Adding custom manged key and Vnet rules

Author: kumarvna

README.md

@@ -1 +1,99 @@
-# terraform-azurerm-postgresql-db
+# Azure Database for PostgreSQL Terraform Module
+
+Azure Database for MySQL is easy to set up, manage and scale. It automates the management and maintenance of your infrastructure and database server, including routine updates, backups and security. Enjoy maximum control of database management with custom maintenance windows and multiple configuration parameters for fine grained tuning with Flexible Server (Preview).
+
+## Resources are supported
+
+* [MySQL Servers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server)
+* [MySQL Database](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_database)
+* [MySQL Configuration](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_configuration)
+* [MySQL Firewall Rules](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_firewall_rule)
+* [MySQL Active Directory Administrator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_active_directory_administrator)
+* [MySQL Customer Managed Key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server_key)
+* [MySQL Virtual Network Rule](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_virtual_network_rule)
+* [MySQL Diagnostics](https://docs.microsoft.com/en-us/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure?tabs=azure-portal)
+* [Private Endpoints](https://www.terraform.io/docs/providers/azurerm/r/private_endpoint.html)
+* [Private DNS zone for `privatelink` A records](https://www.terraform.io/docs/providers/azurerm/r/private_dns_zone.html)
+
+```terraform
+module "postgresql-db" {
+  source  = "kumarvna/postgresql-db/azurerm"
+  version = "1.0.0"
+
+  # By default, this module will create a resource group
+  # proivde a name to use an existing resource group and set the argument 
+  # to `create_resource_group = false` if you want to existing resoruce group. 
+  # If you use existing resrouce group location will be the same as existing RG.
+  create_resource_group = false
+  resource_group_name   = "rg-shared-westeurope-01"
+  location              = "westeurope"
+
+  # MySQL Server and Database settings
+  postgresql_server_name = "mypostgresdbsrv01"
+
+  postgresql_server_settings = {
+    sku_name   = "GP_Gen5_8"
+    storage_mb = 640000
+    version    = "9.6"
+    # default admin user `sqladmin` and can be specified as per the choice here
+    # by default random password created by this module. required password can be specified here
+    admin_username = "postgresadmin"
+    admin_password = "H@Sh1CoR3!"
+    # Database name, charset and collection arguments  
+    database_name = "demo-postgres-db"
+    charset       = "UTF8"
+    collation     = "English_United States.1252"
+    # Storage Profile and other optional arguments
+    auto_grow_enabled                = true
+    backup_retention_days            = 7
+    geo_redundant_backup_enabled     = true
+    public_network_access_enabled    = true
+    ssl_enforcement_enabled          = true
+    ssl_minimal_tls_version_enforced = "TLS1_2"
+  }
+
+  # PostgreSQL Server Parameters 
+  # For more information: https://bit.ly/3dbYTtB
+  postgresql_configuration = {
+    backslash_quote = "on"
+  }
+
+  # Use Virtual Network service endpoints and rules for Azure Database for MySQL
+  subnet_id = var.subnet_id
+
+  # The URL to a Key Vault custom managed key
+  key_vault_key_id = var.key_vault_key_id
+
+  # To enable Azure Defender for database set `enable_threat_detection_policy` to true 
+  enable_threat_detection_policy = true
+  log_retention_days             = 30
+  email_addresses_for_alerts     = ["user@example.com", "firstname.lastname@example.com"]
+
+  # AD administrator for an Azure MySQL server
+  # Allows you to set a user or group as the AD administrator for an Azure SQL server
+  ad_admin_login_name = "firstname.lastname@example.com"
+
+  # (Optional) To enable Azure Monitoring for Azure MySQL database
+  # (Optional) Specify `storage_account_name` to save monitoring logs to storage. 
+  //log_analytics_workspace_name = "loganalytics-we-sharedtest2"
+
+  # Firewall Rules to allow azure and external clients and specific Ip address/ranges. 
+  firewall_rules = {
+    access-to-azure = {
+      start_ip_address = "0.0.0.0"
+      end_ip_address   = "0.0.0.0"
+    },
+    desktop-ip = {
+      start_ip_address = "49.204.228.223"
+      end_ip_address   = "49.204.228.223"
+    }
+  }
+
+  # Tags for Azure Resources
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+    Owner       = "test-user"
+  }
+}
+```

