Replace Azure SQL Server infrastructure with PostgreSQL Flexible Server using Entra ID authentication

Author: tjementum

.github/workflows/_deploy-infrastructure.yml

@@ -30,7 +30,7 @@ on:
       domain_name:
         required: true
         type: string
-      sql_admin_object_id:
+      postgres_admin_object_id:
         required: true
         type: string
       production_service_principal_object_id:
@@ -84,7 +84,7 @@ jobs:
           STRIPE_PUBLISHABLE_KEY: ${{ vars.STRIPE_PUBLISHABLE_KEY }}
           STRIPE_API_KEY: ${{ secrets.STRIPE_API_KEY }}
           STRIPE_WEBHOOK_SECRET: ${{ secrets.STRIPE_WEBHOOK_SECRET }}
-        run: bash ./cloud-infrastructure/cluster/deploy-cluster.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.cluster_location }} ${{ inputs.cluster_location_acronym }} ${{ inputs.sql_admin_object_id }} ${{ inputs.domain_name }} --plan
+        run: bash ./cloud-infrastructure/cluster/deploy-cluster.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.cluster_location }} ${{ inputs.cluster_location_acronym }} ${{ inputs.postgres_admin_object_id }} ${{ inputs.domain_name }} --plan
 
       - name: Show DNS Configuration
         if: ${{ inputs.domain_name != '' && inputs.domain_name != '-' }}
@@ -149,7 +149,7 @@ jobs:
           STRIPE_PUBLISHABLE_KEY: ${{ vars.STRIPE_PUBLISHABLE_KEY }}
           STRIPE_API_KEY: ${{ secrets.STRIPE_API_KEY }}
           STRIPE_WEBHOOK_SECRET: ${{ secrets.STRIPE_WEBHOOK_SECRET }}
-        run: bash ./cloud-infrastructure/cluster/deploy-cluster.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.cluster_location }} ${{ inputs.cluster_location_acronym }} ${{ inputs.sql_admin_object_id }} ${{ inputs.domain_name }} --apply
+        run: bash ./cloud-infrastructure/cluster/deploy-cluster.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.cluster_location }} ${{ inputs.cluster_location_acronym }} ${{ inputs.postgres_admin_object_id }} ${{ inputs.domain_name }} --apply
 
       - name: Refresh Azure Tokens # The previous step may take a while, so we refresh the token to avoid timeouts
         uses: azure/login@v2
@@ -158,14 +158,14 @@ jobs:
           tenant-id: ${{ inputs.tenant_id }}
           subscription-id: ${{ inputs.subscription_id }}
 
-      - name: Install Microsoft sqlcmd Utility
-        run: |
-          curl https://packages.microsoft.com/keys/microsoft.asc | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc &&
-          sudo add-apt-repository "$(wget -qO- https://packages.microsoft.com/config/ubuntu/22.04/prod.list)" &&
-          sudo apt-get update &&
-          sudo apt-get install -y sqlcmd
+      - name: Install PostgreSQL Client
+        run: sudo apt-get update && sudo apt-get install -y postgresql-client
+
+      - name: Add PostgreSQL Admin
+        run: bash ./cloud-infrastructure/cluster/add-postgres-admin.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.cluster_location_acronym }} ${{ inputs.postgres_admin_object_id }}
 
       - name: Grant Database Permissions
         run: |
           bash ./cloud-infrastructure/cluster/grant-database-permissions.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.cluster_location_acronym }} 'account' ${{ steps.deploy_cluster.outputs.ACCOUNT_IDENTITY_CLIENT_ID }}
           bash ./cloud-infrastructure/cluster/grant-database-permissions.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.cluster_location_acronym }} 'back-office' ${{ steps.deploy_cluster.outputs.BACK_OFFICE_IDENTITY_CLIENT_ID }}
+          bash ./cloud-infrastructure/cluster/grant-database-permissions.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.cluster_location_acronym }} 'main' ${{ steps.deploy_cluster.outputs.MAIN_IDENTITY_CLIENT_ID }}

