CDCgov · marycrawford · Dec 12, 2024 · Dec 10, 2024 · Dec 11, 2024 · Dec 11, 2024
diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf
@@ -20,6 +20,10 @@ module "networking" {
   middlewaresubnetcidr = local.workspace["middlewaresubnetcidr"]
   dbsubnetcidr         = local.workspace["dbsubnetcidr"]
   env                  = local.environment
+
+  # The DNS zone and DNS link are managed inside the networking module.
+  postgres_server_id = module.database.postgres_server_id
+
 }
 
 module "securitygroup" {
@@ -69,11 +73,15 @@ module "middleware_api" {
   app_subnet_id  = module.networking.middlewaresubnet_id
 
   app_settings = {
-    WEBSITES_PORT = "8081"
+    WEBSITES_PORT     = "8081"
+    POSTGRES_HOST     = module.database.postgres_fqdn
+    POSTGRES_DB       = module.database.postgres_db_name
+    POSTGRES_USER     = module.database.postgres_user
+    POSTGRES_PASSWORD = module.vault.postgres_password
   }
 
   lb_subnet_id = module.networking.lbsubnet_id
-  health_path = "/actuator/health"
+  health_path  = "/actuator/health"
   env          = local.environment
   vnet         = module.networking.network_name
   sku_name     = var.sku_name
@@ -93,12 +101,12 @@ module "ocr_api" {
     WEBSITES_PORT = "8000"
   }
 
-  lb_subnet_id   = module.networking.middlewaresubnet_id
-  env            = local.environment
-  vnet           = module.networking.network_name
-  sku_name       = var.sku_name
-  https_only     = true
-  depends_on     = [module.networking.ocrsubnet_id, module.networking.middlewaresubnet_id]
+  lb_subnet_id = module.networking.middlewaresubnet_id
+  env          = local.environment
+  vnet         = module.networking.network_name
+  sku_name     = var.sku_name
+  https_only   = true
+  depends_on   = [module.networking.ocrsubnet_id, module.networking.middlewaresubnet_id]
 }
 
 module "ocr_autoscale" {
@@ -117,14 +125,17 @@ module "ocr_autoscale" {
 module "database" {
   source              = "./modules/database"
   env                 = local.environment
+  name                = var.name
   resource_group_name = data.azurerm_resource_group.rg.name
-  subnet              = module.networking.dbsubnet_id
+  db_subnet           = module.networking.dbsubnet_id
   private_dns_zone_id = module.networking.private_dns_zone_id
   postgres_password   = module.vault.postgres_password # Password from Vault to DB
 }
 
 module "vault" {
   source              = "./modules/vault"
+  env                 = local.environment
+  name                = var.name
   location            = data.azurerm_resource_group.rg.location
   resource_group_name = data.azurerm_resource_group.rg.name
   tenant_id           = var.tenant_id

diff --git a/ops/terraform/modules/app_service/variables.tf b/ops/terraform/modules/app_service/variables.tf
@@ -9,7 +9,6 @@ variable "sku_name" {
 }
 variable "service" {}
 
-
 variable "https_only" {
   type    = bool
   default = false
@@ -22,4 +21,4 @@ variable "app_settings" {
 }
 variable "health_path" {
   default = "/"
-}
+}
diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf
@@ -2,7 +2,7 @@
 # As a result we are using Azure Database for PostgreSQL Flexible Server
 # with granular control, flexibility and better cost optimization. 
 resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" {
-  name                  = "reportvisionpostgresql-flexible-server-${var.env}"
+  name                  = "${var.name}postgresql-fs-${var.env}"
   location              = var.location
   resource_group_name   = var.resource_group_name
   sku_name              = var.postgres_sku_name
@@ -12,14 +12,14 @@ resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" {
 
   administrator_login    = var.db_username
   administrator_password = var.postgres_password
-  delegated_subnet_id    = var.subnet
+  delegated_subnet_id    = var.db_subnet
   private_dns_zone_id    = var.private_dns_zone_id
 
   # Disable Public Network Access 
   public_network_access_enabled = false
 
   lifecycle {
-    prevent_destroy = true
+    prevent_destroy = false
     ignore_changes  = [zone]
   }
 }

diff --git a/ops/terraform/modules/database/outputs.tf b/ops/terraform/modules/database/outputs.tf
@@ -1,9 +1,9 @@
 output "postgres_server_id" {
-  value = azurerm_postgresql_flexible_server.postgres_flexible_server
+  value = azurerm_postgresql_flexible_server.postgres_flexible_server.id
 }
 
 output "postgres_fqdn" {
-  value       = azurerm_postgresql_flexible_server.postgres_flexible_server
+  value       = azurerm_postgresql_flexible_server.postgres_flexible_server.fqdn
   description = "The fully qualified domain name (FQDN) of the PostgreSQL flexible server"
 }
 
@@ -12,6 +12,7 @@ output "postgres_user" {
   description = "User name for the Application's PostgreSQL flexible server database"
 }
 
+
 output "postgres_db_name" {
-  value = var.db_username
+  value = azurerm_postgresql_flexible_server.postgres_flexible_server.name
 }
diff --git a/ops/terraform/modules/database/variables.tf b/ops/terraform/modules/database/variables.tf
@@ -15,6 +15,11 @@ variable "location" {
   default     = "eastus2"
 }
 
