Merge pull request #291 from aztfmod/refactor-sql-server-kv

Refactor sql server kv

.github/workflows/master-100-tf14.yaml

@@ -104,7 +104,10 @@ jobs:
             "mariadb_server/102-private-endpoint-mariadb",
             "mariadb_server/103-private-endpoint-with-fw-rule-mariadb",
             "monitoring/100-service-health-alerts",
-            "mssql_server/elastic_pools",
+            "mssql_server/101-sqlserver-simple",
+            "mssql_server/102-sqlserver-extend",
+            "mssql_server/104-sqlserver-elastic_pools",
+            "mssql_server/105-sqlserver-failover_groups",
             "mysql_server/100-simple-mysql",
             "mysql_server/101-vnet-rule-mysql",
             "mysql_server/102-private-endpoint-mysql",

.github/workflows/master-100-tf15.yaml

@@ -104,7 +104,10 @@ jobs:
             "mariadb_server/102-private-endpoint-mariadb",
             "mariadb_server/103-private-endpoint-with-fw-rule-mariadb",
             "monitoring/100-service-health-alerts",
-            "mssql_server/elastic_pools",
+            "mssql_server/101-sqlserver-simple",
+            "mssql_server/102-sqlserver-extend",
+            "mssql_server/104-sqlserver-elastic_pools",
+            "mssql_server/105-sqlserver-failover_groups",
             "mysql_server/100-simple-mysql",
             "mysql_server/101-vnet-rule-mysql",
             "mysql_server/102-private-endpoint-mysql",

.github/workflows/master-100.yaml

@@ -111,7 +111,10 @@ jobs:
             "mariadb_server/102-private-endpoint-mariadb",
             "mariadb_server/103-private-endpoint-with-fw-rule-mariadb",
             "monitoring/100-service-health-alerts",
-            "mssql_server/elastic_pools",
+            "mssql_server/101-sqlserver-simple",
+            "mssql_server/102-sqlserver-extend",
+            "mssql_server/104-sqlserver-elastic_pools",
+            "mssql_server/105-sqlserver-failover_groups",
             "mysql_server/100-simple-mysql",
             "mysql_server/101-vnet-rule-mysql",
             "mysql_server/102-private-endpoint-mysql",

.github/workflows/master-standalone-tf14.yaml

@@ -57,8 +57,8 @@ jobs:
             "mariadb_server/102-private-endpoint-mariadb",
             "mariadb_server/103-private-endpoint-with-fw-rule-mariadb",
             "monitoring/100-service-health-alerts",
-            "mssql_server/elastic_pools",
-            "mssql_server/failover_groups",
+            "mssql_server/104-sqlserver-elastic_pools",
+            "mssql_server/105-sqlserver-failover_groups",
             "mysql_server/100-simple-mysql",
             "mysql_server/101-vnet-rule-mysql",
             "mysql_server/102-private-endpoint-mysql",

.github/workflows/master-standalone-tf15.yaml

@@ -57,8 +57,8 @@ jobs:
             "mariadb_server/102-private-endpoint-mariadb",
             "mariadb_server/103-private-endpoint-with-fw-rule-mariadb",
             "monitoring/100-service-health-alerts",
-            "mssql_server/elastic_pools",
-            "mssql_server/failover_groups",
+            "mssql_server/104-sqlserver-elastic_pools",
+            "mssql_server/105-sqlserver-failover_groups",
             "mysql_server/100-simple-mysql",
             "mysql_server/101-vnet-rule-mysql",
             "mysql_server/102-private-endpoint-mysql",

.github/workflows/master-standalone.yaml

@@ -65,8 +65,8 @@ jobs:
             "mariadb_server/102-private-endpoint-mariadb",
             "mariadb_server/103-private-endpoint-with-fw-rule-mariadb",
             "monitoring/100-service-health-alerts",
-            "mssql_server/elastic_pools",
-            "mssql_server/failover_groups",
+            "mssql_server/104-sqlserver-elastic_pools",
+            "mssql_server/105-sqlserver-failover_groups",
             "mysql_server/100-simple-mysql",
             "mysql_server/101-vnet-rule-mysql",
             "mysql_server/102-private-endpoint-mysql",

examples/mssql_server/101-sqlserver-simple/configuration.tfvars

@@ -0,0 +1,57 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "southeastasia"
+  }
+}
+
+resource_groups = {
+  sql_region1 = {
+    name   = "sql-rg1"
+    region = "region1"
+  }
+}
+
+mssql_servers = {
+  sql_rg1 = {
+    name                          = "sql-rg1"
+    region                        = "region1"
+    resource_group_key            = "sql_region1"
+    administrator_login           = "sqladmin"
+  }
+}
+
+keyvaults = {
+  sql_rg1 = {
+    name               = "sqlrg1"
+    resource_group_key = "sql_region1"
+    sku_name           = "standard"
+
+    creation_policies = {
+      logged_in_user = {
+        secret_permissions = ["Set", "Get", "List", "Delete", "Purge"]
+      }
+      logged_in_aad_app = {
+        secret_permissions = ["Set", "Get", "List", "Delete", "Purge"]
+      }
+    }
+  }
+}
+
+#need to place dynamic secrets module outside caf module to pass the objects
+# dynamic_keyvault_secrets = {
+#   sql_rg1 = {
+#     sql_username = {
+#       output_key    = "mssql_servers"
+#       resource_key  = "sql_rg1"
+#       attribute_key = "administrator_login"
+#       secret_name   = "sql-rg1-username"
+#     }
+#     sql_password = {
+#       output_key    = "mssql_servers"
+#       resource_key  = "sql_rg1"
+#       attribute_key = "administrator_login_password"
+#       secret_name   = "sql-rg1-password"
+#     }
+#   }
+# }

examples/mssql_server/elastic_pools/standalone/readme.md → examples/mssql_server/104-sqlserver-elastic_pools/standalone/readme.md

