Feat: Azure Container Apps infrastructure (#3646)

Author: lalver1

.devcontainer/devcontainer.json

@@ -3,7 +3,7 @@
   "name": "cal-itp/benefits",
   "dockerComposeFile": ["../compose.yml"],
   "service": "dev",
-  "runServices": ["dev", "docs", "server", "postgres", "pgweb"],
+  "runServices": ["dev", "docs", "server", "postgres", "pgadmin"],
   "forwardPorts": ["docs:8001", "server:8000"],
   "otherPortsAttributes": { "onAutoForward": "ignore" },
   "workspaceFolder": "/calitp/app",

.env.sample

@@ -27,7 +27,7 @@ POSTGRES_PASSWORD=postgres
 POSTGRES_PORT=5432
 POSTGRES_SSLMODE=disable
 
-PGWEB_PORT=8081
+PGADMIN_PORT=8081
 
 # Email sending
 AZURE_COMMUNICATION_CONNECTION_STRING=

compose.yml

@@ -67,23 +67,30 @@ services:
     volumes:
       - pgdata:/var/lib/postgresql/data
     healthcheck:
-      test: pg_isready -U pgweb -h 127.0.0.1
+      test: pg_isready -U ${POSTGRES_USER:-postgres} -h 127.0.0.1
       interval: 5s
 
-  pgweb:
-    container_name: pgweb
-    image: sosedoff/pgweb
+  pgadmin:
+    image: dpage/pgadmin4:latest
     ports:
-      - "${PGWEB_PORT:-8081}:8081"
+      - "${PGADMIN_PORT:-8081}:80"
     depends_on:
       postgres:
         condition: service_healthy
-    healthcheck:
-      test: ["CMD", "nc", "-vz", "127.0.0.1", "8081"]
-      interval: 5s
     environment:
-      - PGWEB_DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOSTNAME}:${POSTGRES_PORT}/${DJANGO_DB_NAME}?sslmode=disable
+      - PGADMIN_DEFAULT_EMAIL=benefits-admin@calitp.org
+      - PGADMIN_DEFAULT_PASSWORD=admin
+      - PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED=false
+      - PGADMIN_CONFIG_SERVER_MODE=false
+      - PGHOST=${POSTGRES_HOSTNAME}
+      - PGUSER=${POSTGRES_USER}
+      - PGSSLMODE=${POSTGRES_SSLMODE}
+      - PGPASSWORD=${POSTGRES_PASSWORD}
+    volumes:
+      - pgadmin_data:/var/lib/pgadmin
 
 volumes:
   pgdata:
     driver: local
+  pgadmin_data:
+    driver: local

docs/reference/environment-variables.md

@@ -351,17 +351,13 @@ Comma-separated list of URIs. Configures the [`style-src`][mdn-csp-style-src] Co
 
     The official PostgreSQL Docker image has more on available [`postgres` environment variables][postgres]
 
-### `PGWEB_PORT`
-
-The port to serve a (local only) [`pgweb`](https://sosedoff.github.io/pgweb/) service on.
-
 ### `POSTGRES_DB`
 
 Used to define a different name for the default database that is created when the image is first started. If it is not specified, then the value of [`POSTGRES_USER`](#postgres_user) will be used.
 
 ### `POSTGRES_HOSTNAME`
 
-The hostname of the (local) PostgreSQL Docker service, which is usually just the name of the service itself (`postgres`). Used by e.g. `pgweb` to establish a connection. Or the hostname of a cloud-based PostgreSQL service for e.g. Django to establish a connection.
+The hostname of the (local) PostgreSQL Docker service, which is usually just the name of the service itself (`postgres`). Or the hostname of a cloud-based PostgreSQL service for e.g. Django to establish a connection.
 
 ### `POSTGRES_PASSWORD`
 

terraform/.terraform.lock.hcl

@@ -1,5 +1,10 @@
 locals {
   postgres_admin_password_secret_name = "postgres-admin-password"
+  postgres_admin_login                = "postgres_admin"
+  postgres_admin_db                   = "postgres"
+  pgadmin_admin_password_secret_name  = "pgadmin-admin-password"
+  pgadmin_config_db                   = "pgadmin_config"
+  pgadmin_config_db_uri_secret_name   = "pgadmin-config-db-uri"
 }
 
 # Manage an Azure Database for PostgreSQL Flexible Server
@@ -22,15 +27,15 @@ resource "azurerm_postgresql_flexible_server" "main" {
   public_network_access_enabled = false
   private_dns_zone_id           = azurerm_private_dns_zone.db.id # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_flexible_server#private_dns_zone_id-1
   delegated_subnet_id           = azurerm_subnet.main["DB"].id
-  administrator_login           = "postgres_admin"
+  administrator_login           = local.postgres_admin_login
   administrator_password        = azurerm_key_vault_secret.postgres_admin_password.value
 
