Merge pull request #1 from truefoundry/db-updates

Updated postgres module version
truefoundry · Jul 28, 2023 · e550de7 · e550de7
2 parents be17782 + 0adc5d9
commit e550de7
Show file tree

Hide file tree

Showing 7 changed files with 203 additions and 56 deletions.
diff --git a/README.md b/README.md
@@ -1,2 +1,85 @@
 # terraform-azure-truefoundry-control-plane
 Truefoundry Azure Control Plane Module
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | n/a |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_container_registry.svcfoundry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry) | resource |
+| [azurerm_federated_identity_credential.mlfoundry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource |
+| [azurerm_federated_identity_credential.svcfoundry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource |
+| [azurerm_key_vault.akv_svcfoundry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) | resource |
+| [azurerm_postgresql_flexible_server.postgresql_flexible](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_flexible_server) | resource |
+| [azurerm_postgresql_flexible_server_configuration.postgres_flexible_configuration](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_flexible_server_configuration) | resource |
+| [azurerm_postgresql_flexible_server_database.postgresql_flexible_database](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_flexible_server_database) | resource |
+| [azurerm_postgresql_flexible_server_firewall_rule.postgres_flexible_firewall_rule](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_flexible_server_firewall_rule) | resource |
+| [azurerm_role_assignment.acr_svcfoundry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.mlfoundry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.storage_svcfoundry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_storage_account.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource |
+| [azurerm_storage_container.truefoundry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
+| [azurerm_subnet.postgresql_flexible_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
+| [azurerm_user_assigned_identity.mlfoundry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_user_assigned_identity.svcfoundry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [random_password.truefoundry_db_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cluster_oidc_url"></a> [cluster\_oidc\_url](#input\_cluster\_oidc\_url) | OIDC url for the cluster to create federated credential for | `string` | n/a | yes |
+| <a name="input_create_acr"></a> [create\_acr](#input\_create\_acr) | Create acr | `bool` | `false` | no |
+| <a name="input_create_blob_storage"></a> [create\_blob\_storage](#input\_create\_blob\_storage) | Create blob storage | `bool` | `false` | no |
+| <a name="input_create_db"></a> [create\_db](#input\_create\_db) | Create postgres flexible server database or not | `bool` | `true` | no |
+| <a name="input_create_kv"></a> [create\_kv](#input\_create\_kv) | Create kv | `bool` | `false` | no |
+| <a name="input_database_name"></a> [database\_name](#input\_database\_name) | Name of the database in postgres | `string` | `"truefoundry"` | no |
+| <a name="input_location"></a> [location](#input\_location) | Location of the resource group | `string` | n/a | yes |
+| <a name="input_mlfoundry_namespace"></a> [mlfoundry\_namespace](#input\_mlfoundry\_namespace) | Name of the mlfoundry namespace | `string` | `"truefoundry"` | no |
+| <a name="input_mlfoundry_svc_acc"></a> [mlfoundry\_svc\_acc](#input\_mlfoundry\_svc\_acc) | Name of the mlfoundry service account | `string` | `"mlfoundry-server"` | no |
