -variable "lb_subnet_id" {} \ No newline at end of file +variable "db_subnet_id" {} +variable "lb_subnet_id" {} From b7b24e0c597a5766f0558b09e420c56511cbf8c7 Mon Sep 17 00:00:00 2001 From: marycrawford Date: Wed, 20 Nov 2024 01:48:33 -0800 Subject: [PATCH 16/30] modify and clean up code --- ops/terraform/locals.tf | 40 ++++++++++--------- ops/terraform/main.tf | 16 ++++---- ops/terraform/modules/database/main.tf | 11 ++--- ops/terraform/modules/database/outputs.tf | 3 ++ ops/terraform/modules/network/main.tf | 21 +++++----- ops/terraform/modules/network/outputs.tf | 10 ++--- ops/terraform/modules/vault.tf/main.tf | 39 ------------------ ops/terraform/modules/vault/main.tf | 39 ++++++++++++++++++ .../modules/{vault.tf => vault}/variables.tf | 5 +++ ops/terraform/providers.tf | 11 +++++ ops/terraform/variables.tf | 7 ++++ 11 files changed, 115 insertions(+), 87 deletions(-) create mode 100644 ops/terraform/modules/database/outputs.tf delete mode 100644 ops/terraform/modules/vault.tf/main.tf create mode 100644 ops/terraform/modules/vault/main.tf rename ops/terraform/modules/{vault.tf => vault}/variables.tf (90%) diff --git a/ops/terraform/locals.tf b/ops/terraform/locals.tf index ec373395..ec0ce7ee 100644 --- a/ops/terraform/locals.tf +++ b/ops/terraform/locals.tf 
@@ -1,27 +1,29 @@ locals { environment = terraform.workspace - - environments = { + init = { + environment = local.environment + location = "eastus2" + } + dev = { dev = { - dev = { - vnetcidr = "10.0.0.0/16" - appsubnetcidr = "10.0.1.0/24" - websubnetcidr = "10.0.2.0/24" - lbsubnetcidr = "10.0.3.0/24" - dbsubnetcidr = "10.0.4.0/24" - } + vnetcidr = "10.0.0.0/16" + appsubnetcidr = "10.0.1.0/24" + websubnetcidr = "10.0.2.0/24" + lbsubnetcidr = "10.0.3.0/24" + dbsubnetcidr = "10.0.4.0/24" } + } + demo = { demo = { - demo = { - vnetcidr = "10.1.0.0/16" - appsubnetcidr = "10.1.1.0/24" - websubnetcidr = "10.1.2.0/24" - lbsubnetcidr = "10.1.3.0/24" - dbsubnetcidr = "10.0.4.0/24" - } + vnetcidr = "10.1.0.0/16" + appsubnetcidr = "10.1.1.0/24" + websubnetcidr = "10.1.2.0/24" + lbsubnetcidr = "10.1.3.0/24" + dbsubnetcidr = "10.0.4.0/24" } } - - # Get the values for the current environment - env_config = local.environments[local.environment] } + +# Get the values for the current environment +# env_config = local.environments[local.environment] +# } diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf index a5ccbec1..5a7ba40b 100644 --- a/ops/terraform/main.tf +++ b/ops/terraform/main.tf @@ -1,5 +1,5 @@ locals { - workspaces = merge(local.environments) + workspaces = merge(local.dev, local.demo) workspace = local.workspaces[terraform.workspace] management_tags = { 
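Review bot: The locals.tf hunk leaves a commented-out `env_config = local.environments[local.environment]` and a stray `# }` after the closing brace of `locals`, referring to a `local.environments` map this same commit removes; dead code that can no longer be uncommented as-is should be deleted rather than kept. The `init` map (`environment`, `location = "eastus2"`) is also restored without any visible consumer in this diff; if nothing reads `local.init`, drop it too.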
@@ -13,11 +13,11 @@ module "networking" { name = var.name location = data.azurerm_resource_group.rg.location resource_group = data.azurerm_resource_group.rg.name - vnetcidr = local.env_config.vnetcidr - websubnetcidr = local.env_config.websubnetcidr - lbsubnetcidr = local.env_config.lbsubnetcidr - appsubnetcidr = local.env_config.appsubnetcidr - dbsubnetcidr = local.env_config.dbsubnetcidr + vnetcidr = local.workspace["vnetcidr"] + websubnetcidr = local.workspace["websubnetcidr"] + lbsubnetcidr = local.workspace["lbsubnetcidr"] + appsubnetcidr = local.workspace["appsubnetcidr"] + dbsubnetcidr = local.workspace["dbsubnetcidr"] env = local.environment } @@ -87,7 +87,8 @@ module "ocr_autoscale" { module "database" { source = "./modules/database" resource_group_name = data.azurerm_resource_group.rg.name - subnet = module.network.azurerm_subnet.db-subnet.id + subnet = module.networking.dbsubnet_id + # azurerm_subnet.dbsubnetcidr.id } module "vault" { @@ -96,4 +97,5 @@ module "vault" { azure_tenant_id = var.azure_tenant_id object_id = var.object_id vite_api_url = var.vite_api_url + postgres_password = module.database.postgres_db_admin_password } diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf index 443dacad..ec4abed2 100644 --- a/ops/terraform/modules/database/main.tf +++ b/ops/terraform/modules/database/main.tf @@ -1,8 +1,8 @@ # PostgreSQL Server resource "azurerm_postgresql_server" "postgres_server" { name = "reportvisionpgserver" - location = data.azurerm_resource_group.rg.location - resource_group_name = data.azurerm_resource_group.rg.name + location = var.location + resource_group_name = var.resource_group_name sku_name = var.sku_name version = var.engine_version administrator_login = var.db_username 
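Review bot: `name = "reportvisionpgserver"` in database/main.tf is a fixed server name, and Azure PostgreSQL server names are globally unique, so the dev and demo workspaces that locals.tf distinguishes would collide if both are applied; derive it from the environment, e.g. `name = "reportvisionpgserver-${var.env}"` with an `env` input passed from the root as the network module already receives. Switching to `var.location` is right, but the root's `module "database"` block passes only `resource_group_name` and `subnet`, so the server lands in the module's default `eastus` while the other modules use `data.azurerm_resource_group.rg.location`; pass `location` explicitly to keep the server in the resource group's region.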
@@ -12,14 +12,15 @@ resource "azurerm_postgresql_server" "postgres_server" { ssl_enforcement_enabled = true # Enable Virtual Network service endpoint - virtual_network_subnet_id = var.subnet + # virtual_network_subnet_id = var.subnet + # Virtual Network Rule (optional) } # PostgreSQL Database resource "azurerm_postgresql_database" "postgres_db" { name = "postgresdb" - resource_group_name = data.azurerm_resource_group.rg.name + resource_group_name = var.resource_group_name server_name = azurerm_postgresql_server.postgres_server.name charset = "UTF8" collation = "English_United Kingdom.1252" @@ -30,7 +31,7 @@ resource "azurerm_postgresql_database" "postgres_db" { resource "azurerm_postgresql_firewall_rule" "allow_azure" { name = "AllowAllAzureIps" server_name = azurerm_postgresql_server.postgres_server.name - resource_group_name = data.azurerm_resource_group.rg.name + resource_group_name = var.resource_group_name start_ip_address = "0.0.0.0" end_ip_address = "0.0.0.0" } diff --git a/ops/terraform/modules/database/outputs.tf b/ops/terraform/modules/database/outputs.tf new file mode 100644 index 00000000..274df01c --- /dev/null +++ b/ops/terraform/modules/database/outputs.tf @@ -0,0 +1,3 @@ +output "postgres_db_admin_password" { + value = azurerm_postgresql_server.postgres_server.administrator_login_password +} diff --git a/ops/terraform/modules/network/main.tf b/ops/terraform/modules/network/main.tf index 383b6a41..dcbfa102 100644 --- a/ops/terraform/modules/network/main.tf +++ b/ops/terraform/modules/network/main.tf @@ -9,7 +9,7 @@ resource "azurerm_subnet" "web-subnet" { name = "${var.name}-web-subnet-${var.env}" virtual_network_name = azurerm_virtual_network.vnet.name resource_group_name = var.resource_group - address_prefixes = [local.env_config.websubnetcidr] + address_prefixes = [var.websubnetcidr] service_endpoints = [ "Microsoft.Storage", "Microsoft.Web" 
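Review bot: Commenting out `virtual_network_subnet_id = var.subnet` leaves `var.subnet` with no consumer in the database module, and with the VNet rule gone the only network control on the server is the `AllowAllAzureIps` rule in the following hunk, whose `0.0.0.0`–`0.0.0.0` range admits any client with an Azure-hosted IP in any subscription, not just "Azure services in same resource group" as its comment claims. As far as I can tell `azurerm_postgresql_server` has no `virtual_network_subnet_id` argument, which would explain why the line was disabled; the single-server equivalent is a separate `azurerm_postgresql_virtual_network_rule` referencing `var.subnet` (with the `Microsoft.Sql` service endpoint on that subnet), after which the `0.0.0.0` rule can be removed and `public_network_access_enabled = false` set on the server. At minimum, reword the firewall-rule comment so it does not overstate the restriction.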
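Review bot: The new `output "postgres_db_admin_password"` in database/outputs.tf exposes the administrator password without `sensitive = true`, so `terraform plan` and `apply` print it in clear text, including in CI logs. Add `sensitive = true` above `value`; the value still lives in state, so state storage needs access control regardless. The root forwards this output into the vault module, so the receiving `variable "postgres_password"` should be marked sensitive as well, and the same omission persists in the outputs.tf hunks of PATCH 18 and PATCH 20.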
@@ -21,7 +21,7 @@ resource "azurerm_subnet" "app-subnet" { name = "${var.name}-app-subnet-${var.env}" virtual_network_name = azurerm_virtual_network.vnet.name resource_group_name = var.resource_group - address_prefixes = [local.env_config.appsubnetcidr] + address_prefixes = [var.appsubnetcidr] delegation { name = "delegation" @@ -37,7 +37,7 @@ resource "azurerm_subnet" "lb-subnet" { name = "${var.name}-lb-subnet-${var.env}" virtual_network_name = azurerm_virtual_network.vnet.name resource_group_name = var.resource_group - address_prefixes = [local.env_config.lbsubnetcidr] + address_prefixes = [var.lbsubnetcidr] service_endpoints = [ "Microsoft.Storage", "Microsoft.Web" @@ -49,14 +49,11 @@ resource "azurerm_subnet" "db-subnet" { name = "${var.name}-db-subnet-${var.env}" virtual_network_name = azurerm_virtual_network.vnet.name resource_group_name = var.resource_group - address_prefixes = [local.env_config.dbsubnetcidr] + address_prefixes = [var.dbsubnetcidr] + + # Enable service endpoint for Azure PostgreSQL + service_endpoints = [ + "Microsoft.DBforPostgreSQL" + ] - # Ensure the subnet is private by setting service endpoints and delegating the subnet for PostgreSQL - delegation { - name = "postgresql-delegation" - service_delegation { - name = "Microsoft.DBforPostgreSQL/servers" - actions = ["Microsoft.Network/virtualNetworks/subnets/action"] - } - } } diff --git a/ops/terraform/modules/network/outputs.tf b/ops/terraform/modules/network/outputs.tf index ec9709b6..1441e554 100644 --- a/ops/terraform/modules/network/outputs.tf +++ b/ops/terraform/modules/network/outputs.tf @@ -8,10 +8,10 @@ output "websubnet_id" { description = "Id of websubnet in the network" } -# output "dbsubnet_id" { -# value = azurerm_subnet.db-subnet.id -# description = "Id of dbsubnet in the network" -# } +output "dbsubnet_id" { + value = azurerm_subnet.db-subnet.id + description = "Id of dbsubnet in the network" +} output "lbsubnet_id" { value = azurerm_subnet.lb-subnet.id 
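Review bot: The `db-subnet` hunk adds `service_endpoints = ["Microsoft.DBforPostgreSQL"]`, but this same commit comments out `virtual_network_subnet_id` in the database module, so nothing binds the server to this subnet and the endpoint has no effect. For single-server VNet rules the provider documents the `Microsoft.Sql` service endpoint, and I am not aware of a `Microsoft.DBforPostgreSQL` endpoint name; verify the value against `az network vnet list-endpoint-services` for the target region before relying on it, and update the comment `# Enable service endpoint for Azure PostgreSQL` to name the endpoint actually used.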
@@ -21,4 +21,4 @@ output "lbsubnet_id" { output "appsubnet_id" { value = azurerm_subnet.app-subnet.id description = "Id of lbsubnet in the network" -} \ No newline at end of file +} diff --git a/ops/terraform/modules/vault.tf/main.tf b/ops/terraform/modules/vault.tf/main.tf deleted file mode 100644 index 42dbbf50..00000000 --- a/ops/terraform/modules/vault.tf/main.tf +++ /dev/null @@ -1,39 +0,0 @@ -resource "azurerm_key_vault" "key_vault" { - name = "reportvision_keyvault" - location = "eastus" - resource_group_name = data.azurerm_resource_group.rg.name - sku_name = "standard" - tenant_id = var.azure_tenant_id - - access_policy { - - object_id = var.object_id - - key_permissions = [ - "get" - ] - - secret_permissions = [ - "get" - ] - } -} - -# Saves the random password into Azure Key Vault -resource "azurerm_key_vault_secret" "postgres_password" { - name = "postgres-password" - value = azurerm_postgresql_server.postgres_db.administrator_login_password.result - key_vault_id = azurerm_key_vault.key_vault.id -} - -# Define the Service Principal for which we are granting access -resource "azurerm_azuread_application" "frontendapp" { - name = "frontend-application" - # TODO: Ask if the VITE_API_URL is the correct endpoint we are using - homepage = var.vite_api_url - identifier_uris = [var.vite_api_url] -} - -resource "azurerm_azuread_service_principal" "this" { - application_id = azurerm_azuread_application.frontendapp.application_id -} diff --git a/ops/terraform/modules/vault/main.tf b/ops/terraform/modules/vault/main.tf new file mode 100644 index 00000000..877d1554 --- /dev/null +++ b/ops/terraform/modules/vault/main.tf 
@@ -0,0 +1,39 @@ +resource "azurerm_key_vault" "key_vault" { + name = "reportvisionkeyvault" + location = "eastus" + resource_group_name = var.resource_group_name + sku_name = "standard" + tenant_id = var.azure_tenant_id + + access_policy { + object_id = var.object_id + tenant_id = var.azure_tenant_id + + key_permissions = [ + "Get" + ] + + secret_permissions = [ + "Get" + ] + } +} + +# Saves the random password into Azure Key Vault +# resource "azurerm_key_vault_secret" "postgres_password" { +# name = "postgres-password" +# value = azurerm_postgresql_server.postgres_server.administrator_login_password +# key_vault_id = azurerm_key_vault.key_vault.id +# } + +# Define the Service Principal for which we are granting access +# resource "azurerm_azuread_application" "frontendapp" { +# name = "frontend-application" +# # TODO: Ask if the VITE_API_URL is the correct endpoint we are using +# homepage = var.vite_api_url +# identifier_uris = [var.vite_api_url] +# } + +# resource "azurerm_azuread_service_principal" "this" { +# application_id = azurerm_azuread_application.frontendapp.application_id +# } diff --git a/ops/terraform/modules/vault.tf/variables.tf b/ops/terraform/modules/vault/variables.tf similarity index 90% rename from ops/terraform/modules/vault.tf/variables.tf rename to ops/terraform/modules/vault/variables.tf index b7dc7b35..bb640fd9 100644 --- a/ops/terraform/modules/vault.tf/variables.tf +++ b/ops/terraform/modules/vault/variables.tf @@ -24,6 +24,11 @@ variable "object_id" { description = "The Azure Object ID" } +variable "postgres_password" { + description = "The PostgreSQL password" + type = string +} + variable "resource_group_name" { type = string description = "The Azure Resource Group to deploy to" diff --git a/ops/terraform/providers.tf b/ops/terraform/providers.tf index 36f4b886..9203771f 100644 --- a/ops/terraform/providers.tf +++ b/ops/terraform/providers.tf 
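Review bot: `name = "reportvisionkeyvault"` and `location = "eastus"` in the new vault/main.tf are hard-coded; Key Vault names are globally unique and the module receives no environment input, so applying both the dev and demo workspaces would fight over one vault. Pass an environment suffix and the resource group location from the root as the other modules do, e.g. `name = "reportvision-kv-${var.env}"` and `location = var.location`. The vault also sets neither `purge_protection_enabled` nor `soft_delete_retention_days`, which matters because the root provider enables `purge_soft_delete_on_destroy`; for a vault meant to hold the database password, `purge_protection_enabled = true` prevents a destroy from permanently removing the secret.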
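Review bot: `variable "postgres_password"` in vault/variables.tf carries the database administrator password but is not marked `sensitive = true`, so Terraform echoes it in the plan diff of any resource that interpolates it. Add `sensitive = true` next to `type = string`; the `azurerm_key_vault_secret` that consumes it later in this series will then show `(sensitive value)` instead of the password.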
@@ -11,6 +11,9 @@ terraform { source = "hashicorp/random" version = "~>3.0" } + azuread = { + source = "hashicorp/azuread" + } } } @@ -22,3 +25,11 @@ provider "azurerm" { } } } + +# Provider for Azure Active Directory resources (e.g., service principals) +provider "azuread" { + + client_id = var.client_id + tenant_id = var.tenant_id + +} diff --git a/ops/terraform/variables.tf b/ops/terraform/variables.tf index 0842ed66..8fbeb083 100644 --- a/ops/terraform/variables.tf +++ b/ops/terraform/variables.tf @@ -2,6 +2,13 @@ variable "azure_tenant_id" { description = "Unique Identifier for the Azure AD tenant for the app" } +variable "client_id" {} +variable "client_secret" { + +} +variable "tenant_id" { + +} variable "name" {} variable "object_id" { From 34025babc2941049164c03ec46a6bbb3fbd49aef Mon Sep 17 00:00:00 2001 From: marycrawford Date: Wed, 20 Nov 2024 02:28:02 -0800 Subject: [PATCH 17/30] refactor code to fix error --- ops/terraform/main.tf | 5 ++--- ops/terraform/modules/database/main.tf | 5 ----- ops/terraform/modules/database/outputs.tf | 2 +- ops/terraform/modules/network/main.tf | 5 ----- ops/terraform/modules/vault/main.tf | 27 +++++++---------------- 5 files changed, 11 insertions(+), 33 deletions(-) diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf index 5a7ba40b..59622511 100644 --- a/ops/terraform/main.tf +++ b/ops/terraform/main.tf @@ -88,14 +88,13 @@ module "database" { source = "./modules/database" resource_group_name = data.azurerm_resource_group.rg.name subnet = module.networking.dbsubnet_id - # azurerm_subnet.dbsubnetcidr.id } module "vault" { - source = "./modules/vault.tf" + source = "./modules/vault" resource_group_name = data.azurerm_resource_group.rg.name azure_tenant_id = var.azure_tenant_id object_id = var.object_id vite_api_url = var.vite_api_url - postgres_password = module.database.postgres_db_admin_password + postgres_password = module.database.postgres_db_password } 
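Review bot: The new `azuread` entry in `required_providers` has no `version` constraint, unlike `random` with `~>3.0` directly above it, so `terraform init` floats to whatever major version is current and a breaking provider release changes the plan unnoticed; pin it with `version = "~>MAJOR.0"` for the major the code was written against. The `provider "azuread"` block takes `var.tenant_id` while the rest of the root passes `var.azure_tenant_id` for the same tenant; two variables for one value invite drift, so reuse `var.azure_tenant_id` or document why they differ. The empty lines inside the provider block are also unusual for the rest of this file's formatting.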
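Review bot: `variable "client_secret" {}` in the root variables.tf declares a credential with no `type` and no `sensitive = true`, so any value wired to it will be printed in plan output; declare it with `type = string` and `sensitive = true`, or drop it if the `azuread` provider is meant to authenticate via the CLI or workload identity, since nothing in this diff reads it. `client_id` and `tenant_id` should likewise get `type = string` and a description, matching the variables this commit series has been cleaning up elsewhere in the file.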
diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf index ec4abed2..17ecac8c 100644 --- a/ops/terraform/modules/database/main.tf +++ b/ops/terraform/modules/database/main.tf @@ -10,11 +10,6 @@ resource "azurerm_postgresql_server" "postgres_server" { storage_mb = 5120 # 5 GB storage backup_retention_days = 7 ssl_enforcement_enabled = true - - # Enable Virtual Network service endpoint - # virtual_network_subnet_id = var.subnet - # Virtual Network Rule (optional) - } # PostgreSQL Database diff --git a/ops/terraform/modules/database/outputs.tf b/ops/terraform/modules/database/outputs.tf index 274df01c..e34a3f3f 100644 --- a/ops/terraform/modules/database/outputs.tf +++ b/ops/terraform/modules/database/outputs.tf @@ -1,3 +1,3 @@ -output "postgres_db_admin_password" { +output "postgres_db_password" { value = azurerm_postgresql_server.postgres_server.administrator_login_password } diff --git a/ops/terraform/modules/network/main.tf b/ops/terraform/modules/network/main.tf index dcbfa102..3e6bc75d 100644 --- a/ops/terraform/modules/network/main.tf +++ b/ops/terraform/modules/network/main.tf @@ -51,9 +51,4 @@ resource "azurerm_subnet" "db-subnet" { resource_group_name = var.resource_group address_prefixes = [var.dbsubnetcidr] - # Enable service endpoint for Azure PostgreSQL - service_endpoints = [ - "Microsoft.DBforPostgreSQL" - ] - } diff --git a/ops/terraform/modules/vault/main.tf b/ops/terraform/modules/vault/main.tf index 877d1554..a49bd322 100644 --- a/ops/terraform/modules/vault/main.tf +++ b/ops/terraform/modules/vault/main.tf @@ -10,7 +10,8 @@ resource "azurerm_key_vault" "key_vault" { tenant_id = var.azure_tenant_id key_permissions = [ - "Get" + "Get", # Ensure the service principal can get secrets + "Update" # Allow updating secrets ] secret_permissions = [ 
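Review bot: The added `"Update"` in vault/main.tf is a key permission, yet both inline comments talk about secrets: `key_permissions` governs cryptographic keys only and grants nothing toward reading or writing Key Vault secrets. The `azurerm_key_vault_secret` added in the next hunk needs the applying identity to hold `secret_permissions` including `"Set"` (plus `"Delete"`, `"Recover"` and `"Purge"` for a clean destroy), and the `secret_permissions` list this file was created with in PATCH 16 holds only `"Get"`; either extend that list or assign the Key Vault Secrets Officer role and drop the access policy. Remove `"Update"` from `key_permissions` unless the identity actually manages keys, and correct the comments to match.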
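Review bot: Deleting the commented `virtual_network_subnet_id` lines in database/main.tf, together with the network/main.tf hunk below removing `service_endpoints` from `db-subnet`, leaves `var.subnet` declared and passed from the root but consumed nowhere in the module, and the db subnet now backs no resource. Either wire it up via an `azurerm_postgresql_virtual_network_rule` so the single server is reachable only from the VNet, or remove the `subnet` input and the subnet until the flexible-server migration that follows needs a delegated subnet; leaving both half-connected makes it look like network isolation exists when it does not.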
@@ -19,21 +20,9 @@ resource "azurerm_key_vault" "key_vault" { } } -# Saves the random password into Azure Key Vault -# resource "azurerm_key_vault_secret" "postgres_password" { -# name = "postgres-password" -# value = azurerm_postgresql_server.postgres_server.administrator_login_password -# key_vault_id = azurerm_key_vault.key_vault.id -# } - -# Define the Service Principal for which we are granting access -# resource "azurerm_azuread_application" "frontendapp" { -# name = "frontend-application" -# # TODO: Ask if the VITE_API_URL is the correct endpoint we are using -# homepage = var.vite_api_url -# identifier_uris = [var.vite_api_url] -# } - -# resource "azurerm_azuread_service_principal" "this" { -# application_id = azurerm_azuread_application.frontendapp.application_id -# } +# Stores and saves the PostgreSQL random password in Key Vault +resource "azurerm_key_vault_secret" "postgres_password" { + name = "postgres-password" + value = var.postgres_password + key_vault_id = azurerm_key_vault.key_vault.id +} From 9da59a2c2ea34e2840da2686cfce52f025d3876c Mon Sep 17 00:00:00 2001 From: marycrawford Date: Wed, 20 Nov 2024 13:39:55 -0800 Subject: [PATCH 18/30] update db with postgresql_flexible_server since single server will be retired in March 2025 --- ops/terraform/main.tf | 16 +++--- ops/terraform/modules/database/main.tf | 55 ++++++++------------- ops/terraform/modules/database/outputs.tf | 2 +- ops/terraform/modules/database/variables.tf | 4 +- ops/terraform/modules/vault/main.tf | 28 ----------- ops/terraform/modules/vault/variables.tf | 46 ----------------- 6 files changed, 32 insertions(+), 119 deletions(-) delete mode 100644 ops/terraform/modules/vault/main.tf delete mode 100644 ops/terraform/modules/vault/variables.tf diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf index 59622511..9221771d 100644 --- a/ops/terraform/main.tf +++ b/ops/terraform/main.tf 
@@ -90,11 +90,11 @@ module "database" { subnet = module.networking.dbsubnet_id } -module "vault" { - source = "./modules/vault" - resource_group_name = data.azurerm_resource_group.rg.name - azure_tenant_id = var.azure_tenant_id - object_id = var.object_id - vite_api_url = var.vite_api_url - postgres_password = module.database.postgres_db_password -} +# module "vault" { +# source = "./modules/vault" +# resource_group_name = data.azurerm_resource_group.rg.name +# azure_tenant_id = var.azure_tenant_id +# object_id = var.object_id +# vite_api_url = var.vite_api_url +# postgres_password = module.database.postgres_db_password +# } diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf index 17ecac8c..8ce2b1a5 100644 --- a/ops/terraform/modules/database/main.tf +++ b/ops/terraform/modules/database/main.tf 
@@ -1,40 +1,25 @@ -# PostgreSQL Server -resource "azurerm_postgresql_server" "postgres_server" { - name = "reportvisionpgserver" - location = var.location - resource_group_name = var.resource_group_name - sku_name = var.sku_name - version = var.engine_version - administrator_login = var.db_username - administrator_login_password = random_string.setup_rds_password.result - storage_mb = 5120 # 5 GB storage - backup_retention_days = 7 - ssl_enforcement_enabled = true -} +# Note: Postgres Single Service (azurerm_postgresql_server) is retiring March 2025. +# As a result we are using Azure Database for PostgreSQL Flexible Server +# with granular control, flexibility and better cost optimization. +resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" { + name = "reportvisionpostgresql-flex-server" + location = var.location + resource_group_name = var.resource_group_name + sku_name = var.sku_name + version = var.engine_version + storage_mb = 32768 # 32 GB, the lowest of the valid options + backup_retention_days = 7 -# PostgreSQL Database -resource "azurerm_postgresql_database" "postgres_db" { - name = "postgresdb" - resource_group_name = var.resource_group_name - server_name = azurerm_postgresql_server.postgres_server.name - charset = "UTF8" - collation = "English_United Kingdom.1252" -} + high_availability { + mode = "ZoneRedundant" + } -# Firewall rule for the PostgreSQL server, allowing -# db access to Azure services in same resource group -resource "azurerm_postgresql_firewall_rule" "allow_azure" { - name = "AllowAllAzureIps" - server_name = azurerm_postgresql_server.postgres_server.name - resource_group_name = var.resource_group_name - start_ip_address = "0.0.0.0" - end_ip_address = "0.0.0.0" + administrator_login = var.db_username + administrator_password = random_string.setup_rds_password.result + delegated_subnet_id = var.subnet } -resource "random_string" "setup_rds_password" { - length = 13 - - # Character set that excludes problematic 
characters like quotes, backslashes, etc. - override_special = "_!@#-$%^&*()[]{}" +resource "azurerm_postgresql_flexible_server_database" "postgres_db" { + name = azurerm_postgresql_flexible_server.postgres_flexible_server.name + server_id = azurerm_postgresql_flexible_server.postgres_flexible_server.id } - diff --git a/ops/terraform/modules/database/outputs.tf b/ops/terraform/modules/database/outputs.tf index e34a3f3f..1afbb7db 100644 --- a/ops/terraform/modules/database/outputs.tf +++ b/ops/terraform/modules/database/outputs.tf @@ -1,3 +1,3 @@ output "postgres_db_password" { - value = azurerm_postgresql_server.postgres_server.administrator_login_password + value = azurerm_postgresql_flexible_server.postgres_flexible_server.administrator_login } diff --git a/ops/terraform/modules/database/variables.tf b/ops/terraform/modules/database/variables.tf index cadaba07..41d94823 100644 --- a/ops/terraform/modules/database/variables.tf +++ b/ops/terraform/modules/database/variables.tf @@ -20,10 +20,12 @@ variable "resource_group_name" { description = "The Azure Resource Group to deploy to" } +# Designed for medium to high-performance workloads and is scalable. +# May downsize to Standard_B1ms for development environments and small workloads. variable "sku_name" { type = string description = "value" - default = "B_Gen5_1" # Basic SKU, Gen5, 1 vCore + default = "GP_Standard_D2ds_v4" # General Purpose tier } variable "subnet" { diff --git a/ops/terraform/modules/vault/main.tf b/ops/terraform/modules/vault/main.tf deleted file mode 100644 index a49bd322..00000000 --- a/ops/terraform/modules/vault/main.tf +++ /dev/null 
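Review bot: The database/main.tf hunk deletes `resource "random_string" "setup_rds_password"` while the new `administrator_password = random_string.setup_rds_password.result` still references it, so this commit cannot plan. When restoring it, prefer `random_password`, which accepts the same `length` and `override_special` arguments and marks its result sensitive so the admin password does not appear in plan output. `delegated_subnet_id = var.subnet` additionally requires `private_dns_zone_id` and a subnet delegated to `Microsoft.DBforPostgreSQL/flexibleServers`, and `db-subnet` lost its delegation in PATCH 17; without both the flexible server create fails. Setting the `azurerm_postgresql_flexible_server_database` `name` to the server's name is legal but confusing; a fixed `name = "postgresdb"` as before reads better.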
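Review bot: `output "postgres_db_password"` in database/outputs.tf now returns `administrator_login`, i.e. the admin username, under a name that says password, and the root's vault module (commented out in this commit) consumed it as `postgres_password`; the value should be `azurerm_postgresql_flexible_server.postgres_flexible_server.administrator_password`, and the output still lacks `sensitive = true`. If the intent was to also expose the login, add a separate `output "postgres_db_username"` rather than overloading this one.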
@@ -1,28 +0,0 @@ -resource "azurerm_key_vault" "key_vault" { - name = "reportvisionkeyvault" - location = "eastus" - resource_group_name = var.resource_group_name - sku_name = "standard" - tenant_id = var.azure_tenant_id - - access_policy { - object_id = var.object_id - tenant_id = var.azure_tenant_id - - key_permissions = [ - "Get", # Ensure the service principal can get secrets - "Update" # Allow updating secrets - ] - - secret_permissions = [ - "Get" - ] - } -} - -# Stores and saves the PostgreSQL random password in Key Vault -resource "azurerm_key_vault_secret" "postgres_password" { - name = "postgres-password" - value = var.postgres_password - key_vault_id = azurerm_key_vault.key_vault.id -} diff --git a/ops/terraform/modules/vault/variables.tf b/ops/terraform/modules/vault/variables.tf deleted file mode 100644 index bb640fd9..00000000 --- a/ops/terraform/modules/vault/variables.tf +++ /dev/null @@ -1,46 +0,0 @@ -variable "azure_tenant_id" { - description = "Unique Identifier for the Azure AD tenant for the app" -} - -variable "db_username" { - type = string - description = "Username of RDS Instance." - default = "reportVisionDbUser" -} - -variable "engine_version" { - description = "Postgres DB engine version." - default = "11" -} - -variable "location" { - type = string - description = "Location of the resource." - default = "eastus" -} - -variable "object_id" { - type = string - description = "The Azure Object ID" -} - -variable "postgres_password" { - description = "The PostgreSQL password" - type = string -} - -variable "resource_group_name" { - type = string - description = "The Azure Resource Group to deploy to" -} - -variable "sku_name" { - type = string - description = "The Azure Stock Keep Unit (SKU) version" - default = "B_Gen5_1" # Basic SKU, Gen5, 1 vCore -} - -variable "vite_api_url" { - type = string - description = "The application API Url" -} From d082319f3948c10c0b28f7365ec8ff905cf940a2 Mon Sep 17 00:00:00 2001 
From: marycrawford
Date: Wed, 20 Nov 2024 13:42:08 -0800
Subject: [PATCH 19/30] update note regarding retiring azurerm_postgresql_server in March 2025
---
 ops/terraform/modules/database/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf
index 8ce2b1a5..4c9e2d1e 100644
--- a/ops/terraform/modules/database/main.tf
+++ b/ops/terraform/modules/database/main.tf
@@ -1,4 +1,4 @@
-# Note: Postgres Single Service (azurerm_postgresql_server) is retiring March 2025.
+# Azure Postgres Single Service (azurerm_postgresql_server) retires in March 2025.
 # As a result we are using Azure Database for PostgreSQL Flexible Server
 # with granular control, flexibility and better cost optimization.
 resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" {
From 11a797a09df3c22a761077d9b283a13d2f31d56c Mon Sep 17 00:00:00 2001
From: marycrawford
Date: Wed, 20 Nov 2024 14:08:08 -0800
Subject: [PATCH 20/30] reverse postgres_flex_server changes and comment them out
---
 ops/terraform/modules/database/main.tf | 67 +++++++++++++++------
 ops/terraform/modules/database/outputs.tf | 3 +-
 ops/terraform/modules/database/variables.tf | 3 +-
 3 files changed, 53 insertions(+), 20 deletions(-)
diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf
index 4c9e2d1e..b2bae6c5 100644
--- a/ops/terraform/modules/database/main.tf
+++ b/ops/terraform/modules/database/main.tf
@@ -1,25 +1,56 @@ +# PostgreSQL Server +resource "azurerm_postgresql_server" "postgres_server" { + name = "reportvisionpgserver" + location = var.location + resource_group_name = var.resource_group_name + sku_name = var.sku_name + version = var.engine_version + administrator_login = var.db_username + administrator_login_password = random_string.setup_rds_password.result + storage_mb = 5120 # 5 GB storage + backup_retention_days = 7 + ssl_enforcement_enabled = true +} + +# PostgreSQL Database +resource "azurerm_postgresql_database" "postgres_db" { + name = "postgresdb" + resource_group_name = var.resource_group_name + server_name = azurerm_postgresql_server.postgres_server.name + charset = "UTF8" + collation = "English_United Kingdom.1252" +} + # Azure Postgres Single Service (azurerm_postgresql_server) retires in March 2025. # As a result we are using Azure Database for PostgreSQL Flexible Server # with granular control, flexibility and better cost optimization. -resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" { - name = "reportvisionpostgresql-flex-server" - location = var.location - resource_group_name = var.resource_group_name - sku_name = var.sku_name - version = var.engine_version - storage_mb = 32768 # 32 GB, the lowest of the valid options - backup_retention_days = 7 +# resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" { +# name = "reportvisionpostgresql-flex-server" +# location = var.location +# resource_group_name = var.resource_group_name +# sku_name = var.sku_name +# version = var.engine_version +# storage_mb = 32768 # 32 GB, the lowest of the valid options +# backup_retention_days = 7 - high_availability { - mode = "ZoneRedundant" - } +# high_availability { +# mode = "ZoneRedundant" +# } - administrator_login = var.db_username - administrator_password = random_string.setup_rds_password.result - delegated_subnet_id = var.subnet -} +# administrator_login = var.db_username +# administrator_password = 
random_string.setup_rds_password.result +# delegated_subnet_id = var.subnet +# } + +# resource "azurerm_postgresql_flexible_server_database" "postgres_db" { +# name = azurerm_postgresql_flexible_server.postgres_flexible_server.name +# server_id = azurerm_postgresql_flexible_server.postgres_flexible_server.id +# } + +# Random string resource for the postgres password +resource "random_string" "setup_rds_password" { + length = 16 # Length of the password -resource "azurerm_postgresql_flexible_server_database" "postgres_db" { - name = azurerm_postgresql_flexible_server.postgres_flexible_server.name - server_id = azurerm_postgresql_flexible_server.postgres_flexible_server.id + # Character set that excludes problematic characters like quotes, backslashes, etc. + override_special = "_!@#-$%^&*()[]{}" } diff --git a/ops/terraform/modules/database/outputs.tf b/ops/terraform/modules/database/outputs.tf index 1afbb7db..8e45bb2c 100644 --- a/ops/terraform/modules/database/outputs.tf +++ b/ops/terraform/modules/database/outputs.tf @@ -1,3 +1,4 @@ output "postgres_db_password" { - value = azurerm_postgresql_flexible_server.postgres_flexible_server.administrator_login + # value = azurerm_postgresql_flexible_server.postgres_flexible_server.administrator_login + value = azurerm_postgresql_server.postgres_server.administrator_login_password } diff --git a/ops/terraform/modules/database/variables.tf b/ops/terraform/modules/database/variables.tf index 41d94823..424aca7a 100644 --- a/ops/terraform/modules/database/variables.tf +++ b/ops/terraform/modules/database/variables.tf @@ -25,7 +25,8 @@ variable "resource_group_name" { variable "sku_name" { type = string description = "value" - default = "GP_Standard_D2ds_v4" # General Purpose tier + # default = "GP_Standard_D2ds_v4" # General Purpose tier + default = "B_Gen5_1" # Basic SKU, Gen5, 1 vCore } variable "subnet" { From 196eca70dab6389e6f3ffd16c6c1d7b97b40000d Mon Sep 17 00:00:00 2001 
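Review bot: The server's administrator password is generated by `random_string` (the `setup_rds_password` block at the end of this hunk), whose `result` attribute is not marked sensitive, so the generated password is printed in clear text in every `terraform plan`/`apply` diff and in CI logs. `random_password` from the same provider takes the same arguments (`length`, `override_special`) and exposes the same `result`, but is flagged sensitive, so the change is `resource "random_password" "setup_rds_password" {` plus pointing `administrator_login_password` at `random_password.setup_rds_password.result`. The flexible-server resource introduced in PATCH 21 (the `ops/terraform/modules/database/main.tf` hunk there) keeps the same `random_string` reference on `administrator_password`, so the rename applies there as well. Either way the value is still written to the state file in plain text; `sensitive` only keeps it out of CLI output, so the state backend has to be protected as a secret store.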
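Review bot: `output "postgres_db_password"` exposes `administrator_login_password` without `sensitive = true`; the azurerm provider marks that attribute sensitive, and Terraform 0.15 and later refuses to plan an output derived from a sensitive value unless the output itself is declared sensitive, so this hunk most likely fails `terraform plan` as written. Add `sensitive = true` above the `value` line; callers that need the value then read it with `terraform output -raw`. Keeping the commented-out previous `value` line alongside the live one adds nothing and can be dropped.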
From: marycrawford Date: Wed, 20 Nov 2024 22:08:09 -0800 Subject: [PATCH 21/30] update db to postgresql flexible server and add postgresql dns zone networking --- ops/terraform/main.tf | 2 + ops/terraform/modules/database/main.tf | 88 +++++++++++---------- ops/terraform/modules/database/outputs.tf | 3 +- ops/terraform/modules/database/variables.tf | 13 ++- ops/terraform/modules/network/main.tf | 20 +++++ ops/terraform/modules/network/outputs.tf | 5 ++ 6 files changed, 83 insertions(+), 48 deletions(-) diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf index 9221771d..17f56672 100644 --- a/ops/terraform/main.tf +++ b/ops/terraform/main.tf @@ -88,8 +88,10 @@ module "database" { source = "./modules/database" resource_group_name = data.azurerm_resource_group.rg.name subnet = module.networking.dbsubnet_id + private_dns_zone_id = module.networking.private_dns_zone_id } +## TODO: Complete in separate ticket # module "vault" { # source = "./modules/vault" # resource_group_name = data.azurerm_resource_group.rg.name diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf index b2bae6c5..2f3ff947 100644 --- a/ops/terraform/modules/database/main.tf +++ b/ops/terraform/modules/database/main.tf 
@@ -1,51 +1,55 @@ -# PostgreSQL Server -resource "azurerm_postgresql_server" "postgres_server" { - name = "reportvisionpgserver" - location = var.location - resource_group_name = var.resource_group_name - sku_name = var.sku_name - version = var.engine_version - administrator_login = var.db_username - administrator_login_password = random_string.setup_rds_password.result - storage_mb = 5120 # 5 GB storage - backup_retention_days = 7 - ssl_enforcement_enabled = true -} +# # PostgreSQL Server +# resource "azurerm_postgresql_server" "postgres_server" { +# name = "reportvisionpgserver" +# location = var.location +# resource_group_name = var.resource_group_name +# sku_name = var.sku_name +# version = var.engine_version +# administrator_login = var.db_username +# administrator_login_password = random_string.setup_rds_password.result +# storage_mb = 5120 # 5 GB storage +# backup_retention_days = 7 +# ssl_enforcement_enabled = true +# } -# PostgreSQL Database -resource "azurerm_postgresql_database" "postgres_db" { - name = "postgresdb" - resource_group_name = var.resource_group_name - server_name = azurerm_postgresql_server.postgres_server.name - charset = "UTF8" - collation = "English_United Kingdom.1252" -} +# # PostgreSQL Database +# resource "azurerm_postgresql_database" "postgres_db" { +# name = "postgresdb" +# resource_group_name = var.resource_group_name +# server_name = azurerm_postgresql_server.postgres_server.name +# charset = "UTF8" +# collation = "English_United Kingdom.1252" +# } # Azure Postgres Single Service (azurerm_postgresql_server) retires in March 2025. # As a result we are using Azure Database for PostgreSQL Flexible Server # with granular control, flexibility and better cost optimization. 
-# resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" { -# name = "reportvisionpostgresql-flex-server" -# location = var.location -# resource_group_name = var.resource_group_name -# sku_name = var.sku_name -# version = var.engine_version -# storage_mb = 32768 # 32 GB, the lowest of the valid options -# backup_retention_days = 7 - -# high_availability { -# mode = "ZoneRedundant" -# } - -# administrator_login = var.db_username -# administrator_password = random_string.setup_rds_password.result -# delegated_subnet_id = var.subnet -# } +resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" { + name = "reportvisionpostgresql-flexible-server" + location = var.location + resource_group_name = var.resource_group_name + sku_name = var.sku_name + version = var.engine_version + storage_mb = 32768 # 32 GB, the lowest of the valid options + backup_retention_days = 7 -# resource "azurerm_postgresql_flexible_server_database" "postgres_db" { -# name = azurerm_postgresql_flexible_server.postgres_flexible_server.name -# server_id = azurerm_postgresql_flexible_server.postgres_flexible_server.id -# } + administrator_login = var.db_username + administrator_password = random_string.setup_rds_password.result + delegated_subnet_id = var.subnet + private_dns_zone_id = var.private_dns_zone_id + + // Disable Public Network Access + public_network_access_enabled = false + + lifecycle { + prevent_destroy = true + } +} + +resource "azurerm_postgresql_flexible_server_database" "postgres_db" { + name = azurerm_postgresql_flexible_server.postgres_flexible_server.name + server_id = azurerm_postgresql_flexible_server.postgres_flexible_server.id +} # Random string resource for the postgres password resource "random_string" "setup_rds_password" { diff --git a/ops/terraform/modules/database/outputs.tf b/ops/terraform/modules/database/outputs.tf index 8e45bb2c..1afbb7db 100644 --- a/ops/terraform/modules/database/outputs.tf 
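Review bot: Nothing in this hunk makes the flexible server wait for the private DNS zone's VNet link: the module only receives `var.private_dns_zone_id`, while the link (`azurerm_private_dns_zone_virtual_network_link.dns_link` in the network-module hunk of this same patch) is created independently. The azurerm provider's `azurerm_postgresql_flexible_server` documentation has the server `depends_on` the zone link, because creating a server against a zone that is not yet linked to the delegated VNet can fail or leave the server name unresolvable inside the VNet; passing the link id into the module, or an explicit `depends_on` on the module call in `ops/terraform/main.tf`, closes that gap. Separately, the `high_availability { mode = "ZoneRedundant" }` block present in the commented-out version is dropped without mention, which is reasonable for a burstable SKU but deserves a one-line comment such as `# HA intentionally disabled for the dev SKU; enable ZoneRedundant for prod` so it is not read as an oversight. The `random_string.setup_rds_password` block this resource references continues past the end of the hunk.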
+++ b/ops/terraform/modules/database/outputs.tf @@ -1,4 +1,3 @@ output "postgres_db_password" { - # value = azurerm_postgresql_flexible_server.postgres_flexible_server.administrator_login - value = azurerm_postgresql_server.postgres_server.administrator_login_password + value = azurerm_postgresql_flexible_server.postgres_flexible_server.administrator_login } diff --git a/ops/terraform/modules/database/variables.tf b/ops/terraform/modules/database/variables.tf index 424aca7a..3e5fb574 100644 --- a/ops/terraform/modules/database/variables.tf +++ b/ops/terraform/modules/database/variables.tf @@ -12,7 +12,7 @@ variable "engine_version" { variable "location" { type = string description = "Location of the resource." - default = "eastus" + default = "eastus2" } variable "resource_group_name" { @@ -25,11 +25,16 @@ variable "resource_group_name" { variable "sku_name" { type = string description = "value" - # default = "GP_Standard_D2ds_v4" # General Purpose tier - default = "B_Gen5_1" # Basic SKU, Gen5, 1 vCore + default = "GP_Standard_D2ds_v4" # General Purpose tier + # default = "B_Gen5_1" # Basic SKU, Gen5, 1 vCore } variable "subnet" { type = string - description = "The subnet ID to associate with the PostgreSQL server" + description = "The subnet ID to associate with the PostgreSQL Flexible Server" +} + +variable "private_dns_zone_id" { + type = string + description = "Private DNS Zone for PostgreSQL Flexible Server" } diff --git a/ops/terraform/modules/network/main.tf b/ops/terraform/modules/network/main.tf index 3e6bc75d..15419ab0 100644 --- a/ops/terraform/modules/network/main.tf +++ b/ops/terraform/modules/network/main.tf 
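Review bot: `output "postgres_db_password"` now returns `administrator_login`, i.e. the admin username, not the password, so the output's name and its value disagree and anything wiring this output into a secret store or connection string receives the wrong value. If the switch was made to avoid the plan error on an unmarked sensitive output, the fix is to keep the password and flag the output: `sensitive = true` followed by `value = azurerm_postgresql_flexible_server.postgres_flexible_server.administrator_password`. If the username is what is actually wanted, rename the output to `postgres_db_username` so consumers are not misled.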
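Review bot: `description = "value"` on `variable "sku_name"` is a scaffolding placeholder that survives this hunk, and the new `private_dns_zone_id` variable's description says "Private DNS Zone" where the value is the zone's resource id. Suggested text: `description = "SKU name of the PostgreSQL Flexible Server (e.g. GP_Standard_D2ds_v4)"` and `description = "Resource ID of the private DNS zone the PostgreSQL Flexible Server registers in"`. The same `"value"` placeholder is carried over when the variable is renamed to `postgres_sku_name` in PATCH 29.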
@@ -45,10 +45,30 @@ resource "azurerm_subnet" "lb-subnet" { depends_on = [azurerm_virtual_network.vnet] } + resource "azurerm_subnet" "db-subnet" { name = "${var.name}-db-subnet-${var.env}" virtual_network_name = azurerm_virtual_network.vnet.name resource_group_name = var.resource_group address_prefixes = [var.dbsubnetcidr] + delegation { + name = "postgresql-delegation" + service_delegation { + name = "Microsoft.DBforPostgreSQL/flexibleServers" + } + } +} + +resource "azurerm_private_dns_zone" "postgresql_dns_zone" { + name = "privatelink.postgres.database.azure.com" + resource_group_name = var.resource_group +} + +# Link Private DNS Zone to Virtual Network +resource "azurerm_private_dns_zone_virtual_network_link" "dns_link" { + name = "postgresql-vnet-link" + resource_group_name = var.resource_group + private_dns_zone_name = azurerm_private_dns_zone.postgresql_dns_zone.name + virtual_network_id = azurerm_virtual_network.vnet.id } diff --git a/ops/terraform/modules/network/outputs.tf b/ops/terraform/modules/network/outputs.tf index 1441e554..db0980eb 100644 --- a/ops/terraform/modules/network/outputs.tf +++ b/ops/terraform/modules/network/outputs.tf @@ -22,3 +22,8 @@ output "appsubnet_id" { value = azurerm_subnet.app-subnet.id description = "Id of lbsubnet in the network" } + +output "private_dns_zone_id" { + value = azurerm_private_dns_zone.postgresql_dns_zone.id + description = "Private DNS Zone for PostgreSQL Flexible Server" +} From 78e199c52801d819711d1b07e53d661011950c87 Mon Sep 17 00:00:00 2001 From: marycrawford Date: Wed, 20 Nov 2024 22:15:51 -0800 Subject: [PATCH 22/30] remove azurerm_postgresql_server code --- ops/terraform/modules/database/main.tf | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf index 2f3ff947..412ea073 100644 --- a/ops/terraform/modules/database/main.tf +++ b/ops/terraform/modules/database/main.tf 
@@ -1,26 +1,3 @@ -# # PostgreSQL Server -# resource "azurerm_postgresql_server" "postgres_server" { -# name = "reportvisionpgserver" -# location = var.location -# resource_group_name = var.resource_group_name -# sku_name = var.sku_name -# version = var.engine_version -# administrator_login = var.db_username -# administrator_login_password = random_string.setup_rds_password.result -# storage_mb = 5120 # 5 GB storage -# backup_retention_days = 7 -# ssl_enforcement_enabled = true -# } - -# # PostgreSQL Database -# resource "azurerm_postgresql_database" "postgres_db" { -# name = "postgresdb" -# resource_group_name = var.resource_group_name -# server_name = azurerm_postgresql_server.postgres_server.name -# charset = "UTF8" -# collation = "English_United Kingdom.1252" -# } - # Azure Postgres Single Service (azurerm_postgresql_server) retires in March 2025. # As a result we are using Azure Database for PostgreSQL Flexible Server # with granular control, flexibility and better cost optimization. From d201fa5addac34b1e0da87781759e2938c26e827 Mon Sep 17 00:00:00 2001 From: marycrawford Date: Wed, 20 Nov 2024 22:19:02 -0800 Subject: [PATCH 23/30] clean up code by removing unused and commented out code --- ops/terraform/locals.tf | 4 ---- ops/terraform/modules/database/main.tf | 2 +- ops/terraform/modules/database/variables.tf | 1 - 3 files changed, 1 insertion(+), 6 deletions(-) diff --git a/ops/terraform/locals.tf b/ops/terraform/locals.tf index ec0ce7ee..0c258d51 100644 --- a/ops/terraform/locals.tf +++ b/ops/terraform/locals.tf @@ -23,7 +23,3 @@ locals { } } } - -# Get the values for the current environment -# env_config = local.environments[local.environment] -# } diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf index 412ea073..f6cb9ee9 100644 --- a/ops/terraform/modules/database/main.tf +++ b/ops/terraform/modules/database/main.tf 
@@ -15,7 +15,7 @@ resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" { delegated_subnet_id = var.subnet private_dns_zone_id = var.private_dns_zone_id - // Disable Public Network Access + # Disable Public Network Access public_network_access_enabled = false lifecycle { diff --git a/ops/terraform/modules/database/variables.tf b/ops/terraform/modules/database/variables.tf index 3e5fb574..e7fc1dd7 100644 --- a/ops/terraform/modules/database/variables.tf +++ b/ops/terraform/modules/database/variables.tf @@ -26,7 +26,6 @@ variable "sku_name" { type = string description = "value" default = "GP_Standard_D2ds_v4" # General Purpose tier - # default = "B_Gen5_1" # Basic SKU, Gen5, 1 vCore } variable "subnet" { From 8f4f9127f847b803cfa3dfe34f1a6cb1cbed09bd Mon Sep 17 00:00:00 2001 From: marycrawford Date: Wed, 20 Nov 2024 22:23:29 -0800 Subject: [PATCH 24/30] remove more commented out code --- ops/terraform/main.tf | 10 ---------- ops/terraform/variables.tf | 4 ---- 2 files changed, 14 deletions(-) diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf index 17f56672..89f159e5 100644 --- a/ops/terraform/main.tf +++ b/ops/terraform/main.tf @@ -90,13 +90,3 @@ module "database" { subnet = module.networking.dbsubnet_id private_dns_zone_id = module.networking.private_dns_zone_id } - -## TODO: Complete in separate ticket -# module "vault" { -# source = "./modules/vault" -# resource_group_name = data.azurerm_resource_group.rg.name -# azure_tenant_id = var.azure_tenant_id -# object_id = var.object_id -# vite_api_url = var.vite_api_url -# postgres_password = module.database.postgres_db_password -# } diff --git a/ops/terraform/variables.tf b/ops/terraform/variables.tf index 8fbeb083..8b5e5ccc 100644 --- a/ops/terraform/variables.tf +++ b/ops/terraform/variables.tf @@ -29,7 +29,3 @@ variable "vite_api_url" { variable "resource_group_name" { description = "value of the Azure resource group to deploy to" } - - - - 
From 6b81cc22929aaae61e3292c0ece605d451ce4079 Mon Sep 17 00:00:00 2001 From: marycrawford Date: Wed, 20 Nov 2024 22:52:00 -0800 Subject: [PATCH 25/30] remove variables used when working on vault module --- ops/terraform/variables.tf | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/ops/terraform/variables.tf b/ops/terraform/variables.tf index 8b5e5ccc..ed8f0976 100644 --- a/ops/terraform/variables.tf +++ b/ops/terraform/variables.tf @@ -1,31 +1,10 @@ -variable "azure_tenant_id" { - description = "Unique Identifier for the Azure AD tenant for the app" -} - -variable "client_id" {} -variable "client_secret" { - -} -variable "tenant_id" { - -} variable "name" {} -variable "object_id" { - type = string - description = "The Azure Object ID" -} - variable "sku_name" { type = string description = "The Azure Stock Keep Unit (SKU) version" } -variable "vite_api_url" { - type = string - description = "The application API Url" -} - variable "resource_group_name" { description = "value of the Azure resource group to deploy to" } From 2d52961f0261dbfc2f66f2966d4c4de098665e6e Mon Sep 17 00:00:00 2001 From: marycrawford Date: Wed, 20 Nov 2024 22:54:43 -0800 Subject: [PATCH 26/30] add back client_id and tenant_id variables to support the azuread provider --- ops/terraform/variables.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ops/terraform/variables.tf b/ops/terraform/variables.tf index ed8f0976..dc7dca66 100644 --- a/ops/terraform/variables.tf +++ b/ops/terraform/variables.tf @@ -1,4 +1,6 @@ +variable "client_id" {} variable "name" {} +variable "tenant_id" {} variable "sku_name" { type = string From 2423ed1d62d0ca723ef23d32ae21366db12c066a Mon Sep 17 00:00:00 2001 From: marycrawford Date: Thu, 21 Nov 2024 08:14:34 -0800 Subject: [PATCH 27/30] update database name --- ops/terraform/modules/database/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf index f6cb9ee9..c57d705b 100644 --- a/ops/terraform/modules/database/main.tf +++ b/ops/terraform/modules/database/main.tf @@ -24,7 +24,7 @@ resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" { } resource "azurerm_postgresql_flexible_server_database" "postgres_db" { - name = azurerm_postgresql_flexible_server.postgres_flexible_server.name + name = "${azurerm_postgresql_flexible_server.postgres_flexible_server.name}-db" server_id = azurerm_postgresql_flexible_server.postgres_flexible_server.id } From 47014cd711e5acf66be0c5df644b6b6110a374f4 Mon Sep 17 00:00:00 2001 From: marycrawford Date: Thu, 21 Nov 2024 08:19:29 -0800 Subject: [PATCH 28/30] reduce the sku_name to Standard_B1ms --- ops/terraform/modules/database/variables.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ops/terraform/modules/database/variables.tf b/ops/terraform/modules/database/variables.tf index e7fc1dd7..6d72de6a 100644 --- a/ops/terraform/modules/database/variables.tf +++ b/ops/terraform/modules/database/variables.tf @@ -20,12 +20,12 @@ variable "resource_group_name" { description = "The Azure Resource Group to deploy to" } -# Designed for medium to high-performance workloads and is scalable. -# May downsize to Standard_B1ms for development environments and small workloads. +# Production may be able to scale to GP_Standard_D2ds_v4 (General Purpose Tier) +# which is designed for medium to high-performance workloads and is scalable. variable "sku_name" { type = string description = "value" - default = "GP_Standard_D2ds_v4" # General Purpose tier + default = "Standard_B1ms" # General Purpose tier for low cost virtual machines } variable "subnet" { From e51c5b59330f9dc138cc5229d601b7e4cb325883 Mon Sep 17 00:00:00 2001 
From: marycrawford Date: Sun, 24 Nov 2024 14:41:06 -0800 Subject: [PATCH 29/30] remove unused variables --- .github/actions/tf-setup/action.yml | 4 ---- ops/terraform/modules/database/main.tf | 2 +- ops/terraform/modules/database/variables.tf | 6 ++---- ops/terraform/providers.tf | 24 +++++++++------------ ops/terraform/variables.tf | 2 -- 5 files changed, 13 insertions(+), 25 deletions(-) diff --git a/.github/actions/tf-setup/action.yml b/.github/actions/tf-setup/action.yml index 2f08432b..440809a1 100644 --- a/.github/actions/tf-setup/action.yml +++ b/.github/actions/tf-setup/action.yml @@ -16,9 +16,6 @@ inputs: azure-subscription-id: description: The Azure subscription_id for this environment. required: true - azure-object-id: - description: The Azure object_id for this environment. - required: true app-name: description: The name of the application being deployed in Terraform. required: true @@ -53,7 +50,6 @@ runs: ARM_CLIENT_ID: ${{ inputs.azure-client-id }} ARM_TENANT_ID: ${{ inputs.azure-tenant-id }} ARM_SUBSCRIPTION_ID: ${{ inputs.azure-subscription-id }} - ARM_OBJECT_ID: ${{ inputs.azure-object-id }} shell: bash run: | terraform init -backend-config=config/${{ inputs.deploy-env }}.config diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf index c57d705b..4bb30a53 100644 --- a/ops/terraform/modules/database/main.tf +++ b/ops/terraform/modules/database/main.tf @@ -5,7 +5,7 @@ resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" { name = "reportvisionpostgresql-flexible-server" location = var.location resource_group_name = var.resource_group_name - sku_name = var.sku_name + sku_name = var.postgres_sku_name version = var.engine_version storage_mb = 32768 # 32 GB, the lowest of the valid options backup_retention_days = 7 diff --git a/ops/terraform/modules/database/variables.tf b/ops/terraform/modules/database/variables.tf index 6d72de6a..ef91bef5 100644 
--- a/ops/terraform/modules/database/variables.tf +++ b/ops/terraform/modules/database/variables.tf @@ -20,12 +20,10 @@ variable "resource_group_name" { description = "The Azure Resource Group to deploy to" } -# Production may be able to scale to GP_Standard_D2ds_v4 (General Purpose Tier) -# which is designed for medium to high-performance workloads and is scalable. -variable "sku_name" { +variable "postgres_sku_name" { type = string description = "value" - default = "Standard_B1ms" # General Purpose tier for low cost virtual machines + default = "Standard_B1ms" } variable "subnet" { diff --git a/ops/terraform/providers.tf b/ops/terraform/providers.tf index 9203771f..345c788e 100644 --- a/ops/terraform/providers.tf +++ b/ops/terraform/providers.tf @@ -6,30 +6,26 @@ terraform { azurerm = { source = "hashicorp/azurerm" version = "~>3.0" + } random = { source = "hashicorp/random" version = "~>3.0" } - azuread = { - source = "hashicorp/azuread" - } + # azuread = { + # source = "hashicorp/azuread" + # } } } provider "azurerm" { - features { - key_vault { - purge_soft_delete_on_destroy = true - recover_soft_deleted_key_vaults = true - } - } + features {} } -# Provider for Azure Active Directory resources (e.g., service principals) -provider "azuread" { +# # Provider for Azure Active Directory resources (e.g., service principals) +# provider "azuread" { - client_id = var.client_id - tenant_id = var.tenant_id +# client_id = var.client_id +# tenant_id = var.tenant_id -} +# } diff --git a/ops/terraform/variables.tf b/ops/terraform/variables.tf index dc7dca66..ed8f0976 100644 --- a/ops/terraform/variables.tf +++ b/ops/terraform/variables.tf @@ -1,6 +1,4 @@ -variable "client_id" {} variable "name" {} -variable "tenant_id" {} variable "sku_name" { type = string From 927d60b1518c0354f59ca68e09b6e8397a764ab8 Mon Sep 17 00:00:00 2001 
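Review bot: In the `ops/terraform/providers.tf` hunk the azuread provider block and its `required_providers` entry are commented out rather than deleted, which runs against the clean-up done in PATCH 23 and PATCH 24 of this series and leaves `var.client_id`/`var.tenant_id` references in comments after those variables are removed in the `ops/terraform/variables.tf` hunk of the same patch. Deleting the two commented blocks keeps the file consistent; git history preserves them if the provider returns. Replacing the `key_vault { ... }` settings with a bare `features {}` is consistent with the vault module removal, but it silently changes soft-delete/purge behaviour for any key vault added later, so a comment such as `# key_vault feature flags removed with the vault module; re-add purge_soft_delete_on_destroy if a vault returns` would record the intent.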
From: marycrawford
Date: Mon, 25 Nov 2024 08:19:36 -0800
Subject: [PATCH 30/30] update database cidr block
---
 ops/terraform/locals.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ops/terraform/locals.tf b/ops/terraform/locals.tf
index 0c258d51..b25d9249 100644
--- a/ops/terraform/locals.tf
+++ b/ops/terraform/locals.tf
@@ -19,7 +19,7 @@ locals {
 appsubnetcidr = "10.1.1.0/24"
 websubnetcidr = "10.1.2.0/24"
 lbsubnetcidr = "10.1.3.0/24"
- dbsubnetcidr = "10.0.4.0/24"
+ dbsubnetcidr = "10.1.4.0/24"
 }
 }
 }