feat(azurerm_postgresql_flexible_server): add Entra ID administrator (#…

…1903) * feat(azurerm_postgresql_flexible_server): aad adminstrator * feat(azurerm_postgresql_flexible_server): aad admin fixes - remove duplicated authentication block - set administrator login and password to null when password_auth_enabled is false - add managed identity as aad admin --------- Co-authored-by: Simon Schneider <[email protected]>
aztfmod · Mar 14, 2024 · e542183 · e542183
1 parent 58395fb
commit e542183
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 5 deletions.
diff --git a/...stgresql_flexible_server/103-simple-postgresql-flexible-with-az-auth/configuration.tfvars b/...stgresql_flexible_server/103-simple-postgresql-flexible-with-az-auth/configuration.tfvars
@@ -38,8 +38,15 @@ postgresql_flexible_servers = {
 
       # (Optional) The Tenant ID of the Azure Active Directory which is used by the Active Directory authentication. active_directory_auth_enabled must be set to true.
       #tenant_id = "00000-ee35-4265-95f6-46e9a9b4ec96"
-    }
 
+      active_directory_administrators = {
+        test_client = {
+          object_key     = "sp1"
+          principal_name = "testclient"
+          principal_type = "ServicePrincipal"
+        }
+      }
+    }
 
     # Auto-generated administrator credentials stored in azure keyvault when not set (recommended).
     # administrator_username  = "postgresqladmin"
@@ -108,3 +115,18 @@ keyvaults = {
     }
   }
 }
+
+azuread_applications = {
+  test_client = {
+    useprefix        = true
+    application_name = "test-client"
+  }
+}
+
+azuread_service_principals = {
+  sp1 = {
+    azuread_application = {
+      key = "test_client"
+    }
+  }
+}
diff --git a/modules/databases/postgresql_flexible_server/server.tf b/modules/databases/postgresql_flexible_server/server.tf
@@ -24,8 +24,8 @@ resource "azurerm_postgresql_flexible_server" "postgresql" {
   point_in_time_restore_time_in_utc = try(var.settings.create_mode, "PointInTimeRestore") == "PointInTimeRestore" ? try(var.settings.point_in_time_restore_time_in_utc, null) : null
   source_server_id                  = try(var.settings.create_mode, "PointInTimeRestore") == "PointInTimeRestore" ? try(var.settings.source_server_id, null) : null
 
-  administrator_login    = try(var.settings.create_mode, "Default") == "Default" ? try(var.settings.administrator_username, "pgadmin") : null
-  administrator_password = try(var.settings.create_mode, "Default") == "Default" ? try(var.settings.administrator_password, azurerm_key_vault_secret.postgresql_administrator_password.0.value) : null
+  administrator_login    = try(var.settings.create_mode, "Default") == "Default" && try(var.settings.authentication.password_auth_enabled, true) ? try(var.settings.administrator_username, "pgadmin") : null
+  administrator_password = try(var.settings.create_mode, "Default") == "Default" && try(var.settings.authentication.password_auth_enabled, true) ? try(var.settings.administrator_password, azurerm_key_vault_secret.postgresql_administrator_password.0.value) : null
 
   dynamic "authentication" {
     for_each = try(var.settings.authentication, null) == null ? [] : [var.settings.authentication]
@@ -115,4 +115,19 @@ resource "azurerm_key_vault_secret" "postgresql_fqdn" {
   name         = format("%s-fqdn", azurecaf_name.postgresql_flexible_server.result)
   value        = azurerm_postgresql_flexible_server.postgresql.fqdn
   key_vault_id = var.remote_objects.keyvault_id
-}
+}
+
+resource "azurerm_postgresql_flexible_server_active_directory_administrator" "administrator" {
+  for_each            = try(var.settings.authentication.active_directory_administrators, {})
+  server_name         = azurerm_postgresql_flexible_server.postgresql.name
+  resource_group_name = local.resource_group_name
+  tenant_id           = try(var.settings.authentication.tenant_id, var.client_config.tenant_id)
+  object_id = can(each.value.object_id) ? each.value.object_id : (
+    each.value.principal_type == "ServicePrincipal" ? var.remote_objects.service_principals[try(each.value.object_lz_key, var.client_config.landingzone_key)][each.value.object_key].object_id :
+    each.value.principal_type == "Group" ? var.remote_objects.azuread_groups[try(each.value.object_lz_key, var.client_config.landingzone_key)][each.value.object_key].object_id :
+    each.value.principal_type == "User" ? var.remote_objects.azuread_users[try(each.value.object_lz_key, var.client_config.landingzone_key)][each.value.object_key].object_id :
+    each.value.principal_type == "ManagedIdentity" ? var.remote_objects.managed_identities[try(each.value.object_lz_key, var.client_config.landingzone_key)][each.value.object_key].principal_id : null
+  )
+  principal_name = each.value.principal_name
+  principal_type = each.value.principal_type == "ManagedIdentity" ? "ServicePrincipal" : each.value.principal_type
+}
diff --git a/postgresql_flexible_servers.tf b/postgresql_flexible_servers.tf
@@ -21,5 +21,9 @@ module "postgresql_flexible_servers" {
     private_dns_zone_id = can(each.value.private_dns_zone.key) ? local.combined_objects_private_dns[try(each.value.private_dns_zone.lz_key, local.client_config.landingzone_key)][each.value.private_dns_zone.key].id : null
     keyvault_id         = can(each.value.keyvault.key) ? local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][each.value.keyvault.key].id : null
     diagnostics         = local.combined_diagnostics
+    azuread_groups      = local.combined_objects_azuread_groups
+    azuread_users       = local.combined_objects_azuread_users
+    service_principals  = local.combined_objects_azuread_service_principals
+    managed_identities  = local.combined_objects_managed_identities
   }
-}
+}