You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Azure Database for MySQL is easy to set up, manage and scale. It automates the management and maintenance of your infrastructure and database server, including routine updates, backups and security. Enjoy maximum control of database management with custom maintenance windows and multiple configuration parameters for fine grained tuning with Flexible Server (Preview).
3
+
Azure Database for PostgreSQL Single Server is a fully managed database service with minimal requirements for customizations of database. The single server platform is designed to handle most of the database management functions such as patching, backups, high availability, security with minimal user configuration and control. The architecture is optimized for built-in high availability with 99.99% availability on single availability zone. It supports community version of PostgreSQL 9.5, 9,6, 10, and 11.
*[MySQL Active Directory Administrator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_active_directory_administrator)
*[PostgreSQL Active Directory Administrator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_active_directory_administrator)
# Firewall Rules to allow azure and external clients and specific Ip address/ranges.
81
79
firewall_rules = {
@@ -97,3 +95,163 @@ module "postgresql-db" {
97
95
}
98
96
}
99
97
```
98
+
99
+
## Default Local Administrator and the Password
100
+
101
+
This module utilizes __`postgresadmin`__ as a local administrator on PostgreSQL server. If you want to you use custom username, then specify the same by setting up the argument `admin_username` with a valid user string.
102
+
103
+
By default, this module generates a strong password for PostgreSQL server also allows you to change the length of the random password (currently 24) using the `random_password_length` variable. If you want to set the custom password, specify the argument `admin_password` with a valid string.
104
+
105
+
## **`postgresql_server_settings`** - Setting up your PostgreSQL Server
106
+
107
+
This object helps you setup desired PostgreSQL server and support following arguments.
108
+
109
+
| Argument | Description |
110
+
|--|--|
111
+
`sku_name`|Specifies the SKU Name for this PostgreSQL Server. The name of the SKU, follows the tier + family + cores pattern (e.g. `B_Gen4_1`, `GP_Gen5_8`). Valid values are `B_Gen4_1`, `B_Gen4_2`, `B_Gen5_1`, `B_Gen5_2`, `GP_Gen4_2`, `GP_Gen4_4`, `GP_Gen4_8`, `GP_Gen4_16`, `GP_Gen4_32`, `GP_Gen5_2`, `GP_Gen5_4`, `GP_Gen5_8`, `GP_Gen5_16`, `GP_Gen5_32`, `GP_Gen5_64`, `MO_Gen5_2`, `MO_Gen5_4`, `MO_Gen5_8`, `MO_Gen5_16`, `MO_Gen5_32`.
112
+
`storage_mb`|Max storage allowed for a server. Possible values are between `5120` MB(5GB) and `1048576` MB(1TB) for the Basic SKU and between `5120` MB(5GB) and `16777216` MB(16TB) for General Purpose/Memory Optimized SKUs.
113
+
`version`|Specifies the version of PostgreSQL to use. Valid values are `9.5`, `9.6`, `10`, `10.0`, and `11`.
114
+
`database_name`|Specifies the name of the PostgreSQL Database, which needs [to be a valid PostgreSQL identifier](https://www.postgresql.org/docs/current/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS).
115
+
`charset`|Specifies the Charset for the PostgreSQL Database, which needs [to be a valid PostgreSQL Charset.](https://www.postgresql.org/docs/current/static/multibyte.html).
116
+
`collation`|Specifies the Collation for the PostgreSQL Database, which needs [to be a valid PostgreSQL Collation](https://www.postgresql.org/docs/current/static/collation.html). Note that Microsoft uses different [notation](https://msdn.microsoft.com/library/windows/desktop/dd373814.aspx) - en-US instead of en_US.
117
+
`admin_username`|The Administrator Login for the PostgreSQL Server. Required when `create_mode` is `Default`.
118
+
`admin_password`|The Password associated with the `admin_username` for the PostgreSQL Server. Required when `create_mode` is `Default`
119
+
`auto_grow_enabled`|Enable/Disable auto-growing of the storage. Storage auto-grow prevents your server from running out of storage and becoming read-only. If storage auto grow is enabled, the storage automatically grows without impacting the workload. The default value if not explicitly specified is `true`
120
+
`backup_retention_days`|Backup retention days for the server, supported values are between `7` and `35` days.
121
+
`geo_redundant_backup_enabled`|Turn Geo-redundant server backups on/off. This allows you to choose between locally redundant or geo-redundant backup storage in the General Purpose and Memory Optimized tiers. When the backups are stored in geo-redundant backup storage, they are not only stored within the region in which your server is hosted, but are also replicated to a paired data center. This provides better protection and ability to restore your server in a different region in the event of a disaster. This is not support for the Basic tier.
122
+
`infrastructure_encryption_enabled`|Whether or not infrastructure is encrypted for this server. This property is currently still in development and not supported by Microsoft. If the `infrastructure_encryption_enabled` attribute is set to `true` the postgreSQL instance will incur a substantial performance degradation due to a second encryption pass on top of the existing default encryption that is already provided by Azure Storage. It is strongly suggested to leave this value `false` as not doing so can lead to unclear error messages. Defaults to `false`
123
+
`public_network_access_enabled`|Whether or not public network access is allowed for this server. Defaults to `true`.
