
Commit 028d2ff

committed
Move Entra ID admin provisioning from Bicep to Azure CLI for zero-secret PostgreSQL setup
1 parent 0e32579 commit 028d2ff

6 files changed

Lines changed: 20 additions & 18 deletions


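--- a/.github/workflows/_deploy-infrastructure.yml
+++ b/.github/workflows/_deploy-infrastructure.yml
@@ -161,6 +161,9 @@ jobs:
 - name: Install PostgreSQL Client
 run: sudo apt-get update && sudo apt-get install -y postgresql-client
 
+- name: Add PostgreSQL Admin
+run: bash ./cloud-infrastructure/cluster/add-postgres-admin.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.cluster_location_acronym }} ${{ inputs.db_admin_object_id }}
+
 - name: Grant Database Permissions
 run: |
 bash ./cloud-infrastructure/cluster/grant-database-permissions.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.cluster_location_acronym }} 'account' ${{ steps.deploy_cluster.outputs.ACCOUNT_IDENTITY_CLIENT_ID }}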
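Review bot: The new `Add PostgreSQL Admin` step at line 165 splices four `${{ inputs.* }}` expressions straight into the `run:` command line, so a value containing shell metacharacters is interpreted by the runner's shell rather than passed as an argument; the pre-existing grant step has the same shape, but the new line is the one under review. The `inputs.` context suggests a reusable or dispatched workflow whose values come from the caller, which narrows but does not remove the exposure, and this particular value ends up in an `az` call that grants server-wide database admin. Map the inputs to environment variables and quote them, e.g. add `env:` with `DB_ADMIN_OBJECT_ID: ${{ inputs.db_admin_object_id }}` to the step and pass `"$DB_ADMIN_OBJECT_ID"` in `run:` (likewise for the other three inputs). The enclosing `jobs:` block starts well before this hunk.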
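--- /dev/null
+++ b/cloud-infrastructure/cluster/add-postgres-admin.sh
@@ -0,0 +1,16 @@
+UNIQUE_PREFIX=$1
+ENVIRONMENT=$2
+CLUSTER_LOCATION_ACRONYM=$3
+DB_ADMIN_OBJECT_ID=$4
+
+CLUSTER_RESOURCE_GROUP_NAME=$UNIQUE_PREFIX-$ENVIRONMENT-$CLUSTER_LOCATION_ACRONYM
+POSTGRES_SERVER_NAME=$CLUSTER_RESOURCE_GROUP_NAME
+
+echo "$(date +"%Y-%m-%dT%H:%M:%S") Adding Entra ID group $DB_ADMIN_OBJECT_ID as admin on PostgreSQL server $POSTGRES_SERVER_NAME"
+
+az postgres flexible-server microsoft-entra-admin create \
+--resource-group $CLUSTER_RESOURCE_GROUP_NAME \
+--server-name $POSTGRES_SERVER_NAME \
+--display-name "Database Admins" \
+--object-id $DB_ADMIN_OBJECT_ID \
+--type Group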
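Review bot: `$DB_ADMIN_OBJECT_ID` is handed to `--object-id` at line 15 with no check that argument 4 is present or well-formed, and every expansion in the `az` call is unquoted, so an empty or malformed value (the workflow forwards its input verbatim) yields a confusing `az` error or, with embedded whitespace, argument splitting before a server-wide admin is granted. Because this file is both executed with `bash` (workflow line 165) and sourced with `.` from deploy-cluster.sh (its line 108), a bare `exit` would kill the deploy script and a `set -e` would leak into the caller's shell, so the guard below uses `return 1 2>/dev/null || exit 1` to fail correctly in either mode. Validate the object id as a GUID before use and quote the expansions, and give the file a header comment such as `# Registers the Entra ID group (object id in $4) as Microsoft Entra admin on the cluster's PostgreSQL flexible server; sourced by deploy-cluster.sh and run by the deploy workflow.`
```shell
UNIQUE_PREFIX=$1
# … unchanged: ENVIRONMENT, CLUSTER_LOCATION_ACRONYM, DB_ADMIN_OBJECT_ID, CLUSTER_RESOURCE_GROUP_NAME, POSTGRES_SERVER_NAME …

if [[ ! "$DB_ADMIN_OBJECT_ID" =~ ^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$ ]]; then
  echo "add-postgres-admin.sh: expected an Entra ID object id (GUID) as argument 4, got '$DB_ADMIN_OBJECT_ID'" >&2
  return 1 2>/dev/null || exit 1
fi

# … unchanged: timestamped echo …
az postgres flexible-server microsoft-entra-admin create \
  --resource-group "$CLUSTER_RESOURCE_GROUP_NAME" \
  --server-name "$POSTGRES_SERVER_NAME" \
  --display-name "Database Admins" \
  --object-id "$DB_ADMIN_OBJECT_ID" \
  --type Group
```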

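--- a/cloud-infrastructure/cluster/deploy-cluster.sh
+++ b/cloud-infrastructure/cluster/deploy-cluster.sh
@@ -29,7 +29,6 @@ export UNIQUE_PREFIX
 export ENVIRONMENT
 export LOCATION=$CLUSTER_LOCATION
 export DOMAIN_NAME
-export DB_ADMIN_OBJECT_ID
 export GOOGLE_OAUTH_CLIENT_ID
 export GOOGLE_OAUTH_CLIENT_SECRET
 export STRIPE_PUBLISHABLE_KEY
@@ -106,6 +105,7 @@ then
 echo "BACK_OFFICE_IDENTITY_CLIENT_ID=$BACK_OFFICE_IDENTITY_CLIENT_ID" >> $GITHUB_OUTPUT
 echo "MAIN_IDENTITY_CLIENT_ID=$MAIN_IDENTITY_CLIENT_ID" >> $GITHUB_OUTPUT
 else
+. ./add-postgres-admin.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM $DB_ADMIN_OBJECT_ID
 . ./grant-database-permissions.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM 'account' $ACCOUNT_IDENTITY_CLIENT_ID
 . ./grant-database-permissions.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM 'back-office' $BACK_OFFICE_IDENTITY_CLIENT_ID
 . ./grant-database-permissions.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM 'main' $MAIN_IDENTITY_CLIENT_ID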
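Review bot: The sourced call at new line 108 runs `az … microsoft-entra-admin create`, but its status is never examined before the three `grant-database-permissions.sh` calls that follow, so a failure to register the admin group is only visible in the log unless deploy-cluster.sh enables `set -e` somewhere outside this hunk; sourcing also means the script's assignments (`CLUSTER_RESOURCE_GROUP_NAME`, `POSTGRES_SERVER_NAME`) land in this shell's scope. If the admin must exist for the grants to make sense, make the dependency explicit: `. ./add-postgres-admin.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM $DB_ADMIN_OBJECT_ID || exit 1`. Dropping `export DB_ADMIN_OBJECT_ID` at old line 32 is fine as long as the variable is still assigned earlier in the script, since the value now travels as an argument. This line sits in the branch that does not write `$GITHUB_OUTPUT` (apparently the non-CI path), while the CI path is the `Add PostgreSQL Admin` workflow step, so a comment such as `# CI does this in _deploy-infrastructure.yml (Add PostgreSQL Admin); keep both in sync` would stop the two from drifting. The `if … else` block this line belongs to starts outside the hunk.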

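--- a/cloud-infrastructure/cluster/main-cluster.bicep
+++ b/cloud-infrastructure/cluster/main-cluster.bicep
@@ -6,7 +6,6 @@ param globalResourceGroupName string
 param environment string
 param containerRegistryName string
 param domainName string
-param dbAdminObjectId string
 param appGatewayVersion string
 param accountVersion string
 param backOfficeVersion string
@@ -151,7 +150,6 @@ module postgresServer '../modules/postgresql-flexible-server.bicep' = {
 name: clusterResourceGroupName
 tags: tags
 tenantId: subscription().tenantId
-dbAdminObjectId: dbAdminObjectId
 }
 }
 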
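--- a/cloud-infrastructure/cluster/main-cluster.bicepparam
+++ b/cloud-infrastructure/cluster/main-cluster.bicepparam
@@ -7,7 +7,6 @@ param globalResourceGroupName = readEnvironmentVariable('GLOBAL_RESOURCE_GROUP_N
 param environment = readEnvironmentVariable('ENVIRONMENT')
 param containerRegistryName = readEnvironmentVariable('CONTAINER_REGISTRY_NAME')
 param domainName = readEnvironmentVariable('DOMAIN_NAME', '')
-param dbAdminObjectId = readEnvironmentVariable('DB_ADMIN_OBJECT_ID')
 param appGatewayVersion = readEnvironmentVariable('APP_GATEWAY_VERSION')
 param accountVersion = readEnvironmentVariable('ACCOUNT_VERSION')
 param backOfficeVersion = readEnvironmentVariable('BACK_OFFICE_VERSION')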

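--- a/cloud-infrastructure/modules/postgresql-flexible-server.bicep
+++ b/cloud-infrastructure/modules/postgresql-flexible-server.bicep
@@ -2,15 +2,11 @@ param name string
 param location string
 param tags object
 param tenantId string
-param dbAdminObjectId string
 
 resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2025-08-01' = {
 name: name
 location: location
 tags: tags
-identity: {
-type: 'SystemAssigned'
-}
 sku: {
 name: 'Standard_B1ms'
 tier: 'Burstable'
@@ -39,16 +35,6 @@ resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2025-08-01' =
 }
 }
 
-resource postgresServerAdministrator 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2025-08-01' = {
-parent: postgresServer
-name: dbAdminObjectId
-properties: {
-principalName: 'Database Admins'
-principalType: 'Group'
-tenantId: tenantId
-}
-}
-
 resource postgresVirtualNetworkRule 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2025-08-01' = {
 parent: postgresServer
 name: 'allow-azure-services'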
