From 04b137d2002ca6b58243d088d05aee4aef2db99b Mon Sep 17 00:00:00 2001
From: anttorre
Date: Thu, 14 Oct 2021 17:10:37 +0200
Subject: [PATCH 1/3] integrating postgres
---
 src/core/env/dev/terraform.tfvars | 16 +++
 src/core/env/prod/terraform.tfvars | 17 +++
 src/core/env/uat/terraform.tfvars | 17 +++
 src/core/outputs.tf | 19 ++++
 src/core/postgres.tf | 79 ++++++++++++++
 src/core/variables.tf | 167 +++++++++++++++++++++++++++++
 6 files changed, 315 insertions(+)
 create mode 100644 src/core/postgres.tf
diff --git a/src/core/env/dev/terraform.tfvars b/src/core/env/dev/terraform.tfvars
index d336a0fb5..a6f8ed045 100644
--- a/src/core/env/dev/terraform.tfvars
+++ b/src/core/env/dev/terraform.tfvars
@@ -16,6 +16,7 @@ lock_enable = false
 cidr_vnet = ["10.1.0.0/16"]
 cidr_subnet_k8s = ["10.1.0.0/17"]
 cidr_subnet_appgateway = ["10.1.128.0/24"]
+cidr_subnet_postgres = ["10.1.129.0/24"]
 cidr_subnet_azdoa = ["10.1.130.0/24"]
 cidr_subnet_redis = ["10.1.132.0/24"]
 cidr_subnet_vpn = ["10.1.133.0/24"]
@@ -47,3 +48,18 @@ aks_alerts_enabled = false
 # This is the k8s ingress controller ip. It must be in the aks subnet range.
 reverse_proxy_ip = "10.1.0.250"
 aks_max_pods = 100
+
+# postgres
+postgres_sku_name = "GP_Gen5_2"
+postgres_enable_replica = false
+postgres_configuration = {
+ autovacuum_work_mem = "-1"
+ effective_cache_size = "655360"
+ log_autovacuum_min_duration = "5000"
+ log_connections = "off"
+ log_line_prefix = "%t [%p apps:%a host:%r]: [%l-1] db=%d,user=%u"
+ log_temp_files = "4096"
+ maintenance_work_mem = "524288"
+ max_wal_size = "4096"
+}
+postgres_alerts_enabled = false
diff --git a/src/core/env/prod/terraform.tfvars b/src/core/env/prod/terraform.tfvars
index e30f5df6c..f5cc04829 100644
--- a/src/core/env/prod/terraform.tfvars
+++ b/src/core/env/prod/terraform.tfvars
@@ -16,6 +16,7 @@ lock_enable = true
 cidr_vnet = ["10.1.0.0/16"]
 cidr_subnet_k8s = ["10.1.0.0/17"]
 cidr_subnet_appgateway = ["10.1.128.0/24"]
+cidr_subnet_postgres = ["10.1.129.0/24"]
 cidr_subnet_azdoa = ["10.1.130.0/24"]
 cidr_subnet_redis = ["10.1.132.0/24"]
 cidr_subnet_vpn = ["10.1.133.0/24"]
@@ -56,3 +57,19 @@ aks_node_count = 1 # TODO to define before release to prod
 aks_max_pods = 100
 # aks_vm_size = "Standard_D8S_v3" # TODO to define and uncomment before release to prod
 # aks_sku_tier = "Paid" # TODO to define and uncomment before release to prod
+
+#postgres
+postgres_sku_name = "GP_Gen5_2" # TODO to define
+postgres_geo_redundant_backup_enabled = false
+postgres_enable_replica = false #TODO to define
+# postgres_storage_mb = 5242880 # 5TB TODO to define
+postgres_configuration = {
+ autovacuum_work_mem = "-1"
+ effective_cache_size = "5242880"
+ log_autovacuum_min_duration = "5000"
+ log_connections = "off"
+ log_line_prefix = "%t [%p apps:%a host:%r]: [%l-1] db=%d,user=%u"
+ log_temp_files = "4096"
+ maintenance_work_mem = "524288"
+ max_wal_size = "4096"
+}
diff --git a/src/core/env/uat/terraform.tfvars b/src/core/env/uat/terraform.tfvars
index 280dba7f6..df78a5aac 100644
--- a/src/core/env/uat/terraform.tfvars
+++ b/src/core/env/uat/terraform.tfvars
@@ -16,6 +16,7 @@ lock_enable = true
 cidr_vnet = ["10.1.0.0/16"]
 cidr_subnet_k8s = ["10.1.0.0/17"]
 cidr_subnet_appgateway = ["10.1.128.0/24"]
+cidr_subnet_postgres = ["10.1.129.0/24"]
 cidr_subnet_azdoa = ["10.1.130.0/24"]
 cidr_subnet_redis = ["10.1.132.0/24"]
 cidr_subnet_vpn = ["10.1.133.0/24"]
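Review bot: The prod values in the second hunk set `postgres_geo_redundant_backup_enabled = false` and do not set `postgres_alerts_enabled` at all, which variables.tf in this same patch defaults to `false`, so production starts with neither geo-redundant backups nor database alerting while only the SKU and replica lines carry a TODO. If that is intentional for the pre-release stage, give those two settings the same `# TODO to define before release to prod` marker used for the AKS lines above so they are not forgotten; otherwise add `postgres_alerts_enabled = true` here so the email and slack action groups wired in postgres.tf are actually used. The dev and uat hunks set the alert flag explicitly, so prod is the odd one out.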
@@ -47,3 +48,19 @@ aks_alerts_enabled = false
 # This is the k8s ingress controller ip. It must be in the aks subnet range.
 reverse_proxy_ip = "10.1.0.250"
 aks_max_pods = 100
+
+# postgres
+postgres_sku_name = "GP_Gen5_2"
+postgres_enable_replica = false
+# postgres_storage_mb = 204800 # 200 GB TODO to define
+postgres_configuration = {
+ autovacuum_work_mem = "-1"
+ effective_cache_size = "2621440"
+ log_autovacuum_min_duration = "5000"
+ log_connections = "off"
+ log_line_prefix = "%t [%p apps:%a host:%r]: [%l-1] db=%d,user=%u"
+ log_temp_files = "4096"
+ maintenance_work_mem = "524288"
+ max_wal_size = "4096"
+}
+postgres_alerts_enabled = false
diff --git a/src/core/outputs.tf b/src/core/outputs.tf
index e8c3924a2..8565e655b 100644
--- a/src/core/outputs.tf
+++ b/src/core/outputs.tf
@@ -118,3 +118,22 @@ output "api_fqdn" {
 output "reverse_proxy_ip" {
 value = var.reverse_proxy_ip
 }
+
+## Postgresql server
+output "postgresql_fqdn" {
+ value = module.postgresql.fqdn
+}
+
+output "postgresql_administrator_login" {
+ value = data.azurerm_key_vault_secret.postgres_administrator_login.value
+ sensitive = true
+}
+
+output "postgresql_administrator_login_password" {
+ value = data.azurerm_key_vault_secret.postgres_administrator_login_password.value
+ sensitive = true
+}
+
+output "postgresql_replica_fqdn" {
+ value = module.postgresql.replica_fqdn
+}
diff --git a/src/core/postgres.tf b/src/core/postgres.tf
new file mode 100644
index 000000000..6a1fce94f
--- /dev/null
+++ b/src/core/postgres.tf
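Review bot: The two `sensitive = true` outputs in the outputs.tf hunk re-export the administrator login and password that postgres.tf already reads from Key Vault; `sensitive` only redacts them from plan and apply display, while the values are still written in clear to the state file and returned by `terraform output -json`. Since any consumer can read the same two secrets from `module.key_vault`, consider dropping `postgresql_administrator_login` and `postgresql_administrator_login_password`, or put a comment above them naming the pipeline step that needs them, e.g. `# Re-exported for <consumer>; the values also live in key vault and in this state file`. `postgresql_replica_fqdn` is emitted unconditionally; whether it is null or fails when `postgres_enable_replica` is false depends on the module and is worth confirming.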
@@ -0,0 +1,79 @@
+resource "azurerm_resource_group" "postgres_rg" {
+ name = format("%s-postgres-rg", local.project)
+ location = var.location
+
+ tags = var.tags
+}
+
+data "azurerm_key_vault_secret" "postgres_administrator_login" {
+ name = "postgres-administrator-login"
+ key_vault_id = module.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "postgres_administrator_login_password" {
+ name = "postgres-administrator-login-password"
+ key_vault_id = module.key_vault.id
+}
+
+## Database subnet
+module "postgres_snet" {
+ source = "git::https://github.com/pagopa/azurerm.git//subnet?ref=v1.0.60"
+ name = format("%s-postgres-snet", local.project)
+ address_prefixes = var.cidr_subnet_postgres
+ resource_group_name = azurerm_resource_group.rg_vnet.name
+ virtual_network_name = module.vnet.name
+ service_endpoints = ["Microsoft.Sql"]
+ enforce_private_link_endpoint_network_policies = true
+}
+
+#tfsec:ignore:azure-database-no-public-access
+module "postgresql" {
+ source = "git::https://github.com/pagopa/azurerm.git//postgresql_server?ref=v1.0.60"
+ name = format("%s-postgresql", local.project)
+ location = azurerm_resource_group.postgres_rg.location
+ resource_group_name = azurerm_resource_group.postgres_rg.name
+ virtual_network_id = module.vnet.id
+ subnet_id = module.postgres_snet.id
+ administrator_login = data.azurerm_key_vault_secret.postgres_administrator_login.value
+ administrator_login_password = data.azurerm_key_vault_secret.postgres_administrator_login_password.value
+ sku_name = var.postgres_sku_name
+ storage_mb = var.postgres_storage_mb
+ db_version = 11
+ geo_redundant_backup_enabled = var.postgres_geo_redundant_backup_enabled
+ enable_replica = var.postgres_enable_replica
+ ssl_minimal_tls_version_enforced = "TLS1_2"
+ public_network_access_enabled = true
+ lock_enable = var.lock_enable
+
+ network_rules = var.postgres_network_rules
+ replica_network_rules = var.postgres_replica_network_rules
+
+ configuration = var.postgres_configuration
+ configuration_replica = var.postgres_configuration
+
+ alerts_enabled = var.postgres_alerts_enabled
+ monitor_metric_alert_criteria = var.postgres_metric_alerts
+ replica_monitor_metric_alert_criteria = var.postgres_metric_alerts
+ action = [
+ {
+ action_group_id = azurerm_monitor_action_group.email.id
+ webhook_properties = null
+ },
+ {
+ action_group_id = azurerm_monitor_action_group.slack.id
+ webhook_properties = null
+ }
+ ]
+ replica_action = [
+ {
+ action_group_id = azurerm_monitor_action_group.email.id
+ webhook_properties = null
+ },
+ {
+ action_group_id = azurerm_monitor_action_group.slack.id
+ webhook_properties = null
+ }
+ ]
+
+ tags = var.tags
+}
diff --git a/src/core/variables.tf b/src/core/variables.tf
index 1e952cb42..e62851a51 100644
--- a/src/core/variables.tf
+++ b/src/core/variables.tf
@@ -405,6 +405,11 @@ variable "cidr_subnet_dnsforwarder" {
 description = "DNS Forwarder network address space."
 }
+variable "cidr_subnet_postgres" {
+ type = list(string)
+ description = "Database network address space."
+}
+
 # DNS
 variable "dns_default_ttl_sec" {
 type = number
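Review bot: The two `data "azurerm_key_vault_secret"` blocks at the top of the new postgres.tf make `postgres-administrator-login` and `postgres-administrator-login-password` a hard prerequisite that nothing in this patch creates, so the first plan against a fresh key vault fails, and once read the password is also persisted in the state through `administrator_login_password`. A comment above the data sources would save the next operator a failed run, e.g. `# Not managed here: both secrets must be seeded in the key vault before the first apply; their values end up in this state file`. Separately, `action` and `replica_action` are identical ten-line lists, so a single `locals` entry referenced from both would keep them from drifting apart, and `db_version = 11` is the only tunable in the module call not exposed as a variable, unlike `sku_name` and `storage_mb`.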
@@ -487,3 +492,165 @@ variable "enable_iac_pipeline" {
 description = "If true create the key vault policy to allow used by azure devops iac pipelines."
 default = false
 }
+
+
+
+## Database server postgresl
+variable "postgres_sku_name" {
+ type = string
+ description = "Specifies the SKU Name for this PostgreSQL Server."
+}
+
+variable "postgres_geo_redundant_backup_enabled" {
+ type = bool
+ default = false
+ description = "Turn Geo-redundant server backups on/off."
+}
+
+variable "postgres_enable_replica" {
+ type = bool
+ default = false
+ description = "Create a PostgreSQL Server Replica."
+}
+
+variable "postgres_storage_mb" {
+ type = number
+ description = "Max storage allowed for a server"
+ default = 5120
+}
+
+variable "postgres_configuration" {
+ type = map(string)
+ description = "PostgreSQL Server configuration"
+ default = {}
+}
+
+variable "postgres_alerts_enabled" {
+ type = bool
+ default = false
+ description = "Database alerts enabled?"
+}
+
+variable "postgres_network_rules" {
+ type = object({
+ ip_rules = list(string)
+ allow_access_to_azure_services = bool
+ })
+ default = {
+ ip_rules = []
+ # dblink
+ allow_access_to_azure_services = true
+ }
+ description = "Database network rules"
+}
+
+variable "postgres_replica_network_rules" {
+ type = object({
+ ip_rules = list(string)
+ allow_access_to_azure_services = bool
+ })
+ default = {
+ ip_rules = []
+ # dblink
+ allow_access_to_azure_services = true
+ }
+ description = "Database network rules"
+}
+
+variable "postgres_metric_alerts" {
+ description = < Date: Fri, 15 Oct 2021 17:29:30 +0200
Subject: [PATCH 2/3] tfsec resolved
---
 src/core/env/dev/terraform.tfvars | 3 +++
 src/core/env/prod/terraform.tfvars | 3 +++
 src/core/env/uat/terraform.tfvars | 19 +++++++++++--------
 src/core/postgres.tf | 7 ++++++-
 4 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/src/core/env/dev/terraform.tfvars b/src/core/env/dev/terraform.tfvars
index 90aa6e842..f0a502613 100644
--- a/src/core/env/dev/terraform.tfvars
+++ b/src/core/env/dev/terraform.tfvars
@@ -66,5 +66,8 @@ postgres_configuration = {
 log_temp_files = "4096"
 maintenance_work_mem = "524288"
 max_wal_size = "4096"
+ log_connections = "on"
+ log_checkpoints = "on"
+ connection_throttling = "on"
 }
 postgres_alerts_enabled = false
diff --git a/src/core/env/prod/terraform.tfvars b/src/core/env/prod/terraform.tfvars
index 60a4cbbce..2454d793e 100644
--- a/src/core/env/prod/terraform.tfvars
+++ b/src/core/env/prod/terraform.tfvars
@@ -80,4 +80,7 @@ postgres_configuration = {
 log_temp_files = "4096"
 maintenance_work_mem = "524288"
 max_wal_size = "4096"
+ log_connections = "on"
+ log_checkpoints = "on"
+ connection_throttling = "on"
 }
diff --git a/src/core/env/uat/terraform.tfvars b/src/core/env/uat/terraform.tfvars
index 5f6ad9962..0902be6cc 100644
--- a/src/core/env/uat/terraform.tfvars
+++ b/src/core/env/uat/terraform.tfvars
@@ -13,14 +13,14 @@ lock_enable = true
 # networking
 # main vnet
-cidr_vnet = ["10.1.0.0/16"]
-cidr_subnet_k8s = ["10.1.0.0/17"]
-cidr_subnet_appgateway = ["10.1.128.0/24"]
-cidr_subnet_postgres = ["10.1.129.0/24"]
-cidr_subnet_azdoa = ["10.1.130.0/24"]
-cidr_subnet_redis = ["10.1.132.0/24"]
-cidr_subnet_vpn = ["10.1.133.0/24"]
-cidr_subnet_dnsforwarder = ["10.1.134.0/29"]
+cidr_vnet = ["10.1.0.0/16"]
+cidr_subnet_k8s = ["10.1.0.0/17"]
+cidr_subnet_appgateway = ["10.1.128.0/24"]
+cidr_subnet_postgres = ["10.1.129.0/24"]
+cidr_subnet_azdoa = ["10.1.130.0/24"]
+cidr_subnet_redis = ["10.1.132.0/24"]
+cidr_subnet_vpn = ["10.1.133.0/24"]
+cidr_subnet_dnsforwarder = ["10.1.134.0/29"]
 cidr_subnet_cosmosdb_mongodb = ["10.1.135.0/24"]
 # integration vnet
@@ -66,5 +66,8 @@ postgres_configuration = {
 log_temp_files = "4096"
 maintenance_work_mem = "524288"
 max_wal_size = "4096"
+ log_connections = "on"
+ log_checkpoints = "on"
+ connection_throttling = "on"
 }
 postgres_alerts_enabled = false
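Review bot: The dev hunk adds `log_connections = "on"` inside `postgres_configuration`, but the `log_connections = "off"` entry the previous patch put in the same map is not removed (the diffstat for this file is insertions only), so the object literal now carries that key twice; the prod hunk and the second uat hunk below have the same problem. Depending on the Terraform release this is either rejected as a duplicate object key or resolved silently by position, neither of which you want for a logging setting, so the `"off"` line should be deleted in all three files in this patch, i.e. replace it with the new `log_connections = "on"` rather than appending a second entry. The first uat hunk is whitespace realignment only.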
diff --git a/src/core/postgres.tf b/src/core/postgres.tf
index 6a1fce94f..98c58e0d3 100644
--- a/src/core/postgres.tf
+++ b/src/core/postgres.tf
@@ -26,9 +26,14 @@ module "postgres_snet" {
 enforce_private_link_endpoint_network_policies = true
 }
+// azure-database-postgres-configuration ignored because these rules are not correctly evaluated! this configuration is enabled using postgres_configurations var
 #tfsec:ignore:azure-database-no-public-access
+#tfsec:ignore:azure-database-postgres-configuration-log-checkpoints
+#tfsec:ignore:azure-database-postgres-configuration-log-connection-throttling
+#tfsec:ignore:azure-database-postgres-configuration-log-connections
 module "postgresql" {
- source = "git::https://github.com/pagopa/azurerm.git//postgresql_server?ref=v1.0.60"
+ source = "git::https://github.com/pagopa/azurerm.git//postgresql_server?ref=v1.0.60"
+
 name = format("%s-postgresql", local.project)
 location = azurerm_resource_group.postgres_rg.location
 resource_group_name = azurerm_resource_group.postgres_rg.name
From b1b4fda81ac624e0ebe7f98f1359cd23a261f44f Mon Sep 17 00:00:00 2001
From: anttorre
Date: Mon, 18 Oct 2021 16:03:32 +0200
Subject: [PATCH 3/3] postgres no more public
---
 src/core/postgres.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/core/postgres.tf b/src/core/postgres.tf
index 98c58e0d3..8b3faeace 100644
--- a/src/core/postgres.tf
+++ b/src/core/postgres.tf
@@ -27,7 +27,6 @@ module "postgres_snet" {
 }
 // azure-database-postgres-configuration ignored because these rules are not correctly evaluated! this configuration is enabled using postgres_configurations var
-#tfsec:ignore:azure-database-no-public-access
 #tfsec:ignore:azure-database-postgres-configuration-log-checkpoints
 #tfsec:ignore:azure-database-postgres-configuration-log-connection-throttling
 #tfsec:ignore:azure-database-postgres-configuration-log-connections
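Review bot: The three new `#tfsec:ignore:azure-database-postgres-configuration-*` lines in the patch-2 postgres.tf hunk silence the checks for every environment, while the settings they stand for are supplied per environment through `postgres_configuration`, whose declared default in variables.tf is `{}`; a future tfvars file that omits `log_checkpoints`, `log_connections` or `connection_throttling` would then pass tfsec with those features off. Carrying the three keys in the module call as a baseline, e.g. `configuration = merge({ log_checkpoints = "on", log_connections = "on", connection_throttling = "on" }, var.postgres_configuration)` and the same for `configuration_replica`, keeps the guarantee in code and makes the ignore comments honest. The `//` comment above the ignores is the only C-style comment in these files, `#` matches the surrounding lines, and the variable it refers to is `postgres_configuration`, not `postgres_configurations`. The `module "postgresql"` block continues past the hunk.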
@@ -47,7 +46,7 @@ module "postgresql" {
 geo_redundant_backup_enabled = var.postgres_geo_redundant_backup_enabled
 enable_replica = var.postgres_enable_replica
 ssl_minimal_tls_version_enforced = "TLS1_2"
- public_network_access_enabled = true
+ public_network_access_enabled = false
 lock_enable = var.lock_enable
 network_rules = var.postgres_network_rules
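Review bot: Setting `public_network_access_enabled = false` is the right direction, but the server is still attached to the subnet only through `subnet_id` on a subnet that declares `service_endpoints = ["Microsoft.Sql"]`, and this patch adds no private endpoint (diffstat: one insertion, two deletions). For the Azure Database for PostgreSQL single-server offering, disabling public network access is documented to leave only private-endpoint connections accepted, with VNet and firewall rules no longer applying; if the module at `v1.0.60` turns `subnet_id` into a VNet rule rather than a private endpoint, workloads in the AKS subnet lose connectivity after this apply, so confirm the module's wiring before merging. Either way, a comment next to the argument recording how traffic is expected to reach the server, e.g. `# public access off: reachable only via <private endpoint | vnet rule> provisioned by the postgresql_server module`, would make the intent auditable. The `postgres_network_rules` default of `allow_access_to_azure_services = true` becomes moot or misleading once this is false and deserves a second look. The `module "postgresql"` block starts and ends outside the hunk.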