Create module for Azure PG flex server + add resources in AKS and Man…

…aged Identities modules

Signed-off-by: Ferdinand de Baecque <[email protected]>

terraform/main.tf

@@ -94,7 +94,8 @@ module "azure_aks_pr" {
 
   workload_identity_applications = [
     module.azuread_applications.identity_1,
-    module.azuread_applications.identity_2
+    module.azuread_applications.identity_2,
+    module.azuread_applications.postgres_identity
   ]
 
   tags = local.tags
@@ -116,7 +117,8 @@ module "azure_aks_nightly" {
 
   workload_identity_applications = [
     module.azuread_applications.identity_1,
-    module.azuread_applications.identity_2
+    module.azuread_applications.identity_2,
+    module.azuread_applications.postgres_identity
   ]
 
   tags = local.tags
@@ -265,6 +267,23 @@ module "azure_rabbitmq_app_registration" {
   ]
 }
 
+module "azurerm_postgres_flexible_server" {
+  source              = "./postgres-flex-server"
+  resource_group_name = var.azure_resource_group_name
+  unique_project_name = var.unique_project_name
+
+  postgres_runtime_version = "14"
+  postgres_sku_name        = "GP_Standard_D2s_v3"
+  postgres_storage_mb      = 32768
+
+  postgres_database_name = "test_db"
+
+  user_managed_identity_pg_ad_admin = module.azuread_applications.postgres_identity
+  application_tenant_id             = data.azurerm_client_config.current.tenant_id
+
+  tags = local.tags
+}
+
 // ====== GITHUB SECRETS ======
 
 module "github_secrets" {
@@ -349,6 +368,10 @@ module "github_secrets" {
       name  = "TF_AZURE_IDENTITY_2_APP_ID"
       value = module.azuread_applications.identity_2.client_id
     },
+    {
+      name  = "TF_AZURE_POSTGRES_IDENTITY_APP_ID"
+      value = module.azuread_applications.postgres_identity.client_id
+    },
     {
       name  = "TF_AZURE_KEYVAULT_URI"
       value = module.azure_key_vault.vault_uri

terraform/modules/azure/managed_identities/main.tf

@@ -17,4 +17,10 @@ resource "azurerm_user_assigned_identity" "keda_identity_2" {
   name                = "${var.unique_project_name}-e2e-test-identity-2"
   location            = data.azurerm_resource_group.rg.location
   resource_group_name = data.azurerm_resource_group.rg.name
+}
+
+resource "azurerm_user_assigned_identity" "postgres_identity" {
+  name                = "${var.unique_project_name}-e2e-test-postgres"
+  location            = data.azurerm_resource_group.rg.location
+  resource_group_name = data.azurerm_resource_group.rg.name
 }

terraform/modules/azure/managed_identities/outputs.tf

@@ -4,4 +4,8 @@ output "identity_1" {
 
 output "identity_2" {
   value = azurerm_user_assigned_identity.keda_identity_2
+}
+
+output "postgres_identity" {
+  value = azurerm_user_assigned_identity.postgres_identity
 }

terraform/modules/azure/postgres-flex-server/main.tf

@@ -0,0 +1,52 @@
+provider "azurerm" {
+  features {}
+  skip_provider_registration = true
+}
+
+locals {
+  postgres_server_name = "${var.unique_project_name}-e2e-postgres"
+}
+
+data "azurerm_resource_group" "rg" {
+  name = var.resource_group_name
+}
+
+resource "azurerm_postgresql_flexible_server" "postgres_flex_server" {
+  name                = local.postgres_server_name
+  resource_group_name = data.azurerm_resource_group.rg.name
+  location            = data.azurerm_resource_group.rg.location
+
+  authentication {
+    active_directory_auth_enabled = true
+    password_auth_enabled         = false
+    tenant_id                     = var.application_tenant_id
+  }
+
+  version    = "14"
+  sku_name   = var.postgres_sku_name
+  storage_mb = var.postgres_storage_mb
+  zone       = "1"
+
+  tags       = var.tags
+}
+
+resource "azurerm_postgresql_flexible_server_active_directory_administrator" "postgres_flex_server_ad_admin_uami" {
+  server_name         = azurerm_postgresql_flexible_server.postgres_flex_server.name
+  resource_group_name = data.azurerm_resource_group.rg.name
+  object_id           = var.user_managed_identity_pg_ad_admin.principal_id
+  principal_name      = var.user_managed_identity_pg_ad_admin.name
+  tenant_id           = var.application_tenant_id
+  principal_type      = "ServicePrincipal"
+}
+
+resource "azurerm_postgresql_flexible_server_firewall_rule" "postgres_flex_server_fwr_allow_azure" {
+  name             = "AllowAllAzure"
+  server_id        = azurerm_postgresql_flexible_server.postgres_flex_server.id
+  start_ip_address = "0.0.0.0"
+  end_ip_address   = "0.0.0.0"
+}
+
+resource "azurerm_postgresql_flexible_server_database" "postgres_flex_server_db" {
+  name      = var.postgres_database_name
+  server_id = azurerm_postgresql_flexible_server.postgres_flex_server.id
+}

terraform/modules/azure/postgres-flex-server/outputs.tf

@@ -0,0 +1,3 @@
+output "postgres_flex_server_fqdn" {
+  value = azurerm_postgresql_flexible_server.postgres_flex_server.fqdn
+}

terraform/modules/azure/postgres-flex-server/vars.tf

@@ -0,0 +1,48 @@
+variable "resource_group_name" {
+  type        = string
+  description = "Resource group name where event hub will be placed"
+}
+
+variable "unique_project_name" {
+  type        = string
+  description = "Value to make unique every resource name generated"
+}
+
+variable "tags" {
+  type        = map(any)
+  description = "Tags to apply on resources accepting it"
+}
+
+variable "postgres_runtime_version" {
+  type        = string
+  description = "Postgres version to use"
+  default     = "14"
+}
+
+variable "postgres_sku_name" {
+  type        = string
+  description = "The SKU Name for the PostgreSQL Flexible Server"
+  default     = "GP_Standard_D2s_v3"
+}
+
+variable "postgres_storage_mb" {
+  type        = number
+  description = "The max storage allowed for the PostgreSQL Flexible Server"
+  default     = 32768
+}
+
+variable "postgres_database_name" {
+  type        = string
+  description = "Database name to create inside the server"
+  default     = "test_db"
+}
+
+variable "user_managed_identity_pg_ad_admin" {
+  type        = any
+  description = "User managed identitiy that will be granted admin access on the PostgreSQL Flexible Server"
+}
+
+variable "application_tenant_id" {
+  type        = string
+  description = "TenantId of the application"
+}