locals {
  # Name of the principal that set-postgres-permissions.bash grants read
  # access to. Production uses a name that references JIT access and is
  # keyed on the product; every other environment uses a standing
  # business-area name. Presumably an Azure AD group — confirm against the
  # script, which is what actually consumes DB_READER_USER.
  db_reader_user = (
    local.is_prod
    ? "DTS JIT Access ${var.product} DB Reader SC"
    : "DTS ${var.business_area} DB Access Reader"
  )
}
# Runs set-postgres-permissions.bash on the host executing terraform to grant
# local.db_reader_user access to the primary database.
resource "null_resource" "set-user-permissions" {
  # Only run when a component or name override is set. For legacy reasons
  # teams put both product and component into var.product; since only the
  # product is wanted there, var.component / var.name were introduced and
  # deployments still on the old format are skipped here.
  count = (var.component != "" || var.name != "") ? 1 : 0

  # A change to any trigger value re-runs the provisioner on the next apply.
  # Because the script's own hash is a trigger, any edit to the script is
  # executed automatically with the DB manager credentials passed below, so
  # changes to that file deserve the same review as changes to this one.
  triggers = {
    script_hash    = filesha256("${path.module}/set-postgres-permissions.bash")
    name           = local.name
    db_reader_user = local.db_reader_user
  }

  # NOTE(review): the AD administrator is presumably what the script signs in
  # as (DB_USER is built from local.escaped_admin_group), hence the explicit
  # ordering — confirm in the script.
  depends_on = [
    azurerm_postgresql_active_directory_administrator.admin
  ]

  provisioner "local-exec" {
    command = "${path.module}/set-postgres-permissions.bash"

    # All inputs are passed through the process environment. DB_MANAGER_PASSWORD
    # comes from a Key Vault data source: Terraform stores data source values in
    # state, so the state backend must be access-controlled, and the value is
    # readable by anything that can inspect this process's environment on the
    # machine running terraform.
    environment = {
      DB_NAME                       = replace(var.database_name, "-", "")
      DB_HOST_NAME                  = azurerm_postgresql_server.postgres-paas.fqdn
      DB_USER                       = "${local.escaped_admin_group}@${azurerm_postgresql_server.postgres-paas.name}"
      DB_READER_USER                = local.db_reader_user
      AZURE_SUBSCRIPTION_SHORT_NAME = var.subscription
      DB_MANAGER_USER_NAME          = data.azurerm_key_vault_secret.db_manager_username.value
      DB_MANAGER_PASSWORD           = data.azurerm_key_vault_secret.db_manager_password.value
      TENANT_ID                     = data.azurerm_client_config.current.tenant_id
    }
  }
}
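# Runs set-postgres-permissions.bash once per entry in var.additional_databases
# to grant local.db_reader_user access to each additional database.
#
# NOTE(review): unlike null_resource.set-user-permissions this resource has no
# count guard, so additional databases are always processed even for
# deployments without a component/name override — confirm that is intended.
resource "null_resource" "set-user-permissions-additionaldbs" {
  for_each = toset(var.additional_databases)

  # A change to any trigger value re-runs the provisioner on the next apply.
  # Because the script's own hash is a trigger, any edit to the script is
  # executed automatically with the DB manager credentials passed below, so
  # changes to that file deserve the same review as changes to this one.
  triggers = {
    script_hash    = filesha256("${path.module}/set-postgres-permissions.bash")
    name           = local.name
    db_reader_user = local.db_reader_user
  }

  # NOTE(review): the AD administrator is presumably what the script signs in
  # as (DB_USER is built from local.escaped_admin_group), hence the explicit
  # ordering — confirm in the script.
  depends_on = [
    azurerm_postgresql_active_directory_administrator.admin
  ]

  provisioner "local-exec" {
    command = "${path.module}/set-postgres-permissions.bash"

    # All inputs are passed through the process environment. DB_MANAGER_PASSWORD
    # comes from a Key Vault data source: Terraform stores data source values in
    # state, so the state backend must be access-controlled, and the value is
    # readable by anything that can inspect this process's environment on the
    # machine running terraform.
    environment = {
      # each.key is already a string; the redundant "${each.key}" wrapper is
      # dropped so this matches the primary resource's replace(...) call.
      DB_NAME                       = replace(each.key, "-", "")
      DB_HOST_NAME                  = azurerm_postgresql_server.postgres-paas.fqdn
      DB_USER                       = "${local.escaped_admin_group}@${azurerm_postgresql_server.postgres-paas.name}"
      DB_READER_USER                = local.db_reader_user
      AZURE_SUBSCRIPTION_SHORT_NAME = var.subscription
      DB_MANAGER_USER_NAME          = data.azurerm_key_vault_secret.db_manager_username.value
      DB_MANAGER_PASSWORD           = data.azurerm_key_vault_secret.db_manager_password.value
      TENANT_ID                     = data.azurerm_client_config.current.tenant_id
    }
  }
}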