Postgresql flexible server private endpoint (#1938)

* feat(postgresql_flexible_servers): add private endpoint * feat(postgresql_flexible_server): add example for private endpoint --------- Co-authored-by: Simon Schneider <[email protected]>
aztfmod · Mar 14, 2024 · 58395fb · 58395fb
1 parent c8322d9
commit 58395fb
Show file tree

Hide file tree

Showing 5 changed files with 177 additions and 6 deletions.
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
@@ -130,6 +130,7 @@
     "postgresql_flexible_server/100-simple-postgresql-flexible",
     "postgresql_flexible_server/101-delegated-subnet-with-fw-rule",
     "postgresql_flexible_server/102-advanced-postgresql-flexible",
+    "postgresql_flexible_server/104-private-endpoint",
     "postgresql_server/100-simple-postgresql",
     "postgresql_server/101-vnet-rule-postgresql",
     "postgresql_server/102-private-endpoint-postgresql",

diff --git a/examples/postgresql_flexible_server/104-private-endpoint/configuration.tfvars b/examples/postgresql_flexible_server/104-private-endpoint/configuration.tfvars
@@ -0,0 +1,143 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "uksouth"
+  }
+}
+
+resource_groups = {
+  postgresql_region1 = {
+    name   = "postgresql-region1"
+    region = "region1"
+  }
+}
+
+postgresql_flexible_servers = {
+  primary_region1 = {
+    name       = "primary-region1"
+    region     = "region1"
+    version    = "12"
+    sku_name   = "MO_Standard_E4s_v3"
+    zone       = 1
+    storage_mb = 131072
+
+    resource_group = {
+      key = "postgresql_region1"
+      # lz_key = ""                           # Set the lz_key if the resource group is remote.
+    }
+
+    # Auto-generated administrator credentials stored in azure keyvault when not set (recommended).
+    # administrator_username  = "postgresqladmin"
+    # administrator_password  = "ComplxP@ssw0rd!"
+    keyvault = {
+      key = "postgresql_region1" # (Required) when auto-generated administrator credentials needed.
+      # lz_key      = ""                      # Set the lz_key if the keyvault is remote.
+    }
+
+    # [Optional] Firewall Rules
+    postgresql_firewall_rules = {
+      postgresql-firewall-rule1 = {
+        name             = "postgresql-firewall-rule1"
+        start_ip_address = "10.0.1.10"
+        end_ip_address   = "10.0.1.11"
+      }
+      postgresql-firewall-rule2 = {
+        name             = "postgresql-firewall-rule2"
+        start_ip_address = "10.0.2.10"
+        end_ip_address   = "10.0.2.11"
+      }
+    }
+
+    # [Optional] Server Configurations
+    postgresql_configurations = {
+      backslash_quote = {
+        name  = "backslash_quote"
+        value = "on"
+      }
+      bgwriter_delay = {
+        name  = "bgwriter_delay"
+        value = "25"
+      }
+    }
+
+
+    postgresql_databases = {
+      sampledb1 = {
+        name = "sampledb1"
+      }
+      sampledb2 = {
+        name        = "sampledb2"
+        passthrough = true
+      }
+    }
+
+    private_endpoints = {
+      pe1 = {
+        name               = "pe1"
+        vnet_key           = "vnet_region1"
+        subnet_key         = "private_endpoints"
+        resource_group_key = "postgresql_region1"
+
+        private_service_connection = {
+          name                 = "pe1"
+          is_manual_connection = false
+          subresource_names    = ["postgresqlServer"]
+        }
+
+        private_dns = {
+          zone_group_name = "postgres"
+          keys            = ["postgres"]
+        }
+      }
+    }
+
+    tags = {
+      segment = "sales"
+    }
+
+  }
+
+}
+
+# Store the postgresql_flexible_server administrator credentials into keyvault if the attribute keyvault{} block is defined.
+keyvaults = {
+  postgresql_region1 = {
+    name                = "akv"
+    resource_group_key  = "postgresql_region1"
+    sku_name            = "standard"
+    soft_delete_enabled = true
+    creation_policies = {
+      logged_in_user = {
+        secret_permissions = ["Set", "Get", "List", "Delete", "Purge"]
+      }
+    }
+  }
+}
+
+## Networking configuration
+vnets = {
+  vnet_region1 = {
+    resource_group_key = "postgresql_region1"
+    region             = "region1"
+
+    vnet = {
+      name          = "postgresql"
+      address_space = ["10.10.0.0/24"]
+    }
+
+    subnets = {
+      private_endpoints = {
+        name                                           = "private-endpoint"
+        cidr                                           = ["10.10.0.0/25"]
+        enforce_private_link_endpoint_network_policies = true
+      }
+    }
+  }
+}
+
+private_dns = {
+  postgres = {
+    name               = "privatelink.postgres.database.azure.com"
+    resource_group_key = "postgresql_region1"
+  }
+}
diff --git a/modules/databases/postgresql_flexible_server/private_endpoint.tf b/modules/databases/postgresql_flexible_server/private_endpoint.tf
@@ -0,0 +1,16 @@
+module "private_endpoint" {
+  source   = "../../networking/private_endpoint"
+  for_each = try(var.private_endpoints, {})
+
+  resource_id         = azurerm_postgresql_flexible_server.postgresql.id
+  name                = each.value.name
+  location            = local.location
+  resource_group_name = local.resource_group_name
+  subnet_id           = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id
+  settings            = each.value
+  global_settings     = var.global_settings
+  base_tags           = var.base_tags
+  tags                = local.tags
+  private_dns         = var.private_dns
+  client_config       = var.client_config
+}
diff --git a/modules/databases/postgresql_flexible_server/variables.tf b/modules/databases/postgresql_flexible_server/variables.tf
@@ -25,4 +25,12 @@ variable "resource_group" {
 variable "base_tags" {
   description = "Base tags for the resource to be inherited from the resource group."
   type        = bool
-}
+}
+
+variable "vnets" {}
+
+variable "private_endpoints" {}
+
+variable "private_dns" {
+  default = {}
+}
diff --git a/postgresql_flexible_servers.tf b/postgresql_flexible_servers.tf
@@ -7,11 +7,14 @@ module "postgresql_flexible_servers" {
   depends_on = [module.keyvaults, module.networking]
   for_each   = local.database.postgresql_flexible_servers
 
-  global_settings = local.global_settings
-  client_config   = local.client_config
-  settings        = each.value
-  resource_group  = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)]
-  base_tags       = local.global_settings.inherit_tags
+  global_settings   = local.global_settings
+  client_config     = local.client_config
+  settings          = each.value
+  resource_group    = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)]
+  base_tags         = local.global_settings.inherit_tags
+  vnets             = local.combined_objects_networking
+  private_endpoints = try(each.value.private_endpoints, {})
+  private_dns       = local.combined_objects_private_dns
 
   remote_objects = {
     subnet_id           = can(each.value.vnet.subnet_key) ? local.combined_objects_networking[try(each.value.vnet.lz_key, local.client_config.landingzone_key)][each.value.vnet.key].subnets[each.value.vnet.subnet_key].id : null