Create postgresql server and db with relevant resources

.github/actions/tf-setup/action.yml

@@ -16,6 +16,9 @@ inputs:
   azure-subscription-id:
     description: The Azure subscription_id for this environment.
     required: true
+  azure-object-id:
+    description: The Azure object_id for this environment.
+    required: true
   app-name:
     description: The name of the application being deployed in Terraform.
     required: true
@@ -50,6 +53,7 @@ runs:
         ARM_CLIENT_ID: ${{ inputs.azure-client-id }}
         ARM_TENANT_ID: ${{ inputs.azure-tenant-id }}
         ARM_SUBSCRIPTION_ID: ${{ inputs.azure-subscription-id }}
+        ARM_OBJECT_ID: ${{ inputs.azure-object-id }}
       shell: bash
       run: |
         terraform init -backend-config=config/${{ inputs.deploy-env }}.config

ops/terraform/locals.tf

@@ -10,6 +10,7 @@ locals {
       appsubnetcidr = "10.0.1.0/24"
       websubnetcidr = "10.0.2.0/24"
       lbsubnetcidr  = "10.0.3.0/24"
+      dbsubnetcidr  = "10.0.4.0/24"
     }
   }
   demo = {
@@ -18,6 +19,7 @@ locals {
       appsubnetcidr = "10.1.1.0/24"
       websubnetcidr = "10.1.2.0/24"
       lbsubnetcidr  = "10.1.3.0/24"
+      dbsubnetcidr  = "10.0.4.0/24"
     }
   }
-}
+}

ops/terraform/main.tf

@@ -8,9 +8,6 @@ locals {
   }
 }
 
-##########
-## 02-network
-##########
 module "networking" {
   source         = "./modules/network"
   name           = var.name
@@ -20,22 +17,19 @@ module "networking" {
   websubnetcidr  = local.workspace["websubnetcidr"]
   lbsubnetcidr   = local.workspace["lbsubnetcidr"]
   appsubnetcidr  = local.workspace["appsubnetcidr"]
+  dbsubnetcidr   = local.workspace["dbsubnetcidr"]
   env            = local.environment
 }
 
-##########
-## 02-security
-##########
-
 module "securitygroup" {
   source         = "./modules/security"
   name           = var.name
   location       = data.azurerm_resource_group.rg.location
   resource_group = data.azurerm_resource_group.rg.name
   web_subnet_id  = module.networking.websubnet_id
-  # db_subnet_id   = module.networking.dbsubnet_id
-  lb_subnet_id = module.networking.lbsubnet_id
-  env          = local.environment
+  db_subnet_id   = module.networking.dbsubnet_id
+  lb_subnet_id   = module.networking.lbsubnet_id
+  env            = local.environment
 }
 
 module "app_gateway" {
@@ -53,10 +47,6 @@ module "app_gateway" {
   depends_on = [module.networking, module.ocr_api]
 }
 
-##########
-## 05-Persistent
-##########
-
 module "storage" {
   source          = "./modules/storage"
   name            = var.name
@@ -68,10 +58,6 @@ module "storage" {
   web_subnet_id   = module.networking.websubnet_id
 }
 
-##########
-## 06-App
-##########
-
 module "ocr_api" {
   source         = "./modules/app_service"
   name           = var.name
@@ -98,26 +84,9 @@ module "ocr_autoscale" {
   weekend_capacity_instances = 1
 }
 
-# module "compute" {
-#   source         = "./modules/container_instances"
-#   location       = data.azurerm_resource_group.rg.location
-#   resource_group = data.azurerm_resource_group.rg.name
-#   environment    = local.environment
-#   app_subnet     = module.networking.appsubnet_id
-#   # web_subnet_id   = module.networking.websubnet_id
-#   # app_subnet_id   = module.networking.appsubnet_id
-#   # web_host_name   = local.app.web_host_name
-#   # web_username    = local.app.web_username
-#   # web_os_password = local.app.web_os_password
-#   # app_host_name   = local.app.app_host_name
-#   # app_username    = local.app.app_username
-#   # app_os_password = local.app.app_os_password
-# }
-
-##########
-## 04-config
-##########
-
-##########
-## 07-Monitor
-##########
+module "database" {
+  source              = "./modules/database"
+  resource_group_name = data.azurerm_resource_group.rg.name
+  subnet              = module.networking.dbsubnet_id
+  private_dns_zone_id = module.networking.private_dns_zone_id
+}

