Add lock to PostgreSQL flexible server module (#238)

pagopa · Feb 5, 2025 · 00fccad · 00fccad
1 parent e7a44b0
commit 00fccad
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 0 deletions.
diff --git a/.changeset/khaki-pumas-jog.md b/.changeset/khaki-pumas-jog.md
@@ -0,0 +1,5 @@
+---
+"azure_postgres_server": minor
+---
+
+Added lock resource
diff --git a/infra/modules/azure_postgres_server/README.md b/infra/modules/azure_postgres_server/README.md
@@ -18,6 +18,7 @@
 
 | Name | Type |
 |------|------|
+| [azurerm_management_lock.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_lock) | resource |
 | [azurerm_monitor_diagnostic_setting.replica](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
 | [azurerm_monitor_diagnostic_setting.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
 | [azurerm_monitor_metric_alert.replica](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
@@ -43,6 +44,7 @@
 | <a name="input_db_version"></a> [db\_version](#input\_db\_version) | The version of PostgreSQL Flexible Server to use. Possible values are 11, 12, 13, 14, 15 and 16 | `string` | `"16"` | no |
 | <a name="input_default_metric_alerts"></a> [default\_metric\_alerts](#input\_default\_metric\_alerts) | Map of name = criteria objects | <pre>map(object({<br/>    # criteria.*.aggregation to be one of [Average Count Minimum Maximum Total]<br/>    aggregation = string<br/>    metric_name = string<br/>    # "Insights.Container/pods" "Insights.Container/nodes"<br/>    metric_namespace = string<br/>    # criteria.0.operator to be one of [Equals NotEquals GreaterThan GreaterThanOrEqual LessThan LessThanOrEqual]<br/>    operator  = string<br/>    threshold = number<br/>    # Possible values are PT1M, PT5M, PT15M, PT30M and PT1H<br/>    frequency = string<br/>    # Possible values are PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H and P1D.<br/>    window_size = string<br/>    # severity: The severity of this Metric Alert. Possible values are 0, 1, 2, 3 and 4. Defaults to 3.<br/>    severity = number<br/>  }))</pre> | <pre>{<br/>  "active_connections": {<br/>    "aggregation": "Average",<br/>    "frequency": "PT5M",<br/>    "metric_name": "active_connections",<br/>    "metric_namespace": "Microsoft.DBforPostgreSQL/flexibleServers",<br/>    "operator": "GreaterThan",<br/>    "severity": 2,<br/>    "threshold": 80,<br/>    "window_size": "PT30M"<br/>  },<br/>  "connections_failed": {<br/>    "aggregation": "Total",<br/>    "frequency": "PT5M",<br/>    "metric_name": "connections_failed",<br/>    "metric_namespace": "Microsoft.DBforPostgreSQL/flexibleServers",<br/>    "operator": "GreaterThan",<br/>    "severity": 2,<br/>    "threshold": 80,<br/>    "window_size": "PT30M"<br/>  },<br/>  "cpu_percent": {<br/>    "aggregation": "Average",<br/>    "frequency": "PT5M",<br/>    "metric_name": "cpu_percent",<br/>    "metric_namespace": "Microsoft.DBforPostgreSQL/flexibleServers",<br/>    "operator": "GreaterThan",<br/>    "severity": 2,<br/>    "threshold": 80,<br/>    "window_size": "PT30M"<br/>  },<br/>  "memory_percent": {<br/>    "aggregation": "Average",<br/>    "frequency": "PT5M",<br/>    "metric_name": "memory_percent",<br/>    "metric_namespace": "Microsoft.DBforPostgreSQL/flexibleServers",<br/>    "operator": "GreaterThan",<br/>    "severity": 2,<br/>    "threshold": 80,<br/>    "window_size": "PT30M"<br/>  },<br/>  "storage_percent": {<br/>    "aggregation": "Average",<br/>    "frequency": "PT5M",<br/>    "metric_name": "storage_percent",<br/>    "metric_namespace": "Microsoft.DBforPostgreSQL/flexibleServers",<br/>    "operator": "GreaterThan",<br/>    "severity": 2,<br/>    "threshold": 80,<br/>    "window_size": "PT30M"<br/>  }<br/>}</pre> | no |
 | <a name="input_diagnostic_settings"></a> [diagnostic\_settings](#input\_diagnostic\_settings) | Define if diagnostic settings should be enabled.<br/>if it is:<br/>Specifies the ID of a Log Analytics Workspace where Diagnostics Data should be sent and <br/>the ID of the Storage Account where logs should be sent. (Changing this forces a new resource to be created) | <pre>object({<br/>    enabled                                   = bool<br/>    log_analytics_workspace_id                = string<br/>    diagnostic_setting_destination_storage_id = string<br/>  })</pre> | <pre>{<br/>  "diagnostic_setting_destination_storage_id": null,<br/>  "enabled": false,<br/>  "log_analytics_workspace_id": null<br/>}</pre> | no |
+| <a name="input_enable_lock"></a> [enable\_lock](#input\_enable\_lock) | Define if lock should be enabled. | `bool` | `true` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Values which are used to generate resource names and location short names. They are all mandatory except for domain, which should not be used only in the case of a resource used by multiple domains. | <pre>object({<br/>    prefix          = string<br/>    env_short       = string<br/>    location        = string<br/>    domain          = optional(string)<br/>    app_name        = string<br/>    instance_number = string<br/>  })</pre> | n/a | yes |
 | <a name="input_pgbouncer_enabled"></a> [pgbouncer\_enabled](#input\_pgbouncer\_enabled) | Is PgBouncer enabled into configurations? | `bool` | `true` | no |
 | <a name="input_private_dns_zone_resource_group_name"></a> [private\_dns\_zone\_resource\_group\_name](#input\_private\_dns\_zone\_resource\_group\_name) | Resource group of the private DNS zone | `string` | n/a | yes |

diff --git a/infra/modules/azure_postgres_server/main.tf b/infra/modules/azure_postgres_server/main.tf
@@ -82,3 +82,11 @@ resource "azurerm_postgresql_flexible_server_configuration" "pgbouncer" {
   server_id = azurerm_postgresql_flexible_server.this.id
   value     = "true"
 }
+
+resource "azurerm_management_lock" "this" {
+  count      = var.enable_lock ? 1 : 0
+  name       = azurerm_postgresql_flexible_server.this.name
+  scope      = azurerm_postgresql_flexible_server.this.id
+  lock_level = "CanNotDelete"
+  notes      = "Locked via Terraform"
+}
diff --git a/infra/modules/azure_postgres_server/variables.tf b/infra/modules/azure_postgres_server/variables.tf
@@ -261,4 +261,10 @@ variable "diagnostic_settings" {
     )
     error_message = "log_analytics_workspace_id and diagnostic_setting_destination_storage_id are mandatory if diagnostic is enabled."
   }
+}
+
+variable "enable_lock" {
+  type        = bool
+  default     = true
+  description = "Define if lock should be enabled."
 }
diff --git a/yarn.lock b/yarn.lock
@@ -4405,6 +4405,12 @@ __metadata:
   languageName: unknown
   linkType: soft
 
+"azure_repo_starter_pack@workspace:infra/modules/azure_github_environment_bootstrap":
+  version: 0.0.0-use.local
+  resolution: "azure_repo_starter_pack@workspace:infra/modules/azure_github_environment_bootstrap"
+  languageName: unknown
+  linkType: soft
+
 "azure_role_assignments@workspace:infra/modules/azure_role_assignments":
   version: 0.0.0-use.local
   resolution: "azure_role_assignments@workspace:infra/modules/azure_role_assignments"