diff --git a/ops/terraform/main.tf b/ops/terraform/main.tf
index 5bf953cf..0d381b84 100644
--- a/ops/terraform/main.tf
+++ b/ops/terraform/main.tf
@@ -20,6 +20,10 @@ module "networking" {
 middlewaresubnetcidr = local.workspace["middlewaresubnetcidr"]
 dbsubnetcidr = local.workspace["dbsubnetcidr"]
 env = local.environment
+
+ # The DNS zone and DNS link are managed inside the networking module.
+ postgres_server_id = module.database.postgres_server_id
+
 }
 module "securitygroup" {
@@ -69,11 +73,15 @@ module "middleware_api" {
 app_subnet_id = module.networking.middlewaresubnet_id
 app_settings = {
- WEBSITES_PORT = "8081"
+ WEBSITES_PORT = "8081"
+ POSTGRES_HOST = module.database.postgres_fqdn
+ POSTGRES_DB = module.database.postgres_db_name
+ POSTGRES_USER = module.database.postgres_user
+ POSTGRES_PASSWORD = module.vault.postgres_password
 }
 lb_subnet_id = module.networking.lbsubnet_id
- health_path = "/actuator/health"
+ health_path = "/actuator/health"
 env = local.environment
 vnet = module.networking.network_name
 sku_name = var.sku_name
@@ -93,12 +101,12 @@ module "ocr_api" {
 WEBSITES_PORT = "8000"
 }
- lb_subnet_id = module.networking.middlewaresubnet_id
- env = local.environment
- vnet = module.networking.network_name
- sku_name = var.sku_name
- https_only = true
- depends_on = [module.networking.ocrsubnet_id, module.networking.middlewaresubnet_id]
+ lb_subnet_id = module.networking.middlewaresubnet_id
+ env = local.environment
+ vnet = module.networking.network_name
+ sku_name = var.sku_name
+ https_only = true
+ depends_on = [module.networking.ocrsubnet_id, module.networking.middlewaresubnet_id]
 }
 module "ocr_autoscale" {
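Review bot: `POSTGRES_PASSWORD = module.vault.postgres_password` in the middleware_api app_settings hands the database password to App Service as a plain configuration value, so it is readable by anyone with read access to the app's configuration and is persisted in Terraform state, which defeats the purpose of writing the same value into Key Vault in modules/vault/main.tf. The safer wiring is a system-assigned identity on the app with a get permission on the vault and a Key Vault reference in the setting, e.g. `POSTGRES_PASSWORD = "@Microsoft.KeyVault(SecretUri=<vault module output of azurerm_key_vault_secret.postgres_db_password.versionless_id>)"` (the vault module does not yet output that id, so the placeholder would need a new output). Separately, `POSTGRES_DB = module.database.postgres_db_name` now resolves to the flexible server's name (modules/database/outputs.tf in this commit), which is the server, not a database; unless a database with that exact name is created elsewhere the application will fail to connect, so the output should come from an azurerm_postgresql_flexible_server_database resource or the intended database name.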
@@ -117,14 +125,17 @@ module "ocr_autoscale" {
 module "database" {
 source = "./modules/database"
 env = local.environment
+ name = var.name
 resource_group_name = data.azurerm_resource_group.rg.name
- subnet = module.networking.dbsubnet_id
+ db_subnet = module.networking.dbsubnet_id
 private_dns_zone_id = module.networking.private_dns_zone_id
 postgres_password = module.vault.postgres_password # Password from Vault to DB
 }
 module "vault" {
 source = "./modules/vault"
+ env = local.environment
+ name = var.name
 location = data.azurerm_resource_group.rg.location
 resource_group_name = data.azurerm_resource_group.rg.name
 tenant_id = var.tenant_id
diff --git a/ops/terraform/modules/app_service/variables.tf b/ops/terraform/modules/app_service/variables.tf
index 74acc424..1a204d5e 100644
--- a/ops/terraform/modules/app_service/variables.tf
+++ b/ops/terraform/modules/app_service/variables.tf
@@ -9,7 +9,6 @@ variable "sku_name" {
 }
 variable "service" {}
-
 variable "https_only" {
 type = bool
 default = false
@@ -22,4 +21,4 @@ variable "app_settings" {
 }
 variable "health_path" {
 default = "/"
-}
\ No newline at end of file
+}
diff --git a/ops/terraform/modules/database/main.tf b/ops/terraform/modules/database/main.tf
index ce371058..eba5cbc4 100644
--- a/ops/terraform/modules/database/main.tf
+++ b/ops/terraform/modules/database/main.tf
@@ -2,7 +2,7 @@
 # As a result we are using Azure Database for PostgreSQL Flexible Server
 # with granular control, flexibility and better cost optimization.
 resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" {
- name = "reportvisionpostgresql-flexible-server-${var.env}"
+ name = "${var.name}postgresql-fs-${var.env}"
 location = var.location
 resource_group_name = var.resource_group_name
 sku_name = var.postgres_sku_name
@@ -12,14 +12,14 @@ resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" {
 administrator_login = var.db_username
 administrator_password = var.postgres_password
- delegated_subnet_id = var.subnet
+ delegated_subnet_id = var.db_subnet
 private_dns_zone_id = var.private_dns_zone_id
 # Disable Public Network Access
 public_network_access_enabled = false
 lifecycle {
- prevent_destroy = true
+ prevent_destroy = false
 ignore_changes = [zone]
 }
 }
diff --git a/ops/terraform/modules/database/outputs.tf b/ops/terraform/modules/database/outputs.tf
index dcbc9368..95879f07 100644
--- a/ops/terraform/modules/database/outputs.tf
+++ b/ops/terraform/modules/database/outputs.tf
@@ -1,9 +1,9 @@
 output "postgres_server_id" {
- value = azurerm_postgresql_flexible_server.postgres_flexible_server
+ value = azurerm_postgresql_flexible_server.postgres_flexible_server.id
 }
 output "postgres_fqdn" {
- value = azurerm_postgresql_flexible_server.postgres_flexible_server
+ value = azurerm_postgresql_flexible_server.postgres_flexible_server.fqdn
 description = "The fully qualified domain name (FQDN) of the PostgreSQL flexible server"
 }
@@ -12,6 +12,7 @@ output "postgres_user" {
 description = "User name for the Application's PostgreSQL flexible server database"
 }
+
 output "postgres_db_name" {
- value = var.db_username
+ value = azurerm_postgresql_flexible_server.postgres_flexible_server.name
 }
diff --git a/ops/terraform/modules/database/variables.tf b/ops/terraform/modules/database/variables.tf
index 6a81bd7f..583741fe 100644
--- a/ops/terraform/modules/database/variables.tf
+++ b/ops/terraform/modules/database/variables.tf
@@ -15,6 +15,11 @@ variable "location" {
 default = "eastus2"
 }
+variable "name" {
+ type = string
+ description = "The name of the Project"
+}
+
 variable "resource_group_name" {
 type = string
 description = "The Azure Resource Group to deploy to"
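Review bot: `prevent_destroy = false` removes the only guard against `terraform destroy` or a replacement-forcing change deleting the PostgreSQL server and its data, and nothing in the diff explains why; the `name` change in the hunk just above this one already forces a new server, so the first apply of this commit will drop the existing one. If the flag was flipped only to get past that rename, the intent and the plan to re-enable it belong in a comment, e.g. `# prevent_destroy temporarily disabled: the server is being recreated under its new name; restore to true once migrated`. If the goal is to allow teardown of disposable environments, note that lifecycle arguments cannot reference variables, so keeping `prevent_destroy = true` here and handling disposable workspaces with explicit state operations is the usual compromise.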
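Review bot: The new `variable "name"` is interpolated into the flexible server name (`"${var.name}postgresql-fs-${var.env}"` in modules/database/main.tf) and, through the root module, into the Key Vault name `"${var.name}vault${var.env}"` in modules/vault/main.tf, but nothing constrains its format; flexible server names must be lowercase alphanumerics and hyphens, and Key Vault names are limited to 3–24 alphanumerics/hyphens and must be globally unique, so an uppercase or long project name only fails at apply time. A validation block catches that at plan time; the same applies to the untyped `variable "name" {}` added to modules/vault/variables.tf later in this commit. The length bound below is illustrative and should be tightened to whatever leaves the vault name within 24 characters for the longest `env` value.
```hcl
variable "name" {
  type        = string
  description = "The name of the Project"
  validation {
    condition     = can(regex("^[a-z0-9]{3,12}$", var.name))
    error_message = "name must be 3-12 lowercase alphanumeric characters; it is embedded in Azure resource names."
  }
}
```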
@@ -32,7 +37,7 @@ variable "postgres_sku_name" {
 default = "B_Standard_B1ms"
 }
-variable "subnet" {
+variable "db_subnet" {
 type = string
 description = "The subnet ID to associate with the PostgreSQL Flexible Server"
 }
diff --git a/ops/terraform/modules/network/main.tf b/ops/terraform/modules/network/main.tf
index 6ed93f96..c498ef68 100644
--- a/ops/terraform/modules/network/main.tf
+++ b/ops/terraform/modules/network/main.tf
@@ -61,7 +61,6 @@ resource "azurerm_subnet" "middleware-subnet" {
 }
 }
-
 resource "azurerm_subnet" "db-subnet" {
 name = "${var.name}-db-subnet-${var.env}"
 virtual_network_name = azurerm_virtual_network.vnet.name
@@ -69,9 +68,12 @@ resource "azurerm_subnet" "db-subnet" {
 address_prefixes = [var.dbsubnetcidr]
 delegation {
- name = "postgresql-delegation"
+ name = "postgresql-fs-delegation"
 service_delegation {
 name = "Microsoft.DBforPostgreSQL/flexibleServers"
+ actions = [
+ "Microsoft.Network/virtualNetworks/subnets/join/action",
+ ]
 }
 }
 }
@@ -87,4 +89,13 @@ resource "azurerm_private_dns_zone_virtual_network_link" "dns_link" {
 resource_group_name = var.resource_group
 private_dns_zone_name = azurerm_private_dns_zone.postgresql_dns_zone.name
 virtual_network_id = azurerm_virtual_network.vnet.id
+ depends_on = [var.postgres_server_id]
+}
+
+resource "azurerm_postgresql_flexible_server_firewall_rule" "app_service_firewall_rule" {
+ name = "allow-app-service"
+ server_id = var.postgres_server_id
+ start_ip_address = cidrhost(var.middlewaresubnetcidr, 0) # CIDR block start
+ end_ip_address = cidrhost(var.middlewaresubnetcidr, 255) # CIDR block end
 }
+
diff --git a/ops/terraform/modules/network/variables.tf b/ops/terraform/modules/network/variables.tf
index 78d319bb..7a8a63e3 100644
--- a/ops/terraform/modules/network/variables.tf
+++ b/ops/terraform/modules/network/variables.tf
@@ -11,3 +11,6 @@ variable "dbsubnetcidr" {}
 variable "location" {
 default = "eastus2"
 }
+
+variable "postgres_server_id" {
+}
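Review bot: The new `azurerm_postgresql_flexible_server_firewall_rule` is likely either rejected or a no-op: the server in modules/database/main.tf is created with `public_network_access_enabled = false` and a delegated subnet, and flexible-server firewall rules govern only the public endpoint, so as far as I know Azure refuses them on a private-access server, and app traffic arriving through the delegated VNet never consults them. If it is kept, `cidrhost(var.middlewaresubnetcidr, 255)` silently assumes a /24 — on a smaller subnet cidrhost fails at plan time and on a larger one the range under-covers — so derive the last host from the prefix, e.g. `end_ip_address = cidrhost(var.middlewaresubnetcidr, pow(2, 32 - tonumber(split("/", var.middlewaresubnetcidr)[1])) - 1)`. The `depends_on = [var.postgres_server_id]` on dns_link also looks wrong on two counts: depends_on takes static resource or module references and, as far as I recall, rejects input variables, and it inverts the required order, since a flexible server given a `private_dns_zone_id` needs that zone linked to the VNet before the server exists. Dropping the depends_on here and expressing the order at the root with `depends_on = [module.networking]` on `module "database"` keeps the link first without creating a module-level cycle.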
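Review bot: `variable "postgres_server_id" {}` in modules/network/variables.tf is declared with no type or description, unlike the `name` and `db_subnet` variables added to modules/database/variables.tf in the same commit, so a wrong value passed from the root module is only caught when Azure rejects it. `type = string` plus `description = "Resource ID of the PostgreSQL Flexible Server; used by the firewall rule and the DNS link ordering in main.tf"` would let `terraform validate` and module readers catch a mismatch early.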
diff --git a/ops/terraform/modules/vault/main.tf b/ops/terraform/modules/vault/main.tf
index 591c0276..37d0115f 100644
--- a/ops/terraform/modules/vault/main.tf
+++ b/ops/terraform/modules/vault/main.tf
@@ -1,10 +1,11 @@
 resource "azurerm_key_vault" "this" {
- name = "reportvisionvault"
- location = var.location
- resource_group_name = var.resource_group_name
- sku_name = "standard"
- tenant_id = data.azurerm_client_config.current.tenant_id
- purge_protection_enabled = true
+ name = "${var.name}vault${var.env}"
+ location = var.location
+ resource_group_name = var.resource_group_name
+ sku_name = "standard"
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ purge_protection_enabled = false
+ soft_delete_retention_days = 7
 access_policy {
 tenant_id = data.azurerm_client_config.current.tenant_id
@@ -31,8 +32,8 @@ resource "random_string" "postgres_password" {
 override_special = "_!@#-$%^&*()[]{}" # excluded characters
 }
-resource "azurerm_key_vault_secret" "postgres_db_secret" {
- name = "reportvision-postgres-db-password"
+resource "azurerm_key_vault_secret" "postgres_db_password" {
+ name = "${var.name}postgresdb-pwd-${var.env}"
 value = random_string.postgres_password.result
 key_vault_id = azurerm_key_vault.this.id
diff --git a/ops/terraform/modules/vault/outputs.tf b/ops/terraform/modules/vault/outputs.tf
index afc86b67..f1cb5e1c 100644
--- a/ops/terraform/modules/vault/outputs.tf
+++ b/ops/terraform/modules/vault/outputs.tf
@@ -1,4 +1,5 @@
 output "postgres_password" {
- value = random_string.postgres_password.result
- sensitive = true
+ value = random_string.postgres_password.result
+ sensitive = true
+ description = "The randomly generated password for the PostgreSQL database"
 }
diff --git a/ops/terraform/modules/vault/variables.tf b/ops/terraform/modules/vault/variables.tf
index 7738ce02..0fbb513c 100644
--- a/ops/terraform/modules/vault/variables.tf
+++ b/ops/terraform/modules/vault/variables.tf
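Review bot: `purge_protection_enabled = false` combined with `soft_delete_retention_days = 7` means the vault holding the only stored copy of the generated PostgreSQL password can be permanently purged within a week, and with providers.tf reduced to `features {}` later in this commit the azurerm provider's default `purge_soft_delete_on_destroy` (true in current provider versions, as far as I know) purges it immediately on `terraform destroy`. After a purge the password survives only in Terraform state, so anyone recovering the environment has to rotate it. If this is intended for disposable dev/test environments, make it conditional rather than global, e.g. `purge_protection_enabled = var.env == "prod"` (this is a resource argument, so an expression is allowed here, unlike in lifecycle blocks), and add a comment stating why protection is off elsewhere.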
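Review bot: The renamed secret `postgres_db_password` still takes its value from `random_string.postgres_password.result`, which is not a sensitive attribute, so the generated password is printed in plan/apply output — and any CI log that captures it — every time the secret or the server is created or replaced, which the renames in this commit trigger. `random_password` accepts the same arguments (`length`, `special`, `override_special`, …) but marks `result` sensitive; switching the resource type in the block just above this hunk and updating the two references here and in outputs.tf keeps the value out of logs. Note that a type change cannot be expressed with a `moved` block, so it would regenerate the password once.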
@@ -1,5 +1,7 @@
 variable "client_id" {}
+variable "env" {}
 variable "location" {}
+variable "name" {}
 variable "object_id" {
 type = string
 }
diff --git a/ops/terraform/providers.tf b/ops/terraform/providers.tf
index 8a7fb866..af5f3ead 100644
--- a/ops/terraform/providers.tf
+++ b/ops/terraform/providers.tf
@@ -19,11 +19,6 @@ terraform {
 }
 provider "azurerm" {
- features {
- key_vault {
- purge_soft_delete_on_destroy = true
- recover_soft_deleted_key_vaults = true
- }
- }
+ features {}
 }
diff --git a/ops/terraform/variables.tf b/ops/terraform/variables.tf
index 05b57c5b..dd8ccc1e 100644
--- a/ops/terraform/variables.tf
+++ b/ops/terraform/variables.tf
@@ -2,11 +2,14 @@ variable "client_id" {}
 variable "name" {}
 variable "object_id" {}
 variable "tenant_id" {}
+
 variable "sku_name" {
 type = string
 description = "The Azure Stock Keep Unit (SKU) version"
 }
+
 variable "subscription_id" {}
+
 variable "resource_group_name" {
 description = "value of the Azure resource group to deploy to"
 }