Fix Postgres infrastructure and JWT token issuer configuration (#865)

### Summary & Motivation

Clean up PostgreSQL infrastructure provisioning and fix JWT token
signing to use the actual deployment domain.

- Move Entra ID admin provisioning for PostgreSQL into Bicep, replacing
the separate `add-postgres-admin.sh` shell script that ran as a
post-deployment step. The admin is now declared as a resource on the
flexible server, removing the need for a separate post-deployment script
- Fix cosmetic type mismatch for the tenant id column in the account
initial migration where the C# generic type was `string` but the column
type is `bigint`, corrected to `long`
- Use the custom domain (e.g., `https://your-domain.com`) as the JWT
token issuer and audience instead of a hardcoded value. The previous
`iss` and `aud` claims were not a valid URL, which caused JWT signature
verification to fail on tools like jwt.io. The domain is now passed from
the cluster deployment into the Key Vault module, falling back to a
hardcoded value when no custom domain is configured

### Downstream projects

The JWT issuer/audience change only takes effect when a custom domain is
configured before the first deployment. Bicep does not overwrite
existing Key Vault secrets, so existing deployments will keep the old
values. To update an existing deployment, run the following from the
Azure Portal Cloud Shell (Bash):

```bash
az account set --subscription <subscription-id>

VAULT_NAME="<key-vault-name>"
DOMAIN="https://your-domain.com"
USER_ID=$(az ad signed-in-user show --query id -o tsv)
VAULT_ID=$(az keyvault show --name "$VAULT_NAME" --query id -o tsv)
MY_IP=$(curl -s ifconfig.me)

az role assignment create --role "Key Vault Secrets Officer" --assignee "$USER_ID" --scope "$VAULT_ID"
az keyvault network-rule add --name "$VAULT_NAME" --ip-address "$MY_IP/32"

echo "Waiting 60 seconds for RBAC propagation..."
sleep 60

az keyvault secret set --vault-name "$VAULT_NAME" --name authentication-token-issuer --value "$DOMAIN"
az keyvault secret set --vault-name "$VAULT_NAME" --name authentication-token-audience --value "$DOMAIN"

az keyvault network-rule remove --name "$VAULT_NAME" --ip-address "$MY_IP/32"
az role assignment delete --role "Key Vault Secrets Officer" --assignee "$USER_ID" --scope "$VAULT_ID"
```

The Key Vault name matches the cluster resource group name.

### Checklist

- [x] I have added tests, or done manual regression tests
- [x] I have updated the documentation, if necessary

Author: tjementum

.github/workflows/_deploy-infrastructure.yml

@@ -79,6 +79,7 @@ jobs:
       - name: Plan Cluster Resources
         id: deploy_cluster
         env:
+          POSTGRES_ADMIN_OBJECT_ID: ${{ inputs.postgres_admin_object_id }}
           GOOGLE_OAUTH_CLIENT_ID: ${{ vars.GOOGLE_OAUTH_CLIENT_ID }}
           GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }}
           STRIPE_PUBLISHABLE_KEY: ${{ vars.STRIPE_PUBLISHABLE_KEY }}
@@ -144,6 +145,7 @@ jobs:
       - name: Deploy Cluster Resources
         id: deploy_cluster
         env:
+          POSTGRES_ADMIN_OBJECT_ID: ${{ inputs.postgres_admin_object_id }}
           GOOGLE_OAUTH_CLIENT_ID: ${{ vars.GOOGLE_OAUTH_CLIENT_ID }}
           GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }}
           STRIPE_PUBLISHABLE_KEY: ${{ vars.STRIPE_PUBLISHABLE_KEY }}
@@ -161,9 +163,6 @@ jobs:
       - name: Install PostgreSQL Client
         run: sudo apt-get update && sudo apt-get install -y postgresql-client
 
-      - name: Add PostgreSQL Admin
-        run: bash ./cloud-infrastructure/cluster/add-postgres-admin.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.cluster_location_acronym }} ${{ inputs.postgres_admin_object_id }}
-
       - name: Open Firewall
         working-directory: cloud-infrastructure/cluster
         env:

application/account/Core/Database/Migrations/20260303023200_Initial.cs

@@ -26,7 +26,7 @@ protected override void Up(MigrationBuilder migrationBuilder)
             "tenants",
             table => new
             {
-                id = table.Column<string>("bigint", nullable: false),
+                id = table.Column<long>("bigint", nullable: false),
                 created_at = table.Column<DateTimeOffset>("timestamptz", nullable: false),
                 modified_at = table.Column<DateTimeOffset>("timestamptz", nullable: true),
                 deleted_at = table.Column<DateTimeOffset>("timestamptz", nullable: true),