+| <a name="input_postgres_version"></a> [postgres\_version](#input\_postgres\_version) | PostgreSQL version | `string` | `"13"` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the resource group | `string` | n/a | yes |
+| <a name="input_svcfoundry_namespace"></a> [svcfoundry\_namespace](#input\_svcfoundry\_namespace) | Name of the svcfoundry namespace | `string` | `"truefoundry"` | no |
+| <a name="input_svcfoundry_svc_acc"></a> [svcfoundry\_svc\_acc](#input\_svcfoundry\_svc\_acc) | Name of the svcfoundry service account | `string` | `"servicefoundry-server"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags common to all the resources created | `map(string)` | `{}` | no |
+| <a name="input_truefoundry_db_allocated_storage"></a> [truefoundry\_db\_allocated\_storage](#input\_truefoundry\_db\_allocated\_storage) | Storage for DB | `number` | n/a | yes |
+| <a name="input_truefoundry_db_enable_override"></a> [truefoundry\_db\_enable\_override](#input\_truefoundry\_db\_enable\_override) | Truefoundry db name override to be enabled | `bool` | `false` | no |
+| <a name="input_truefoundry_db_instance_class"></a> [truefoundry\_db\_instance\_class](#input\_truefoundry\_db\_instance\_class) | Instance class for DB | `string` | n/a | yes |
+| <a name="input_truefoundry_db_override_name"></a> [truefoundry\_db\_override\_name](#input\_truefoundry\_db\_override\_name) | Truefoundry db name override | `string` | n/a | yes |
+| <a name="input_truefoundry_db_private_dns_zone_id"></a> [truefoundry\_db\_private\_dns\_zone\_id](#input\_truefoundry\_db\_private\_dns\_zone\_id) | Private DNS zone ID | `string` | n/a | yes |
+| <a name="input_truefoundry_db_subnet_cidr"></a> [truefoundry\_db\_subnet\_cidr](#input\_truefoundry\_db\_subnet\_cidr) | CIDR of the subnet which we should use for the db | `string` | n/a | yes |
+| <a name="input_truefoundry_db_subnet_id"></a> [truefoundry\_db\_subnet\_id](#input\_truefoundry\_db\_subnet\_id) | Subnet ID where truefoundry database is hosted | `bool` | `""` | no |
+| <a name="input_truefoundry_db_subnet_shim"></a> [truefoundry\_db\_subnet\_shim](#input\_truefoundry\_db\_subnet\_shim) | DB subnet shim | `bool` | n/a | yes |
+| <a name="input_truefoundry_db_vnet_name"></a> [truefoundry\_db\_vnet\_name](#input\_truefoundry\_db\_vnet\_name) | Name of the virtual network | `string` | n/a | yes |
+| <a name="input_unique_name"></a> [unique\_name](#input\_unique\_name) | Truefoundry deployment unique name | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_mlfoundry_identity_client_id"></a> [mlfoundry\_identity\_client\_id](#output\_mlfoundry\_identity\_client\_id) | n/a |
+| <a name="output_svcfoundry_identity_client_id"></a> [svcfoundry\_identity\_client\_id](#output\_svcfoundry\_identity\_client\_id) | n/a |
+| <a name="output_truefoundry_db_fqdn"></a> [truefoundry\_db\_fqdn](#output\_truefoundry\_db\_fqdn) | n/a |
+| <a name="output_truefoundry_db_name"></a> [truefoundry\_db\_name](#output\_truefoundry\_db\_name) | n/a |
+| <a name="output_truefoundry_db_password"></a> [truefoundry\_db\_password](#output\_truefoundry\_db\_password) | n/a |
+| <a name="output_truefoundry_db_port"></a> [truefoundry\_db\_port](#output\_truefoundry\_db\_port) | n/a |
+| <a name="output_truefoundry_db_subnet_id"></a> [truefoundry\_db\_subnet\_id](#output\_truefoundry\_db\_subnet\_id) | n/a |
+| <a name="output_truefoundry_db_username"></a> [truefoundry\_db\_username](#output\_truefoundry\_db\_username) | n/a |
+| <a name="output_truefoundry_storage_container_id"></a> [truefoundry\_storage\_container\_id](#output\_truefoundry\_storage\_container\_id) | n/a |
+<!-- END_TF_DOCS -->
diff --git a/locals.tf b/locals.tf
@@ -9,7 +9,7 @@ locals {
 
