Create an Azure PostgreSQL Database

This Terraform module creates a Azure PostgreSQL Database.

Usage in Terraform 0.13

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "examples-rg"
  location = "West Europe"
}

module "postgresql" {
  source = "Azure/postgresql/azurerm"

  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  server_name                   = "examples-server"
  sku_name                      = "GP_Gen5_2"
  storage_mb                    = 5120
  auto_grow_enabled             = false
  backup_retention_days         = 7
  geo_redundant_backup_enabled  = false
  administrator_login           = "login"
  administrator_password        = "password"
  server_version                = "9.5"
  ssl_enforcement_enabled       = true
  public_network_access_enabled = true
  db_names                      = ["my_db1", "my_db2"]
  db_charset                    = "UTF8"
  db_collation                  = "English_United States.1252"

  firewall_rule_prefix = "firewall-"
  firewall_rules = [
    { name = "test1", start_ip = "10.0.0.5", end_ip = "10.0.0.8" },
    { start_ip = "127.0.0.0", end_ip = "127.0.1.0" },
  ]

  vnet_rule_name_prefix = "postgresql-vnet-rule-"
  vnet_rules = [
    { name = "subnet1", subnet_id = "<subnet_id>" }
  ]

  tags = {
    Environment = "Production",
    CostCenter  = "Contoso IT",
  }

  postgresql_configurations = {
    backslash_quote = "on",
  }

  depends_on = [azurerm_resource_group.example]
}

Usage

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "examples-rg"
  location = "West Europe"
}

module "postgresql" {
  source = "Azure/postgresql/azurerm"

  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  server_name                   = "examples-server"
  sku_name                      = "GP_Gen5_2"
  storage_mb                    = 5120
  auto_grow_enabled             = false
  backup_retention_days         = 7
  geo_redundant_backup_enabled  = false
  administrator_login           = "login"
  administrator_password        = "password"
  server_version                = "9.5"
  ssl_enforcement_enabled       = true
  public_network_access_enabled = true
  db_names                      = ["my_db1", "my_db2"]
  db_charset                    = "UTF8"
  db_collation                  = "English_United States.1252"

  firewall_rule_prefix = "firewall-"
  firewall_rules = [
    { name = "test1", start_ip = "10.0.0.5", end_ip = "10.0.0.8" },
    { start_ip = "127.0.0.0", end_ip = "127.0.1.0" },
  ]

  vnet_rule_name_prefix = "postgresql-vnet-rule-"
  vnet_rules = [
    { name = "subnet1", subnet_id = "<subnet_id>" }
  ]

  tags = {
    Environment = "Production",
    CostCenter  = "Contoso IT",
  }

  postgresql_configurations = {
    backslash_quote = "on",
  }
}

Pre-Commit & Pr-Check & Test

Configurations

• Configure Terraform for Azure

We assumed that you have setup service principal's credentials in your environment variables like below:

export ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
export ARM_TENANT_ID="<azure_subscription_tenant_id>"
export ARM_CLIENT_ID="<service_principal_appid>"
export ARM_CLIENT_SECRET="<service_principal_password>"

On Windows Powershell:

$env:ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
$env:ARM_TENANT_ID="<azure_subscription_tenant_id>"
$env:ARM_CLIENT_ID="<service_principal_appid>"
$env:ARM_CLIENT_SECRET="<service_principal_password>"

We provide a docker image to run the pre-commit checks and tests for you: mcr.microsoft.com/azterraform:latest

To run the pre-commit task, we can run the following command:

$ docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit

On Windows Powershell:

$ docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit

In pre-commit task, we will:

1. Run terraform fmt -recursive command for your Terraform code.
2. Run terrafmt fmt -f command for markdown files and go code files to ensure that the Terraform code embedded in these files are well formatted.
3. Run go mod tidy and go mod vendor for test folder to ensure that all the dependencies have been synced.
4. Run gofmt for all go code files.
5. Run gofumpt for all go code files.
6. Run terraform-docs on README.md file, then run markdown-table-formatter to format markdown tables in README.md.

