Postgres (#19)

* integrating postgres * tfsec resolved * postgres no more public Co-authored-by: anttorre <[email protected]> Co-authored-by: Pasquale De Vita <[email protected]>
pagopa · Oct 21, 2021 · 9618d6b · 9618d6b
1 parent 9da381f
commit 9618d6b
Show file tree

Hide file tree

Showing 6 changed files with 326 additions and 0 deletions.
diff --git a/src/core/env/dev/terraform.tfvars b/src/core/env/dev/terraform.tfvars
@@ -16,6 +16,7 @@ lock_enable = false
 cidr_vnet                    = ["10.1.0.0/16"]
 cidr_subnet_k8s              = ["10.1.0.0/17"]
 cidr_subnet_appgateway       = ["10.1.128.0/24"]
+cidr_subnet_postgres         = ["10.1.129.0/24"]
 cidr_subnet_azdoa            = ["10.1.130.0/24"]
 cidr_subnet_redis            = ["10.1.132.0/24"]
 cidr_subnet_vpn              = ["10.1.133.0/24"]
@@ -48,3 +49,21 @@ aks_max_pods     = 100
 # CosmosDb MongoDb
 cosmosdb_mongodb_enable_serverless             = true
 cosmosdb_mongodb_public_network_access_enabled = true
+
+# postgres
+postgres_sku_name       = "GP_Gen5_2"
+postgres_enable_replica = false
+postgres_configuration = {
+  autovacuum_work_mem         = "-1"
+  effective_cache_size        = "655360"
+  log_autovacuum_min_duration = "5000"
+  log_connections             = "off"
+  log_line_prefix             = "%t [%p apps:%a host:%r]: [%l-1] db=%d,user=%u"
+  log_temp_files              = "4096"
+  maintenance_work_mem        = "524288"
+  max_wal_size                = "4096"
+  log_connections             = "on"
+  log_checkpoints             = "on"
+  connection_throttling       = "on"
+}
+postgres_alerts_enabled = false
diff --git a/src/core/env/prod/terraform.tfvars b/src/core/env/prod/terraform.tfvars
@@ -16,6 +16,7 @@ lock_enable = true
 cidr_vnet                    = ["10.1.0.0/16"]
 cidr_subnet_k8s              = ["10.1.0.0/17"]
 cidr_subnet_appgateway       = ["10.1.128.0/24"]
+cidr_subnet_postgres         = ["10.1.129.0/24"]
 cidr_subnet_azdoa            = ["10.1.130.0/24"]
 cidr_subnet_redis            = ["10.1.132.0/24"]
 cidr_subnet_vpn              = ["10.1.133.0/24"]
@@ -60,3 +61,22 @@ cosmosdb_mongodb_enable_serverless = true # TODO set to false before launch
 # cosmosdb_mongodb_max_throughput TODO define before launch
 cosmosdb_mongodb_enable_free_tier = true # TODO change to false before launch
 # cosmosdb_mongodb_additional_geo_locations TODO do we want replication?
+
+#postgres
+postgres_sku_name                     = "GP_Gen5_2" # TODO to define
+postgres_geo_redundant_backup_enabled = false
+postgres_enable_replica               = false #TODO to define
+# postgres_storage_mb                   = 5242880 # 5TB TODO to define
+postgres_configuration = {
+  autovacuum_work_mem         = "-1"
+  effective_cache_size        = "5242880"
+  log_autovacuum_min_duration = "5000"
+  log_connections             = "off"
+  log_line_prefix             = "%t [%p apps:%a host:%r]: [%l-1] db=%d,user=%u"
+  log_temp_files              = "4096"
+  maintenance_work_mem        = "524288"
+  max_wal_size                = "4096"
+  log_connections             = "on"
+  log_checkpoints             = "on"
+  connection_throttling       = "on"
+}
diff --git a/src/core/env/uat/terraform.tfvars b/src/core/env/uat/terraform.tfvars
@@ -16,6 +16,7 @@ lock_enable = true
 cidr_vnet                    = ["10.1.0.0/16"]
 cidr_subnet_k8s              = ["10.1.0.0/17"]
 cidr_subnet_appgateway       = ["10.1.128.0/24"]
+cidr_subnet_postgres         = ["10.1.129.0/24"]
 cidr_subnet_azdoa            = ["10.1.130.0/24"]
 cidr_subnet_redis            = ["10.1.132.0/24"]
 cidr_subnet_vpn              = ["10.1.133.0/24"]
@@ -48,3 +49,22 @@ aks_max_pods     = 100
 