   tags = merge(
     {
-      "terraform-module" = "terraform-azc-truefoundry"
+      "terraform-module" = "terraform-truefoundry-control-plane"
       "terraform"        = "true"
     },
     var.tags

diff --git a/outputs.tf b/outputs.tf
@@ -1,24 +1,28 @@
 output "truefoundry_db_name" {
-  value = var.create_db == true ? module.postgresql-db[0].server_name : "dummy"
+  value = var.create_db == true ? var.database_name : "dummy"
 }
 
-output "truefoundry_db_endpoint" {
-  value = var.create_db == true ? module.postgresql-db[0].server_fqdn : "dummy"
-}
-
-output "truefoundry_db_private_ip" {
-  value = var.create_db == true ? resource.azurerm_private_endpoint.postgresql_private_connection[0].private_service_connection[0].private_ip_address : "dummy"
+output "truefoundry_db_fqdn" {
+  value = var.create_db == true ? resource.azurerm_postgresql_flexible_server.postgresql_flexible[0].fqdn : "dummy"
 }
 
 output "truefoundry_db_password" {
-  value     = var.create_db == true ? module.postgresql-db[0].administrator_password : "dummy"
+  value     = var.create_db == true ? random_password.truefoundry_db_password.result : "dummy"
   sensitive = true
 }
 
+output "truefoundry_db_username" {
+  value = var.create_db == true ? local.truefoundry_db_master_username : "dummy"
+}
+
 output "truefoundry_db_port" {
   value = "5432"
 }
 
+output "truefoundry_db_subnet_id" {
+  value = var.create_db == true ? azurerm_subnet.postgresql_flexible_subnet.id : "dummy"
+}
+
 output "truefoundry_storage_container_id" {
   value = var.create_blob_storage == true ? azurerm_storage_container.truefoundry[0].id : "dummy"
 }

diff --git a/postgres.tf b/postgres.tf
@@ -1,41 +1,69 @@
 resource "random_password" "truefoundry_db_password" {
   length           = 24
   special          = true
-  override_special = "!#$%&*()-_=+[]{}<>:?"
+  override_special = "!#()-_=+[]:?"
 }
 
-module "postgresql-db" {
-  count                            = var.create_db == true ? 1 : 0
-  source                           = "Azure/postgresql/azurerm"
-  version                          = "3.0.0"
-  server_name                      = var.truefoundry_db_enable_override ? var.truefoundry_db_override_name : "${var.unique_name}-db"
-  sku_name                         = var.truefoundry_db_instance_class
-  location                         = var.location
-  resource_group_name              = var.resource_group_name
-  storage_mb                       = var.truefoundry_db_allocated_storage
-  backup_retention_days            = 7
-  geo_redundant_backup_enabled     = false
-  administrator_login              = local.truefoundry_db_master_username
-  administrator_password           = random_password.truefoundry_db_password.result
-  server_version                   = "11"
-  ssl_enforcement_enabled          = false
-  ssl_minimal_tls_version_enforced = "TLSEnforcementDisabled"
-  db_names                         = ["truefoundry"]
-  tags                             = local.tags
-  public_network_access_enabled    = false
+resource "azurerm_subnet" "postgresql_flexible_subnet" {
+  count                = var.create_db ? var.truefoundry_db_subnet_shim ? 0 : 1 : 0
+  name                 = "${var.unique_name}-postgres-subnet"
+  resource_group_name  = var.resource_group_name
+  virtual_network_name = var.truefoundry_db_vnet_name
+  address_prefixes     = [var.truefoundry_db_subnet_cidr]
+  service_endpoints    = ["Microsoft.Sql"]
+  delegation {
+    name = "fs"
+    service_delegation {
+      name = "Microsoft.DBforPostgreSQL/flexibleServers"
+      actions = [
+        "Microsoft.Network/virtualNetworks/subnets/join/action",
+      ]
+    }
+  }
 }
 
