resource "azurerm_postgresql_flexible_server" "postgresql_flexible_server" {
  # --- Identity and placement -------------------------------------------
  name                = var.name
  resource_group_name = var.resource_group_name
  location            = var.location
  zone                = var.zone
  tags                = var.tags

  # --- Capacity and engine ------------------------------------------------
  sku_name     = var.sku_name
  storage_mb   = var.storage_mb
  storage_tier = var.storage_tier
  version      = var.server_version

  # --- Backup policy ------------------------------------------------------
  backup_retention_days        = var.backup_retention_days
  geo_redundant_backup_enabled = var.geo_redundant_backup_enabled

  # --- Network exposure ---------------------------------------------------
  # Passed straight through from the caller; the variable's default is not
  # visible in this file. NOTE(review): confirm it defaults to false when the
  # private endpoint module below is used, otherwise the server stays
  # reachable on its public FQDN in addition to the private endpoint.
  public_network_access_enabled = var.public_network_access_enabled

  # --- Authentication -----------------------------------------------------
  # Entra ID (Azure AD) authentication is unconditionally on; local password
  # authentication is opt-in through var.password_auth_enabled.
  authentication {
    active_directory_auth_enabled = true
    password_auth_enabled         = var.password_auth_enabled
    tenant_id                     = var.tenant_id
  }

  # A local administrator exists only when password auth is enabled AND a
  # login name was supplied; otherwise both attributes are null and no
  # password is generated or stored anywhere. The password is the one
  # produced by random_password.admin_password in this file (its count is 0
  # under the same predicate, so the [0] index sits on the unselected branch
  # of the conditional in that case). NOTE(review): length() on a null
  # administrator_login would fail at plan time; this assumes the variable is
  # a string (possibly empty), never null — verify in variables.tf.
  administrator_login    = length(var.administrator_login) > 0 && var.password_auth_enabled ? var.administrator_login : null
  administrator_password = length(var.administrator_login) > 0 && var.password_auth_enabled ? random_password.admin_password[0].result : null

  # --- Managed identity ---------------------------------------------------
  # Deliberately no identity { } block. The original author noted that the
  # flexible server did not accept a user-assigned identity; re-check that
  # against the azurerm provider version in use before relying on it. If an
  # identity is required, create it in a separate identity module and
  # reference it from an identity { } block here.
}
resource "random_password" "admin_password" {
  # Only materialise a password when the server actually gets a local
  # administrator — the same predicate the server uses for administrator_login.
  count = length(var.administrator_login) > 0 && var.password_auth_enabled ? 1 : 0

  # 30 characters from letters, digits and the explicit special-character
  # set below. The generated value is persisted in Terraform state, so the
  # state backend must be protected as if it held the credential itself.
  length           = 30
  special          = true
  override_special = "!@#$%^&*()-_=+[]{}<>:?"
}
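# Publish the generated local-administrator password to Key Vault so that
# consumers never need to read it out of Terraform state. Created under the
# same predicate as the password itself, so count is 0 whenever no local
# administrator exists.
resource "azurerm_key_vault_secret" "db_admin_pwd" {
  count = length(var.administrator_login) > 0 && var.password_auth_enabled ? 1 : 0

  name         = var.key_vault_admin_pwd_secret_name
  key_vault_id = var.key_vault_id

  # Reference written the same way as on the server resource
  # (administrator_password) rather than with the redundant `resource.` prefix.
  value = random_password.admin_password[0].result

  # NOTE(review): no content_type or expiration_date is set on this secret.
  # Both are commonly required by Azure Policy for Key Vault secrets; adding
  # them needs new input variables and is left to the module owner. The
  # identity running Terraform must also hold secret set/get permission on
  # var.key_vault_id (RBAC or access policy), which this module does not grant.
}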
# Register the Entra ID (Azure AD) principal that administers the server.
# This relies on active_directory_auth_enabled being true in the server's
# authentication block (it is hard-coded to true above). The server_name
# reference gives Terraform the ordering dependency, so no depends_on is
# needed. Whether object_id / principal_name / principal_type are mutually
# consistent is not checked here — a mismatch surfaces only at apply time.
resource "azurerm_postgresql_flexible_server_active_directory_administrator" "postgresql_admin" {
  resource_group_name = var.resource_group_name
  server_name         = azurerm_postgresql_flexible_server.postgresql_flexible_server.name

  tenant_id      = var.tenant_id
  object_id      = var.postgresql_admin_object_id
  principal_name = var.postgresql_admin_principal_name
  principal_type = var.postgresql_admin_principal_type
}
# Apply caller-supplied server parameters verbatim: one configuration
# resource per map entry, keyed by the parameter name with the value as
# given. Nothing here validates or restricts which parameters may be set,
# so security-relevant settings (for example anything that weakens
# transport security or logging) are entirely in the caller's hands —
# consider an input validation rule if this module is shared.
resource "azurerm_postgresql_flexible_server_configuration" "postgresql_flexible_config" {
  for_each = var.postgresql_configurations

  server_id = azurerm_postgresql_flexible_server.postgresql_flexible_server.id
  name      = each.key
  value     = each.value
}
/* --------------------------------------------------------------------------------------------------
Private Endpoint Configuration for Postgres Flexible Server

Optional: created only when var.private_endpoint_properties is supplied.
A private endpoint adds a private path to the server; it does not by itself
remove the public one. Pair it with public_network_access_enabled = false on
the server, otherwise both paths stay open. With
private_service_connection_is_manual = true the connection sits in a
pending state until approved on the server side.
-------------------------------------------------------------------------------------------------- */
module "private_endpoint_postgresql_flexible_server" {
  source = "../private-endpoint"
  count  = var.private_endpoint_properties != null ? 1 : 0

  name                = "${var.name}-postgresql-private-endpoint"
  location            = var.location
  resource_group_name = var.private_endpoint_properties.private_endpoint_resource_group_name
  subnet_id           = var.private_endpoint_properties.private_endpoint_subnet_id
  tags                = var.tags

  # Registers the endpoint's private IP in the caller-supplied DNS zone(s)
  # so the server's FQDN resolves privately from the VNet.
  private_dns_zone_group = {
    name                 = "${var.name}-postgresql-private-endpoint-zone-group"
    private_dns_zone_ids = var.private_endpoint_properties.private_dns_zone_ids_postgresql
  }

  # Link the endpoint to this server's "postgresqlServer" sub-resource.
  private_service_connection = {
    name                           = "${var.name}-postgresql-private-endpoint-connection"
    private_connection_resource_id = azurerm_postgresql_flexible_server.postgresql_flexible_server.id
    subresource_names              = ["postgresqlServer"]
    is_manual_connection           = var.private_endpoint_properties.private_service_connection_is_manual
  }
}
/* --------------------------------------------------------------------------------------------------
PostgreSQL Server Diagnostic Settings

Always created (no count guard): the selected log categories and metrics
are shipped to var.log_analytics_workspace_id. Which categories are
enabled is decided by the caller through the two variables below; this
module does not enforce a minimum set, so confirm audit-relevant logs are
included if this server is in scope for detection or compliance.
-------------------------------------------------------------------------------------------------- */
module "diagnostic_setting_postgresql_server" {
  source = "../diagnostic-settings"

  # The misspelling "diagnotic" is kept on purpose: the name is part of the
  # deployed resource's identity and correcting it would force a replace.
  name               = "${var.name}-postgresql-server-diagnotic-setting"
  target_resource_id = azurerm_postgresql_flexible_server.postgresql_flexible_server.id

  log_analytics_workspace_id = var.log_analytics_workspace_id
  enabled_log                = var.monitor_diagnostic_setting_postgresql_server_enabled_logs
  metric                     = var.monitor_diagnostic_setting_postgresql_server_metrics
}