prod: set up Keycloak SQL database
This commit is contained in:
Родитель
b73e61bb04
Коммит
00e1431e6d
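--- /dev/null
+++ b/FILE1_PATH_PLACEHOLDER.tf
@@ -0,0 +1,53 @@
+# Base-layer infrastructure for the Constellations backend services.
+#
+# Because the MongoDB is isolated on a private network, the usual Azure admin
+# systems do not work. However, with the bastion host setup defined in
+# `constellations-bastion.tf`, it is possible to administer the database
+# locally.
+#
+# 1. First, set up the bastion and SSH into it.
+# 2. Forward a port to the DB:
+# ```
+# ssh -O forward -L 10255:wwtprod-cxbe-server.mongo.cosmos.azure.com:10255 wwt@wwtprodcxb.westus.cloudapp.azure.com
+# ```
+# 3. Make a temporary connection string, replacing the `...cosmos.azure.com` hostname
+# with `localhost`. You can get the connection string from the database's admin
+# page in the Azure Portal.
+# 4. Connect using pymongo with some special settings:
+# ```
+# conn = pymongo.MongoClient(cs, tlsAllowInvalidCertificates=True, directConnection=True)
+# ```
+# where `cs` is the temporary connection string.
+
+resource "azurerm_resource_group" "cx_backend" {
+name = "${var.prefix}-cxbackend"
+location = var.location
+
+lifecycle {
+prevent_destroy = true
+}
+}
+
+#resource "azurerm_service_plan" "cx_backend" {
+# name = "${var.prefix}cxbackend"
+# resource_group_name = azurerm_resource_group.cx_backend.name
+# location = azurerm_resource_group.cx_backend.location
+# os_type = "Linux"
+# sku_name = "P1v2"
+#}
+
+# The backend virtual network
+
+resource "azurerm_virtual_network" "cx_backend" {
+name = "${var.prefix}-cxbeVnet"
+location = azurerm_resource_group.cx_backend.location
+resource_group_name = azurerm_resource_group.cx_backend.name
+address_space = ["10.0.0.0/16"]
+}
+
+resource "azurerm_subnet" "cx_backend_main" {
+name = "${var.prefix}-cxbeSubnet"
+resource_group_name = azurerm_resource_group.cx_backend.name
+virtual_network_name = azurerm_virtual_network.cx_backend.name
+address_prefixes = ["10.0.0.0/24"]
+}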
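Review bot: The connection recipe in the header comment, `conn = pymongo.MongoClient(cs, tlsAllowInvalidCertificates=True, directConnection=True)`, switches off server-certificate validation for the tunneled Mongo session without saying why, which makes it easy to copy that flag into code that is not behind an SSH tunnel. Presumably the flag is only needed because the certificate is issued for the `...cosmos.azure.com` name while step 3 rewrites the host to `localhost`; mapping that name to 127.0.0.1 in the hosts file and keeping the original hostname in the connection string would let validation stay on, and failing that the reason belongs in the comment, e.g. `# tlsAllowInvalidCertificates is only to cover the localhost/hostname mismatch introduced by the tunnel; do not reuse elsewhere`. The commented-out `azurerm_service_plan` block is dead configuration; either delete it or add a one-line comment saying what it is being kept for.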
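--- /dev/null
+++ b/FILE2_PATH_PLACEHOLDER.tf
@@ -0,0 +1,89 @@
+# The backing database for the Constellations Keycloak service
+#
+# See remarks in `constellations-backbase.tf` for some information that can
+# hopefully be used to directly connect to this server, if ever needed.
+
+resource "azurerm_postgresql_server" "cxsql" {
+name = "${var.prefix}-cxsql"
+location = azurerm_resource_group.cx_backend.location
+resource_group_name = azurerm_resource_group.cx_backend.name
+
+sku_name = "GP_Gen5_2"
+version = "11"
+storage_mb = 16384
+backup_retention_days = 35
+geo_redundant_backup_enabled = true
+auto_grow_enabled = true
+
+public_network_access_enabled = false
+ssl_enforcement_enabled = true
+ssl_minimal_tls_version_enforced = "TLS1_2"
+infrastructure_encryption_enabled = false
+
+administrator_login = "psqladmin"
+administrator_login_password = var.cxsqlAdminPassword
+}
+
+resource "azurerm_postgresql_database" "keycloak" {
+name = "keycloak"
+resource_group_name = azurerm_resource_group.cx_backend.name
+server_name = azurerm_postgresql_server.cxsql.name
+charset = "UTF8"
+collation = "English_United States.1252"
+}
+
+# Supporting vnet/private-endpoint stuff
+
+resource "azurerm_subnet" "cx_backend_sql" {
+name = "${var.prefix}-cxbeSqlSubnet"
+resource_group_name = azurerm_resource_group.cx_backend.name
+virtual_network_name = azurerm_virtual_network.cx_backend.name
+address_prefixes = ["10.0.4.0/24"]
+}
+
+resource "azurerm_private_dns_zone" "cx_sql" {
+name = "privatelink.postgres.database.azure.com"
+resource_group_name = azurerm_resource_group.cx_backend.name
+}
+
+resource "azurerm_private_endpoint" "cx_backend_sql" {
+name = "${var.prefix}-cxbeSqlEndpoint"
+location = azurerm_resource_group.cx_backend.location
+resource_group_name = azurerm_resource_group.cx_backend.name
+subnet_id = azurerm_subnet.cx_backend_sql.id
+
+private_dns_zone_group {
+name = "default"
+private_dns_zone_ids = [azurerm_private_dns_zone.cx_sql.id]
+}
+
+private_service_connection {
+name = "${var.prefix}-cxbeSqlEndpoint"
+private_connection_resource_id = azurerm_postgresql_server.cxsql.id
+is_manual_connection = false
+subresource_names = ["postgresqlServer"]
+}
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "cx_sql" {
+name = "privatelink.postgres.database.azure.com-sqllink"
+resource_group_name = azurerm_resource_group.cx_backend.name
+private_dns_zone_name = azurerm_private_dns_zone.cx_sql.name
+virtual_network_id = azurerm_virtual_network.cx_backend.id
+}
+
+resource "azurerm_private_dns_a_record" "cx_backend_sql" {
+name = "${var.prefix}-cxsql"
+zone_name = azurerm_private_dns_zone.cx_sql.name
+resource_group_name = azurerm_resource_group.cx_backend.name
+ttl = 10
+records = ["10.0.4.4"]
+}
+
+resource "azurerm_private_dns_a_record" "cx_backend_sql_loc" {
+name = "${var.prefix}-cxsql-${azurerm_resource_group.cx_backend.location}"
+zone_name = azurerm_private_dns_zone.cx_sql.name
+resource_group_name = azurerm_resource_group.cx_backend.name
+ttl = 10
+records = ["10.0.4.5"]
+}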
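Review bot: The two `azurerm_private_dns_a_record` resources at the end of the hunk hard-code `10.0.4.4` and `10.0.4.5`, but the endpoint's address is handed out by Azure from the `cx_backend_sql` subnet and the `private_dns_zone_group` block on the endpoint already registers that address in the zone; a hand-maintained record that drifts from the real NIC address points Keycloak's database traffic at whatever later occupies that IP, and the manual records can also fight the auto-registered one. Reference the endpoint instead, `records = [azurerm_private_endpoint.cx_backend_sql.private_service_connection[0].private_ip_address]`, or drop the manual records if the zone group proves sufficient, and add a comment saying which of the two mechanisms is authoritative. Separately, `administrator_login_password = var.cxsqlAdminPassword` reads a variable declared outside this hunk; unless that declaration carries `sensitive = true` the value shows up in plan output, and it lands in the state file either way, so the state backend has to be treated as holding the database credential.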