ops/terraform/modules/database/main.tf

@@ -0,0 +1,37 @@
+# Azure Postgres Single Service (azurerm_postgresql_server) retires in March 2025.  
+# As a result we are using Azure Database for PostgreSQL Flexible Server
+# with granular control, flexibility and better cost optimization. 
+resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" {
+  name                  = "reportvisionpostgresql-flexible-server"
+  location              = var.location
+  resource_group_name   = var.resource_group_name
+  sku_name              = var.sku_name
+  version               = var.engine_version
+  storage_mb            = 32768 # 32 GB, the lowest of the valid options
+  backup_retention_days = 7
+
+  administrator_login    = var.db_username
+  administrator_password = random_string.setup_rds_password.result
+  delegated_subnet_id    = var.subnet
+  private_dns_zone_id    = var.private_dns_zone_id
+
+  # Disable Public Network Access 
+  public_network_access_enabled = false
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "azurerm_postgresql_flexible_server_database" "postgres_db" {
+  name      = azurerm_postgresql_flexible_server.postgres_flexible_server.name
+  server_id = azurerm_postgresql_flexible_server.postgres_flexible_server.id
+}
+
+# Random string resource for the postgres password
+resource "random_string" "setup_rds_password" {
+  length = 16 # Length of the password
+
+  # Character set that excludes problematic characters like quotes, backslashes, etc.
+  override_special = "_!@#-$%^&*()[]{}"
+}

ops/terraform/modules/database/outputs.tf

@@ -0,0 +1,3 @@
+output "postgres_db_password" {
+  value = azurerm_postgresql_flexible_server.postgres_flexible_server.administrator_login
+}

ops/terraform/modules/database/variables.tf

@@ -0,0 +1,39 @@
+variable "db_username" {
+  type        = string
+  description = "Username of RDS Instance."
+  default     = "reportVisionDbUser"
+}
+
+variable "engine_version" {
+  description = "Postgres DB engine version."
+  default     = "11"
+}
+
+variable "location" {
+  type        = string
+  description = "Location of the resource."
+  default     = "eastus2"
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "The Azure Resource Group to deploy to"
+}
+
+# Designed for medium to high-performance workloads and is scalable.
+# May downsize to Standard_B1ms for development environments and small workloads.
+variable "sku_name" {
+  type        = string
+  description = "value"
+  default     = "GP_Standard_D2ds_v4" # General Purpose tier
+}
+
+variable "subnet" {
+  type        = string
+  description = "The subnet ID to associate with the PostgreSQL Flexible Server"
+}
+
+variable "private_dns_zone_id" {
+  type        = string
+  description = "Private DNS Zone for PostgreSQL Flexible Server"
+}

ops/terraform/modules/network/main.tf

@@ -10,11 +10,11 @@ resource "azurerm_subnet" "web-subnet" {
   virtual_network_name = azurerm_virtual_network.vnet.name
   resource_group_name  = var.resource_group
   address_prefixes     = [var.websubnetcidr]
-  service_endpoints    = [
+  service_endpoints = [
     "Microsoft.Storage",
     "Microsoft.Web"
   ]
-  depends_on           = [azurerm_virtual_network.vnet]
+  depends_on = [azurerm_virtual_network.vnet]
 }
 
 resource "azurerm_subnet" "app-subnet" {
@@ -45,9 +45,30 @@ resource "azurerm_subnet" "lb-subnet" {
   depends_on = [azurerm_virtual_network.vnet]
 }
 