124
+
`ssl_enforcement_enabled`|Specifies if SSL should be enforced on connections. Possible values are `true` and `false`
125
+
`ssl_minimal_tls_version_enforced`|The minimum TLS version to support on the sever. Possible values are `TLSEnforcementDisabled`, `TLS1_0`, `TLS1_1`, and `TLS1_2`. Defaults to `TLSEnforcementDisabled`.
126
+
127
+
## Advanced Usage of the Module
128
+
129
+
### **`postgresql_configuration`** - Configure PostgreSQL Server Parameters
130
+
131
+
The PostgreSQL server maintains many system variables that configure its operation. Each system variable has a default value. System variables can be set at server startup using options on the command line or in an option file. Most of them can be changed dynamically at runtime using the SET statement, which enables you to modify operation of the server without having to stop and restart it. You can also use system variable values in expressions.
132
+
133
+
A few Supported parameters are here for your reference. you can find all these `Server Paramter` section in PostgreSQL server. Also check [PostgreSQL website](https://www.postgresql.org/docs/9.6/config-setting.html) for more details.
134
+
135
+
| Parameter name | Description | Parameter Type |Default Value
136
+
|--|--|--|--|
137
+
`connection_throttling`|Enables temporary connection throttling per IP for too many invalid password login failures. Valid values are `ON` and `OFF`|Dynamic|`ON`
138
+
`deadlock_timeout`|Sets the amount of time, in milliseconds, to wait on a lock before checking for deadlock. Allowed value should be: 1-2147483647|Dynamic|`1000`
139
+
`log_min_error_statement`|Causes all statements generating error at or above this level to be logged.|Dynamic|`ERROR`
140
+
`old_snapshot_threshold`|Time before a snapshot is too old to read pages changed after the snapshot was taken. Any change requires server restart.|Static|`-1`
141
+
142
+
### PostgreSQL Virtual Network Rule
143
+
144
+
A virtual network rule for your Azure Database for PostgreSQL server is a subnet that is listed in the access control list (ACL) of your Azure Database for PostgreSQL server. To be in the ACL for your Azure Database for PostgreSQL server, the subnet must contain the **`Microsoft.Sql`** type name. To enable this feature, add a `subnet_id` with valid resource id.
145
+
146
+
>This feature is available in all regions of Azure public cloud where Azure Database for PostgreSQL is deployed for General Purpose and Memory Optimized servers. In case of VNet peering, if traffic is flowing through a common VNet Gateway with service endpoints and is supposed to flow to the peer, please create an ACL/VNet rule to allow Azure Virtual Machines in the Gateway VNet to access the Azure Database for PostgreSQL server.
147
+
148
+
### Data Encryption with a Customer-managed Key
149
+
150
+
Data encryption with customer-managed keys for Azure Database for PostgreSQL enables you to bring your own key (BYOK) for data protection at rest. It also allows organizations to implement separation of duties in the management of keys and data.
151
+
152
+
Data encryption is set at the server-level. The customer-managed key is an asymmetric key stored in a customer-owned and customer-managed Azure `Key Vault` instance. To add you own key from key valut use variable `key_vault_key_id` with valid key URL.
153
+
154
+
### Server Firewall Rules
155
+
156
+
Firewalls prevent all access to your database server until you specify which computers have permission. To configure a firewall, create firewall rules that specify ranges of acceptable IP addresses.
157
+
158
+
By default, no external access to your PostgreSQL Database will be allowed until you explicitly assign permission by creating a firewall rule. To add the firewall rules to the PostgreSQL database, specify the list of `firewall_rules` with valid IP addresses.
159
+
160
+
### Adding Active Directory Administrator to PostgreSQL Database
161
+
162
+
Azure Active Directory authentication is a mechanism of connecting to Microsoft Azure database for PostgreSQL by using identities in Azure Active Directory (Azure AD). This module adds the provided Azure Active Directory user/group to PostgreSQL Database as an administrator so that the user can login to this database with Azure AD authentication.
163
+
164
+
By default, this feature not enabled on this module. To add the Active Directory Administrator, set the argument `ad_admin_login_name` with a valid Azure AD user/group login name.
165
+
166
+
### Threat detection policy AKA Server Security Alerts Policy
167
+
168
+
Advanced Threat Detection for Azure Database for PostgreSQL server detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases and it can trigger the following alerts:
169
+
170
+
* Access from unusual location
171
+
* Access from unusual Azure data center
172
+
* Access from unfamiliar principal
173
+
* Access from a potentially harmful application
174
+
* Brute force login credentials
175
+
176
+
By default, this feature not enabled on this module. Enable threat detection policy setting up the variables `enable_threat_detection_policy`, `log_retention_days` and `email_addresses_for_alerts` with valid values.
177
+
178
+
>Note: Enabling `threat_detection_policy` features on SQL servers and database going to create a storage account to keep all audit logs by this module. Log retention policy to be configured to keep the size within limits for this storage account. Note that this module creates resources that can cost money.
