adding private link configuration and documentation

Author: kumarvna

README.md

@@ -2,7 +2,7 @@
 
 Azure Database for PostgreSQL Single Server is a fully managed database service with minimal requirements for customizations of database. The single server platform is designed to handle most of the database management functions such as patching, backups, high availability, security with minimal user configuration and control. The architecture is optimized for built-in high availability with 99.99% availability on single availability zone. It supports community version of PostgreSQL 9.5, 9,6, 10, and 11.
 
-## Resources are supported
+## Resources supported
 
 * [PostgreSQL Server](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server)
 * [PostgreSQL Database](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_database)
@@ -12,6 +12,8 @@ Azure Database for PostgreSQL Single Server is a fully managed database service
 * [PostgreSQL Customer Managed Key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server_key)
 * [PostgreSQL Virtual Network Rule](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_virtual_network_rule)
 * [PostgreSQL Diagnostics](https://docs.microsoft.com/en-us/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure?tabs=azure-portal)
+* [Private Endpoints](https://www.terraform.io/docs/providers/azurerm/r/private_endpoint.html)
+* [Private DNS zone for `privatelink` A records](https://www.terraform.io/docs/providers/azurerm/r/private_dns_zone.html)
 
 ```terraform
 module "postgresql-db" {
@@ -73,7 +75,15 @@ module "postgresql-db" {
 
   # (Optional) To enable Azure Monitoring for Azure PostgreSQL database
   # (Optional) Specify `storage_account_name` to save monitoring logs to storage. 
-  # log_analytics_workspace_name = "loganalytics-we-sharedtest2"
+  log_analytics_workspace_name = "loganalytics-we-sharedtest2"
+
+  # Creating Private Endpoint requires, VNet name and address prefix to create a subnet
+  # By default this will create a `privatelink.mysql.database.azure.com` DNS zone. 
+  # To use existing private DNS zone specify `existing_private_dns_zone` with valid zone name
+  enable_private_endpoint       = true
+  virtual_network_name          = "vnet-shared-hub-westeurope-001"
+  private_subnet_address_prefix = ["10.1.5.0/29"]
+  #  existing_private_dns_zone     = "demo.example.com"
 
   # Firewall Rules to allow azure and external clients and specific Ip address/ranges. 
   firewall_rules = {
@@ -228,6 +238,10 @@ An effective naming convention assembles resource names by using important resou
 firewall_rules|Range of IP addresses to allow firewall connections|map(object({}))|`null`
 `ad_admin_login_name`|The login name of the principal to set as the server administrator|string|`null`
 `key_vault_key_id`|The URL to a Key Vault custom managed key|string|`null`
+`enable_private_endpoint`|Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link|string|`"false"`
+`virtual_network_name` | The name of the virtual network|string|`""`
+`private_subnet_address_prefix`|A list of subnets address prefixes inside virtual network| list |`[]`
+`existing_private_dns_zone`|Name of the existing private DNS zone|string|`null`
 `Tags` | A map of tags to add to all resources | map | `{}`
 
 ## Outputs
@@ -241,6 +255,10 @@ firewall_rules|Range of IP addresses to allow firewall connections|map(object({}
 `postgresql_server_id`|The resource ID of the PostgreSQL Server
 `postgresql_server_fqdn`|The FQDN of the PostgreSQL Server
 `postgresql_database_id`|The ID of the PostgreSQL Database
+`postgresql_server_private_endpoint`|id of the PostgreSQL server Private Endpoint
+`postgresql_server_private_dns_zone_domain`|DNS zone name of PostgreSQL server Private endpoints dns name records
+`postgresql_server_private_endpoint_ip`|PostgreSQL server private endpoint IPv4 Addresses
+`postgresql_server_private_endpoint_fqdn`|PostgreSQL server private endpoint FQDN Addresses
 
 ## Resource Graph
 

examples/PostgreSQL_Server/output.tf

@@ -0,0 +1,34 @@
+output "resource_group_name" {
+  description = "The name of the resource group in which resources are created"
+  value       = module.postgresql-db.resource_group_name
+}
+
+output "resource_group_location" {
+  description = "The location of the resource group in which resources are created"
+  value       = module.postgresql-db.resource_group_location
+}
+
+output "storage_account_id" {
+  description = "The ID of the storage account"
+  value       = module.postgresql-db.storage_account_id
+}
+
+output "storage_account_name" {
+  description = "The name of the storage account"
+  value       = module.postgresql-db.storage_account_name
+}
+
+output "postgresql_server_id" {
+  description = "The ID of the PostgreSQL Server"
+  value       = module.postgresql-db.postgresql_server_id
+}
+
+output "postgresql_server_fqdn" {
+  description = "The FQDN of the PostgreSQL Server"
+  value       = module.postgresql-db.postgresql_server_fqdn
+}
+
+output "postgresql_database_id" {
+  description = "The ID of the PostgreSQL Database"
+  value       = module.postgresql-db.postgresql_database_id
