# NOTE: managing DB resources requires network routes to the database (private endpoints and private DNS zones):
# * Either:
# ** VPN access is required, with routing to the database subnets set up for your user,
# ** OR run terraform in a subnet with private endpoint access/routing to the DB subnet
# * Also, as there are no public DNS records, either:
# ** Set up your local `/etc/hosts` (check the `providers.tf` for details),
# ** OR have your subnet set up to use the private DNS records
######
# A dedicated subnet is reserved as "delegated" for the pgsql server on the public network
# Ref. https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking
# Defined in https://github.com/jenkins-infra/azure-net/blob/main/vnets.tf
# Read-only lookup of the delegated "postgres-tier" subnet of the public DB VNet.
# The subnet (and its delegation) is managed in the azure-net repository, not here.
data "azurerm_subnet" "public_db_vnet_postgres_tier" {
  resource_group_name  = data.azurerm_resource_group.public.name
  virtual_network_name = data.azurerm_virtual_network.public_db.name
  # Naming convention: "<vnet name>-postgres-tier"
  name                 = "${data.azurerm_virtual_network.public_db.name}-postgres-tier"
}
# NSG attached (below) to the delegated postgres subnet.
# No inline `security_rule` block is declared here, so the rules applied to the
# subnet are not visible in this file — presumably managed by separate
# `azurerm_network_security_rule` resources; confirm, because without explicit
# rules only Azure's built-in defaults (e.g. AllowVnetInBound) apply.
resource "azurerm_network_security_group" "db_pgsql_tier" {
  resource_group_name = data.azurerm_resource_group.public.name
  location            = var.location
  name                = "${data.azurerm_virtual_network.public_db.name}-postgres"
}
# Binds the NSG above to the delegated postgres subnet so its rules filter
# traffic reaching the flexible server.
resource "azurerm_subnet_network_security_group_association" "db_pgsql_tier" {
  network_security_group_id = azurerm_network_security_group.db_pgsql_tier.id
  subnet_id                 = data.azurerm_subnet.public_db_vnet_postgres_tier.id
}
# Random administrator login name, consumed through 'local.public_db_pgsql_admin_login'
# (which the postgres provider needs to connect).
# With `special` and `upper` disabled the result is a 14-character lowercase
# alphanumeric string. Like every random_password result it is kept in the
# terraform state, so the state backend must be treated as a secret store.
# NOTE(review): Azure rejects some admin login names (reserved names / prefixes)
# and a login starting with a digit may not be accepted — verify against the
# flexible-server naming rules.
resource "random_password" "public_db_pgsql_admin_login" {
  special = false
  upper   = false
  length  = 14
}
# Random administrator password for the flexible server (24 characters, default
# alphabet: lower, upper, numeric and special). The value is persisted in the
# terraform state, so the state backend must be treated as a secret store.
# NOTE(review): Azure's password policy requires characters from three of the
# four character classes; with only `length` set this is overwhelmingly likely
# but not guaranteed. Setting `min_lower`/`min_upper`/`min_numeric`/`min_special`
# to 1 would make it deterministic — note that changing these arguments forces
# the password to be regenerated (i.e. rotates the admin credential on apply).
resource "random_password" "public_db_pgsql_admin_password" {
length = 24
}
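# The "public-db" PostgreSQL flexible server.
# Reachable only through the delegated subnet and the private DNS zone below:
# public network access is explicitly disabled, so all access must come from a
# VNet linked to that zone (or the VPN, see the note at the top of this file).
# The administrator password is stored in the terraform state as well as in
# the resource; keep the state backend restricted accordingly.
resource "azurerm_postgresql_flexible_server" "public_db" {
  name                = "public-db"
  resource_group_name = data.azurerm_resource_group.public.name
  location            = var.location

  # Networking: private only (delegated subnet + private DNS zone, no public endpoint)
  public_network_access_enabled = false
  delegated_subnet_id           = data.azurerm_subnet.public_db_vnet_postgres_tier.id
  private_dns_zone_id           = azurerm_private_dns_zone.public_db_pgsql.id

  # Administrator credentials (both randomly generated above)
  administrator_login    = local.public_db_pgsql_admin_login
  administrator_password = random_password.public_db_pgsql_admin_password.result

  # Sizing. `storage_mb` is a numeric attribute: 131072 MB = 128 GB.
  sku_name   = "B_Standard_B1ms" # 1vCore / 2 Gb - https://docs.microsoft.com/en-us/azure/virtual-machines/sizes-b-series-burstable
  storage_mb = 131072
  # NOTE(review): PostgreSQL 13 is an old major; check the flexible-server
  # supported-version schedule before Azure retires it (a version bump is an
  # in-place major upgrade and must be planned, not applied blindly).
  version = "13"
  # Single availability zone; no `high_availability` block is declared here,
  # so an outage of zone 1 takes the server down.
  zone = "1"

  depends_on = [
    /**
    The network link from private pod is required to allow the provider "postgresql"
    to connect to this server from the private Jenkins agents where terraform runs
    (or through VPN tunnelling)
    **/
    azurerm_private_dns_zone_virtual_network_link.public_db_pgsql["private-vnet"],
    azurerm_private_dns_zone_virtual_network_link.public_db_pgsql["infracijenkinsio-sponsorship-vnet"],
  ]
}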
# Private DNS zone hosting the server's private record. The name ends with the
# `postgres.database.azure.com` suffix expected by the flexible-server private
# DNS integration; the zone is only resolvable from VNets linked to it (below).
resource "azurerm_private_dns_zone" "public_db_pgsql" {
  resource_group_name = data.azurerm_resource_group.public.name
  name                = "public-db-pgsql.jenkins-infra.postgres.database.azure.com"
}
# One DNS link per VNet that must resolve the server's private name.
# Linking a VNet only grants name resolution; reachability is still gated by
# routing and by the NSG on the delegated subnet. The "private-vnet" and
# "infracijenkinsio-sponsorship-vnet" keys are referenced by name in the
# server's `depends_on`, so renaming a key here requires updating that list.
resource "azurerm_private_dns_zone_virtual_network_link" "public_db_pgsql" {
  for_each = {
    "public-vnet"                       = data.azurerm_virtual_network.public.id,
    "publicdb-vnet"                     = data.azurerm_virtual_network.public_db.id,
    "private-vnet"                      = data.azurerm_virtual_network.private.id,
    "infracijenkinsio-sponsorship-vnet" = data.azurerm_virtual_network.infra_ci_jenkins_io_sponsorship.id,
  }

  resource_group_name   = data.azurerm_resource_group.public.name
  private_dns_zone_name = azurerm_private_dns_zone.public_db_pgsql.name
  virtual_network_id    = each.value
  # Link name convention: "<vnet key>-to-publicdbpgsql"
  name                  = "${each.key}-to-publicdbpgsql"
}