Merge pull request #338 from NHSDigital/feat/DTOSS-10700-Use-a-docker-image-for-the-postgres-database-for-the-review-apps-testing

[DTOSS-10700] use a docker image for the postgres database for the review apps testing

Author: mrlockstar

infrastructure/environments/dev/variables.tfvars

@@ -7,3 +7,4 @@ postgres_geo_redundant_backup_enabled = false
 protect_keyvault                      = false
 vnet_address_space                    = "10.128.0.0/16"
 personas_enabled                      = true
+seed_demo_data                        = true

infrastructure/environments/review/variables.tfvars

@@ -7,3 +7,5 @@ postgres_geo_redundant_backup_enabled = false
 protect_keyvault                      = false
 vnet_address_space                    = "10.142.0.0/16"
 personas_enabled                      = true
+deploy_database_as_container          = true
+seed_demo_data                        = true

infrastructure/modules/container-apps/main.tf

@@ -11,11 +11,7 @@ module "shared_config" {
   application = var.app_short_name
 }
 
-# create the database
-# prod  : make migrate seed [default]
-# dev   : make migrate seed [default]
-# review: make migrate seed example_data
-# put "example_data" once the PR has been merged in.
+# populate the database
 module "db_setup" {
   source = "../dtos-devops-templates/infrastructure/modules/container-app-job"
 
@@ -26,29 +22,23 @@ module "db_setup" {
   # Run everything through /bin/sh
   container_command = ["/bin/sh", "-c"]
 
-  # Build the full command string, conditionally including example_data
-  # && python manage.py example_data"
   container_args = [
-    var.env_config == "prod"
-    ? "python manage.py migrate"
-    : "python manage.py migrate && python manage.py seed_demo_data --noinput"
+    var.seed_demo_data
+    ? "python manage.py migrate && python manage.py seed_demo_data --noinput"
+    : "python manage.py migrate"
   ]
-
+  secret_variables           = var.deploy_database_as_container ? { DATABASE_PASSWORD = resource.random_password.admin_password[0].result } : {}
   docker_image               = var.docker_image
-  user_assigned_identity_ids = [module.db_connect_identity.id]
+  user_assigned_identity_ids = var.deploy_database_as_container ? [] : [module.db_connect_identity[0].id]
+  environment_variables = merge(
+    local.common_env,
+    var.deploy_database_as_container ? local.container_db_env : local.azure_db_env
+  )
 
-  environment_variables = {
-    DATABASE_HOST    = module.postgres.host
-    DATABASE_NAME    = module.postgres.database_names[0]
-    DATABASE_USER    = module.db_connect_identity.name
-    SSL_MODE         = "require"
-    AZURE_CLIENT_ID  = module.db_connect_identity.client_id
-    PERSONAS_ENABLED = var.personas_enabled ? "1" : "0"
-    DJANGO_ENV       = var.env_config
-  }
 }
 
 module "webapp" {
+
   providers = {
     azurerm     = azurerm
     azurerm.hub = azurerm.hub
@@ -63,15 +53,15 @@ module "webapp" {
   enable_auth                      = var.enable_auth
   app_key_vault_id                 = var.app_key_vault_id
   docker_image                     = var.docker_image
-  user_assigned_identity_ids       = [module.db_connect_identity.id]
-  environment_variables = {
-    ALLOWED_HOSTS   = "${var.app_short_name}-web-${var.environment}.${var.default_domain}"
-    DATABASE_HOST   = module.postgres.host
-    DATABASE_NAME   = module.postgres.database_names[0]
-    DATABASE_USER   = module.db_connect_identity.name
-    SSL_MODE        = "require"
-    AZURE_CLIENT_ID = module.db_connect_identity.client_id
-  }
-  is_web_app = true
-  http_port  = 8000
+  user_assigned_identity_ids       = var.deploy_database_as_container ? [] : [module.db_connect_identity[0].id]
+  environment_variables = merge(
+    local.common_env,
+    {
+      ALLOWED_HOSTS = "${var.app_short_name}-web-${var.environment}.${var.default_domain}"
+    },
+    var.deploy_database_as_container ? local.container_db_env : local.azure_db_env
+  )
+  secret_variables = var.deploy_database_as_container ? { DATABASE_PASSWORD = resource.random_password.admin_password[0].result } : {}
+  is_web_app       = true
+  port             = 8000
 }

infrastructure/modules/container-apps/postgres.tf

@@ -5,7 +5,10 @@ data "azurerm_private_dns_zone" "postgres" {
   resource_group_name = "rg-hub-${var.hub}-uks-private-dns-zones"
 }
 
+# Don't deploy if deploy_database_as_container is true
 module "postgres" {
+  count = var.deploy_database_as_container ? 0 : 1
+
   source = "../dtos-devops-templates/infrastructure/modules/postgresql-flexible"
 
   # postgresql Server
@@ -18,8 +21,8 @@ module "postgres" {
   postgresql_admin_object_id      = data.azuread_group.postgres_sql_admin_group.object_id
   postgresql_admin_principal_name = var.postgres_sql_admin_group
   postgresql_admin_principal_type = "Group"
-  administrator_login             = "admin"
-  admin_identities                = [module.db_connect_identity]
+  administrator_login             = local.database_user
+  admin_identities                = [module.db_connect_identity[0]]
 