.github/workflows/_migrate-database.yml

@@ -52,8 +52,8 @@ jobs:
       UNIQUE_PREFIX: ${{ vars.UNIQUE_PREFIX }}
       TENANT_ID: ${{ vars.TENANT_ID }}
       CLUSTER_RESOURCE_GROUP_NAME: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
-      SQL_SERVER_NAME: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
-      SQL_SERVER_FQDN: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}.database.windows.net
+      POSTGRES_SERVER_NAME: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
+      POSTGRES_HOST: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}.postgres.database.azure.com
 
     steps:
       - name: Checkout Code
@@ -83,15 +83,16 @@ jobs:
         working-directory: cloud-infrastructure/cluster
         env:
           CLUSTER_RESOURCE_GROUP_NAME: ${{ env.CLUSTER_RESOURCE_GROUP_NAME }}
-          SQL_SERVER_NAME: ${{ env.SQL_SERVER_NAME }}
-          SQL_DATABASE_NAME: ${{ inputs.database_name }}
+          POSTGRES_SERVER_NAME: ${{ env.POSTGRES_SERVER_NAME }}
+          DATABASE_NAME: ${{ inputs.database_name }}
         run: bash ./firewall.sh open
 
       - name: Generate Script for Pending Migrations
         id: generate-migration-script
         working-directory: application
         run: |
-          CONNECTION_STRING="Server=tcp:${{ env.SQL_SERVER_FQDN }},1433;Database=${{ inputs.database_name }};Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Authentication=Active Directory Default;"
+          ENTRA_USER=$(az postgres flexible-server microsoft-entra-admin list --resource-group ${{ env.CLUSTER_RESOURCE_GROUP_NAME }} --server-name ${{ env.POSTGRES_SERVER_NAME }} --query "[0].principalName" --output tsv)
+          CONNECTION_STRING="Host=${{ env.POSTGRES_HOST }};Database=${{ inputs.database_name }};Username=$ENTRA_USER;Password=$(az account get-access-token --resource-type oss-rdbms --query accessToken --output tsv);Ssl Mode=Require;"
           
           echo "Checking for pending migrations..."
           MIGRATION_INFO=$(dotnet ef migrations list \
@@ -143,8 +144,8 @@ jobs:
         working-directory: cloud-infrastructure/cluster
         env:
           CLUSTER_RESOURCE_GROUP_NAME: ${{ env.CLUSTER_RESOURCE_GROUP_NAME }}
-          SQL_SERVER_NAME: ${{ env.SQL_SERVER_NAME }}
-          SQL_DATABASE_NAME: ${{ inputs.database_name }}
+          POSTGRES_SERVER_NAME: ${{ env.POSTGRES_SERVER_NAME }}
+          DATABASE_NAME: ${{ inputs.database_name }}
         run: bash ./firewall.sh close
 
       - name: Upload Migration Script
@@ -239,8 +240,8 @@ jobs:
       UNIQUE_PREFIX: ${{ vars.UNIQUE_PREFIX }}
       TENANT_ID: ${{ vars.TENANT_ID }}
       CLUSTER_RESOURCE_GROUP_NAME: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
-      SQL_SERVER_NAME: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
-      SQL_SERVER_FQDN: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}.database.windows.net
+      POSTGRES_SERVER_NAME: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
+      POSTGRES_HOST: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}.postgres.database.azure.com
 
     steps:
       - name: Checkout Code
@@ -259,25 +260,23 @@ jobs:
           name: migration-script-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
           path: .
 
