chore: add virtual network for private connectivity between containerapps and postgresql

Author: EstopaceMA

infra/main.tf

@@ -13,18 +13,34 @@ resource "azurerm_resource_group" "rg" {
   tags     = local.tags
 }
 
+# ------------------------------------------------------------------------------------------------------
+# Deploy Virtual Network
+# ------------------------------------------------------------------------------------------------------
+
+module "vnet" {
+  source   = "./modules/vnet"
+  prefix   = var.prefix
+  location = var.location
+  rg_name  = azurerm_resource_group.rg.name
+  tags     = local.tags
+}
+
 # ------------------------------------------------------------------------------------------------------
 # Deploy PostgresSQL Database
 # ------------------------------------------------------------------------------------------------------
 
 module "postgres" {
-  source         = "./modules/postgres"
-  prefix         = var.prefix
-  location       = var.location
-  tags           = local.tags
-  rg_name        = azurerm_resource_group.rg.name
-  admin_username = var.admin_username
-  admin_password = var.admin_password
+  source               = "./modules/postgres"
+  prefix               = var.prefix
+  location             = var.location
+  tags                 = local.tags
+  rg_name              = azurerm_resource_group.rg.name
+  admin_username       = var.admin_username
+  admin_password       = var.admin_password
+  postgres_subnet_id   = module.vnet.postgres_subnet_id
+  postgres_dns_zone_id = module.vnet.postgres_dns_zone_id
+
+  depends_on = [module.vnet]
 }
 
 # ------------------------------------------------------------------------------------------------------
@@ -50,17 +66,18 @@ module "keyvault" {
 # Deploy Container App
 # ------------------------------------------------------------------------------------------------------
 module "containerapp" {
-  source           = "./modules/containerapp"
-  prefix           = var.prefix
-  location         = var.location
-  rg_name          = azurerm_resource_group.rg.name
-  tags             = local.tags
-  container_image  = var.container_image
-  container_port   = var.container_port
-  container_cpu    = var.container_cpu
-  container_memory = var.container_memory
-  min_replicas     = var.min_replicas
-  max_replicas     = var.max_replicas
+  source                 = "./modules/containerapp"
+  prefix                 = var.prefix
+  location               = var.location
+  rg_name                = azurerm_resource_group.rg.name
+  tags                   = local.tags
+  container_image        = var.container_image
+  container_port         = var.container_port
+  container_cpu          = var.container_cpu
+  container_memory       = var.container_memory
+  min_replicas           = var.min_replicas
+  max_replicas           = var.max_replicas
+  containerapp_subnet_id = module.vnet.containerapp_subnet_id
 
   # Pass the database connection string as a secret
   secrets = [
@@ -79,5 +96,5 @@ module "containerapp" {
     }
   ]
 
-  depends_on = [module.postgres, module.keyvault]
+  depends_on = [module.postgres, module.keyvault, module.vnet]
 }

infra/modules/containerapp/containerapp.tf

@@ -14,11 +14,13 @@ resource "azurerm_log_analytics_workspace" "logs" {
 # DEPLOY CONTAINER APP ENVIRONMENT
 # ------------------------------------------------------------------------------------------------------
 resource "azurerm_container_app_environment" "env" {
-  name                       = "${var.prefix}-env"
-  location                   = var.location
-  resource_group_name        = var.rg_name
-  log_analytics_workspace_id = azurerm_log_analytics_workspace.logs.id
-  tags                       = var.tags
+  name                           = "${var.prefix}-env"
+  location                       = var.location
+  resource_group_name            = var.rg_name
+  log_analytics_workspace_id     = azurerm_log_analytics_workspace.logs.id
+  infrastructure_subnet_id       = var.containerapp_subnet_id
+  internal_load_balancer_enabled = false
+  tags                           = var.tags
 }
 
 # ------------------------------------------------------------------------------------------------------

infra/modules/containerapp/containerapp_variables.tf

@@ -79,3 +79,8 @@ variable "acr_sku" {
   type        = string
   default     = "Basic"
 }
+
+variable "containerapp_subnet_id" {
+  description = "The subnet ID for Container App Environment VNet integration"
+  type        = string
+}

infra/modules/postgres/postgres.tf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------------------------------------
-# DEPLOY POSTGRESQL SERVER
+# DEPLOY POSTGRESQL FLEXIBLE SERVER WITH PRIVATE NETWORKING
 # ------------------------------------------------------------------------------------------------------
 resource "azurerm_postgresql_flexible_server" "pg" {
   name                   = "${var.prefix}-pgflex"
@@ -10,5 +10,14 @@ resource "azurerm_postgresql_flexible_server" "pg" {
   administrator_password = var.admin_password
   sku_name               = var.sku_name
   storage_mb             = 32768
+
+  # Private networking configuration
+  delegated_subnet_id = var.postgres_subnet_id
+  private_dns_zone_id = var.postgres_dns_zone_id
+
+  # Disable public network access for security
+  public_network_access_enabled = false
+
+  tags = var.tags
 }
 

