

Add az auth to postgres flexible (#1801)
* Update modules/databases/postgresql_flexible_server/server.tf

* Update modules/databases/postgresql_flexible_server/server.tf

* Fix review

* Fix review

* Update examples/postgresql_flexible_server/103-simple-postgresql-flexible-with-az-auth/configuration.tfvars

---------

Co-authored-by: Arnaud Lheureux <[email protected]>
iSevenBe and arnaudlh authored Sep 29, 2023
1 parent 808b971 commit 56c1c0b
Showing 2 changed files with 119 additions and 0 deletions.
@@ -0,0 +1,110 @@
global_settings = {
default_region = "region1"
regions = {
region1 = "uksouth"
}
}

resource_groups = {
postgresql_region1 = {
name = "postgresql-region1"
region = "region1"
}
security_region1 = {
name = "security-region1"
}
}

postgresql_flexible_servers = {
primary_region1 = {
name = "primary-region1"
region = "region1"
version = "12"
sku_name = "MO_Standard_E4s_v3"
zone = 2
storage_mb = 131072

resource_group = {
key = "postgresql_region1"
# lz_key = "" # Set the lz_key if the resource group is remote.
}

authentication = {
# (Optional) Whether or not Active Directory authentication is allowed to access the PostgreSQL Flexible Server. Defaults to false.
active_directory_auth_enabled = true

# (Optional) Whether or not password authentication is allowed to access the PostgreSQL Flexible Server. Defaults to true.
password_auth_enabled = true

# (Optional) The Tenant ID of the Azure Active Directory which is used by the Active Directory authentication. active_directory_auth_enabled must be set to true.
#tenant_id = "00000-ee35-4265-95f6-46e9a9b4ec96"
}


# Auto-generated administrator credentials stored in azure keyvault when not set (recommended).
# administrator_username = "postgresqladmin"
# administrator_password = "ComplxP@ssw0rd!"
keyvault = {
key = "postgresql_region1" # (Required) when auto-generated administrator credentials needed.
# lz_key = "" # Set the lz_key if the keyvault is remote.
}

# [Optional] Firewall Rules
postgresql_firewall_rules = {
postgresql-firewall-rule1 = {
name = "postgresql-firewall-rule1"
start_ip_address = "10.0.1.10"
end_ip_address = "10.0.1.11"
}
postgresql-firewall-rule2 = {
name = "postgresql-firewall-rule2"
start_ip_address = "10.0.2.10"
end_ip_address = "10.0.2.11"
}
}

# [Optional] Server Configurations
postgresql_configurations = {
backslash_quote = {
name = "backslash_quote"
value = "on"
}
bgwriter_delay = {
name = "bgwriter_delay"
value = "25"
}
}


postgresql_databases = {
sampledb1 = {
name = "sampledb1"
}
sampledb2 = {
name = "sampledb2"
passthrough = true
}
}

tags = {
segment = "sales"
}

}

}

# Store the postgresql_flexible_server administrator credentials into keyvault if the attribute keyvault{} block is defined.
keyvaults = {
postgresql_region1 = {
name = "akv"
resource_group_key = "security_region1"
sku_name = "standard"
soft_delete_enabled = true
creation_policies = {
logged_in_user = {
secret_permissions = ["Set", "Get", "List", "Delete", "Purge"]
}
}
}
}
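Review bot: The commented placeholder on the `tenant_id` line, `"00000-ee35-4265-95f6-46e9a9b4ec96"`, is not GUID-shaped (its first group has five hex digits instead of eight), so a reader who copies the pattern ends up with a value the API will reject; a well-formed, obviously synthetic placeholder such as `#tenant_id = "00000000-0000-0000-0000-000000000000"` (constructed example) avoids that. The example is the "with-az-auth" variant, yet `password_auth_enabled = true` sits next to `active_directory_auth_enabled = true`, so a user following it ends with both credential paths open, which is the weaker posture for a sample whose purpose is Active Directory auth; either show `password_auth_enabled = false` or add a comment stating that both are left enabled on purpose for the demo (and why, if the module's unconditional administrator password prevents disabling it). The file-section header line for this tfvars file is not visible in this view, though the hunk itself is complete.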
9 changes: 9 additions & 0 deletions modules/databases/postgresql_flexible_server/server.tf
Expand Up @@ -27,6 +27,15 @@ resource "azurerm_postgresql_flexible_server" "postgresql" {
administrator_login = try(var.settings.create_mode, "Default") == "Default" ? try(var.settings.administrator_username, "pgadmin") : null
administrator_password = try(var.settings.create_mode, "Default") == "Default" ? try(var.settings.administrator_password, azurerm_key_vault_secret.postgresql_administrator_password.0.value) : null

dynamic "authentication" {
for_each = try(var.settings.authentication, null) == null ? [] : [var.settings.authentication]
content {
active_directory_auth_enabled = try(var.settings.authentication.active_directory_auth_enabled, null)
password_auth_enabled = try(var.settings.authentication.password_auth_enabled, null)
tenant_id = can(var.settings.authentication.tenant_id) ? var.settings.authentication.tenant_id : var.client_config.tenant_id
}
}

backup_retention_days = try(var.settings.backup_retention_days, null)

dynamic "maintenance_window" {
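Review bot: `tenant_id` inside the new `authentication` block is always populated, falling back to `var.client_config.tenant_id`, even when `active_directory_auth_enabled` is unset or false, although the example's own comment says a tenant id requires Active Directory auth to be enabled; a caller who only sets `password_auth_enabled` would therefore send a tenant id the provider may reject (presumably, confirm against the provider). Gating it keeps the block self-consistent: `tenant_id = try(var.settings.authentication.active_directory_auth_enabled, false) ? try(var.settings.authentication.tenant_id, var.client_config.tenant_id) : null`. As a matter of style, the three arguments in the `content` block read `var.settings.authentication.*` directly instead of `authentication.value.*`; the result is the same because `for_each` wraps that very object, but the iterator form is the conventional one for a `dynamic` block. Note also that `administrator_login`/`administrator_password` on the context lines above remain set whenever create_mode is Default, so disabling password auth does not stop the module from generating and storing a password secret; a one-line comment on the dynamic block recording that interaction would help operators. The resource block continues outside the hunk.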