-      - name: Install Microsoft sqlcmd Utility
-        run: |
-          curl https://packages.microsoft.com/keys/microsoft.asc | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc &&
-          sudo add-apt-repository "$(wget -qO- https://packages.microsoft.com/config/ubuntu/22.04/prod.list)" &&
-          sudo apt-get update &&
-          sudo apt-get install -y sqlcmd
+      - name: Install PostgreSQL Client
+        run: sudo apt-get update && sudo apt-get install -y postgresql-client
 
       - name: Open Firewall
         working-directory: cloud-infrastructure/cluster
         env:
           CLUSTER_RESOURCE_GROUP_NAME: ${{ env.CLUSTER_RESOURCE_GROUP_NAME }}
-          SQL_SERVER_NAME: ${{ env.SQL_SERVER_NAME }}
-          SQL_DATABASE_NAME: ${{ inputs.database_name }}
+          POSTGRES_SERVER_NAME: ${{ env.POSTGRES_SERVER_NAME }}
+          DATABASE_NAME: ${{ inputs.database_name }}
         run: bash ./firewall.sh open
 
       - name: Apply Migrations
         run: |
-          echo "Applying migrations to ${{ inputs.database_name }} database on ${{ env.SQL_SERVER_FQDN }}..."
-          sqlcmd -S "tcp:${{ env.SQL_SERVER_FQDN }},1433" -d "${{ inputs.database_name }}" --authentication-method=ActiveDirectoryDefault --exit-on-error -i migration.sql
+          echo "Applying migrations to ${{ inputs.database_name }} database on ${{ env.POSTGRES_HOST }}..."
+          ACCESS_TOKEN=$(az account get-access-token --resource-type oss-rdbms --query accessToken --output tsv)
+          ENTRA_USER=$(az postgres flexible-server microsoft-entra-admin list --resource-group ${{ env.CLUSTER_RESOURCE_GROUP_NAME }} --server-name ${{ env.POSTGRES_SERVER_NAME }} --query "[0].principalName" --output tsv)
+          PGPASSWORD=$ACCESS_TOKEN psql "host=${{ env.POSTGRES_HOST }} dbname=${{ inputs.database_name }} user='$ENTRA_USER' sslmode=require" -f migration.sql
           echo "Migrations applied successfully!"
 
       - name: Display Migration Summary
@@ -290,6 +289,6 @@ jobs:
         working-directory: cloud-infrastructure/cluster
         env:
           CLUSTER_RESOURCE_GROUP_NAME: ${{ env.CLUSTER_RESOURCE_GROUP_NAME }}
-          SQL_SERVER_NAME: ${{ env.SQL_SERVER_NAME }}
-          SQL_DATABASE_NAME: ${{ inputs.database_name }}
+          POSTGRES_SERVER_NAME: ${{ env.POSTGRES_SERVER_NAME }}
+          DATABASE_NAME: ${{ inputs.database_name }}
         run: bash ./firewall.sh close

.github/workflows/cloud-infrastructure.yml

@@ -37,7 +37,7 @@ jobs:
       shared_location: ${{ vars.STAGING_SHARED_LOCATION }}
       cluster_location: ${{ vars.STAGING_CLUSTER_LOCATION }}
       domain_name: ${{ vars.STAGING_DOMAIN_NAME }}
-      sql_admin_object_id: ${{ vars.STAGING_SQL_ADMIN_OBJECT_ID }}
+      postgres_admin_object_id: ${{ vars.STAGING_POSTGRES_ADMIN_OBJECT_ID }}
       production_service_principal_object_id: ${{ vars.PRODUCTION_SERVICE_PRINCIPAL_OBJECT_ID }}
 
   prod1:
@@ -55,5 +55,5 @@ jobs:
       shared_location: ${{ vars.PRODUCTION_SHARED_LOCATION }}
       cluster_location: ${{ vars.PRODUCTION_CLUSTER1_LOCATION }}
       domain_name: ${{ vars.PRODUCTION_DOMAIN_NAME }}
-      sql_admin_object_id: ${{ vars.PRODUCTION_SQL_ADMIN_OBJECT_ID }}
+      postgres_admin_object_id: ${{ vars.PRODUCTION_POSTGRES_ADMIN_OBJECT_ID }}
       tenant_id: ${{ vars.TENANT_ID }}