Then we can run the pr-check task to check whether our code meets our pipeline's requirement(We strongly recommend you run the following command before you commit):

$ docker run --rm -v $(pwd):/src -w /src -e TFLINT_CONFIG=.tflint_alt.hcl mcr.microsoft.com/azterraform:latest make pr-check

On Windows Powershell:

$ docker run --rm -v ${pwd}:/src -w /src -e TFLINT_CONFIG=.tflint_alt.hcl mcr.microsoft.com/azterraform:latest make pr-check

To run the e2e-test, we can run the following command:

docker run --rm -v $(pwd):/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test

On Windows Powershell:

docker run --rm -v ${pwd}:/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test

Prerequisites

• Docker

Enable or disable tracing tags

We're using BridgeCrew Yor and yorbox to help manage tags consistently across infrastructure as code (IaC) frameworks. In this module you might see tags like:

resource "azurerm_resource_group" "rg" {
  location = "eastus"
  name     = random_pet.name
  tags = merge(var.tags, (/*<box>*/ (var.tracing_tags_enabled ? { for k, v in /*</box>*/ {
    avm_git_commit           = "3077cc6d0b70e29b6e106b3ab98cee6740c916f6"
    avm_git_file             = "main.tf"
    avm_git_last_modified_at = "2023-05-05 08:57:54"
    avm_git_org              = "lonegunmanb"
    avm_git_repo             = "terraform-yor-tag-test-module"
    avm_yor_trace            = "a0425718-c57d-401c-a7d5-f3d88b2551a4"
  } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/))
}

To enable tracing tags, set the variable to true:

module "example" {
  source               = "{module_source}"
  ...
  tracing_tags_enabled = true
}

The tracing_tags_enabled is default to false.

To customize the prefix for your tracing tags, set the tracing_tags_prefix variable value in your Terraform configuration:

module "example" {
  source              = "{module_source}"
  ...
  tracing_tags_prefix = "custom_prefix_"
}

The actual applied tags would be:

{
  custom_prefix_git_commit           = "3077cc6d0b70e29b6e106b3ab98cee6740c916f6"
  custom_prefix_git_file             = "main.tf"
  custom_prefix_git_last_modified_at = "2023-05-05 08:57:54"
  custom_prefix_git_org              = "lonegunmanb"
  custom_prefix_git_repo             = "terraform-yor-tag-test-module"
  custom_prefix_yor_trace            = "a0425718-c57d-401c-a7d5-f3d88b2551a4"
}

License

MIT

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Requirements

Name	Version
terraform	>= 1.2
azurerm	>= 3.0, < 4.0

Providers

Name	Version
azurerm	>= 3.0, < 4.0

Modules

No modules.

Resources

Name	Type
azurerm_postgresql_configuration.db_configs	resource
azurerm_postgresql_database.dbs	resource
azurerm_postgresql_firewall_rule.firewall_rules	resource
azurerm_postgresql_server.server	resource
azurerm_postgresql_virtual_network_rule.vnet_rules	resource