+variable "name" {
+  type        = string
+  description = "The name of the Project"
+}
+
 variable "resource_group_name" {
   type        = string
   description = "The Azure Resource Group to deploy to"
@@ -32,7 +37,7 @@ variable "postgres_sku_name" {
   default     = "B_Standard_B1ms"
 }
 
-variable "subnet" {
+variable "db_subnet" {
   type        = string
   description = "The subnet ID to associate with the PostgreSQL Flexible Server"
 }

diff --git a/ops/terraform/modules/network/main.tf b/ops/terraform/modules/network/main.tf
@@ -61,17 +61,19 @@ resource "azurerm_subnet" "middleware-subnet" {
   }
 }
 
-
 resource "azurerm_subnet" "db-subnet" {
   name                 = "${var.name}-db-subnet-${var.env}"
   virtual_network_name = azurerm_virtual_network.vnet.name
   resource_group_name  = var.resource_group
   address_prefixes     = [var.dbsubnetcidr]
 
   delegation {
-    name = "postgresql-delegation"
+    name = "postgresql-fs-delegation"
     service_delegation {
       name = "Microsoft.DBforPostgreSQL/flexibleServers"
+      actions = [
+        "Microsoft.Network/virtualNetworks/subnets/join/action",
+      ]
     }
   }
 }
@@ -87,4 +89,13 @@ resource "azurerm_private_dns_zone_virtual_network_link" "dns_link" {
   resource_group_name   = var.resource_group
   private_dns_zone_name = azurerm_private_dns_zone.postgresql_dns_zone.name
   virtual_network_id    = azurerm_virtual_network.vnet.id
+  depends_on            = [var.postgres_server_id]
+}
+
+resource "azurerm_postgresql_flexible_server_firewall_rule" "app_service_firewall_rule" {
+  name             = "allow-app-service"
+  server_id        = var.postgres_server_id
+  start_ip_address = cidrhost(var.middlewaresubnetcidr, 0)   # CIDR block start
+  end_ip_address   = cidrhost(var.middlewaresubnetcidr, 255) # CIDR block end 
 }
+
diff --git a/ops/terraform/modules/network/variables.tf b/ops/terraform/modules/network/variables.tf
@@ -11,3 +11,6 @@ variable "dbsubnetcidr" {}
 variable "location" {
   default = "eastus2"
 }
+
+variable "postgres_server_id" {
+}
diff --git a/ops/terraform/modules/vault/main.tf b/ops/terraform/modules/vault/main.tf
@@ -1,10 +1,11 @@
 resource "azurerm_key_vault" "this" {
-  name                     = "reportvisionvault"
-  location                 = var.location
-  resource_group_name      = var.resource_group_name
-  sku_name                 = "standard"
-  tenant_id                = data.azurerm_client_config.current.tenant_id
-  purge_protection_enabled = true
+  name                       = "${var.name}vault${var.env}"
+  location                   = var.location
+  resource_group_name        = var.resource_group_name
+  sku_name                   = "standard"
+  tenant_id                  = data.azurerm_client_config.current.tenant_id
+  purge_protection_enabled   = false
+  soft_delete_retention_days = 7
 
   access_policy {
     tenant_id = data.azurerm_client_config.current.tenant_id
@@ -31,8 +32,8 @@ resource "random_string" "postgres_password" {
   override_special = "_!@#-$%^&*()[]{}" # excluded characters
 }
 
-resource "azurerm_key_vault_secret" "postgres_db_secret" {
-  name         = "reportvision-postgres-db-password"
+resource "azurerm_key_vault_secret" "postgres_db_password" {
+  name         = "${var.name}postgresdb-pwd-${var.env}"
   value        = random_string.postgres_password.result
   key_vault_id = azurerm_key_vault.this.id
 

diff --git a/ops/terraform/modules/vault/outputs.tf b/ops/terraform/modules/vault/outputs.tf
@@ -1,4 +1,5 @@
 output "postgres_password" {
-  value     = random_string.postgres_password.result
-  sensitive = true
+  value       = random_string.postgres_password.result
+  sensitive   = true
+  description = "The randomly generated password for the PostgreSQL database"
 }
diff --git a/ops/terraform/modules/vault/variables.tf b/ops/terraform/modules/vault/variables.tf
@@ -1,5 +1,7 @@
 variable "client_id" {}
+variable "env" {}
 variable "location" {}
+variable "name" {}
 variable "object_id" {
   type = string
 }

diff --git a/ops/terraform/providers.tf b/ops/terraform/providers.tf
@@ -19,11 +19,6 @@ terraform {
 }
 
 provider "azurerm" {
-  features {
-    key_vault {
-      purge_soft_delete_on_destroy    = true
-      recover_soft_deleted_key_vaults = true
-    }
-  }
+  features {}
 }
 
diff --git a/ops/terraform/variables.tf b/ops/terraform/variables.tf
@@ -2,11 +2,14 @@ variable "client_id" {}
 variable "name" {}
 variable "object_id" {}
 variable "tenant_id" {}
+
 variable "sku_name" {
   type        = string
   description = "The Azure Stock Keep Unit (SKU) version"
 }
+
 variable "subscription_id" {}
+
 variable "resource_group_name" {
   description = "value of the Azure resource group to deploy to"
 }