   lifecycle {
     ignore_changes = [tags]
   }
 }
 
-# Generate a random password for PostgreSQL
+# Generate a random password for the PostgreSQL Admin
 resource "random_password" "postgres_admin_password" {
   length           = 32
   min_lower        = 4
@@ -51,3 +56,44 @@ resource "azurerm_key_vault_secret" "postgres_admin_password" {
     random_password.postgres_admin_password # Ensure password is generated first
   ]
 }
+
+# Generate a random password for the pgAdmin Admin
+resource "random_password" "pgadmin_admin_password" {
+  length           = 32
+  min_lower        = 4
+  min_upper        = 4
+  min_numeric      = 4
+  min_special      = 4
+  special          = true
+  override_special = "_%@!-"
+}
+
+# Create the secret for pgAdmin Admin Password using the generated password
+resource "azurerm_key_vault_secret" "pgadmin_admin_password" {
+  name         = local.pgadmin_admin_password_secret_name
+  value        = random_password.pgadmin_admin_password.result
+  key_vault_id = azurerm_key_vault.main.id
+  content_type = "password"
+  depends_on = [
+    random_password.pgadmin_admin_password # Ensure password is generated first
+  ]
+}
+
+# Create a dedicated database for pgAdmin's configuration
+resource "azurerm_postgresql_flexible_server_database" "pgadmin_config" {
+  name      = local.pgadmin_config_db
+  server_id = azurerm_postgresql_flexible_server.main.id
+  charset   = "UTF8"
+  collation = "en_US.utf8"
+}
+
+# Create a connection string URI for pgAdmin's configuration DB
+resource "azurerm_key_vault_secret" "pgadmin_config_db_uri" {
+  name         = local.pgadmin_config_db_uri_secret_name
+  value        = "'postgresql://${local.postgres_admin_login}:${urlencode(random_password.postgres_admin_password.result)}@${azurerm_postgresql_flexible_server.main.fqdn}:5432/${azurerm_postgresql_flexible_server_database.pgadmin_config.name}'"
+  key_vault_id = azurerm_key_vault.main.id
+  content_type = "password"
+  depends_on = [
+    random_password.postgres_admin_password
+  ]
+}

terraform/database.tf

@@ -42,10 +42,13 @@ locals {
     "Backup",
     "Restore",
   ]
+
+  key_vault_name              = "KV-CDT-PUB-CALITP-${local.env_letter}-001"
+  key_vault_secret_uri_prefix = "https://${local.key_vault_name}.vault.azure.net/secrets"
 }
 
 resource "azurerm_key_vault" "main" {
-  name                     = "KV-CDT-PUB-CALITP-${local.env_letter}-001"
+  name                     = local.key_vault_name
   location                 = data.azurerm_resource_group.main.location
   resource_group_name      = data.azurerm_resource_group.main.name
   sku_name                 = "standard"
@@ -100,3 +103,27 @@ resource "azurerm_key_vault_access_policy" "webapp" {
   # This ensures the Key Vault itself is created before trying to attach a policy.
   depends_on = [azurerm_key_vault.main]
 }
+
+# Standalone Access Policy for the Benefits (web) Container App's Managed Identity
+resource "azurerm_key_vault_access_policy" "web_container_app" {
+  key_vault_id = azurerm_key_vault.main.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = module.application.web_principal_id
+
+  secret_permissions = ["Get"]
+
+  # This ensures the Key Vault itself is created before trying to attach a policy.
+  depends_on = [azurerm_key_vault.main]
+}
+
+# Standalone Access Policy for the pgAdmin Container App's Managed Identity
+resource "azurerm_key_vault_access_policy" "pgadmin_container_app" {
+  key_vault_id = azurerm_key_vault.main.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = module.application.pgadmin_principal_id
+
+  secret_permissions = ["Get"]
+
+  # This ensures the Key Vault itself is created before trying to attach a policy.
+  depends_on = [azurerm_key_vault.main]
+}

terraform/key_vault.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 4.0"
+      version = "~> 4.67"
     }
   }
 

terraform/main.tf

@@ -0,0 +1,44 @@
+module "application" {
+  source = "./modules/application"
+
+  # Terraform Environment
+  resource_group_name = data.azurerm_resource_group.main.name
+  location            = data.azurerm_resource_group.main.location
+  env_letter          = local.env_letter
+  env_name            = local.env_name
+  is_dev              = local.is_dev
+  is_prod             = local.is_prod
+
+  # Monitoring
+  log_analytics_workspace_id = azurerm_log_analytics_workspace.main.id
+
+  # Network
+  subnet_ca_id = azurerm_subnet.main["CA"].id
+
+  # Storage
+  storage_account_name       = azurerm_storage_account.main.name
+  storage_account_access_key = azurerm_storage_account.main.primary_access_key
+  storage_share_web_name     = azurerm_storage_share.web.name
+  storage_share_pgadmin_name = azurerm_storage_share.pgadmin.name
+
+  # Benefits Container App Image Details
+  container_registry   = var.CONTAINER_REGISTRY
+  container_repository = var.CONTAINER_REPOSITORY
+  container_tag        = var.CONTAINER_TAG
+
+  # Key Vault
+  key_vault_secret_uri_prefix = local.key_vault_secret_uri_prefix
+
+  # App Config
+  azure_communication_connection_string_name = local.azure_communication_connection_string_name
+  django_db_password_secret_name             = azurerm_key_vault_secret.django_db_password.name
+  postgres_admin_password_secret_name        = azurerm_key_vault_secret.postgres_admin_password.name
+  sender_email                               = local.sender_email
+  postgres_fqdn                              = azurerm_postgresql_flexible_server.main.fqdn
+  postgres_admin_login                       = local.postgres_admin_login
+  postgres_admin_db                          = local.postgres_admin_db
+
+  # pgAdmin Config
+  pgadmin_admin_password_secret_name = azurerm_key_vault_secret.pgadmin_admin_password.name
+  pgadmin_config_db_uri_secret_name  = azurerm_key_vault_secret.pgadmin_config_db_uri.name
+}