cloud-infrastructure/cluster/add-postgres-admin.sh

@@ -0,0 +1,16 @@
+UNIQUE_PREFIX=$1
+ENVIRONMENT=$2
+CLUSTER_LOCATION_ACRONYM=$3
+POSTGRES_ADMIN_OBJECT_ID=$4
+
+CLUSTER_RESOURCE_GROUP_NAME=$UNIQUE_PREFIX-$ENVIRONMENT-$CLUSTER_LOCATION_ACRONYM
+POSTGRES_SERVER_NAME=$CLUSTER_RESOURCE_GROUP_NAME
+
+echo "$(date +"%Y-%m-%dT%H:%M:%S") Adding Entra ID group $POSTGRES_ADMIN_OBJECT_ID as admin on PostgreSQL server $POSTGRES_SERVER_NAME"
+
+az postgres flexible-server microsoft-entra-admin create \
+  --resource-group $CLUSTER_RESOURCE_GROUP_NAME \
+  --server-name $POSTGRES_SERVER_NAME \
+  --display-name "PostgreSQL Admins" \
+  --object-id $POSTGRES_ADMIN_OBJECT_ID \
+  --type Group

cloud-infrastructure/cluster/deploy-cluster.sh

@@ -4,7 +4,7 @@ UNIQUE_PREFIX=$1
 ENVIRONMENT=$2
 CLUSTER_LOCATION=$3
 CLUSTER_LOCATION_ACRONYM=$4
-SQL_ADMIN_OBJECT_ID=$5
+POSTGRES_ADMIN_OBJECT_ID=$5
 DOMAIN_NAME=$6
 
 get_active_version()
@@ -29,7 +29,6 @@ export UNIQUE_PREFIX
 export ENVIRONMENT
 export LOCATION=$CLUSTER_LOCATION
 export DOMAIN_NAME
-export SQL_ADMIN_OBJECT_ID
 export GOOGLE_OAUTH_CLIENT_ID
 export GOOGLE_OAUTH_CLIENT_SECRET
 export STRIPE_PUBLISHABLE_KEY
@@ -97,7 +96,7 @@ then
     exit 1
   fi
 
-  # Extract the ID of the Managed Identities, which can be used to grant access to SQL Database
+  # Extract the ID of the Managed Identities, which can be used to grant access to PostgreSQL databases
   ACCOUNT_IDENTITY_CLIENT_ID=$(echo "$cleaned_output" | jq -r '.properties.outputs.accountIdentityClientId.value')
   BACK_OFFICE_IDENTITY_CLIENT_ID=$(echo "$cleaned_output" | jq -r '.properties.outputs.backOfficeIdentityClientId.value')
   MAIN_IDENTITY_CLIENT_ID=$(echo "$cleaned_output" | jq -r '.properties.outputs.mainIdentityClientId.value')
@@ -106,6 +105,7 @@ then
     echo "BACK_OFFICE_IDENTITY_CLIENT_ID=$BACK_OFFICE_IDENTITY_CLIENT_ID" >> $GITHUB_OUTPUT
     echo "MAIN_IDENTITY_CLIENT_ID=$MAIN_IDENTITY_CLIENT_ID" >> $GITHUB_OUTPUT
   else
+    . ./add-postgres-admin.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM $POSTGRES_ADMIN_OBJECT_ID
     . ./grant-database-permissions.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM 'account' $ACCOUNT_IDENTITY_CLIENT_ID
     . ./grant-database-permissions.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM 'back-office' $BACK_OFFICE_IDENTITY_CLIENT_ID
     . ./grant-database-permissions.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM 'main' $MAIN_IDENTITY_CLIENT_ID