179
+
180
+
## Recommended naming and tagging conventions
181
+
182
+
Applying tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name `Environment` and the value `Production` to all the resources in production.
183
+
For recommendations on how to implement a tagging strategy, see Resource naming and tagging decision guide.
184
+
185
+
>**Important** :
186
+
Tag names are case-insensitive for operations. A tag with a tag name, regardless of the casing, is updated or retrieved. However, the resource provider might keep the casing you provide for the tag name. You'll see that casing in cost reports. **Tag values are case-sensitive.**
187
+
188
+
An effective naming convention assembles resource names by using important resource information as parts of a resource's name. For example, using these [recommended naming conventions](https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging#example-names), a public IP resource for a production SharePoint workload is named like this: `pip-sharepoint-prod-westus-001`.
189
+
190
+
## Requirements
191
+
192
+
| Name | Version |
193
+
|------|---------|
194
+
| terraform | >= 0.13 |
195
+
| azurerm | >= 2.59.0 |
196
+
197
+
## Providers
198
+
199
+
| Name | Version |
200
+
|------|---------|
201
+
| azurerm | >= 2.59.0 |
202
+
| random |>= 3.1.0 |
203
+
204
+
## Inputs
205
+
206
+
| Name | Description | Type | Default |
207
+
|--|--|--|--|
208
+
`create_resource_group` | Whether to create resource group and use it for all networking resources | string | `"false"`
209
+
`resource_group_name` | The name of the resource group in which resources are created | string | `""`
210
+
`location` | The location of the resource group in which resources are created | string | `""`
211
+
`log_analytics_workspace_name`|The name of log analytics workspace name|string|`null`
212
+
`random_password_length`|The desired length of random password created by this module|string|`24`
213
+
`subnet_id`|The resource ID of the subnet|string|`null`
214
+
`postgresql_server_name`|PostgreSQL server Name|string|`""`
215
+
`admin_username`|The username of the local administrator used for the SQL Server|string|`"postgresadmin"`
216
+
`admin_password`|The Password which should be used for the local-administrator on this SQL Server|string|`null`
217
+
`identity`|If you want your SQL Server to have an managed identity. Defaults to false|string|`false`
218
+
`postgresql_server_settings`|PostgreSQL server settings|object({})|`{}`
219
+
`create_mode`|The creation mode. Can be used to restore or replicate existing servers. Possible values are `Default`, `Replica`, `GeoRestore`, and `PointInTimeRestore`|string|`Default`
220
+
`creation_source_server_id`|For creation modes other than `Default`, the source server ID to use|string|`null`
221
+
`restore_point_in_time`|When `create_mode` is `PointInTimeRestore`, specifies the point in time to restore from `creation_source_server_id`|string|`null`
222
+
`storage_account_name`|The name of the storage account name|string|`null`
223
+
`enable_threat_detection_policy`|Threat detection policy configuration, known in the API as Server Security Alerts Policy|string|`false`
224
+
`email_addresses_for_alerts`|Account administrators email for alerts|`list(any)`|`""`
225
+
`disabled_alerts`|Specifies a list of alerts which should be disabled. Possible values include `Access_Anomaly`, `Sql_Injection` and `Sql_Injection_Vulnerability`|list(any)|`[]`
226
+
`log_retention_days`|Specifies the number of days to keep in the Threat Detection audit logs|number|`30`
227
+
`postgresql_configuration`|Sets a PostgreSQL Configuration value on a PostgreSQL Server|map(string)|`{}`
228
+
firewall_rules|Range of IP addresses to allow firewall connections|map(object({}))|`null`
229
+
`ad_admin_login_name`|The login name of the principal to set as the server administrator|string|`null`
230
+
`key_vault_key_id`|The URL to a Key Vault custom managed key|string|`null`
231
+
`extaudit_diag_logs`|Database Monitoring Category details for Azure Diagnostic setting|list(string)|`["PostgreSQLLogs", "QueryStoreRuntimeStatistics", "QueryStoreWaitStatistics"]`
232
+
`Tags` | A map of tags to add to all resources | map | `{}`
233
+
234
+
## Outputs
235
+
236
+
| Name | Description |
237
+
|--|--|
238
+
`resource_group_name`|The name of the resource group in which resources are created
239
+
`resource_group_location`|The location of the resource group in which resources are created
240
+
`storage_account_id`|The resource ID of the storage account
241
+
`storage_account_name`|The name of the storage account
242
+
`postgresql_server_id`|The resource ID of the PostgreSQL Server
243
+
`postgresql_server_fqdn`|The FQDN of the PostgreSQL Server
244
+
`postgresql_database_id`|The ID of the PostgreSQL Database
245
+
246
+
## Resource Graph
247
+
248
+
249
+
250
+
## Authors
251
+
252
+
Originally created by [Kumaraswamy Vithanala](mailto:kumarvna@gmail.com)
253
+
254
+
## Other resources
255
+
256
+
*[Azure database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/)
0 commit comments