+}

examples/postgresql_server_with_private_endpoints/README.md

@@ -0,0 +1,110 @@
+# Azure Database for PostgreSQL Terraform Module
+
+Azure Database for PostgreSQL Single Server is a fully managed database service with minimal requirements for customizations of database. The single server platform is designed to handle most of the database management functions such as patching, backups, high availability, security with minimal user configuration and control. The architecture is optimized for built-in high availability with 99.99% availability on single availability zone. It supports community version of PostgreSQL 9.5, 9,6, 10, and 11.
+
+## Module Usage
+
+```terraform
+module "postgresql-db" {
+  source  = "kumarvna/postgresql-db/azurerm"
+  version = "1.0.0"
+
+  # By default, this module will create a resource group
+  # proivde a name to use an existing resource group and set the argument 
+  # to `create_resource_group = false` if you want to existing resoruce group. 
+  # If you use existing resrouce group location will be the same as existing RG.
+  create_resource_group = false
+  resource_group_name   = "rg-shared-westeurope-01"
+  location              = "westeurope"
+
+  # PostgreSQL Server and Database settings
+  postgresql_server_name = "mypostgresdbsrv01"
+
+  postgresql_server_settings = {
+    sku_name   = "GP_Gen5_8"
+    storage_mb = 640000
+    version    = "9.6"
+    # default admin user `postgresadmin` and can be specified as per the choice here
+    # by default random password created by this module. required password can be specified here
+    admin_username = "postgresadmin"
+    admin_password = "H@Sh1CoR3!"
+    # Database name, charset and collection arguments  
+    database_name = "demo-postgres-db"
+    charset       = "UTF8"
+    collation     = "English_United States.1252"
+    # Storage Profile and other optional arguments
+    auto_grow_enabled                = true
+    backup_retention_days            = 7
+    geo_redundant_backup_enabled     = true
+    public_network_access_enabled    = true
+    ssl_enforcement_enabled          = true
+    ssl_minimal_tls_version_enforced = "TLS1_2"
+  }
+
+  # PostgreSQL Server Parameters 
+  # For more information: https://bit.ly/3dbYTtB
+  postgresql_configuration = {
+    backslash_quote = "on"
+  }
+
+  # Use Virtual Network service endpoints and rules for Azure Database for PostgreSQL
+  subnet_id = var.subnet_id
+
+  # The URL to a Key Vault custom managed key
+  key_vault_key_id = var.key_vault_key_id
+
+  # To enable Azure Defender for database set `enable_threat_detection_policy` to true 
+  enable_threat_detection_policy = true
+  log_retention_days             = 30
+  email_addresses_for_alerts     = ["user@example.com", "firstname.lastname@example.com"]
+
+  # AD administrator for an Azure database for PostgreSQL
+  # Allows you to set a user or group as the AD administrator for PostgreSQL server
+  ad_admin_login_name = "firstname.lastname@example.com"
+
+  # (Optional) To enable Azure Monitoring for Azure PostgreSQL database
+  # (Optional) Specify `storage_account_name` to save monitoring logs to storage. 
+  log_analytics_workspace_name = "loganalytics-we-sharedtest2"
+
+  # Creating Private Endpoint requires, VNet name and address prefix to create a subnet
+  # By default this will create a `privatelink.mysql.database.azure.com` DNS zone. 
+  # To use existing private DNS zone specify `existing_private_dns_zone` with valid zone name
+  enable_private_endpoint       = true
+  virtual_network_name          = "vnet-shared-hub-westeurope-001"
+  private_subnet_address_prefix = ["10.1.5.0/29"]
+  #  existing_private_dns_zone     = "demo.example.com"
+
+  # Firewall Rules to allow azure and external clients and specific Ip address/ranges. 
+  firewall_rules = {
+    access-to-azure = {
+      start_ip_address = "0.0.0.0"
+      end_ip_address   = "0.0.0.0"
+    },
+    desktop-ip = {
+      start_ip_address = "49.204.228.223"
+      end_ip_address   = "49.204.228.223"
+    }
+  }
+
+  # Tags for Azure Resources
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+    Owner       = "test-user"
+  }
+}
+```
+
+## Terraform Usage
+
+To run this example you need to execute following Terraform commands
+
+```hcl
+terraform init
+
+terraform plan
+
+terraform apply
+```
+
+Run `terraform destroy` when you don't need these resources.

examples/postgresql_server_with_private_endpoints/main.tf

@@ -0,0 +1,88 @@
+module "postgresql-db" {
+  source  = "kumarvna/postgresql-db/azurerm"
+  version = "1.0.0"
+
+  # By default, this module will create a resource group
+  # proivde a name to use an existing resource group and set the argument 
+  # to `create_resource_group = false` if you want to existing resoruce group. 
+  # If you use existing resrouce group location will be the same as existing RG.
+  create_resource_group = false
+  resource_group_name   = "rg-shared-westeurope-01"
+  location              = "westeurope"
+
+  # PostgreSQL Server and Database settings
+  postgresql_server_name = "mypostgresdbsrv01"
+
+  postgresql_server_settings = {