cloud-infrastructure/cluster/firewall.sh

@@ -1,11 +1,11 @@
 IP_ADDRESS=$(curl -s https://api.ipify.org)
-FIREWALL_RULE_NAME="GitHub Action Workflows - ${SQL_DATABASE_NAME} - Only active when deploying"
+FIREWALL_RULE_NAME="github-action-${DATABASE_NAME}"
 
 if [[ "$1" == "open" ]]
 then
-    echo "$(date +"%Y-%m-%dT%H:%M:%S") Add the IP $IP_ADDRESS to the SQL Server firewall on server $SQL_SERVER_NAME for database $SQL_DATABASE_NAME"
-    az sql server firewall-rule create --resource-group $CLUSTER_RESOURCE_GROUP_NAME --server $SQL_SERVER_NAME --name "$FIREWALL_RULE_NAME" --start-ip-address $IP_ADDRESS --end-ip-address $IP_ADDRESS
+    echo "$(date +"%Y-%m-%dT%H:%M:%S") Add the IP $IP_ADDRESS to the PostgreSQL server firewall on server $POSTGRES_SERVER_NAME for database $DATABASE_NAME"
+    az postgres flexible-server firewall-rule create --resource-group $CLUSTER_RESOURCE_GROUP_NAME --server-name $POSTGRES_SERVER_NAME --name "$FIREWALL_RULE_NAME" --start-ip-address $IP_ADDRESS --end-ip-address $IP_ADDRESS
 else
-    echo "$(date +"%Y-%m-%dT%H:%M:%S") Delete the IP $IP_ADDRESS from the SQL Server firewall on server $SQL_SERVER_NAME for database $SQL_DATABASE_NAME"
-    az sql server firewall-rule delete --resource-group $CLUSTER_RESOURCE_GROUP_NAME --server $SQL_SERVER_NAME --name "$FIREWALL_RULE_NAME"
+    echo "$(date +"%Y-%m-%dT%H:%M:%S") Delete the IP $IP_ADDRESS from the PostgreSQL server firewall on server $POSTGRES_SERVER_NAME for database $DATABASE_NAME"
+    az postgres flexible-server firewall-rule delete --resource-group $CLUSTER_RESOURCE_GROUP_NAME --server-name $POSTGRES_SERVER_NAME --name "$FIREWALL_RULE_NAME" --yes
 fi

cloud-infrastructure/cluster/grant-database-permissions.sh

@@ -1,41 +1,43 @@
 UNIQUE_PREFIX=$1
 ENVIRONMENT=$2
 CLUSTER_LOCATION_ACRONYM=$3
-SQL_DATABASE_NAME=$4
+DATABASE_NAME=$4
 MANAGED_IDENTITY_CLIENT_ID=$5
 
 CLUSTER_RESOURCE_GROUP_NAME=$UNIQUE_PREFIX-$ENVIRONMENT-$CLUSTER_LOCATION_ACRONYM
 MANAGED_IDENTITY_NAME=$CLUSTER_RESOURCE_GROUP_NAME-$4
-SQL_SERVER_NAME=$CLUSTER_RESOURCE_GROUP_NAME
-SQL_SERVER=$SQL_SERVER_NAME.database.windows.net
+POSTGRES_SERVER_NAME=$CLUSTER_RESOURCE_GROUP_NAME
+POSTGRES_HOST=$POSTGRES_SERVER_NAME.postgres.database.azure.com
 
 cd "$(dirname "${BASH_SOURCE[0]}")"
-# Export SQL_DATABASE_NAME for firewall.sh to use
-export SQL_DATABASE_NAME=$SQL_DATABASE_NAME
-trap '. ./firewall.sh close' EXIT # Ensure that the firewall is closed no matter if other commands fail
+
+export CLUSTER_RESOURCE_GROUP_NAME
+export POSTGRES_SERVER_NAME
+export DATABASE_NAME
+trap '. ./firewall.sh close' EXIT
 . ./firewall.sh open
 