Inputs

Name	Description	Type	Default	Required
administrator_login	The Administrator Login for the PostgreSQL Server. Changing this forces a new resource to be created.	string	n/a	yes
administrator_password	The Password associated with the administrator_login for the PostgreSQL Server.	string	n/a	yes
auto_grow_enabled	(Optional) Enable or disable incremental automatic growth of database space. Storage auto-grow prevents your server from running out of storage and becoming read-only. If storage auto grow is enabled, the storage automatically grows without impacting the workload. The default value if not explicitly specified is true.	bool	true	no
backup_retention_days	Backup retention days for the server, supported values are between 7 and 35 days.	number	7	no
create_mode	(Optional) The creation mode. Can be used to restore or replicate existing servers. Possible values are Default, Replica, GeoRestore, and PointInTimeRestore. Defaults to Default.	string	"Default"	no
creation_source_server_id	(Optional) For creation modes other than Default, the source server ID to use.	string	null	no
db_charset	Specifies the Charset for the PostgreSQL Database, which needs to be a valid PostgreSQL Charset. Changing this forces a new resource to be created.	string	"UTF8"	no
db_collation	Specifies the Collation for the PostgreSQL Database, which needs to be a valid PostgreSQL Collation. Note that Microsoft uses different notation - en-US instead of en_US. Changing this forces a new resource to be created.	string	"English_United States.1252"	no
db_names	The list of names of the PostgreSQL Database, which needs to be a valid PostgreSQL identifier. Changing this forces a new resource to be created.	list(string)	[]	no
firewall_rule_prefix	Specifies prefix for firewall rule names.	string	"firewall-"	no
firewall_rules	The list of maps, describing firewall rules. Valid map items: name, start_ip, end_ip.	list(map(string))	[]	no
geo_redundant_backup_enabled	Enable Geo-redundant or not for server backup. Valid values for this property are Enabled or Disabled, not supported for the basic tier.	bool	true	no
infrastructure_encryption_enabled	Whether or not infrastructure is encrypted for this server	bool	true	no
location	Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.	string	n/a	yes
postgresql_configurations	A map with PostgreSQL configurations to enable.	map(string)	{}	no
public_network_access_enabled	Whether or not public network access is allowed for this server. Possible values are Enabled and Disabled.	bool	false	no
resource_group_name	The name of the resource group in which to create the PostgreSQL Server. Changing this forces a new resource to be created.	string	n/a	yes
server_name	Specifies the name of the PostgreSQL Server. Changing this forces a new resource to be created.	string	n/a	yes
server_version	Specifies the version of PostgreSQL to use. Valid values are 9.5, 9.6, 10.0, 10.2 and 11. Changing this forces a new resource to be created.	string	"9.5"	no
sku_name	Specifies the SKU Name for this PostgreSQL Server. The name of the SKU, follows the tier + family + cores pattern (e.g. B_Gen4_1, GP_Gen5_8).	string	"GP_Gen5_4"	no
ssl_enforcement_enabled	Specifies if SSL should be enforced on connections. Possible values are Enabled and Disabled.	bool	true	no
ssl_minimal_tls_version_enforced	(Optional) The minimum TLS version to support on the sever. Possible values are TLSEnforcementDisabled, TLS1_0, TLS1_1, and TLS1_2. Defaults to TLS1_2. ssl_minimal_tls_version_enforced must be set to TLSEnforcementDisabled when ssl_enforcement_enabled is set to false.	string	"TLS1_2"	no
storage_mb	Max storage allowed for a server. Possible values are between 5120 MB(5GB) and 1048576 MB(1TB) for the Basic SKU and between 5120 MB(5GB) and 4194304 MB(4TB) for General Purpose/Memory Optimized SKUs.	number	102400	no
tags	A map of tags to set on every taggable resources. Empty by default.	map(string)	{}	no
threat_detection_policy	Threat detection policy configuration, known in the API as Server Security Alerts Policy	object( { enabled = optional(bool) disabled_alerts = optional(set(string)) email_account_admins = optional(bool) email_addresses = optional(set(string)) retention_days = optional(number) storage_account_access_key = optional(string) storage_endpoint = optional(string) } )	null	no
tracing_tags_enabled	Whether enable tracing tags that generated by BridgeCrew Yor.	bool	false	no
tracing_tags_prefix	Default prefix for generated tracing tags	string	"avm_"	no
vnet_rule_name_prefix	Specifies prefix for vnet rule names.	string	"postgresql-vnet-rule-"	no
vnet_rules	The list of maps, describing vnet rules. Valud map items: name, subnet_id.	list(map(string))	[]	no

Outputs

Name	Description
administrator_login	The Administrator login for the PostgreSQL Server
administrator_password	The Password associated with the administrator_login for the PostgreSQL Server
database_ids	The list of all database resource ids
firewall_rule_ids	The list of all firewall rule resource ids
server_fqdn	The fully qualified domain name (FQDN) of the PostgreSQL server
server_id	The resource id of the PostgreSQL server
server_name	The name of the PostgreSQL server
vnet_rule_ids	The list of all vnet rule resource ids