+    sku_name   = "GP_Gen5_8"
+    storage_mb = 640000
+    version    = "9.6"
+    # default admin user `postgresadmin` and can be specified as per the choice here
+    # by default random password created by this module. required password can be specified here
+    admin_username = "postgresadmin"
+    admin_password = "H@Sh1CoR3!"
+    # Database name, charset and collection arguments  
+    database_name = "demo-postgres-db"
+    charset       = "UTF8"
+    collation     = "English_United States.1252"
+    # Storage Profile and other optional arguments
+    auto_grow_enabled                = true
+    backup_retention_days            = 7
+    geo_redundant_backup_enabled     = true
+    public_network_access_enabled    = true
+    ssl_enforcement_enabled          = true
+    ssl_minimal_tls_version_enforced = "TLS1_2"
+  }
+
+  # PostgreSQL Server Parameters 
+  # For more information: https://bit.ly/3dbYTtB
+  postgresql_configuration = {
+    backslash_quote = "on"
+  }
+
+  # Use Virtual Network service endpoints and rules for Azure Database for PostgreSQL
+  subnet_id = var.subnet_id
+
+  # The URL to a Key Vault custom managed key
+  key_vault_key_id = var.key_vault_key_id
+
+  # To enable Azure Defender for database set `enable_threat_detection_policy` to true 
+  enable_threat_detection_policy = true
+  log_retention_days             = 30
+  email_addresses_for_alerts     = ["user@example.com", "firstname.lastname@example.com"]
+
+  # AD administrator for an Azure database for PostgreSQL
+  # Allows you to set a user or group as the AD administrator for PostgreSQL server
+  ad_admin_login_name = "firstname.lastname@example.com"
+
+  # (Optional) To enable Azure Monitoring for Azure PostgreSQL database
+  # (Optional) Specify `storage_account_name` to save monitoring logs to storage. 
+  log_analytics_workspace_name = "loganalytics-we-sharedtest2"
+
+  # Creating Private Endpoint requires, VNet name and address prefix to create a subnet
+  # By default this will create a `privatelink.mysql.database.azure.com` DNS zone. 
+  # To use existing private DNS zone specify `existing_private_dns_zone` with valid zone name
+  enable_private_endpoint       = true
+  virtual_network_name          = "vnet-shared-hub-westeurope-001"
+  private_subnet_address_prefix = ["10.1.5.0/29"]
+  #  existing_private_dns_zone     = "demo.example.com"
+
+  # Firewall Rules to allow azure and external clients and specific Ip address/ranges. 
+  firewall_rules = {
+    access-to-azure = {
+      start_ip_address = "0.0.0.0"
+      end_ip_address   = "0.0.0.0"
+    },
+    desktop-ip = {
+      start_ip_address = "49.204.228.223"
+      end_ip_address   = "49.204.228.223"
+    }
+  }
+
+  # Tags for Azure Resources
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+    Owner       = "test-user"
+  }
+}

examples/postgresql_server_with_private_endpoints/output.tf

@@ -0,0 +1,54 @@
+output "resource_group_name" {
+  description = "The name of the resource group in which resources are created"
+  value       = module.postgresql-db.resource_group_name
+}
+
+output "resource_group_location" {
+  description = "The location of the resource group in which resources are created"
+  value       = module.postgresql-db.resource_group_location
+}
+
+output "storage_account_id" {
+  description = "The ID of the storage account"
+  value       = module.postgresql-db.storage_account_id
+}
+
+output "storage_account_name" {
+  description = "The name of the storage account"
+  value       = module.postgresql-db.storage_account_name
+}
+
+output "postgresql_server_id" {
+  description = "The ID of the PostgreSQL Server"
+  value       = module.postgresql-db.postgresql_server_id
+}
+
+output "postgresql_server_fqdn" {
+  description = "The FQDN of the PostgreSQL Server"
+  value       = module.postgresql-db.postgresql_server_fqdn
+}
+
+output "postgresql_database_id" {
+  description = "The ID of the PostgreSQL Database"
+  value       = module.postgresql-db.postgresql_database_id
+}
+
+output "postgresql_server_private_endpoint" {
+  description = "id of the PostgreSQL server Private Endpoint"
+  value       = module.postgresql-db.postgresql_server_private_endpoint
+}
+
+output "postgresql_server_private_dns_zone_domain" {
+  description = "DNS zone name of PostgreSQL server Private endpoints dns name records"
+  value       = module.postgresql-db.postgresql_server_private_dns_zone_domain
+}
+
+output "postgresql_server_private_endpoint_ip" {
+  description = "PostgreSQL server private endpoint IPv4 Addresses "
+  value       = module.postgresql-db.postgresql_server_private_endpoint_ip
+}
+
+output "postgresql_server_private_endpoint_fqdn" {
+  description = "PostgreSQL server private endpoint FQDN Addresses "
+  value       = module.postgresql-db.postgresql_server_private_endpoint_fqdn
+}

examples/postgresql_server_with_private_endpoints/variables.tf

@@ -0,0 +1,9 @@
+variable "key_vault_key_id" {
+  description = "The URL to a Key Vault Key"
+  default     = null
+}
+
+variable "subnet_id" {
+  description = "The resource ID of the subnet"
+  default     = null
+}