-# Convert the ClientId of the Managed Identity to the binary version. The following bash script is equivalent to this PowerShell:
-#   $SID = "0x" + [System.BitConverter]::ToString(([guid]$SID).ToByteArray()).Replace("-", "")
-SID=$(echo $MANAGED_IDENTITY_CLIENT_ID | tr 'a-f' 'A-F' | tr -d '-') # Convert to uppercase and remove hyphens
-SID=$(awk -v id="$SID" 'BEGIN {
-  printf "0x%s%s%s%s\n",
-    substr(id,7,2) substr(id,5,2) substr(id,3,2) substr(id,1,2),
-    substr(id,11,2) substr(id,9,2),
-    substr(id,15,2) substr(id,13,2),
-    substr(id,17)
-}') # Reverse the byte order for the first three sections of the GUID and concatenate
+ACCESS_TOKEN=$(az account get-access-token --resource-type oss-rdbms --query accessToken --output tsv)
 
-echo "$(date +"%Y-%m-%dT%H:%M:%S") Granting $MANAGED_IDENTITY_NAME (ID: $SID) in Resource group $CLUSTER_RESOURCE_GROUP_NAME permissions on $SQL_SERVER/$SQL_DATABASE_NAME database"
+echo "$(date +"%Y-%m-%dT%H:%M:%S") Granting $MANAGED_IDENTITY_NAME (Client ID: $MANAGED_IDENTITY_CLIENT_ID) permissions on $POSTGRES_HOST/$DATABASE_NAME database"
 
-# Execute the SQL script using mssql-scripter. Pass the script as a heredoc to sqlcmd to allow for complex SQL.
-sqlcmd -S $SQL_SERVER -d $SQL_DATABASE_NAME --authentication-method=ActiveDirectoryDefault --exit-on-error << EOF
-IF NOT EXISTS (SELECT [name] FROM [sys].[database_principals] WHERE [name] = '$MANAGED_IDENTITY_NAME' AND [type] = 'E')
+# PostgreSQL uses roles instead of SQL Server users. Create a role for the managed identity
+# and grant it the necessary permissions. The pgaadauth_create_principal function handles
+# Entra ID principal creation in Azure Database for PostgreSQL Flexible Server.
+ENTRA_USER=$(az postgres flexible-server microsoft-entra-admin list --resource-group $CLUSTER_RESOURCE_GROUP_NAME --server-name $POSTGRES_SERVER_NAME --query "[0].principalName" --output tsv)
+PGPASSWORD=$ACCESS_TOKEN psql "host=$POSTGRES_HOST dbname=$DATABASE_NAME user='$ENTRA_USER' sslmode=require" << EOF
+DO \$\$
 BEGIN
-    CREATE USER [$MANAGED_IDENTITY_NAME] WITH SID = $SID, TYPE = E;
-    ALTER ROLE db_datareader ADD MEMBER [$MANAGED_IDENTITY_NAME];
-    ALTER ROLE db_datawriter ADD MEMBER [$MANAGED_IDENTITY_NAME];
-    ALTER ROLE db_ddladmin ADD MEMBER [$MANAGED_IDENTITY_NAME];
+    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '$MANAGED_IDENTITY_NAME') THEN
+        PERFORM pgaadauth_create_principal('$MANAGED_IDENTITY_NAME', false, false);
+    END IF;
 END
-GO
+\$\$;
+
+GRANT CONNECT ON DATABASE "$DATABASE_NAME" TO "$MANAGED_IDENTITY_NAME";
+GRANT USAGE ON SCHEMA public TO "$MANAGED_IDENTITY_NAME";
+GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO "$MANAGED_IDENTITY_NAME";
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO "$MANAGED_IDENTITY_NAME";
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO "$MANAGED_IDENTITY_NAME";
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE, SELECT ON SEQUENCES TO "$MANAGED_IDENTITY_NAME";
 EOF