{"id":22535569,"url":"https://github.com/hmcts/cnp-module-postgres","last_synced_at":"2025-04-14T17:49:09.076Z","repository":{"id":37835658,"uuid":"100478937","full_name":"hmcts/cnp-module-postgres","owner":"hmcts","description":"Module that creates a Postgres paas instance","archived":false,"fork":false,"pushed_at":"2025-04-09T14:55:26.000Z","size":15161,"stargazers_count":1,"open_issues_count":4,"forks_count":1,"subscribers_count":174,"default_branch":"postgresql_tf","last_synced_at":"2025-04-14T17:49:02.736Z","etag":null,"topics":["jenkins-cft","jenkins-cft-a-c","team-platform"],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hmcts.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-08-16T10:47:06.000Z","updated_at":"2024-11-19T15:46:50.000Z","dependencies_parsed_at":"2023-02-02T20:00:35.008Z","dependency_job_id":"431381ae-adce-401f-9b00-a25844bc39e4","html_url":"https://github.com/hmcts/cnp-module-postgres","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hmcts%2Fcnp-module-postgres","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hmcts%2Fcnp-module-postgres/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hmcts%2Fcnp-module-postgres/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hmcts%2Fcnp-module-postgres/manifests","owner_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hmcts","download_url":"https://codeload.github.com/hmcts/cnp-module-postgres/tar.gz/refs/heads/postgresql_tf","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248930880,"owners_count":21185100,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jenkins-cft","jenkins-cft-a-c","team-platform"],"created_at":"2024-12-07T10:07:52.622Z","updated_at":"2025-04-14T17:49:09.056Z","avatar_url":"https://github.com/hmcts.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cnp-module-postgres (deprecated)\n\n\u003e **Warning** do not use for new services.\n\nAll new teams are to deploy [PostgreSQL Flexible server](https://github.com/hmcts/terraform-module-postgresql-flexible). 
\n\nThis module will be archived once all teams have migrated.\n\n## Description\n\nA module that lets you create an Azure Database for PostgreSQL.\nRefer to the following links for a detailed explanation of the Azure Database for PostgreSQL.\n\n[Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/overview) \u003cbr /\u003e\n\n## Usage\n\nThe following example shows how to use the module to create an Azure Database for PostgreSQL instance and expose the host and port as environment variables in another module.\n\n```terraform\nmodule \"database\" {\n  source                = \"git@github.com:hmcts/cnp-module-postgres?ref=postgresql_tf\"\n  product               = var.product\n  component             = var.component\n  location              = var.location\n  env                   = var.env\n  postgresql_user       = var.postgresql_user\n  database_name         = myproduct\n  postgresql_version    = 11\n  common_tags           = var.common_tags\n  subscription          = var.subscription\n}\n```\n\n### Additional databases in PostgreSQL instance\n\nThe following example shows how to create additional databases within the PostgreSQL instance\n\n```terraform\nmodule \"database\" {\n  source                = \"git@github.com:hmcts/cnp-module-postgres?ref=master\"\n  product               = var.product\n  component             = var.component\n  location              = var.location\n  env                   = var.env\n  postgresql_user       = var.postgresql_user\n  database_name         = myproduct\n  postgresql_version    = 10\n  common_tags           = var.common_tags\n  subscription          = var.subscription\n  additional_databases  = var.additional_databases\n}\n```\n\nExample of the variable `additional_databases` being referenced\n\n```terraform\nadditional_databases = [\n    \"postgresql-db2\",\n    \"postgresql-db3\",\n]\n```\n\n## Variables\n\n### Configuration\n\nThe following parameters are required by this module\n\n- `product` 
the name of the product or project, i.e. probate, divorce etc.\n- `component` the name of the component, i.e. data-store-api\n- `location` the azure region for this service. _Note:_ Check to ensure the service is available in the region.\n- `env` this is used to differentiate the environments, e.g. dev, prod, test etc.\n- `postgresql_user` the username for the admin database login. Cannot be 'azure_superuser', 'azure_pg_admin', 'admin', 'administrator', 'postgres', 'root', 'guest', or 'public'. It can't start with 'pg_'.\n- `database_name` the name of the database to create within the Postgres server. Please note that currently hyphens are NOT allowed in the database name; they will be removed automatically to ensure a successful deployment.\n- `common_tags` tags that need to be applied to every resource group, passed through by the jenkins-library\n- `subscription` the subscription this module is currently being run in\n- `postgresql_version` the postgres version. Currently 10 and 11.\n\n**If you are using the SDS platform then you will need to add Key Vault parameters as per below**\n```terraform\n  key_vault_rg       = \"genesis-rg\"\n  key_vault_name     = \"dtssharedservices${var.environment}kv\"\n```\n\nThe following parameters are optional\n\n- `sku_name` the size of the postgres instance, specifically cores. Default is \"GP_Gen5_2\".\n- `sku_tier` Basic, General Purpose or Memory Optimised. Note that the sku_name chosen must belong to the sku_tier. Default is \"GeneralPurpose\".\n- `sku_capacity` The number of vCores. Default is 2; note the database is charged per vCore/month.\n- `storage_mb` the amount of storage available to the DB instance. Default is \"51200\".\n- `ssl_enforcement` specifies whether SSL is enforced on the DB endpoint, options are \"true\" and \"false\". Default is \"true\".\n- `backup_retention_days` number of days to retain a backup. Default is 35.\n- `georedundant_backup` specifies whether to use geo-redundant backup over local. 