infra/modules/postgres/postgres_variables.tf

@@ -41,3 +41,13 @@ variable "sku_name" {
   type        = string
   default     = "B_Standard_B1ms"
 }
+
+variable "postgres_subnet_id" {
+  description = "The subnet ID for PostgreSQL private networking"
+  type        = string
+}
+
+variable "postgres_dns_zone_id" {
+  description = "The private DNS zone ID for PostgreSQL"
+  type        = string
+}

infra/modules/vnet/vnet.tf

@@ -0,0 +1,65 @@
+# ------------------------------------------------------------------------------------------------------
+# DEPLOY VIRTUAL NETWORK
+# ------------------------------------------------------------------------------------------------------
+resource "azurerm_virtual_network" "vnet" {
+  name                = "${var.prefix}-vnet"
+  location            = var.location
+  resource_group_name = var.rg_name
+  address_space       = ["10.0.0.0/16"]
+  tags                = var.tags
+}
+
+# ------------------------------------------------------------------------------------------------------
+# SUBNET FOR CONTAINER APPS ENVIRONMENT
+# ------------------------------------------------------------------------------------------------------
+resource "azurerm_subnet" "containerapp_subnet" {
+  name                 = "${var.prefix}-containerapp-subnet"
+  resource_group_name  = var.rg_name
+  virtual_network_name = azurerm_virtual_network.vnet.name
+  address_prefixes     = ["10.0.0.0/23"]
+
+  # NOTE: Container Apps Environment does NOT require delegation
+  # The environment itself manages the subnet - no delegation needed
+}
+
+# ------------------------------------------------------------------------------------------------------
+# SUBNET FOR POSTGRESQL FLEXIBLE SERVER
+# ------------------------------------------------------------------------------------------------------
+resource "azurerm_subnet" "postgres_subnet" {
+  name                 = "${var.prefix}-postgres-subnet"
+  resource_group_name  = var.rg_name
+  virtual_network_name = azurerm_virtual_network.vnet.name
+  address_prefixes     = ["10.0.2.0/24"]
+
+  # Delegation required for PostgreSQL Flexible Server
+  delegation {
+    name = "Microsoft.DBforPostgreSQL.flexibleServers"
+
+    service_delegation {
+      name = "Microsoft.DBforPostgreSQL/flexibleServers"
+      actions = [
+        "Microsoft.Network/virtualNetworks/subnets/join/action",
+      ]
+    }
+  }
+
+  # Service endpoints for PostgreSQL
+  service_endpoints = ["Microsoft.Storage"]
+}
+
+# ------------------------------------------------------------------------------------------------------
+# PRIVATE DNS ZONE FOR POSTGRESQL
+# ------------------------------------------------------------------------------------------------------
+resource "azurerm_private_dns_zone" "postgres_dns" {
+  name                = "${var.prefix}.postgres.database.azure.com"
+  resource_group_name = var.rg_name
+  tags                = var.tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "postgres_dns_link" {
+  name                  = "${var.prefix}-postgres-dns-link"
+  resource_group_name   = var.rg_name
+  private_dns_zone_name = azurerm_private_dns_zone.postgres_dns.name
+  virtual_network_id    = azurerm_virtual_network.vnet.id
+  tags                  = var.tags
+}

infra/modules/vnet/vnet_output.tf

@@ -0,0 +1,29 @@
+output "vnet_id" {
+  description = "Virtual Network ID"
+  value       = azurerm_virtual_network.vnet.id
+}
+
+output "vnet_name" {
+  description = "Virtual Network name"
+  value       = azurerm_virtual_network.vnet.name
+}
+
+output "containerapp_subnet_id" {
+  description = "Container App subnet ID"
+  value       = azurerm_subnet.containerapp_subnet.id
+}
+
+output "postgres_subnet_id" {
+  description = "PostgreSQL subnet ID"
+  value       = azurerm_subnet.postgres_subnet.id
+}
+
+output "postgres_dns_zone_id" {
+  description = "PostgreSQL Private DNS Zone ID"
+  value       = azurerm_private_dns_zone.postgres_dns.id
+}
+
+output "postgres_dns_zone_name" {
+  description = "PostgreSQL Private DNS Zone name"
+  value       = azurerm_private_dns_zone.postgres_dns.name
+}

infra/modules/vnet/vnet_variables.tf

@@ -0,0 +1,20 @@
+variable "prefix" {
+  description = "Resource naming prefix"
+  type        = string
+}
+
+variable "location" {
+  description = "Azure region"
+  type        = string
+}
+
+variable "rg_name" {
+  description = "Resource group name"
+  type        = string
+}
+
+variable "tags" {
+  description = "Resource tags"
+  type        = map(string)
+  default     = {}
+}