update variables for database and vault, and add access_policy for pe…

…rmissions

ops/terraform/main.tf

@@ -72,6 +72,7 @@ module "middleware_api" {
   vnet         = module.networking.network_name
   sku_name     = var.sku_name
   https_only   = true
+  depends_on   = [module.networking.middlewaresubnet_id, module.networking.lbsubnet_id]
 }
 
 module "ocr_api" {
@@ -86,6 +87,7 @@ module "ocr_api" {
   vnet           = module.networking.network_name
   sku_name       = var.sku_name
   https_only     = true
+  depends_on     = [module.networking.ocrsubnet_id, module.networking.middlewaresubnet_id]
 }
 
 module "ocr_autoscale" {
@@ -119,4 +121,5 @@ module "vault" {
   object_id           = var.object_id
   subscription_id     = var.subscription_id
   postgres_server_id  = module.database.postgres_server_id
+  service_plan_id     = module.middleware_api.service_plan_id
 }

ops/terraform/modules/database/main.tf

@@ -20,10 +20,17 @@ resource "azurerm_postgresql_flexible_server" "postgres_flexible_server" {
 
   lifecycle {
     prevent_destroy = true
+    ignore_changes  = [zone]
   }
 }
 
 resource "azurerm_postgresql_flexible_server_database" "postgres_db" {
   name      = "${azurerm_postgresql_flexible_server.postgres_flexible_server.name}-db"
   server_id = azurerm_postgresql_flexible_server.postgres_flexible_server.id
 }
+
+# Random string resource for the postgres password
+resource "random_string" "postgres_password" {
+  length           = 16
+  override_special = "_!@#-$%^&*()[]{}" # excluded characters
+}

ops/terraform/modules/database/outputs.tf

@@ -1,3 +1,8 @@
+# output "postgres_admin_password" {
+#   value     = azurerm_postgresql_flexible_server.postgres_flexible_server.administrator_login
+#   sensitive = true
+# }
+
 output "postgres_server_id" {
   value = azurerm_postgresql_flexible_server.postgres_flexible_server.id
 }

ops/terraform/modules/vault/iam.tf

@@ -1,5 +1,5 @@
 resource "azurerm_role_assignment" "key_vault_access" {
-  principal_id         = var.object_id
+  principal_id         = var.service_plan_id
   role_definition_name = azurerm_role_definition.postgres_key_vault_role_definition.name # Custom role name
   scope                = azurerm_key_vault.this.id
 }
@@ -8,10 +8,27 @@ resource "azurerm_role_assignment" "key_vault_access" {
 resource "azurerm_role_assignment" "postgres_key_vault_secrets_user_access" {
   #   scope                = azurerm_key_vault.this.id
   scope                = var.postgres_server_id
-  role_definition_name = "Postgres Key Vault Secrets User"
+  role_definition_name = azurerm_role_definition.postgres_key_vault_role_definition.name
   principal_id         = var.object_id
 }
 
+# resource "azurerm_role_definition" "postgres_key_vault_role_definition" {
+#   name        = "Postgres Key Vault Secrets User"
+#   description = "Custom role to allow access to Key Vault secrets for PostgreSQL"
+
+#   permissions {
+#     actions = [
+#       "Microsoft.KeyVault/vaults/secrets/read",
+#       "Microsoft.KeyVault/vaults/secrets/list"
+#     ]
+#     not_actions = []
+#   }
+
+#   assignable_scopes = [
+#     azurerm_key_vault.this.id  # Ensure you're targeting the Key Vault
+#   ]
+# }
+
 
 resource "azurerm_key_vault_access_policy" "key_vault_db_access_policy" {
   key_vault_id = azurerm_key_vault.this.id
@@ -23,30 +40,30 @@ resource "azurerm_key_vault_access_policy" "key_vault_db_access_policy" {
     "List",
     "Set", # This allows creating/updating secrets
   ]
+
+  key_permissions = [
+    "Get",
+    "List"
+  ]
 }
 
 resource "azurerm_role_definition" "postgres_key_vault_role_definition" {
   name = "Postgres Key Vault Role Definition"
-  #   scope       = "/subscriptions/${var.subscription_id}/${azurerm_key_vault.this.id}/resourceGroups/${var.resource_group_name}"
+  # Custom role is created at the scope of a specific Key Vault 
   scope       = "/subscriptions/${var.subscription_id}/resourceGroups/${var.resource_group_name}/providers/Microsoft.KeyVault/vaults/${azurerm_key_vault.this.name}"
   description = "Custom role to allow access to Key Vault secrets for PostgreSQL"
   permissions {
-    actions = [
-      "Microsoft.KeyVault/vaults/secrets/read",
-      "Microsoft.KeyVault/vaults/secrets/list"
-    ]
-    not_actions = []
+    #     actions = [
+    #       "Microsoft.KeyVault/vaults/secrets/read",
+    #       "Microsoft.KeyVault/vaults/secrets/list"
+    #     ]
+    #     not_actions = []
   }
 
-  # TODO: Review terraform version and documentation.
-  # Hashicorp documentation shows only assignable_scopes but error requires scope.
+  # Custom Role Assigned Only to Key Vault
   assignable_scopes = [
     azurerm_key_vault.this.id
   ]
-  #   assignable_scopes = [
-  #     "/subscriptions/${var.subscription_id}/${azurerm_key_vault.this.id}/resourceGroups/${var.resource_group_name}" # Use a direct subscription/resource group scope
-  #     # azurerm_key_vault.this.id
-  #   ]
 }
 
 

ops/terraform/modules/vault/main.tf

@@ -5,6 +5,24 @@ resource "azurerm_key_vault" "this" {
   sku_name                 = "standard"
   tenant_id                = var.tenant_id
   purge_protection_enabled = true
+
+  access_policy {
+    tenant_id = var.tenant_id
+    object_id = var.object_id
+
+    key_permissions = [
+      "Create",
+      "Get",
+      "List",
+    ]
+
+    secret_permissions = [
+      "Set",
+      "Get",
+      "Recover"
+    ]
+
+  }
 }
 
 # Random string resource for the postgres password

ops/terraform/modules/vault/outputs.tf

@@ -1,3 +1,4 @@
+# Make the postgres password sensitive to mask the value
 output "postgres_password" {
   value     = random_string.postgres_password.result
   sensitive = true

ops/terraform/modules/vault/variables.tf

@@ -8,5 +8,6 @@ variable "postgres_server_id" {
 }
 variable "resource_group_name" {}
 variable "subscription_id" {}
+variable "service_plan_id" {}
 variable "tenant_id" {}