Default is \"Enabled\".\n- `auto_grow_enabled` specifies whether to grow underlying storage automatically. Default is \"true\"\n- `business_area` Business area. Either CFT or SDS. Default is \"CFT\".\n- `additional_databases` if additional databases are required within the postgres server\n\n### Output\n\nThe following variables are provided by the module for use in other modules\n\n- `host_name` the host name which can be used to connect to PostgreSQL\n- `postgresql_listen_port` the port to connect to\n- `user_name` the username given in `postgresql_user` combined with the server name in the format postgresql_user@postgres-paas.name\n- `postgresql_database`\n- `postgresql_password` the randomly generated password for the admin login. It will be 16 characters and contain characters from three of the following categories: English uppercase letters, English lowercase letters, numbers (0 through 9), and nonalphanumeric characters (!, $, #, %, etc.).\n- `resource_group_name` the resource group name of the PostgreSQL database resource\n- `name` the server name of the PostgreSQL database resource\n\n\n## Access to databases\n\nDatabases are restricted to access from specific subnets, these can be updated in the [cnp-database-subnet-whitelisting](https://github.com/hmcts/cnp-database-subnet-whitelisting)\nGitHub repo.\n\nTypically, you will need to set up an SSH tunnel to access the database you want to.\n\nAll developers can access non production databases with reader access.\n\nSecurity cleared developers can access production DBs using just in time access and an approved business justification.\n\n_Note: access is only granted on a case by case basis, and is removed automatically_\n\nMore process details to follow, it's currently being worked out.\n\n### Non production:\n\n#### First time setup\n\n1. 
Join either  'DTS CFT Developers' or 'DTS SDS Developers'  AAD group via [GitHub pull request](https://github.com/hmcts/devops-azure-ad/blob/master/users/prod_users.yml)\n\n\u003cdetails\u003e\n\n\u003csummary\u003eBastion configuration\u003c/summary\u003e\n\nEnsure you have Azure CLI version 2.22.1 or later installed\n\nRun `az login`\n\nEnsure ssh extension for the Azure CLI is installed: 'az extension add --name ssh'\n\nRun `az ssh config --ip \\*.platform.hmcts.net --file ~/.ssh/config`\n\n\u003c/details\u003e\n\n#### Steps to access\n\n1. Connect to the VPN\n2. Request access to the non production bastion via [JIT](https://myaccess.microsoft.com/@HMCTS.NET#/access-packages/4894e58f-920e-404d-9db4-dc2ab8513794),\nthis will be automatically approved, and lasts for 24 hours.\n3. Copy below script, update the variables (search for all references to draft-store and replace with your DB) and run it\n\n```bash\n# If you haven't logged in before you may need to login, uncomment the below line:\n# az login\n# this should give you a long JWT token, you will need this later on\naz account get-access-token --resource-type oss-rdbms --query accessToken -o tsv\n\nssh bastion-nonprod.platform.hmcts.net\n\nexport PGPASSWORD=\u003cresult-from-earlier\u003e\n\n# you can get this from the portal, or determine it via the inputs your pass to this module in your code\nPOSTGRES_HOST=rpe-draft-store-aat.postgres.database.azure.com\n\n# this matches the `database_name` parameter you pass in the module\nDB_NAME=draftstore\n\n# Update the suffix after the @ to the server name\nDB_USER=\"DTS\\ CFT\\ DB\\ Access\\ Reader@rpe-draft-store-aat\" # read access\n#DB_USER=\"DTS\\ Platform\\ Operations@rpe-draft-store-aat\" # operations team administrative access\n\npsql \"sslmode=require host=${POSTGRES_HOST} dbname=${DB_NAME} user=${DB_USER}\"\n```\n\n_Note: it's also possible to tunnel the connection to your own machine and use other tools to log in, IntelliJ database tools works, pgAdmin 4 
works with a workaround for the password field length limit, when creating a new connection untick the \"Connect now?\" option and don't set the password, save the connection, afterwards when trying to connect a newly created db connection, the password pop up will accept the long password token generated._\n\n\u003cdetails\u003e\n\n\u003csummary\u003eTunnel version of the script\u003c/summary\u003e\n\n```shell\n# you can get this from the portal, or determine it via the inputs your pass to this module in your code\nPOSTGRES_HOST=rpe-draft-store-aat.postgres.database.azure.com\n\nssh -N bastion-nonprod.platform.hmcts.net -L 5440:${POSTGRES_HOST}:5432\n# expect no more output in this terminal you won't get an interactive prompt\n\n# in a separate terminal run:\nexport PGPASSWORD=$(az account get-access-token --resource-type oss-rdbms --query accessToken -o tsv)\n# this matches the `database_name` parameter you pass in the module\nDB_NAME=draftstore\n\n# Update the suffix after the @ to the server name\nDB_USER=\"DTS\\ CFT\\ DB\\ Access\\ Reader@rpe-draft-store-aat\" # read access\n#DB_USER=\"DTS\\ Platform\\ Operations@rpe-draft-store-aat\" # operations team administrative access\n\npsql \"sslmode=require host=localhost port=5440 dbname=${DB_NAME} user=${DB_USER}\"\n```\n\n\u003c/details\u003e\n\n### Production\n\n#### First time setup\n\n1. Join either 'DTS CFT Developers' or 'DTS SDS Developers' AAD group via [GitHub pull request](https://github.com/hmcts/devops-azure-ad/blob/master/users/prod_users.yml)\n2. 