examples/PostgreSQL_Server/README.md

@@ -0,0 +1,102 @@
+# Azure Database for MySQL Terraform Module
+
+Azure Database for MySQL is easy to set up, manage and scale. It automates the management and maintenance of your infrastructure and database server, including routine updates, backups and security. Enjoy maximum control of database management with custom maintenance windows and multiple configuration parameters for fine grained tuning with Flexible Server (Preview).
+
+## Module Usage
+
+```hcl
+module "postgresql-db" {
+  source  = "kumarvna/postgresql-db/azurerm"
+  version = "1.0.0"
+
+  # By default, this module will create a resource group
+  # proivde a name to use an existing resource group and set the argument 
+  # to `create_resource_group = false` if you want to existing resoruce group. 
+  # If you use existing resrouce group location will be the same as existing RG.
+  create_resource_group = false
+  resource_group_name   = "rg-shared-westeurope-01"
+  location              = "westeurope"
+
+  # MySQL Server and Database settings
+  postgresql_server_name = "mypostgresdbsrv01"
+
+  postgresql_server_settings = {
+    sku_name   = "GP_Gen5_8"
+    storage_mb = 640000
+    version    = "9.6"
+    # default admin user `sqladmin` and can be specified as per the choice here
+    # by default random password created by this module. required password can be specified here
+    admin_username = "postgresadmin"
+    admin_password = "H@Sh1CoR3!"
+    # Database name, charset and collection arguments  
+    database_name = "demo-postgres-db"
+    charset       = "UTF8"
+    collation     = "English_United States.1252"
+    # Storage Profile and other optional arguments
+    auto_grow_enabled                = true
+    backup_retention_days            = 7
+    geo_redundant_backup_enabled     = true
+    public_network_access_enabled    = true
+    ssl_enforcement_enabled          = true
+    ssl_minimal_tls_version_enforced = "TLS1_2"
+  }
+
+  # PostgreSQL Server Parameters 
+  # For more information: https://bit.ly/3dbYTtB
+  postgresql_configuration = {
+    backslash_quote = "on"
+  }
+
+  # Use Virtual Network service endpoints and rules for Azure Database for MySQL
+  subnet_id = var.subnet_id
+
+  # The URL to a Key Vault custom managed key
+  key_vault_key_id = var.key_vault_key_id
+
+  # To enable Azure Defender for database set `enable_threat_detection_policy` to true 
+  enable_threat_detection_policy = true
+  log_retention_days             = 30
+  email_addresses_for_alerts     = ["user@example.com", "firstname.lastname@example.com"]
+
+  # AD administrator for an Azure MySQL server
+  # Allows you to set a user or group as the AD administrator for an Azure SQL server
+  ad_admin_login_name = "firstname.lastname@example.com"
+
+  # (Optional) To enable Azure Monitoring for Azure MySQL database
+  # (Optional) Specify `storage_account_name` to save monitoring logs to storage. 
+  //log_analytics_workspace_name = "loganalytics-we-sharedtest2"
+
+  # Firewall Rules to allow azure and external clients and specific Ip address/ranges. 
+  firewall_rules = {
+    access-to-azure = {
+      start_ip_address = "0.0.0.0"
+      end_ip_address   = "0.0.0.0"
+    },
+    desktop-ip = {
+      start_ip_address = "49.204.228.223"
+      end_ip_address   = "49.204.228.223"
+    }
+  }
+
+  # Tags for Azure Resources
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+    Owner       = "test-user"
+  }
+}
+```
+
+## Terraform Usage
+
+To run this example you need to execute following Terraform commands
+
+```hcl
+terraform init
+
+terraform plan
+
+terraform apply
+```
+
+Run `terraform destroy` when you don't need these resources.

examples/PostgreSQL_Server/main.tf

@@ -1,7 +1,6 @@
 module "postgresql-db" {
-  // source  = "kumarvna/postgresql-db/azurerm"
-  // version = "1.0.0"
-  source = "../../"
+  source  = "kumarvna/postgresql-db/azurerm"
+  version = "1.0.0"
 
   # By default, this module will create a resource group
   # proivde a name to use an existing resource group and set the argument 
@@ -11,7 +10,7 @@ module "postgresql-db" {
   resource_group_name   = "rg-shared-westeurope-01"
   location              = "westeurope"
 
-  # MySQL Server and Database settings
+  # PostgreSQL Server and Database settings
   postgresql_server_name = "mypostgresdbsrv01"
 
   postgresql_server_settings = {
@@ -40,25 +39,25 @@ module "postgresql-db" {
   postgresql_configuration = {
     backslash_quote = "on"
   }
-  /*
-  # Use Virtual Network service endpoints and rules for Azure Database for MySQL
+
+  # Use Virtual Network service endpoints and rules for Azure Database for PostgreSQL
   subnet_id = var.subnet_id
 
