Set Postgres Entra admin in Bicep instead of separate script

tjementum · tjementum · commit a441c9d640ac · 2026-04-02T20:44:26.000+02:00
diff --git a/.github/workflows/_deploy-infrastructure.yml b/.github/workflows/_deploy-infrastructure.yml
@@ -79,6 +79,7 @@ jobs:
       - name: Plan Cluster Resources
         id: deploy_cluster
         env:
+          POSTGRES_ADMIN_OBJECT_ID: ${{ inputs.postgres_admin_object_id }}
           GOOGLE_OAUTH_CLIENT_ID: ${{ vars.GOOGLE_OAUTH_CLIENT_ID }}
           GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }}
           STRIPE_PUBLISHABLE_KEY: ${{ vars.STRIPE_PUBLISHABLE_KEY }}
@@ -144,6 +145,7 @@ jobs:
       - name: Deploy Cluster Resources
         id: deploy_cluster
         env:
+          POSTGRES_ADMIN_OBJECT_ID: ${{ inputs.postgres_admin_object_id }}
           GOOGLE_OAUTH_CLIENT_ID: ${{ vars.GOOGLE_OAUTH_CLIENT_ID }}
           GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }}
           STRIPE_PUBLISHABLE_KEY: ${{ vars.STRIPE_PUBLISHABLE_KEY }}
@@ -161,9 +163,6 @@ jobs:
       - name: Install PostgreSQL Client
         run: sudo apt-get update && sudo apt-get install -y postgresql-client
 
-      - name: Add PostgreSQL Admin
-        run: bash ./cloud-infrastructure/cluster/add-postgres-admin.sh ${{ inputs.unique_prefix }} ${{ inputs.azure_environment }} ${{ inputs.cluster_location_acronym }} ${{ inputs.postgres_admin_object_id }}
-
       - name: Open Firewall
         working-directory: cloud-infrastructure/cluster
         env:
diff --git a/cloud-infrastructure/cluster/add-postgres-admin.sh b/cloud-infrastructure/cluster/add-postgres-admin.sh
diff --git a/cloud-infrastructure/cluster/deploy-cluster.sh b/cloud-infrastructure/cluster/deploy-cluster.sh
@@ -29,6 +29,7 @@ export UNIQUE_PREFIX
 export ENVIRONMENT
 export LOCATION=$CLUSTER_LOCATION
 export DOMAIN_NAME
+export POSTGRES_ADMIN_OBJECT_ID
 export GOOGLE_OAUTH_CLIENT_ID
 export GOOGLE_OAUTH_CLIENT_SECRET
 export STRIPE_PUBLISHABLE_KEY
@@ -105,7 +106,6 @@ then
     echo "BACK_OFFICE_IDENTITY_CLIENT_ID=$BACK_OFFICE_IDENTITY_CLIENT_ID" >> $GITHUB_OUTPUT
     echo "MAIN_IDENTITY_CLIENT_ID=$MAIN_IDENTITY_CLIENT_ID" >> $GITHUB_OUTPUT
   else
-    . ./add-postgres-admin.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM $POSTGRES_ADMIN_OBJECT_ID
     . ./grant-database-permissions.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM 'account' $ACCOUNT_IDENTITY_CLIENT_ID
     . ./grant-database-permissions.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM 'back-office' $BACK_OFFICE_IDENTITY_CLIENT_ID
     . ./grant-database-permissions.sh $UNIQUE_PREFIX $ENVIRONMENT $CLUSTER_LOCATION_ACRONYM 'main' $MAIN_IDENTITY_CLIENT_ID
diff --git a/cloud-infrastructure/cluster/main-cluster.bicep b/cloud-infrastructure/cluster/main-cluster.bicep
@@ -15,6 +15,9 @@ param communicationServicesDataLocation string = 'europe'
 param mailSenderDisplayName string = 'PlatformPlatform'
 param revisionSuffix string
 
+@description('Object ID of the Entra ID security group for PostgreSQL administration')
+param postgresAdminObjectId string = ''
+
 @secure()
 param googleOAuthClientId string
 @secure()
@@ -153,6 +156,7 @@ module postgresServer '../modules/postgresql-flexible-server.bicep' = {
     virtualNetworkId: virtualNetwork.outputs.virtualNetworkId
     isProduction: environment == 'prod'
     diagnosticStorageAccountId: diagnosticStorageAccount.outputs.storageAccountId
+    dbAdminObjectId: postgresAdminObjectId
   }
 }
 
diff --git a/cloud-infrastructure/cluster/main-cluster.bicepparam b/cloud-infrastructure/cluster/main-cluster.bicepparam
@@ -13,6 +13,7 @@ param backOfficeVersion = readEnvironmentVariable('BACK_OFFICE_VERSION')
 param mainVersion = readEnvironmentVariable('MAIN_VERSION')
 param applicationInsightsConnectionString = readEnvironmentVariable('APPLICATIONINSIGHTS_CONNECTION_STRING')
 param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
+param postgresAdminObjectId = readEnvironmentVariable('POSTGRES_ADMIN_OBJECT_ID', '')
 param googleOAuthClientId = readEnvironmentVariable('GOOGLE_OAUTH_CLIENT_ID', '')
 param googleOAuthClientSecret = readEnvironmentVariable('GOOGLE_OAUTH_CLIENT_SECRET', '')
 param stripePublishableKey = readEnvironmentVariable('STRIPE_PUBLISHABLE_KEY', '')
diff --git a/cloud-infrastructure/modules/postgresql-flexible-server.bicep b/cloud-infrastructure/modules/postgresql-flexible-server.bicep
@@ -6,6 +6,8 @@ param subnetId string
 param virtualNetworkId string
 param isProduction bool
 param diagnosticStorageAccountId string
+@description('Object ID of the Entra ID security group to assign as PostgreSQL administrator')
+param dbAdminObjectId string = ''
 
 resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2025-08-01' = {
   name: name
@@ -44,6 +46,16 @@ resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2025-08-01' =
   }
 }
 
+resource postgresServerAdministrator 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2025-08-01' = if (!empty(dbAdminObjectId)) {
+  parent: postgresServer
+  name: dbAdminObjectId
+  properties: {
+    principalName: 'PostgreSQL Admins - ${isProduction ? 'Production' : 'Staging'}'
+    principalType: 'Group'
+    tenantId: tenantId
+  }
+}
+
 resource privateDnsZone 'Microsoft.Network/privateDnsZones@2024-06-01' = {
   name: 'privatelink.postgres.database.azure.com'
   location: 'global'
