From 45a4fbac55dacda9a917fb695d4e5921f914ee31 Mon Sep 17 00:00:00 2001
From: Ferdinand de Baecque <45566171+Ferdinanddb@users.noreply.github.com>
Date: Wed, 29 May 2024 23:55:42 +0200
Subject: [PATCH 1/7] Create module for Azure PG flex server + add resources in AKS and Managed Identities modules
Signed-off-by: Ferdinand de Baecque <45566171+Ferdinanddb@users.noreply.github.com>
---
 terraform/main.tf | 27 +++++++++-
 .../modules/azure/managed_identities/main.tf | 6 +++
 .../azure/managed_identities/outputs.tf | 4 ++
 .../azure/postgres-flex-server/main.tf | 52 +++++++++++++++++++
 .../azure/postgres-flex-server/outputs.tf | 3 ++
 .../azure/postgres-flex-server/vars.tf | 48 +++++++++++++++++
 6 files changed, 138 insertions(+), 2 deletions(-)
 create mode 100644 terraform/modules/azure/postgres-flex-server/main.tf
 create mode 100644 terraform/modules/azure/postgres-flex-server/outputs.tf
 create mode 100644 terraform/modules/azure/postgres-flex-server/vars.tf
diff --git a/terraform/main.tf b/terraform/main.tf
index 400192f..49e2843 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -94,7 +94,8 @@ module "azure_aks_pr" {
 workload_identity_applications = [
 module.azuread_applications.identity_1,
- module.azuread_applications.identity_2
+ module.azuread_applications.identity_2,
+ module.azuread_applications.postgres_identity
 ]
 tags = local.tags
@@ -116,7 +117,8 @@ module "azure_aks_nightly" {
 workload_identity_applications = [
 module.azuread_applications.identity_1,
- module.azuread_applications.identity_2
+ module.azuread_applications.identity_2,
+ module.azuread_applications.postgres_identity
 ]
 tags = local.tags
@@ -265,6 +267,23 @@ module "azure_rabbitmq_app_registration" {
 ]
 }
+module "azurerm_postgres_flexible_server" {
+ source = "./postgres-flex-server"
+ resource_group_name = var.azure_resource_group_name
+ unique_project_name = var.unique_project_name
+
+ postgres_runtime_version = "14"
+ postgres_sku_name = "GP_Standard_D2s_v3"
+ postgres_storage_mb = 32768
+
+ postgres_database_name = "test_db"
+
+ user_managed_identity_pg_ad_admin = module.azuread_applications.postgres_identity
+ application_tenant_id = data.azurerm_client_config.current.tenant_id
+
+ tags = local.tags
+}
+
 // ====== GITHUB SECRETS ======
 module "github_secrets" {
@@ -349,6 +368,10 @@ module "github_secrets" {
 name = "TF_AZURE_IDENTITY_2_APP_ID"
 value = module.azuread_applications.identity_2.client_id
 },
+ {
+ name = "TF_AZURE_POSTGRES_IDENTITY_APP_ID"
+ value = module.azuread_applications.postgres_identity.client_id
+ },
 {
 name = "TF_AZURE_KEYVAULT_URI"
 value = module.azure_key_vault.vault_uri
diff --git a/terraform/modules/azure/managed_identities/main.tf b/terraform/modules/azure/managed_identities/main.tf
index aaa4d53..73a946b 100644
--- a/terraform/modules/azure/managed_identities/main.tf
+++ b/terraform/modules/azure/managed_identities/main.tf
@@ -17,4 +17,10 @@ resource "azurerm_user_assigned_identity" "keda_identity_2" {
 name = "${var.unique_project_name}-e2e-test-identity-2"
 location = data.azurerm_resource_group.rg.location
 resource_group_name = data.azurerm_resource_group.rg.name
+}
+
+resource "azurerm_user_assigned_identity" "postgres_identity" {
+ name = "${var.unique_project_name}-e2e-test-postgres"
+ location = data.azurerm_resource_group.rg.location
+ resource_group_name = data.azurerm_resource_group.rg.name
 }
\ No newline at end of file
diff --git a/terraform/modules/azure/managed_identities/outputs.tf b/terraform/modules/azure/managed_identities/outputs.tf
index 71bb9ce..919cebf 100644
--- a/terraform/modules/azure/managed_identities/outputs.tf
+++ b/terraform/modules/azure/managed_identities/outputs.tf
@@ -4,4 +4,8 @@ output "identity_1" {
 output "identity_2" {
 value = azurerm_user_assigned_identity.keda_identity_2
+}
+
+output "postgres_identity" {
+ value = azurerm_user_assigned_identity.postgres_identity
 }
\ No newline at end of file
diff --git a/terraform/modules/azure/postgres-flex-server/main.tf b/terraform/modules/azure/postgres-flex-server/main.tf
new file mode 100644
index 0000000..8dd7842
--- /dev/null
+++ b/terraform/modules/azure/postgres-flex-server/main.tf
@@ -0,0 +1,52 @@
+provider "azurerm" {
+ features {}
+ skip_provider_registration = true
+}
+
+locals {
+ postgres_server_name = "${var.unique_project_name}-e2e-postgres"
+}
+
+data "azurerm_resource_group" "rg" {
+ name = var.resource_group_name
+}
+
+resource "azurerm_postgresql_flexible_server" "postgres_flex_server" {
+ name = local.postgres_server_name
+ resource_group_name = data.azurerm_resource_group.rg.name
+ location = data.azurerm_resource_group.rg.location
+
+ authentication {
+ active_directory_auth_enabled = true
+ password_auth_enabled = false
+ tenant_id = var.application_tenant_id
+ }
+
+ version = "14"
+ sku_name = var.postgres_sku_name
+ storage_mb = var.postgres_storage_mb
+ zone = "1"
+
+ tags = var.tags
+}
+
+resource "azurerm_postgresql_flexible_server_active_directory_administrator" "postgres_flex_server_ad_admin_uami" {
+ server_name = azurerm_postgresql_flexible_server.postgres_flex_server.name
+ resource_group_name = data.azurerm_resource_group.rg.name
+ object_id = var.user_managed_identity_pg_ad_admin.principal_id
+ principal_name = var.user_managed_identity_pg_ad_admin.name
+ tenant_id = var.application_tenant_id
+ principal_type = "ServicePrincipal"
+}
+
+resource "azurerm_postgresql_flexible_server_firewall_rule" "postgres_flex_server_fwr_allow_azure" {
+ name = "AllowAllAzure"
+ server_id = azurerm_postgresql_flexible_server.postgres_flex_server.id
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "0.0.0.0"
+}
+
+resource "azurerm_postgresql_flexible_server_database" "postgres_flex_server_db" {
+ name = var.postgres_database_name
+ server_id = azurerm_postgresql_flexible_server.postgres_flex_server.id
+}
\ No newline at end of file
diff --git a/terraform/modules/azure/postgres-flex-server/outputs.tf b/terraform/modules/azure/postgres-flex-server/outputs.tf
new file mode 100644
index 0000000..4401da3
--- /dev/null
+++ b/terraform/modules/azure/postgres-flex-server/outputs.tf
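Review bot: The firewall rule `postgres_flex_server_fwr_allow_azure` uses the 0.0.0.0–0.0.0.0 range, which for Azure PostgreSQL is the sentinel for "allow public access from any Azure service", not just resources in this subscription, so the server's public FQDN is reachable from any Azure-hosted address as soon as a login path exists. If the e2e cluster's egress addresses are known, a rule scoped to them (or private access via VNet integration) would reduce exposure; at minimum a comment above the rule should record the trade-off, e.g. `# 0.0.0.0-0.0.0.0 is Azure's "allow all Azure services" sentinel; it is NOT limited to this subscription`. Separately, `version = "14"` is hard-coded although `postgres_runtime_version` is declared in vars.tf and passed by the root module call in the first hunk of this patch, so that input is silently ignored; `version = var.postgres_runtime_version` would honor it. The `provider "azurerm"` block inside a reusable module is also a legacy pattern that prevents callers from using `count` or `for_each` on the module and is normally left to the root configuration.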
@@ -0,0 +1,3 @@
+output "postgres_flex_server_fqdn" {
+ value = azurerm_postgresql_flexible_server.postgres_flex_server.fqdn
+}
diff --git a/terraform/modules/azure/postgres-flex-server/vars.tf b/terraform/modules/azure/postgres-flex-server/vars.tf
new file mode 100644
index 0000000..dac99ba
--- /dev/null
+++ b/terraform/modules/azure/postgres-flex-server/vars.tf
@@ -0,0 +1,48 @@
+variable "resource_group_name" {
+ type = string
+ description = "Resource group name where event hub will be placed"
+}
+
+variable "unique_project_name" {
+ type = string
+ description = "Value to make unique every resource name generated"
+}
+
+variable "tags" {
+ type = map(any)
+ description = "Tags to apply on resources accepting it"
+}
+
+variable "postgres_runtime_version" {
+ type = string
+ description = "Postgres version to use"
+ default = "14"
+}
+
+variable "postgres_sku_name" {
+ type = string
+ description = "The SKU Name for the PostgreSQL Flexible Server"
+ default = "GP_Standard_D2s_v3"
+}
+
+variable "postgres_storage_mb" {
+ type = number
+ description = "The max storage allowed for the PostgreSQL Flexible Server"
+ default = 32768
+}
+
+variable "postgres_database_name" {
+ type = string
+ description = "Database name to create inside the server"
+ default = "test_db"
+}
+
+variable "user_managed_identity_pg_ad_admin" {
+ type = any
+ description = "User managed identitiy that will be granted admin access on the PostgreSQL Flexible Server"
+}
+
+variable "application_tenant_id" {
+ type = string
+ description = "TenantId of the application"
+}
\ No newline at end of file
From 4a5575ab9c6d71758d27261f975cfa784e893ec3 Mon Sep 17 00:00:00 2001
From: Ferdinand de Baecque <45566171+Ferdinanddb@users.noreply.github.com>
Date: Thu, 30 May 2024 00:04:53 +0200
Subject: [PATCH 2/7] fix typo
Signed-off-by: Ferdinand de Baecque <45566171+Ferdinanddb@users.noreply.github.com>
---
 terraform/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
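Review bot: The description of `resource_group_name` reads `Resource group name where event hub will be placed`, which looks copied from another module and should say `Resource group name where the PostgreSQL Flexible Server will be placed`. The description of `user_managed_identity_pg_ad_admin` has a typo (`identitiy`), and its `type = any` hides that the module reads exactly `.principal_id` and `.name` from it; `type = object({ principal_id = string, name = string })` would validate the input at plan time and document the contract, while still accepting the full identity resource the root passes (extra attributes are dropped by the type conversion). The unused `postgres_runtime_version` input is raised on the module's main.tf hunk.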
diff --git a/terraform/main.tf b/terraform/main.tf
index 49e2843..ece230f 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -268,7 +268,7 @@ module "azure_rabbitmq_app_registration" {
 }
 module "azurerm_postgres_flexible_server" {
- source = "./postgres-flex-server"
+ source = "./modules/azure/postgres-flex-server"
 resource_group_name = var.azure_resource_group_name
 unique_project_name = var.unique_project_name
From a95a3e148bc7723203c0210d0c73ddd8eae04442 Mon Sep 17 00:00:00 2001
From: Ferdinand de Baecque <45566171+Ferdinanddb@users.noreply.github.com>
Date: Thu, 30 May 2024 00:10:42 +0200
Subject: [PATCH 3/7] terraform fmt
Signed-off-by: Ferdinand de Baecque <45566171+Ferdinanddb@users.noreply.github.com>
---
 terraform/modules/azure/postgres-flex-server/main.tf | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/terraform/modules/azure/postgres-flex-server/main.tf b/terraform/modules/azure/postgres-flex-server/main.tf
index 8dd7842..753f209 100644
--- a/terraform/modules/azure/postgres-flex-server/main.tf
+++ b/terraform/modules/azure/postgres-flex-server/main.tf
@@ -15,19 +15,17 @@ resource "azurerm_postgresql_flexible_server" "postgres_flex_server" {
 name = local.postgres_server_name
 resource_group_name = data.azurerm_resource_group.rg.name
 location = data.azurerm_resource_group.rg.location
-
 authentication {
 active_directory_auth_enabled = true
 password_auth_enabled = false
 tenant_id = var.application_tenant_id
 }
-
 version = "14"
 sku_name = var.postgres_sku_name
 storage_mb = var.postgres_storage_mb
 zone = "1"
- tags = var.tags
+ tags = var.tags
 }
 resource "azurerm_postgresql_flexible_server_active_directory_administrator" "postgres_flex_server_ad_admin_uami" {
From d95ff6401392daef263a76ed9a1267550507acf5 Mon Sep 17 00:00:00 2001
From: Ferdinand de Baecque <45566171+Ferdinanddb@users.noreply.github.com>
Date: Fri, 31 May 2024 22:03:03 +0200
Subject: [PATCH 4/7] add support for admin username and password to connect to be able to connect to it and create tables for the e2e test
Signed-off-by: Ferdinand de Baecque <45566171+Ferdinanddb@users.noreply.github.com>
---
 terraform/main.tf | 16 ++++++++++++
 .../azure/postgres-flex-server/main.tf | 26 ++++++++++++++++---
 .../azure/postgres-flex-server/outputs.tf | 12 +++++++++
 3 files changed, 50 insertions(+), 4 deletions(-)
diff --git a/terraform/main.tf b/terraform/main.tf
index ece230f..01bdd58 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -372,6 +372,22 @@ module "github_secrets" {
 name = "TF_AZURE_POSTGRES_IDENTITY_APP_ID"
 value = module.azuread_applications.postgres_identity.client_id
 },
+ {
+ name = "TF_AZURE_POSTGRES_FQDN"
+ value = module.azurerm_postgres_flexible_server.postgres_flex_server_fqdn
+ },
+ {
+ name = "TF_AZURE_POSTGRES_ADMIN_USERNAME"
+ value = module.azurerm_postgres_flexible_server.admin_username
+ },
+ {
+ name = "TF_AZURE_POSTGRES_ADMIN_PASSWORD"
+ value = module.azurerm_postgres_flexible_server.admin_password
+ },
+ {
+ name = "TF_AZURE_POSTGRES_DB_NAME"
+ value = module.azurerm_postgres_flexible_server.postgres_database_name
+ },
 {
 name = "TF_AZURE_KEYVAULT_URI"
 value = module.azure_key_vault.vault_uri
diff --git a/terraform/modules/azure/postgres-flex-server/main.tf b/terraform/modules/azure/postgres-flex-server/main.tf
index 753f209..6e621de 100644
--- a/terraform/modules/azure/postgres-flex-server/main.tf
+++ b/terraform/modules/azure/postgres-flex-server/main.tf
@@ -11,13 +11,31 @@ data "azurerm_resource_group" "rg" {
 name = var.resource_group_name
 }
+resource "random_password" "admin_password" {
+ length = 32
+ special = false
+ min_lower = 1
+ min_numeric = 1
+ min_upper = 1
+}
+
+resource "random_string" "admin_username" {
+ length = 8
+ special = false
+ min_lower = 1
+ min_numeric = 1
+ min_upper = 1
+}
+
 resource "azurerm_postgresql_flexible_server" "postgres_flex_server" {
- name = local.postgres_server_name
- resource_group_name = data.azurerm_resource_group.rg.name
- location = data.azurerm_resource_group.rg.location
+ name = local.postgres_server_name
+ resource_group_name = data.azurerm_resource_group.rg.name
+ location = data.azurerm_resource_group.rg.location
+ administrator_login = random_string.admin_username.result
+ administrator_password = random_password.admin_password.result
 authentication {
 active_directory_auth_enabled = true
- password_auth_enabled = false
+ password_auth_enabled = true
 tenant_id = var.application_tenant_id
 }
 version = "14"
diff --git a/terraform/modules/azure/postgres-flex-server/outputs.tf b/terraform/modules/azure/postgres-flex-server/outputs.tf
index 4401da3..96ecf97 100644
--- a/terraform/modules/azure/postgres-flex-server/outputs.tf
+++ b/terraform/modules/azure/postgres-flex-server/outputs.tf
@@ -1,3 +1,15 @@
 output "postgres_flex_server_fqdn" {
 value = azurerm_postgresql_flexible_server.postgres_flex_server.fqdn
 }
+
+output "admin_username" {
+ value = random_string.admin_username.result
+}
+
+output "admin_password" {
+ value = random_password.admin_password.result
+}
+
+output "postgres_database_name" {
+ value = azurerm_postgresql_flexible_server_database.postgres_flex_server_db.name
+}
From c04738015f2d9656ed6d8f8d01ff1dfd1c781256 Mon Sep 17 00:00:00 2001
From: Ferdinand de Baecque <45566171+Ferdinanddb@users.noreply.github.com>
Date: Sat, 1 Jun 2024 01:07:33 +0200
Subject: [PATCH 5/7] Add secret for UAMI name
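Review bot: Flipping `password_auth_enabled` to `true` widens the server's exposure more than the commit message suggests: together with the module's `AllowAllAzure` firewall rule (0.0.0.0–0.0.0.0, added in the first patch of this series) any Azure-hosted address can now attempt password logins against the public FQDN, whereas Entra-only authentication tied every login to a tenant identity. If the password login exists only so the e2e workflow can create tables, that should be stated on the `authentication` block, e.g. `# password auth is enabled only so the e2e job can create tables; the Entra admin identity is the primary login path`, and the firewall rule kept as narrow as the runner's egress allows. The `random_password` and `random_string` resources have no `keepers`, so the credentials are generated once and persist in state for the life of the server; a comment saying so would save the next maintainer from expecting rotation on re-apply. The enclosing `azurerm_postgresql_flexible_server` resource continues past the end of the hunk.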
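Review bot: `output "admin_password"` should be declared `sensitive = true`; `random_password.result` is marked sensitive by the provider and Terraform propagates that through module outputs, but the explicit flag documents the intent and keeps the value redacted if the output is ever re-exported at the root. The same one-line addition, `sensitive = true`, is reasonable for `output "admin_username"` since it is half of a credential pair. Each new output would also benefit from a `description`, e.g. `description = "Administrator password for the flexible server; generated by random_password and held in Terraform state"`.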
Signed-off-by: Ferdinand de Baecque <45566171+Ferdinanddb@users.noreply.github.com>
---
 terraform/main.tf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/terraform/main.tf b/terraform/main.tf
index 01bdd58..a75fe42 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -372,6 +372,10 @@ module "github_secrets" {
 name = "TF_AZURE_POSTGRES_IDENTITY_APP_ID"
 value = module.azuread_applications.postgres_identity.client_id
 },
+ {
+ name = "TF_AZURE_POSTGRES_IDENTITY_NAME"
+ value = module.azuread_applications.postgres_identity.name
+ },
 {
 name = "TF_AZURE_POSTGRES_FQDN"
 value = module.azurerm_postgres_flexible_server.postgres_flex_server_fqdn
From 2757e6678768d3eb947476c0334ae709750a7b14 Mon Sep 17 00:00:00 2001
From: Ferdinand de Baecque <45566171+Ferdinanddb@users.noreply.github.com>
Date: Tue, 4 Jun 2024 11:04:53 +0200
Subject: [PATCH 6/7] remove postgres identity
Signed-off-by: Ferdinand de Baecque <45566171+Ferdinanddb@users.noreply.github.com>
---
 terraform/main.tf | 20 +++++++------------
 .../modules/azure/managed_identities/main.tf | 6 ------
 .../azure/managed_identities/outputs.tf | 4 ----
 .../azure/postgres-flex-server/outputs.tf | 7 ++++---
 4 files changed, 11 insertions(+), 26 deletions(-)
diff --git a/terraform/main.tf b/terraform/main.tf
index a75fe42..5ffb3fe 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -94,8 +94,7 @@ module "azure_aks_pr" {
 workload_identity_applications = [
 module.azuread_applications.identity_1,
- module.azuread_applications.identity_2,
- module.azuread_applications.postgres_identity
+ module.azuread_applications.identity_2
 ]
 tags = local.tags
@@ -117,8 +116,7 @@ module "azure_aks_nightly" {
 workload_identity_applications = [
 module.azuread_applications.identity_1,
- module.azuread_applications.identity_2,
- module.azuread_applications.postgres_identity
+ module.azuread_applications.identity_2
 ]
 tags = local.tags
@@ -278,7 +276,7 @@ module "azurerm_postgres_flexible_server" {
 postgres_database_name = "test_db"
- user_managed_identity_pg_ad_admin = module.azuread_applications.postgres_identity
+ user_managed_identity_pg_ad_admin = module.azuread_applications.identity_1
 application_tenant_id = data.azurerm_client_config.current.tenant_id
 tags = local.tags
@@ -365,16 +363,12 @@ module "github_secrets" {
 value = module.azuread_applications.identity_1.id
 },
 {
- name = "TF_AZURE_IDENTITY_2_APP_ID"
- value = module.azuread_applications.identity_2.client_id
- },
- {
- name = "TF_AZURE_POSTGRES_IDENTITY_APP_ID"
- value = module.azuread_applications.postgres_identity.client_id
+ name = "TF_AZURE_IDENTITY_1_NAME"
+ value = module.azuread_applications.identity_1.name
 },
 {
- name = "TF_AZURE_POSTGRES_IDENTITY_NAME"
- value = module.azuread_applications.postgres_identity.name
+ name = "TF_AZURE_IDENTITY_2_APP_ID"
+ value = module.azuread_applications.identity_2.client_id
 },
 {
 name = "TF_AZURE_POSTGRES_FQDN"
diff --git a/terraform/modules/azure/managed_identities/main.tf b/terraform/modules/azure/managed_identities/main.tf
index 73a946b..aaa4d53 100644
--- a/terraform/modules/azure/managed_identities/main.tf
+++ b/terraform/modules/azure/managed_identities/main.tf
@@ -17,10 +17,4 @@ resource "azurerm_user_assigned_identity" "keda_identity_2" {
 name = "${var.unique_project_name}-e2e-test-identity-2"
 location = data.azurerm_resource_group.rg.location
 resource_group_name = data.azurerm_resource_group.rg.name
-}
-
-resource "azurerm_user_assigned_identity" "postgres_identity" {
- name = "${var.unique_project_name}-e2e-test-postgres"
- location = data.azurerm_resource_group.rg.location
- resource_group_name = data.azurerm_resource_group.rg.name
 }
\ No newline at end of file
diff --git a/terraform/modules/azure/managed_identities/outputs.tf b/terraform/modules/azure/managed_identities/outputs.tf
index 919cebf..71bb9ce 100644
--- a/terraform/modules/azure/managed_identities/outputs.tf
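Review bot: Pointing `user_managed_identity_pg_ad_admin` at `module.azuread_applications.identity_1` makes the identity that both AKS clusters already trust as a workload identity (the `workload_identity_applications` hunks earlier in this patch) also the Entra administrator of the PostgreSQL server, so any workload federated to identity_1 inherits full administrative control of the database. That is a defensible shortcut for ephemeral e2e infrastructure, but it removes the separation the dedicated `postgres_identity` provided, and the trade-off should be recorded beside the argument, e.g. `# identity_1 doubles as the PG Entra admin; every workload federated to it has server-admin rights`. If the tests only need a database-scoped role, granting identity_1 a role inside the database rather than server administrator would preserve least privilege.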
+++ b/terraform/modules/azure/managed_identities/outputs.tf
@@ -4,8 +4,4 @@ output "identity_1" {
 output "identity_2" {
 value = azurerm_user_assigned_identity.keda_identity_2
-}
-
-output "postgres_identity" {
- value = azurerm_user_assigned_identity.postgres_identity
 }
\ No newline at end of file
diff --git a/terraform/modules/azure/postgres-flex-server/outputs.tf b/terraform/modules/azure/postgres-flex-server/outputs.tf
index 96ecf97..956707c 100644
--- a/terraform/modules/azure/postgres-flex-server/outputs.tf
+++ b/terraform/modules/azure/postgres-flex-server/outputs.tf
@@ -2,6 +2,10 @@ output "postgres_flex_server_fqdn" {
 value = azurerm_postgresql_flexible_server.postgres_flex_server.fqdn
 }
+output "postgres_database_name" {
+ value = azurerm_postgresql_flexible_server_database.postgres_flex_server_db.name
+}
+
 output "admin_username" {
 value = random_string.admin_username.result
 }
@@ -10,6 +14,3 @@ output "admin_password" {
 value = random_password.admin_password.result
 }
-output "postgres_database_name" {
- value = azurerm_postgresql_flexible_server_database.postgres_flex_server_db.name
-}
From da0a7079d1d7ee65e25df6c8d988ec3fb3e78a8b Mon Sep 17 00:00:00 2001
From: Ferdinand de Baecque <45566171+Ferdinanddb@users.noreply.github.com>
Date: Sat, 8 Jun 2024 18:55:06 +0200
Subject: [PATCH 7/7] change sku type for PG server + remove numeric from username
Signed-off-by: Ferdinand de Baecque <45566171+Ferdinanddb@users.noreply.github.com>
---
 terraform/main.tf | 2 +-
 terraform/modules/azure/postgres-flex-server/main.tf | 10 +++++-----
 terraform/modules/azure/postgres-flex-server/vars.tf | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/terraform/main.tf b/terraform/main.tf
index 5ffb3fe..1b5d4a4 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -271,7 +271,7 @@ module "azurerm_postgres_flexible_server" {
 unique_project_name = var.unique_project_name
 postgres_runtime_version = "14"
- postgres_sku_name = "GP_Standard_D2s_v3"
+ postgres_sku_name = "B_Standard_B1ms"
 postgres_storage_mb = 32768
 postgres_database_name = "test_db"
diff --git a/terraform/modules/azure/postgres-flex-server/main.tf b/terraform/modules/azure/postgres-flex-server/main.tf
index 6e621de..b6fe5b8 100644
--- a/terraform/modules/azure/postgres-flex-server/main.tf
+++ b/terraform/modules/azure/postgres-flex-server/main.tf
@@ -20,11 +20,11 @@ resource "random_password" "admin_password" {
 }
 resource "random_string" "admin_username" {
- length = 8
- special = false
- min_lower = 1
- min_numeric = 1
- min_upper = 1
+ length = 8
+ special = false
+ numeric = false
+ min_lower = 1
+ min_upper = 1
 }
 resource "azurerm_postgresql_flexible_server" "postgres_flex_server" {
diff --git a/terraform/modules/azure/postgres-flex-server/vars.tf b/terraform/modules/azure/postgres-flex-server/vars.tf
index dac99ba..7f99c90 100644
--- a/terraform/modules/azure/postgres-flex-server/vars.tf
+++ b/terraform/modules/azure/postgres-flex-server/vars.tf
@@ -22,7 +22,7 @@ variable "postgres_runtime_version" {
 variable "postgres_sku_name" {
 type = string
 description = "The SKU Name for the PostgreSQL Flexible Server"
- default = "GP_Standard_D2s_v3"
+ default = "B_Standard_B1ms"
 }
 variable "postgres_storage_mb" {