-# resource "azurerm_subnet" "db-subnet" {
-#   name                 = "${var.name}-db-subnet-${var.env}"
-#   virtual_network_name = azurerm_virtual_network.vnet.name
-#   resource_group_name  = var.resource_group
-#   address_prefixes     = [var.dbsubnetcidr]
-# }
+
+resource "azurerm_subnet" "db-subnet" {
+  name                 = "${var.name}-db-subnet-${var.env}"
+  virtual_network_name = azurerm_virtual_network.vnet.name
+  resource_group_name  = var.resource_group
+  address_prefixes     = [var.dbsubnetcidr]
+
+  delegation {
+    name = "postgresql-delegation"
+    service_delegation {
+      name = "Microsoft.DBforPostgreSQL/flexibleServers"
+    }
+  }
+}
+
+resource "azurerm_private_dns_zone" "postgresql_dns_zone" {
+  name                = "privatelink.postgres.database.azure.com"
+  resource_group_name = var.resource_group
+}
+
+# Link Private DNS Zone to Virtual Network
+resource "azurerm_private_dns_zone_virtual_network_link" "dns_link" {
+  name                  = "postgresql-vnet-link"
+  resource_group_name   = var.resource_group
+  private_dns_zone_name = azurerm_private_dns_zone.postgresql_dns_zone.name
+  virtual_network_id    = azurerm_virtual_network.vnet.id
+}

ops/terraform/modules/network/outputs.tf

@@ -8,10 +8,10 @@ output "websubnet_id" {
   description = "Id of websubnet in the network"
 }
 
-# output "dbsubnet_id" {
-#   value       = azurerm_subnet.db-subnet.id
-#   description = "Id of dbsubnet in the network"
-# }
+output "dbsubnet_id" {
+  value       = azurerm_subnet.db-subnet.id
+  description = "Id of dbsubnet in the network"
+}
 
 output "lbsubnet_id" {
   value       = azurerm_subnet.lb-subnet.id
@@ -21,4 +21,9 @@ output "lbsubnet_id" {
 output "appsubnet_id" {
   value       = azurerm_subnet.app-subnet.id
   description = "Id of lbsubnet in the network"
-}
+}
+
+output "private_dns_zone_id" {
+  value       = azurerm_private_dns_zone.postgresql_dns_zone.id
+  description = "Private DNS Zone for PostgreSQL Flexible Server"
+}

ops/terraform/modules/network/variables.tf

@@ -1,9 +1,12 @@
 variable "resource_group" {}
 variable "name" {}
-variable "location" {}
 variable "vnetcidr" {}
 variable "websubnetcidr" {}
 variable "lbsubnetcidr" {}
-# variable "dbsubnetcidr" {}
+variable "dbsubnetcidr" {}
 variable "appsubnetcidr" {}
-variable "env" {}
+variable "env" {}
+
+variable "location" {
+  default = "eastus2"
+}

ops/terraform/modules/security/variables.tf

@@ -3,5 +3,5 @@ variable "name" {}
 variable "env" {}
 variable "resource_group" {}
 variable "web_subnet_id" {}
-# variable "db_subnet_id" {}
-variable "lb_subnet_id" {}
+variable "db_subnet_id" {}
+variable "lb_subnet_id" {}

ops/terraform/providers.tf

@@ -11,9 +11,25 @@ terraform {
       source  = "hashicorp/random"
       version = "~>3.0"
     }
+    azuread = {
+      source = "hashicorp/azuread"
+    }
   }
 }
 
 provider "azurerm" {
-  features {}
-}
+  features {
+    key_vault {
+      purge_soft_delete_on_destroy    = true
+      recover_soft_deleted_key_vaults = true
+    }
+  }
+}
+
+# Provider for Azure Active Directory resources (e.g., service principals)
+provider "azuread" {
+
+  client_id = var.client_id
+  tenant_id = var.tenant_id
+
+}

ops/terraform/variables.tf

@@ -1,7 +1,12 @@
+variable "client_id" {}
+variable "name" {}
+variable "tenant_id" {}
+
+variable "sku_name" {
+  type        = string
+  description = "The Azure Stock Keep Unit (SKU) version"
+}
+
 variable "resource_group_name" {
   description = "value of the Azure resource group to deploy to"
 }
-
-variable "name" {}
-
-variable "sku_name" {}