@@ -1,7 +1,7 @@
 You can test this module outside of a landingzone using
 
 ```bash
-cd /tf/caf/examples/mssql_server/elastic_pools/standalone
+cd /tf/caf/examples/mssql_server/104-sqlserver-elastic_pools/standalone
 
 terraform init
 
@@ -16,7 +16,7 @@ To test this deployment in the example landingzone. Make sure the launchpad has
 
 rover \
   -lz /tf/caf/aztfmod/examples \
-  -var-folder  /tf/caf/examples/mssql_server/elastic_pools/ \
+  -var-folder  /tf/caf/examples/mssql_server/104-sqlserver-elastic_pools/ \
   -level level1 \
   -a plan
 

examples/mssql_server/failover_groups/standalone/readme.md → examples/mssql_server/105-sqlserver-failover_groups/standalone/readme.md

@@ -1,7 +1,7 @@
 You can test this module outside of a landingzone using
 
 ```bash
-cd /tf/caf/examples/mssql_server/failover_groups/standalone
+cd /tf/caf/examples/mssql_server/105-sqlserver-failover_groups/standalone
 
 terraform init
 
@@ -16,7 +16,7 @@ To test this deployment in the example landingzone. Make sure the launchpad has
 
 rover \
   -lz /tf/caf/aztfmod/examples \
-  -var-folder  /tf/caf/examples/mssql_server/failover_groups/ \
+  -var-folder  /tf/caf/examples/mssql_server/105-sqlserver-failover_groups/ \
   -level level1 \
   -a plan
 

modules/databases/mssql_server/output.tf

@@ -24,4 +24,12 @@ output resource_group_name {
 
 output location {
   value = var.location
+}
+
+output administrator_login {
+  value = var.settings.administrator_login
+}
+
+output administrator_login_password {
+  value = try(var.settings.administrator_login_password, random_password.sql_admin.0.result)
 }

modules/databases/mssql_server/server.tf

@@ -5,7 +5,7 @@ resource "azurerm_mssql_server" "mssql" {
   location                      = var.location
   version                       = try(var.settings.version, "12.0")
   administrator_login           = var.settings.administrator_login
-  administrator_login_password  = try(var.settings.administrator_login_password, azurerm_key_vault_secret.sql_admin_password.0.value)
+  administrator_login_password  = try(var.settings.administrator_login_password, random_password.sql_admin.0.result)
   public_network_access_enabled = try(var.settings.public_network_access_enabled, true)
   connection_policy             = try(var.settings.connection_policy, null)
   minimum_tls_version           = try(var.settings.minimum_tls_version, null)
@@ -51,27 +51,4 @@ resource "random_password" "sql_admin" {
   override_special = "$#%"
 }
 
-# Store the generated password into keyvault
-resource "azurerm_key_vault_secret" "sql_admin_password" {
-  count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
-
-  name         = format("%s-password", azurecaf_name.mssql.result)
-  value        = random_password.sql_admin.0.result
-  key_vault_id = var.keyvault_id
-
-  lifecycle {
-    ignore_changes = [
-      value
-    ]
-  }
-}
-
-resource "azurerm_key_vault_secret" "sql_admin" {
-  count = try(var.settings.administrator_login_password, null) == null ? 1 : 0
-
-  name         = format("%s-username", azurecaf_name.mssql.result)
-  value        = var.settings.administrator_login
-  key_vault_id = var.keyvault_id
-}
-
 

modules/databases/mssql_server/variables.tf

@@ -13,7 +13,6 @@ variable location {
   description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created."
   type        = string
 }
-variable keyvault_id {}
 variable storage_accounts {}
 variable azuread_groups {}
 variable vnets {}

modules/webapps/appservice/storage_account.tf

@@ -5,8 +5,6 @@ data "azurerm_storage_account_blob_container_sas" "backup" {
   container_name    = local.backup_storage_account.containers[var.settings.backup.container_key].name
   https_only        = true
 
-  #ip_address = "168.1.5.65"
-
   start  = time_rotating.sas[0].id
   expiry = timeadd(time_rotating.sas[0].id, format("%sh", var.settings.backup.sas_policy.expire_in_days * 24))
 
@@ -18,12 +16,6 @@ data "azurerm_storage_account_blob_container_sas" "backup" {
     delete = true
     list   = true
   }
-
-  # cache_control       = "max-age=5"
-  # content_disposition = "inline"
-  # content_encoding    = "deflate"
-  # content_language    = "en-US"
-  # content_type        = "application/json"
 }
 
 resource "time_rotating" "sas" {

mssql_servers.tf

@@ -14,7 +14,6 @@ module "mssql_servers" {
   settings            = each.value
   resource_group_name = module.resource_groups[each.value.resource_group_key].name
   location            = lookup(each.value, "region", null) == null ? module.resource_groups[each.value.resource_group_key].location : local.global_settings.regions[each.value.region]
-  keyvault_id         = try(each.value.administrator_login_password, null) != null ? null : try(each.value.lz_key, null) == null ? local.combined_objects_keyvaults[local.client_config.landingzone_key][each.value.keyvault_key].id : local.combined_objects_keyvaults[each.value.lz_key][each.value.keyvault_key].id
   storage_accounts    = module.storage_accounts
   azuread_groups      = local.combined_objects_azuread_groups
   vnets               = local.combined_objects_networking