Request access to production via [JIT](https://myaccess.microsoft.com/@HMCTS.NET#/access-packages/738a7496-7ad4-4004-8b05-0e98677f4a9f), this requires SC clearance, or an approved exception.\n   _Note: after this is approved it can take some time for the other packages to show up, try logging out and back in._\n\n\u003cdetails\u003e\n\nEnsure you have Azure CLI version 2.22.1 or later installed\n\nRun `az login`\n\nEnsure ssh extension for the Azure CLI is installed: 'az extension add --name ssh'\n\nRun `az ssh config --ip \\*.platform.hmcts.net --file ~/.ssh/config`\n\n\u003c/details\u003e\n\n#### Steps to access\n\n1. Request access to the database that you need via [JIT](https://myaccess.microsoft.com/@CJSCommonPlatform.onmicrosoft.com#/access-packages),\n   the naming convention is `Database - \u003cproduct\u003e (read|write) access`.\n2. Wait till it's approved, you can also message in #db-self-service on slack.\n3. Connect to the VPN\n4. Copy below script, update the variables (search for all references to draft-store and replace with your DB), and run it\n\n```bash\n# If you haven't logged in before you may need to login, uncomment the below line:\n# az login\n# this should give you a long JWT token, you will need this later on\naz account get-access-token --resource-type oss-rdbms --query accessToken -o tsv\n\n# follow the prompts to login\nssh bastion-prod.platform.hmcts.net\n\nexport PGPASSWORD=\u003cresult-from-earlier\u003e\n\n# you can get this from the portal, or determine it via the inputs your pass to this module in your code\nPOSTGRES_HOST=rpe-draft-store-prod.postgres.database.azure.com\n\n# this matches the `database_name` parameter you pass in the module\nDB_NAME=draftstore\n\n# make sure you update the product name in the middle to your product\n# and also update the suffix after the @ to the server name\nDB_USER=\"DTS\\ JIT\\ Access\\ draft-store\\ DB\\ Reader\\ SC@rpe-draft-store-prod\" # read access\n#DB_USER=\"DTS\\ Platform\\ Operations\\ 
SC@rpe-draft-store-prod\" # operations team administrative access\n\npsql \"sslmode=require host=${POSTGRES_HOST} dbname=${DB_NAME} user=${DB_USER}\"\n# note: some users have experienced caching issues with their AAD token:\n# psql: error: FATAL:  Azure AD access token not valid for role DTS JIT Access send-letter DB Reader SC (does not contain group ID c9e865ee-bc88-40d9-a5c1-23831f0ce255)\n# the fix is to clear the cache and login again: rm -rf ~/.azure \u0026\u0026 az login\n```\n\n_Note: it's also possible to tunnel the connection to your own machine and use other tools to log in, IntelliJ database tools works, pgAdmin 4 works with a workaround for the password field length limit, when creating a new connection untick the \"Connect now?\" option and don't set the password, save the connection, afterwards when trying to connect a newly created db connection, the password pop up will accept the long password token generated._\n\n\u003cdetails\u003e\n\n\u003csummary\u003eTunnel version of the script\u003c/summary\u003e\n\n```shell\n# you can get this from the portal, or determine it via the inputs your pass to this module in your code\nPOSTGRES_HOST=rpe-draft-store-prod.postgres.database.azure.com\n\nssh bastion-prod.platform.hmcts.net -L 5440:${POSTGRES_HOST}:5432\n# expect no more output in this terminal you won't get an interactive prompt\n\n# in a separate terminal run:\nexport PGPASSWORD=$(az account get-access-token --resource-type oss-rdbms --query accessToken -o tsv)\n\n# this matches the `database_name` parameter you pass in the module\nDB_NAME=draftstore\n\n# make sure you update the product name in the middle to your product\n# and also update the suffix after the @ to the server name\nDB_USER=\"DTS\\ JIT\\ Access\\ draft-store\\ DB\\ Reader\\ SC@rpe-draft-store-prod\" # read access\n#DB_USER=\"DTS\\ Platform\\ Operations\\ SC@rpe-draft-store-prod\" # operations team administrative access\n\npsql \"sslmode=require host=localhost port=5440 
dbname=${DB_NAME} user=${DB_USER}\"\n```\n\n\u003c/details\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhmcts%2Fcnp-module-postgres","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhmcts%2Fcnp-module-postgres","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhmcts%2Fcnp-module-postgres/lists"}