Enable pgaadauth extension, add Private DNS dependsOn, fix firewall CLI syntax, and fail on SQL errors

tjementum · tjementum · commit 6bfd8e5775e4 · 2026-03-16T10:37:53.000+01:00
diff --git a/cloud-infrastructure/cluster/firewall.sh b/cloud-infrastructure/cluster/firewall.sh
@@ -4,8 +4,8 @@ FIREWALL_RULE_NAME="github-action-${DATABASE_NAME}"
 if [[ "$1" == "open" ]]
 then
     echo "$(date +"%Y-%m-%dT%H:%M:%S") Add the IP $IP_ADDRESS to the PostgreSQL server firewall on server $POSTGRES_SERVER_NAME for database $DATABASE_NAME"
-    az postgres flexible-server firewall-rule create --resource-group $CLUSTER_RESOURCE_GROUP_NAME --server-name $POSTGRES_SERVER_NAME --name "$FIREWALL_RULE_NAME" --start-ip-address $IP_ADDRESS --end-ip-address $IP_ADDRESS
+    az postgres flexible-server firewall-rule create --resource-group $CLUSTER_RESOURCE_GROUP_NAME --name $POSTGRES_SERVER_NAME --rule-name "$FIREWALL_RULE_NAME" --start-ip-address $IP_ADDRESS --end-ip-address $IP_ADDRESS
 else
     echo "$(date +"%Y-%m-%dT%H:%M:%S") Delete the IP $IP_ADDRESS from the PostgreSQL server firewall on server $POSTGRES_SERVER_NAME for database $DATABASE_NAME"
-    az postgres flexible-server firewall-rule delete --resource-group $CLUSTER_RESOURCE_GROUP_NAME --server-name $POSTGRES_SERVER_NAME --name "$FIREWALL_RULE_NAME" --yes
+    az postgres flexible-server firewall-rule delete --resource-group $CLUSTER_RESOURCE_GROUP_NAME --name $POSTGRES_SERVER_NAME --rule-name "$FIREWALL_RULE_NAME" --yes
 fi
diff --git a/cloud-infrastructure/cluster/grant-database-permissions.sh b/cloud-infrastructure/cluster/grant-database-permissions.sh
@@ -25,7 +25,7 @@ echo "$(date +"%Y-%m-%dT%H:%M:%S") Granting $MANAGED_IDENTITY_NAME (Client ID: $
 # and grant it the necessary permissions. The pgaadauth_create_principal function handles
 # Entra ID principal creation in Azure Database for PostgreSQL Flexible Server.
 ENTRA_USER=$(az postgres flexible-server microsoft-entra-admin list --resource-group $CLUSTER_RESOURCE_GROUP_NAME --server-name $POSTGRES_SERVER_NAME --query "[0].principalName" --output tsv)
-PGPASSWORD=$ACCESS_TOKEN psql "host=$POSTGRES_HOST dbname=$DATABASE_NAME user='$ENTRA_USER' sslmode=require" << EOF
+PGPASSWORD=$ACCESS_TOKEN psql -v ON_ERROR_STOP=1 "host=$POSTGRES_HOST dbname=$DATABASE_NAME user='$ENTRA_USER' sslmode=require" << EOF
 DO \$\$
 BEGIN
     IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '$MANAGED_IDENTITY_NAME') THEN
diff --git a/cloud-infrastructure/modules/postgresql-flexible-server.bicep b/cloud-infrastructure/modules/postgresql-flexible-server.bicep
@@ -56,10 +56,11 @@ resource privateDnsZoneVnetLink 'Microsoft.Network/privateDnsZones/virtualNetwor
 }
 
 resource privateEndpoint 'Microsoft.Network/privateEndpoints@2025-01-01' = {
-  name: '${name}-postgres-private-endpoint'
+  name: '${name}-postgres'
   location: location
   tags: tags
   properties: {
+    customNetworkInterfaceName: '${name}-postgres'
     subnet: {
       id: subnetId
     }

Original file line number	Diff line number	Diff line change
`@@ -56,10 +56,11 @@ resource privateDnsZoneVnetLink 'Microsoft.Network/privateDnsZones/virtualNetwor`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`resource privateEndpoint 'Microsoft.Network/privateEndpoints@2025-01-01' = {`
`59`		`- name: '${name}-postgres-private-endpoint'`
	`59`	`+ name: '${name}-postgres'`
`60`	`60`	`location: location`
`61`	`61`	`tags: tags`
`62`	`62`	`properties: {`
	`63`	`+ customNetworkInterfaceName: '${name}-postgres'`
`63`	`64`	`subnet: {`
`64`	`65`	`id: subnetId`
`65`	`66`	`}`