   # The URL to a Key Vault custom managed key
   key_vault_key_id = var.key_vault_key_id
-*/
+
   # To enable Azure Defender for database set `enable_threat_detection_policy` to true 
   enable_threat_detection_policy = true
   log_retention_days             = 30
   email_addresses_for_alerts     = ["user@example.com", "firstname.lastname@example.com"]
 
-  # AD administrator for an Azure MySQL server
-  # Allows you to set a user or group as the AD administrator for an Azure SQL server
+  # AD administrator for an Azure database for PostgreSQL
+  # Allows you to set a user or group as the AD administrator for PostgreSQL server
   ad_admin_login_name = "firstname.lastname@example.com"
 
-  # (Optional) To enable Azure Monitoring for Azure MySQL database
+  # (Optional) To enable Azure Monitoring for Azure PostgreSQL database
   # (Optional) Specify `storage_account_name` to save monitoring logs to storage. 
-  //log_analytics_workspace_name = "loganalytics-we-sharedtest2"
+  log_analytics_workspace_name = "loganalytics-we-sharedtest2"
 
   # Firewall Rules to allow azure and external clients and specific Ip address/ranges. 
   firewall_rules = {

examples/PostgreSQL_Server/variables.tf

@@ -0,0 +1,9 @@
+variable "key_vault_key_id" {
+  description = "The URL to a Key Vault Key"
+  default     = null
+}
+
+variable "subnet_id" {
+  description = "The resource ID of the subnet"
+  default     = null
+}

main.tf

@@ -139,9 +139,9 @@ resource "azurerm_postgresql_configuration" "main" {
   value               = each.value
 }
 
-#------------------------------------------------------------
+#------------------------------------------------------------------
 # Adding Firewall rules for PostgreSQL Server - Default is "false"
-#------------------------------------------------------------
+#------------------------------------------------------------------
 resource "azurerm_postgresql_firewall_rule" "main" {
   for_each            = var.firewall_rules != null ? { for k, v in var.firewall_rules : k => v if v != null } : {}
   name                = format("%s", each.key)
@@ -162,3 +162,24 @@ resource "azurerm_postgresql_active_directory_administrator" "main" {
   tenant_id           = data.azurerm_client_config.current.tenant_id
   object_id           = data.azurerm_client_config.current.object_id
 }
+
+#-----------------------------------------------------------------------------
+# Manages a Customer Managed Key for a PostgreSQL Server. - Default is "false"
+#-----------------------------------------------------------------------------
+resource "azurerm_postgresql_server_key" "main" {
+  count            = var.key_vault_key_id != null ? 1 : 0
+  server_id        = azurerm_postgresql_server.main.id
+  key_vault_key_id = var.key_vault_key_id
+}
+
+#--------------------------------------------------------------------------------
+# Allowing traffic between an PostgreSQL server and a subnet - Default is "false"
+#--------------------------------------------------------------------------------
+resource "azurerm_postgresql_virtual_network_rule" "main" {
+  count                                = var.subnet_id != null ? 1 : 0
+  name                                 = format("%s-vnet-rule", var.postgresql_server_name)
+  resource_group_name                  = local.resource_group_name
+  server_name                          = azurerm_postgresql_server.main.name
+  subnet_id                            = var.subnet_id
+  ignore_missing_vnet_service_endpoint = var.ignore_missing_vnet_service_endpoint
+}

variables.tf

@@ -13,11 +13,6 @@ variable "location" {
   default     = ""
 }
 
-variable "subnet_id" {
-  description = "The resource ID of the subnet"
-  default     = ""
-}
-
 variable "log_analytics_workspace_name" {
   description = "The name of log analytics workspace name"
   default     = null
@@ -129,6 +124,20 @@ variable "ad_admin_login_name" {
   default     = null
 }
 
+variable "key_vault_key_id" {
+  description = "The URL to a Key Vault Key"
+  default     = null
+}
+
+variable "subnet_id" {
+  description = "The resource ID of the subnet"
+  default     = null
+}
+
+variable "ignore_missing_vnet_service_endpoint" {
+  description = "Should the Virtual Network Rule be created before the Subnet has the Virtual Network Service Endpoint enabled?"
+  default     = false
+}
 variable "tags" {
   description = "A map of tags to add to all resources"
   type        = map(string)