 # CosmosDb MongoDb
 cosmosdb_mongodb_enable_serverless = true
+
+# postgres
+postgres_sku_name       = "GP_Gen5_2"
+postgres_enable_replica = false
+# postgres_storage_mb     = 204800 # 200 GB TODO to define
+postgres_configuration = {
+  autovacuum_work_mem         = "-1"
+  effective_cache_size        = "2621440"
+  log_autovacuum_min_duration = "5000"
+  log_connections             = "off"
+  log_line_prefix             = "%t [%p apps:%a host:%r]: [%l-1] db=%d,user=%u"
+  log_temp_files              = "4096"
+  maintenance_work_mem        = "524288"
+  max_wal_size                = "4096"
+  log_connections             = "on"
+  log_checkpoints             = "on"
+  connection_throttling       = "on"
+}
+postgres_alerts_enabled = false
diff --git a/src/core/outputs.tf b/src/core/outputs.tf
@@ -138,3 +138,22 @@ output "cosmosdb_account_mongodb_connection_strings" {
 output "cosmosdb_mongodb_id" {
   value = azurerm_cosmosdb_mongo_database.mongodb.id
 }
+
+## Postgresql server
+output "postgresql_fqdn" {
+  value = module.postgresql.fqdn
+}
+
+output "postgresql_administrator_login" {
+  value     = data.azurerm_key_vault_secret.postgres_administrator_login.value
+  sensitive = true
+}
+
+output "postgresql_administrator_login_password" {
+  value     = data.azurerm_key_vault_secret.postgres_administrator_login_password.value
+  sensitive = true
+}
+
+output "postgresql_replica_fqdn" {
+  value = module.postgresql.replica_fqdn
+}
diff --git a/src/core/postgres.tf b/src/core/postgres.tf
@@ -0,0 +1,83 @@
+resource "azurerm_resource_group" "postgres_rg" {
+  name     = format("%s-postgres-rg", local.project)
+  location = var.location
+
+  tags = var.tags
+}
+
+data "azurerm_key_vault_secret" "postgres_administrator_login" {
+  name         = "postgres-administrator-login"
+  key_vault_id = module.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "postgres_administrator_login_password" {
+  name         = "postgres-administrator-login-password"
+  key_vault_id = module.key_vault.id
+}
+
+## Database subnet
+module "postgres_snet" {
+  source                                         = "git::https://github.com/pagopa/azurerm.git//subnet?ref=v1.0.60"
+  name                                           = format("%s-postgres-snet", local.project)
+  address_prefixes                               = var.cidr_subnet_postgres
+  resource_group_name                            = azurerm_resource_group.rg_vnet.name
+  virtual_network_name                           = module.vnet.name
+  service_endpoints                              = ["Microsoft.Sql"]
+  enforce_private_link_endpoint_network_policies = true
+}
+
+// azure-database-postgres-configuration ignored because these rules are not correctly evaluated! this configuration is enabled using postgres_configurations var
+#tfsec:ignore:azure-database-postgres-configuration-log-checkpoints
+#tfsec:ignore:azure-database-postgres-configuration-log-connection-throttling
+#tfsec:ignore:azure-database-postgres-configuration-log-connections
+module "postgresql" {
+  source = "git::https://github.com/pagopa/azurerm.git//postgresql_server?ref=v1.0.60"
+
+  name                             = format("%s-postgresql", local.project)
+  location                         = azurerm_resource_group.postgres_rg.location
+  resource_group_name              = azurerm_resource_group.postgres_rg.name
+  virtual_network_id               = module.vnet.id
+  subnet_id                        = module.postgres_snet.id
+  administrator_login              = data.azurerm_key_vault_secret.postgres_administrator_login.value
+  administrator_login_password     = data.azurerm_key_vault_secret.postgres_administrator_login_password.value
+  sku_name                         = var.postgres_sku_name
+  storage_mb                       = var.postgres_storage_mb
+  db_version                       = 11
+  geo_redundant_backup_enabled     = var.postgres_geo_redundant_backup_enabled
+  enable_replica                   = var.postgres_enable_replica
+  ssl_minimal_tls_version_enforced = "TLS1_2"
+  public_network_access_enabled    = false
+  lock_enable                      = var.lock_enable
+
+  network_rules         = var.postgres_network_rules
+  replica_network_rules = var.postgres_replica_network_rules
+
+  configuration         = var.postgres_configuration
+  configuration_replica = var.postgres_configuration
+
+  alerts_enabled                        = var.postgres_alerts_enabled
+  monitor_metric_alert_criteria         = var.postgres_metric_alerts
+  replica_monitor_metric_alert_criteria = var.postgres_metric_alerts
+  action = [
+    {
+      action_group_id    = azurerm_monitor_action_group.email.id
+      webhook_properties = null
+    },
+    {
+      action_group_id    = azurerm_monitor_action_group.slack.id
+      webhook_properties = null
+    }
+  ]
+  replica_action = [
+    {
+      action_group_id    = azurerm_monitor_action_group.email.id
+      webhook_properties = null
+    },
+    {
+      action_group_id    = azurerm_monitor_action_group.slack.id
+      webhook_properties = null
+    }
+  ]
+
+  tags = var.tags
+}
diff --git a/src/core/variables.tf b/src/core/variables.tf
@@ -405,6 +405,11 @@ variable "cidr_subnet_cosmosdb_mongodb" {
   description = "Application gateway address space."
 }
 