cloud-infrastructure/cluster/add-postgres-admin.sh

@@ -29,6 +29,7 @@ export UNIQUE_PREFIX
 export ENVIRONMENT
 export LOCATION=$CLUSTER_LOCATION
 export DOMAIN_NAME
+export POSTGRES_ADMIN_OBJECT_ID
 export GOOGLE_OAUTH_CLIENT_ID
 export GOOGLE_OAUTH_CLIENT_SECRET
 export STRIPE_PUBLISHABLE_KEY
@@ -105,7 +106,6 @@ then
     echo "BACK_OFFICE_IDENTITY_CLIENT_ID=$BACK_OFFICE_IDENTITY_CLIENT_ID" >> $GITHUB_OUTPUT
     echo "MAIN_IDENTITY_CLIENT_ID=$MAIN_IDENTITY_CLIENT_ID" >> $GITHUB_OUTPUT
   else
-    . ./add-postgres-admin.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM $POSTGRES_ADMIN_OBJECT_ID
     . ./grant-database-permissions.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM 'account' $ACCOUNT_IDENTITY_CLIENT_ID
     . ./grant-database-permissions.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM 'back-office' $BACK_OFFICE_IDENTITY_CLIENT_ID
     . ./grant-database-permissions.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM 'main' $MAIN_IDENTITY_CLIENT_ID

cloud-infrastructure/cluster/deploy-cluster.sh

@@ -15,6 +15,9 @@ param communicationServicesDataLocation string = 'europe'
 param mailSenderDisplayName string = 'PlatformPlatform'
 param revisionSuffix string
 
+@description('Object ID of the Entra ID security group for PostgreSQL administration')
+param postgresAdminObjectId string = ''
+
 @secure()
 param googleOAuthClientId string
 @secure()
@@ -101,6 +104,7 @@ module keyVault '../modules/key-vault.bicep' = {
     subnetId: virtualNetwork.outputs.containerAppsSubnetId
     storageAccountId: diagnosticStorageAccount.outputs.storageAccountId
     workspaceId: existingLogAnalyticsWorkspace.id
+    domainName: domainName
   }
 }
 
@@ -153,6 +157,7 @@ module postgresServer '../modules/postgresql-flexible-server.bicep' = {
     virtualNetworkId: virtualNetwork.outputs.virtualNetworkId
     isProduction: environment == 'prod'
     diagnosticStorageAccountId: diagnosticStorageAccount.outputs.storageAccountId
+    dbAdminObjectId: postgresAdminObjectId
   }
 }
 

cloud-infrastructure/cluster/main-cluster.bicep

@@ -13,6 +13,7 @@ param backOfficeVersion = readEnvironmentVariable('BACK_OFFICE_VERSION')
 param mainVersion = readEnvironmentVariable('MAIN_VERSION')
 param applicationInsightsConnectionString = readEnvironmentVariable('APPLICATIONINSIGHTS_CONNECTION_STRING')
 param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
+param postgresAdminObjectId = readEnvironmentVariable('POSTGRES_ADMIN_OBJECT_ID', '')
 param googleOAuthClientId = readEnvironmentVariable('GOOGLE_OAUTH_CLIENT_ID', '')
 param googleOAuthClientSecret = readEnvironmentVariable('GOOGLE_OAUTH_CLIENT_SECRET', '')
 param stripePublishableKey = readEnvironmentVariable('STRIPE_PUBLISHABLE_KEY', '')

cloud-infrastructure/cluster/main-cluster.bicepparam

@@ -5,6 +5,7 @@ param tenantId string
 param subnetId string
 param storageAccountId string
 param workspaceId string
+param domainName string = ''
 
 resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
   name: name
@@ -119,19 +120,21 @@ resource authenticationTokenSigningKey 'Microsoft.KeyVault/vaults/keys@2023-07-0
   }
 }
 
+var tokenIssuerAndAudience = domainName != '' ? 'https://${domainName}' : 'PlatformPlatform'
+
 resource authenticationTokenIssuer 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
   parent: keyVault
   name: 'authentication-token-issuer'
   properties: {
-    value: 'PlatformPlatform' // Consider using the domain name (https://app.your-company.net) or company name (Your Company) as the issuer
+    value: tokenIssuerAndAudience
   }
 }
 
 resource authenticationTokenAudience 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
   parent: keyVault
   name: 'authentication-token-audience'
   properties: {
-    value: 'PlatformPlatform' // Consider using the domain name (https://product.your-company.net) or product name (product-name) as the audience
+    value: tokenIssuerAndAudience
   }
 }
 

cloud-infrastructure/modules/key-vault.bicep

@@ -6,6 +6,8 @@ param subnetId string
 param virtualNetworkId string
 param isProduction bool
 param diagnosticStorageAccountId string
+@description('Object ID of the Entra ID security group to assign as PostgreSQL administrator')
+param dbAdminObjectId string = ''
 
 resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2025-08-01' = {
   name: name
@@ -44,6 +46,16 @@ resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2025-08-01' =
   }
 }
 
+resource postgresServerAdministrator 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2025-08-01' = if (!empty(dbAdminObjectId)) {
+  parent: postgresServer
+  name: dbAdminObjectId
+  properties: {
+    principalName: 'PostgreSQL Admins - ${isProduction ? 'Production' : 'Staging'}'
+    principalType: 'Group'
+    tenantId: tenantId
+  }
+}
+
 resource privateDnsZone 'Microsoft.Network/privateDnsZones@2024-06-01' = {
   name: 'privatelink.postgres.database.azure.com'
   location: 'global'