   # Diagnostic Settings
   log_analytics_workspace_id                                = var.log_analytics_workspace_audit_id
@@ -47,16 +50,52 @@ module "postgres" {
       collation   = "en_US.utf8"
       charset     = "UTF8"
       max_size_gb = 10
-      name        = "manage_breast_screening"
+      name        = local.database_name
     }
   }
 
   tags = {}
 }
 
 module "db_connect_identity" {
+  count = var.deploy_database_as_container ? 0 : 1
+
   source              = "../dtos-devops-templates/infrastructure/modules/managed-identity"
   resource_group_name = azurerm_resource_group.main.name
   location            = var.region
   uai_name            = "mi-${var.app_short_name}-${var.environment}-db-connect"
 }
+
+resource "random_password" "admin_password" {
+  count = var.deploy_database_as_container ? 1 : 0
+
+  length           = 30
+  special          = true
+  override_special = "!@#$%^&*()-_=+"
+}
+
+module "database_container" {
+  count = var.deploy_database_as_container ? 1 : 0
+
+  providers = {
+    azurerm     = azurerm
+    azurerm.hub = azurerm.hub
+  }
+  app_key_vault_id             = var.app_key_vault_id
+  source                       = "../dtos-devops-templates/infrastructure/modules/container-app"
+  name                         = "${var.app_short_name}-db-${var.environment}"
+  container_app_environment_id = var.container_app_environment_id
+  docker_image                 = "postgres:16"
+  enable_auth                  = false
+  secret_variables             = var.deploy_database_as_container ? { POSTGRES_PASSWORD = resource.random_password.admin_password[0].result } : {}
+  environment_variables = {
+    POSTGRES_USER = local.database_user
+    POSTGRES_DB   = local.database_name
+  }
+  resource_group_name              = azurerm_resource_group.main.name
+  fetch_secrets_from_app_key_vault = var.fetch_secrets_from_app_key_vault
+  infra_key_vault_name             = "kv-${var.app_short_name}-${var.env_config}-inf"
+  infra_key_vault_rg               = "rg-${var.app_short_name}-${var.env_config}-infra"
+  is_tcp_app                       = true
+  port                             = 5432
+}

infrastructure/modules/container-apps/variables.tf

@@ -67,6 +67,11 @@ variable "log_analytics_workspace_audit_id" {
   type        = string
 }
 
+variable "deploy_database_as_container" {
+  description = "Whether to deploy the database as a container or as an Azure postgres flexible server."
+  type        = bool
+}
+
 variable "postgres_backup_retention_days" {
   description = "The number of days to retain backups for the PostgreSQL Flexible Server."
   type        = number
@@ -113,6 +118,12 @@ variable "personas_enabled" {
   default     = false
 }
 
+variable "seed_demo_data" {
+  description = "Whether or not to seed the demo data in the database."
+  type        = bool
+  default     = false
+}
+
 variable "use_apex_domain" {
   description = "Use apex domain for the Front Door endpoint. Set to true for production."
   type        = bool
@@ -122,4 +133,26 @@ locals {
   resource_group_name = "rg-${var.app_short_name}-${var.environment}-container-app-uks"
 
   hostname = var.use_apex_domain ? var.dns_zone_name : "${var.environment}.${var.dns_zone_name}"
+
+  database_user = "admin"
+  database_name = "manage_breast_screening"
+
+  common_env = {
+    SSL_MODE         = "require"
+    PERSONAS_ENABLED = var.personas_enabled ? "1" : "0"
+    DJANGO_ENV       = var.env_config
+  }
+
+  container_db_env = {
+    DATABASE_HOST = var.deploy_database_as_container ? module.database_container[0].container_app_fqdn : null
+    DATABASE_NAME = local.database_name
+    DATABASE_USER = local.database_user
+  }
+
+  azure_db_env = {
+    AZURE_CLIENT_ID = var.deploy_database_as_container ? null : module.db_connect_identity[0].client_id
+    DATABASE_HOST   = var.deploy_database_as_container ? null : module.postgres[0].host
+    DATABASE_NAME   = var.deploy_database_as_container ? null : module.postgres[0].database_names[0]
+    DATABASE_USER   = var.deploy_database_as_container ? null : module.db_connect_identity[0].name
+  }
 }

infrastructure/terraform/main.tf

@@ -42,6 +42,7 @@ module "container-apps" {
   default_domain                        = var.deploy_infra ? module.infra[0].default_domain : data.azurerm_container_app_environment.this[0].default_domain
   dns_zone_name                         = var.dns_zone_name
   docker_image                          = var.docker_image
+  deploy_database_as_container          = var.deploy_database_as_container
   enable_auth                           = var.enable_auth
   environment                           = var.environment
   env_config                            = var.env_config
@@ -56,5 +57,6 @@ module "container-apps" {
   postgres_storage_mb                   = var.postgres_storage_mb
   postgres_storage_tier                 = var.postgres_storage_tier
   postgres_subnet_id                    = var.deploy_infra ? module.infra[0].postgres_subnet_id : data.azurerm_subnet.postgres[0].id
+  seed_demo_data                        = var.seed_demo_data
   use_apex_domain                       = var.use_apex_domain
 }

infrastructure/terraform/variables.tf

@@ -72,6 +72,12 @@ variable "postgres_geo_redundant_backup_enabled" {
   default     = true
 }
 
+variable "deploy_database_as_container" {
+  description = "Whether to deploy the database as a container or as an Azure postgres flexible server."
+  type        = bool
+  default     = false
+}
+
 variable "postgres_sku_name" {
   description = "Value of the PostgreSQL Flexible Server SKU name"
   default     = "B_Standard_B1ms"
@@ -116,6 +122,12 @@ variable "personas_enabled" {
   default     = false
 }
 
+variable "seed_demo_data" {
+  description = "Whether or not to seed the demo data in the database."
+  type        = bool
+  default     = false
+}
+
 locals {
   region = "uksouth"