+variable "cidr_subnet_postgres" {
+  type        = list(string)
+  description = "Database network address space."
+}
+
 # DNS
 variable "dns_default_ttl_sec" {
   type        = number
@@ -553,3 +558,163 @@ variable "cosmosdb_mongodb_max_throughput" {
   description = "The maximum throughput of the MongoDB database (RU/s). Must be between 4,000 and 1,000,000. Must be set in increments of 1,000. Conflicts with throughput"
   default     = 4000
 }
+
+## Database server postgresl
+variable "postgres_sku_name" {
+  type        = string
+  description = "Specifies the SKU Name for this PostgreSQL Server."
+}
+
+variable "postgres_geo_redundant_backup_enabled" {
+  type        = bool
+  default     = false
+  description = "Turn Geo-redundant server backups on/off."
+}
+
+variable "postgres_enable_replica" {
+  type        = bool
+  default     = false
+  description = "Create a PostgreSQL Server Replica."
+}
+
+variable "postgres_storage_mb" {
+  type        = number
+  description = "Max storage allowed for a server"
+  default     = 5120
+}
+
+variable "postgres_configuration" {
+  type        = map(string)
+  description = "PostgreSQL Server configuration"
+  default     = {}
+}
+
+variable "postgres_alerts_enabled" {
+  type        = bool
+  default     = false
+  description = "Database alerts enabled?"
+}
+
+variable "postgres_network_rules" {
+  type = object({
+    ip_rules                       = list(string)
+    allow_access_to_azure_services = bool
+  })
+  default = {
+    ip_rules = []
+    # dblink
+    allow_access_to_azure_services = true
+  }
+  description = "Database network rules"
+}
+
+variable "postgres_replica_network_rules" {
+  type = object({
+    ip_rules                       = list(string)
+    allow_access_to_azure_services = bool
+  })
+  default = {
+    ip_rules = []
+    # dblink
+    allow_access_to_azure_services = true
+  }
+  description = "Database network rules"
+}
+
+variable "postgres_metric_alerts" {
+  description = <<EOD
+Map of name = criteria objects, see these docs for options
+https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported#microsoftdbforpostgresqlservers
+https://docs.microsoft.com/en-us/azure/postgresql/concepts-limits#maximum-connections
+EOD
+
+  type = map(object({
+    # criteria.*.aggregation to be one of [Average Count Minimum Maximum Total]
+    aggregation = string
+    metric_name = string
+    # criteria.0.operator to be one of [Equals NotEquals GreaterThan GreaterThanOrEqual LessThan LessThanOrEqual]
+    operator  = string
+    threshold = number
+    # Possible values are PT1M, PT5M, PT15M, PT30M and PT1H
+    frequency = string
+    # Possible values are PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H and P1D.
+    window_size = string
+
+    dimension = list(object(
+      {
+        name     = string
+        operator = string
+        values   = list(string)
+      }
+    ))
+  }))
+
+  default = {
+    cpu = {
+      aggregation = "Average"
+      metric_name = "cpu_percent"
+      operator    = "GreaterThan"
+      threshold   = 70
+      frequency   = "PT1M"
+      window_size = "PT5M"
+      dimension   = []
+    }
+    memory = {
+      aggregation = "Average"
+      metric_name = "memory_percent"
+      operator    = "GreaterThan"
+      threshold   = 75
+      frequency   = "PT1M"
+      window_size = "PT5M"
+      dimension   = []
+    }
+    io = {
+      aggregation = "Average"
+      metric_name = "io_consumption_percent"
+      operator    = "GreaterThan"
+      threshold   = 55
+      frequency   = "PT1M"
+      window_size = "PT5M"
+      dimension   = []
+    }
+    # https://docs.microsoft.com/it-it/azure/postgresql/concepts-limits
+    # GP_Gen5_2 -| 145 / 100 * 80 = 116
+    # GP_Gen5_32 -| 1495 / 100 * 80 = 1196
+    max_active_connections = {
+      aggregation = "Average"
+      metric_name = "active_connections"
+      operator    = "GreaterThan"
+      threshold   = 1196
+      frequency   = "PT5M"
+      window_size = "PT5M"
+      dimension   = []
+    }
+    min_active_connections = {
+      aggregation = "Average"
+      metric_name = "active_connections"
+      operator    = "LessThanOrEqual"
+      threshold   = 0
+      frequency   = "PT5M"
+      window_size = "PT15M"
+      dimension   = []
+    }
+    failed_connections = {
+      aggregation = "Total"
+      metric_name = "connections_failed"
+      operator    = "GreaterThan"
+      threshold   = 10
+      frequency   = "PT5M"
+      window_size = "PT15M"
+      dimension   = []
+    }
+    replica_lag = {
+      aggregation = "Average"
+      metric_name = "pg_replica_log_delay_in_seconds"
+      operator    = "GreaterThan"
+      threshold   = 60
+      frequency   = "PT1M"
+      window_size = "PT5M"
+      dimension   = []
+    }
+  }
+}