-resource "azurerm_private_endpoint" "postgresql_private_connection" {
-  count               = var.create_db == true ? 1 : 0
-  name                = "${var.unique_name}-db-private-endpoint"
-  location            = var.location
+resource "azurerm_postgresql_flexible_server" "postgresql_flexible" {
+  count               = var.create_db ? 1 : 0
+  name                = var.truefoundry_db_enable_override ? var.truefoundry_db_override_name : "${var.unique_name}-psql"
   resource_group_name = var.resource_group_name
-  subnet_id           = var.truefoundry_db_subnet_id
-
-  private_service_connection {
-    name                           = "${var.unique_name}-db-private-connection"
-    private_connection_resource_id = module.postgresql-db[0].server_id
-    is_manual_connection           = false
-    subresource_names              = ["postgresqlServer"]
+  location            = var.location
+  version             = var.postgres_version
+  authentication {
+    password_auth_enabled = true
+  }
+  administrator_login    = local.truefoundry_db_master_username
+  administrator_password = random_password.truefoundry_db_password.result
+  delegated_subnet_id    = var.truefoundry_db_subnet_shim ? var.truefoundry_db_subnet_id : azurerm_subnet.postgresql_flexible_subnet[0].id
+  private_dns_zone_id    = var.truefoundry_db_private_dns_zone_id
+  zone                   = "3"
+  high_availability {
+    mode                      = "SameZone"
+    standby_availability_zone = "3"
   }
+  backup_retention_days = 14
+  storage_mb            = var.truefoundry_db_allocated_storage
+  sku_name              = var.truefoundry_db_instance_class
+  tags                  = local.tags
+}
+
+resource "azurerm_postgresql_flexible_server_database" "postgresql_flexible_database" {
+  count     = var.create_db ? 1 : 0
+  name      = var.database_name
+  server_id = azurerm_postgresql_flexible_server.postgresql_flexible[0].id
+  collation = "en_US.utf8"
+  charset   = "utf8"
+}
+resource "azurerm_postgresql_flexible_server_configuration" "postgres_flexible_configuration" {
+  count     = var.create_db ? 1 : 0
+  name      = "require_secure_transport"
+  server_id = azurerm_postgresql_flexible_server.postgresql_flexible[0].id
+  value     = "OFF"
+}
+
+resource "azurerm_postgresql_flexible_server_firewall_rule" "postgres_flexible_firewall_rule" {
+  count            = var.create_db ? 1 : 0
+  name             = "postgres-flexible-firewall-rule"
+  server_id        = azurerm_postgresql_flexible_server.postgresql_flexible[0].id
+  start_ip_address = var.truefoundry_db_allowed_ip_range_start_ip_address
+  end_ip_address   = var.truefoundry_db_allowed_ip_range_end_ip_address
 }
diff --git a/providers.tf b/providers.tf
diff --git a/storage.tf b/storage.tf
@@ -5,6 +5,15 @@ resource "azurerm_storage_account" "this" {
   location                 = var.location
   account_tier             = "Standard"
   account_replication_type = "LRS"
+  blob_properties {
+    cors_rule {
+      allowed_headers    = ["*"]
+      allowed_methods    = ["GET", "POST", "PUT"]
+      allowed_origins    = ["*"]
+      exposed_headers    = ["Etag"]
+      max_age_in_seconds = 3000
+    }
+  }
 
   tags = local.tags
 }

diff --git a/variables.tf b/variables.tf
@@ -38,8 +38,20 @@ variable "cluster_oidc_url" {
 
 variable "create_db" {
   type        = bool
-  description = "Create db"
-  default     = false
+  description = "Create postgres flexible server database or not"
+  default     = true
+}
+
+variable "postgres_version" {
+  default     = "13"
+  description = "PostgreSQL version"
+  type        = string
+}
+
+variable "database_name" {
+  type        = string
+  description = "Name of the database in postgres"
+  default     = "truefoundry"
 }
 
 variable "truefoundry_db_enable_override" {
@@ -59,13 +71,36 @@ variable "truefoundry_db_instance_class" {
 }
 
 variable "truefoundry_db_allocated_storage" {
-  type        = string
+  type        = number
   description = "Storage for DB"
 }
 
+### Database subnet SHIM
+variable "truefoundry_db_subnet_shim" {
+  type        = bool
+  description = "DB subnet shim"
+}
+
 variable "truefoundry_db_subnet_id" {
+  type        = bool
+  description = "Subnet ID where truefoundry database is hosted"
+  default     = ""
+}
+
+#### Network
+variable "truefoundry_db_vnet_name" {
+  description = "Name of the virtual network"
   type        = string
-  description = "ID of the subnet which the db should use"
+}
+
+variable "truefoundry_db_subnet_cidr" {
+  type        = string
+  description = "CIDR of the subnet which we should use for the db"
+}
+
+variable "truefoundry_db_private_dns_zone_id" {
+  type = string
+  description = "Private DNS zone ID"
 }
 
 #### Azure Container Repository