Updating azure infra build to move Products to Postgres #144
spruit-avanade wants to merge 14 commits into
Conversation
Pull request overview
Updates the Azure deployment infrastructure (azd/Bicep primary, Terraform mirrored) to run the Contoso Products domain on Azure Database for PostgreSQL Flexible Server, while keeping other domains on Azure SQL. This aligns app-service configuration, secrets, and predeploy migration hooks with the new split-provider model.
Changes:
- Provision PostgreSQL Flexible Server + database (Products) and wire its connection string into Products-related App Services.
- Update predeploy migration hook scripts to run Products migrations against PostgreSQL and other domains against Azure SQL.
- Extend Key Vault secret storage and docs to include PostgreSQL credentials/connection string.
Reviewed changes
Copilot reviewed 21 out of 21 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| azure/terraform/variables.tf | Adds Terraform variables for PostgreSQL server/database configuration. |
| azure/terraform/dev.tfvars | Supplies dev PostgreSQL settings (SKU/version/storage/db name). |
| azure/terraform/test.tfvars | Supplies test PostgreSQL settings (SKU/version/storage/db name). |
| azure/terraform/prod.tfvars | Supplies prod PostgreSQL settings (SKU/version/storage/db name). |
| azure/terraform/outputs.tf | Exposes PostgreSQL server/database names as Terraform outputs. |
| azure/terraform/main.tf | Provisions PostgreSQL resources, stores secrets, and switches Products app settings to Npgsql connection string. |
| azure/scripts/run-products-db-migrations.sh | Runs domain-specific DbEx migrations (Products → Postgres; others → SQL), including the Products ResetAndAll workaround sequence. |
| azure/scripts/run-products-db-migrations.ps1 | PowerShell equivalent of the domain-specific migration flow. |
| azure/README.md | Documents PostgreSQL addition, required ports, optional password env var, and new KV secrets. |
| azure/infra/scripts/use-dev-params.sh | Injects PostgreSQL password and firewall client IP into generated parameters.json. |
| azure/infra/scripts/use-dev-params.ps1 | PowerShell equivalent of PostgreSQL parameter injection. |
| azure/infra/scripts/store-secrets.sh | Stores PostgreSQL password/connection string in Key Vault and builds Postgres conn string from env/azd outputs. |
| azure/infra/scripts/store-secrets.ps1 | Stores PostgreSQL password/connection string in Key Vault (currently uses discovery via az CLI). |
| azure/infra/modules/postgres-database.bicep | New Bicep module to deploy PostgreSQL Flexible Server, firewall rules, and database. |
| azure/infra/modules/app-services.bicep | Adds postgres connection string input and applies it only to Products-related services. |
| azure/infra/main.test.bicepparam | Adds PostgreSQL parameters for test deployments (admin creds/db/sku/version/storage). |
| azure/infra/main.prod.bicepparam | Adds PostgreSQL parameters for prod deployments (admin creds/db/sku/version/storage). |
| azure/infra/main.dev.parameters.json | Adds PostgreSQL parameters (password placeholder + firewall client IP, etc.) to the dev template. |
| azure/infra/main.dev.bicepparam | Adds PostgreSQL parameters for dev bicepparam usage. |
| azure/infra/main.bicep | Wires the new postgres module and outputs postgres server/database names. |
| azure/AGENTS.md | Updates Azure agent guidance to reflect PostgreSQL + SQL split and new secrets, and lists the new module. |
Pull request overview
Copilot reviewed 23 out of 23 changed files in this pull request and generated 12 comments.
Comments suppressed due to low confidence (1)
azure/infra/scripts/store-secrets.ps1:56
- The Postgres connection string sets `Trust Server Certificate=true`, which disables certificate validation and weakens TLS security. Prefer omitting it (default false) or setting it to false.
$postgresConn = "Server=$postgresServer.postgres.database.azure.com;Port=5432;Database=$postgresDb;User Id=$postgresLogin;Password=$postgresPassword;Ssl Mode=Require;Trust Server Certificate=true;"
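A check for the setting flagged in the comment above, as an added example that is not part of the PR or its scripts: it parses an Npgsql connection string, fails on `Trust Server Certificate=true` or an `SSL Mode` weaker than `Require`, and shows the string as written in the PR next to a corrected one. The server, database, login and password values are constructed placeholders, the function name is the example's own, and gating the Key Vault write on this check is a suggestion, not something the PR does.

```powershell
# Added example (not from the PR): lint an Npgsql connection string for TLS-weakening
# settings before it is stored in Key Vault or written to app settings.
function Test-NpgsqlConnectionStringTls {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $ConnectionString
    )

    # Npgsql keywords are case-insensitive and ignore embedded spaces
    # ("Ssl Mode", "SSL Mode" and "SslMode" are the same keyword).
    $settings = @{}
    foreach ($pair in ($ConnectionString -split ';')) {
        if ([string]::IsNullOrWhiteSpace($pair)) { continue }
        $name, $value = $pair -split '=', 2
        if ($null -eq $value) { continue }          # malformed fragment without '='
        $settings[($name -replace '\s', '').ToLowerInvariant()] = $value.Trim()
    }

    $findings = [System.Collections.Generic.List[string]]::new()

    # Npgsql 6+ defaults to Prefer, which silently falls back to plaintext if TLS fails.
    $sslMode = if ($settings.ContainsKey('sslmode')) { $settings['sslmode'] } else { 'Prefer' }
    if ($sslMode -notin @('Require', 'VerifyCA', 'VerifyFull')) {
        $findings.Add("SSL Mode=$sslMode permits an unencrypted connection; use Require, VerifyCA or VerifyFull")
    }

    # The setting flagged in the review: server certificate validation is switched off.
    if ($settings.ContainsKey('trustservercertificate') -and $settings['trustservercertificate'] -eq 'true') {
        $findings.Add('Trust Server Certificate=true disables server certificate validation; remove it')
    }

    [pscustomobject]@{
        Ok       = ($findings.Count -eq 0)
        SslMode  = $sslMode
        Findings = $findings.ToArray()
    }
}

# Constructed placeholder values, not real hosts or credentials.
$postgresServer = 'pg-example'; $postgresDb = 'products'
$postgresLogin  = 'pgadmin';    $postgresPassword = 'REDACTED'

# Weak: the shape used in the PR, with validation switched off.
$weak = "Server=$postgresServer.postgres.database.azure.com;Port=5432;Database=$postgresDb;User Id=$postgresLogin;Password=$postgresPassword;Ssl Mode=Require;Trust Server Certificate=true;"
# Corrected: drop Trust Server Certificate (defaults to false) and pin the host name with VerifyFull.
$strong = "Server=$postgresServer.postgres.database.azure.com;Port=5432;Database=$postgresDb;User Id=$postgresLogin;Password=$postgresPassword;SSL Mode=VerifyFull;"

$weakResult   = Test-NpgsqlConnectionStringTls -ConnectionString $weak
$strongResult = Test-NpgsqlConnectionStringTls -ConnectionString $strong
$weakResult.Findings | ForEach-Object { Write-Warning $_ }

# Gate the secret write on the check (the Key Vault call itself belongs to the script and is not shown).
if (-not $strongResult.Ok) {
    throw "Refusing to store a connection string with weak TLS settings: $($strongResult.Findings -join '; ')"
}
"Weak string ok: $($weakResult.Ok); corrected string ok: $($strongResult.Ok)"
```

With `Trust Server Certificate` omitted, `SSL Mode=Require` validates the server chain in Npgsql 6 and later; `VerifyFull` additionally checks that the certificate matches the host name. That works against Azure Database for PostgreSQL Flexible Server because its certificate chains to a public root, provided the client's trust store (App Service, the E2E runner) contains that root.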
Co-authored-by: Copilot <copilot@github.com>
Signed-off-by: Aaron Spruit <aaron.spruit@avanade.com>
Signed-off-by: Aaron Spruit <aaron.spruit@avanade.com>
…ig setup
Signed-off-by: Aaron Spruit <aaron.spruit@avanade.com>
Signed-off-by: Aaron Spruit <aaron.spruit@avanade.com>
8c81fe4 to 194bb3a
Looking into terraform items now. Still no dice on running the migration from E2E; pretty sure it's blowing up on psql. Could be due to the connection string not being superuser after the DB was already set up.
Signed-off-by: Aaron Spruit <aaron.spruit@avanade.com>
…lidation.
Signed-off-by: Aaron Spruit <aaron.spruit@avanade.com>
it was infra only anyways without any code deploy
Signed-off-by: Aaron Spruit <aaron.spruit@avanade.com>
Pull request overview
Copilot reviewed 31 out of 31 changed files in this pull request and generated 4 comments.
Comments suppressed due to low confidence (1)
azure/scripts/setup-e2e-runner.ps1:53
- This script always uses `-SkipCertificateCheck` for endpoint validation, but the bash equivalent only disables TLS verification when `--insecure` is explicitly passed. For security and parity, add an `-Insecure` switch (default false) and only skip certificate checks when requested.
try {
$response = Invoke-WebRequest -Uri $Url -Method $Method -SkipCertificateCheck -UseBasicParsing -ErrorAction Stop
$code = [int]$response.StatusCode
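One way to do what the comment above asks, as an added example rather than code from the PR: an endpoint check whose `-Insecure` switch defaults to off and is the only path that adds `-SkipCertificateCheck` to a splatted `Invoke-WebRequest` call, so the PowerShell runner validates certificates by default like the bash script. The function name, the `-TimeoutSec` parameter and the hostnames in the usage comment are assumptions.

```powershell
# Added example (not from the PR): TLS validation stays on unless the caller opts out.
function Test-HttpEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Url,
        [string] $Method = 'GET',
        [int] $TimeoutSec = 30,
        [switch] $Insecure        # default off: the server certificate is validated
    )

    # Build the argument set once; only the insecure path adds SkipCertificateCheck.
    $request = @{
        Uri             = $Url
        Method          = $Method
        TimeoutSec      = $TimeoutSec
        UseBasicParsing = $true
        ErrorAction     = 'Stop'
    }
    if ($Insecure) {
        # -SkipCertificateCheck exists in PowerShell 6+ only; refuse rather than silently ignore it on 5.1.
        if ($PSVersionTable.PSVersion.Major -lt 6) {
            throw '-Insecure requires PowerShell 6 or later (-SkipCertificateCheck is unavailable in Windows PowerShell 5.1).'
        }
        Write-Warning "TLS certificate validation disabled for $Url because -Insecure was passed."
        $request['SkipCertificateCheck'] = $true
    }

    try {
        $response = Invoke-WebRequest @request
        [pscustomobject]@{ Url = $Url; StatusCode = [int]$response.StatusCode; Ok = $true; Error = $null }
    }
    catch {
        # Without -Insecure a certificate failure lands here, which is the intended outcome:
        # the runner reports the endpoint as unhealthy instead of trusting an unverified server.
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        [pscustomobject]@{ Url = $Url; StatusCode = $code; Ok = $false; Error = $_.Exception.Message }
    }
}

# Usage (hostnames are placeholders):
# Test-HttpEndpoint -Url 'https://products-example.azurewebsites.net/health'            # validates the certificate
# Test-HttpEndpoint -Url 'https://products-example.azurewebsites.net/health' -Insecure  # only when explicitly requested
```

Returning an object with `Ok` and `StatusCode` instead of writing to the console lets the calling script distinguish "TLS rejected" (`StatusCode` 0, `Ok` false) from an HTTP error, which the original `try` block around `Invoke-WebRequest` does not.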
Signed-off-by: Aaron Spruit <aaron.spruit@avanade.com>
Signed-off-by: Aaron Spruit <aaron.spruit@avanade.com>
…and servicebus
Signed-off-by: Aaron Spruit <aaron.spruit@avanade.com>
Signed-off-by: Aaron Spruit <aaron.spruit@avanade.com>
| [string[]] $AppName, | ||
|
|
||
| [Alias('w')] | ||
| [ValidateRange(0, 600)] |
| "appInsightsInstrumentationKey": { | ||
| "type": "string" | ||
| }, | ||
| "sqlConnectionString": { | ||
| "type": "string" | ||
| }, | ||
| "postgresConnectionString": { | ||
| "type": "string" | ||
| }, | ||
| "redisConnectionString": { | ||
| "type": "string" | ||
| }, | ||
| "serviceBusConnectionString": { | ||
| "type": "string" | ||
| }, | ||
| "otlpGrpcEndpoint": { | ||
| "otlpHttpEndpoint": { | ||
| "type": "string" | ||
| } | ||
| }, | ||
| "variables": { | ||
| "keyVaultSecretsUserRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", | ||
| "sqlConnectionStringKeyVaultReference": "[format('@Microsoft.KeyVault(SecretUri={0}secrets/sql-connection-string/)', parameters('keyVaultUri'))]", | ||
| "postgresConnectionStringKeyVaultReference": "[format('@Microsoft.KeyVault(SecretUri={0}secrets/postgres-connection-string/)', parameters('keyVaultUri'))]", | ||
| "serviceBusConnectionStringKeyVaultReference": "[format('@Microsoft.KeyVault(SecretUri={0}secrets/service-bus-connection-string/)', parameters('keyVaultUri'))]", |
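Review bot: `sqlConnectionString`, `postgresConnectionString`, `redisConnectionString` and `serviceBusConnectionString` are declared as plain `"type": "string"` parameters even though they carry credentials; declare them `securestring` (`@secure()` in the Bicep source) so their values are not kept in the deployment history or echoed in outputs. The `@Microsoft.KeyVault(SecretUri={0}secrets/postgres-connection-string/)` reference variable added alongside the SQL and Service Bus ones is the right pattern for the app settings, as long as the settings actually consume those variables rather than the raw parameters. Also, `"otlpGrpcEndpoint": {` is followed directly by `"otlpHttpEndpoint": {` with no `"type"` in the rendered context; confirm that is display collapsing and not a malformed parameter.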
| "value": "[parameters('sqlConnectionString')]" | ||
| } | ||
| ], | ||
| "postgresDbAppSettings": [ | ||
| { | ||
| "name": "Aspire__Npgsql__ConnectionString", | ||
| "value": "[parameters('postgresConnectionString')]" |
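Review bot: `Aspire__Npgsql__ConnectionString` takes `[parameters('postgresConnectionString')]` directly, mirroring the SQL setting just above it, while the template also defines `postgresConnectionStringKeyVaultReference`. Unless the value passed into the parameter is itself a Key Vault reference, the Postgres admin password lands in the app's plain settings; point this entry at the Key Vault reference variable so the app resolves the secret through its managed identity (the `keyVaultSecretsUserRoleDefinitionId` variable indicates that role assignment is already in place).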
| rg="${AZURE_RESOURCE_GROUP:?AZURE_RESOURCE_GROUP is not set}" | ||
| sql_password="${AZURE_SQL_ADMIN_PASSWORD:?AZURE_SQL_ADMIN_PASSWORD is not set}" | ||
| postgres_password="${AZURE_POSTGRES_ADMIN_PASSWORD:-${AZURE_SQL_ADMIN_PASSWORD}}" | ||
| sql_server="${AZURE_SQL_SERVER:-${sqlServerName:-}}" | ||
| sql_login="${AZURE_SQL_ADMIN_LOGIN:-coreexadmin}" | ||
| sql_db="${AZURE_SQL_DB_NAME:-${sqlDatabaseName:-}}" | ||
| postgres_server="${AZURE_POSTGRES_SERVER:-${postgresServerName:-}}" | ||
| postgres_login="${AZURE_POSTGRES_ADMIN_LOGIN:-coreexpgadmin}" | ||
| postgres_db="${AZURE_POSTGRES_DB_NAME:-${postgresDatabaseName:-}}" |
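Review bot: `postgres_password` falls back to `AZURE_SQL_ADMIN_PASSWORD` when `AZURE_POSTGRES_ADMIN_PASSWORD` is unset, so the two servers silently share one admin credential, and rotating either password without re-running this script leaves the other server on the stale value. Require it explicitly, as `sql_password` already does: `postgres_password="${AZURE_POSTGRES_ADMIN_PASSWORD:?AZURE_POSTGRES_ADMIN_PASSWORD is not set}"`. The hard-coded default logins `coreexadmin` and `coreexpgadmin` should be documented as the values the Bicep and Terraform deployments use, since a mismatch here produces connection strings that look valid but cannot authenticate.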
…n Bicep and scripts
Signed-off-by: Aaron Spruit <aaron.spruit@avanade.com>
Signed-off-by: Aaron Spruit <aaron.spruit@avanade.com>
| $sqlServer = (azd env get-value sqlServerName).Trim() | ||
| $postgresServer = (azd env get-value postgresServerName).Trim() | ||
| $azureResourceGroup = (azd env get-value AZURE_RESOURCE_GROUP).Trim() | ||
| $azureSubscriptionId = (azd env get-value AZURE_SUBSCRIPTION_ID).Trim() | ||
| $azureEnvName = (azd env get-value AZURE_ENV_NAME).Trim() | ||
|
|
||
| if ([string]::IsNullOrWhiteSpace($sqlServer) -or [string]::IsNullOrWhiteSpace($azureResourceGroup)) { | ||
| throw 'Unable to resolve sqlServerName/AZURE_RESOURCE_GROUP from the active azd environment.' | ||
| if (([string]::IsNullOrWhiteSpace($sqlServer) -and [string]::IsNullOrWhiteSpace($postgresServer)) -or [string]::IsNullOrWhiteSpace($azureResourceGroup)) { | ||
| throw 'Unable to resolve sqlServerName and/or postgresServerName and AZURE_RESOURCE_GROUP from the active azd environment.' | ||
| } |
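Review bot: `(azd env get-value postgresServerName).Trim()` throws a null-valued-expression error before the guard below runs when the key is absent and azd prints nothing to stdout, which is exactly the state of an azd environment provisioned before this change; the relaxed `-and` check on the two server names cannot help then. Coerce before trimming, e.g. `$postgresServer = [string](azd env get-value postgresServerName 2>$null)` and then `.Trim()`. Separately, allowing either server name to be empty means a later connection-string build with an empty `$postgresServer` yields `Server=.postgres.database.azure.com`; validate each name right before it is used rather than only here.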
| '.E2E.Products.BaseAddress = $productsBase | ||
| | .E2E.Products.ConnectionString = $productsConnectionString | ||
| | .E2E.Shopping.BaseAddress = $shoppingBase | ||
| | .E2E.Shopping.ConnectionString = $shoppingConnectionString' \ | ||
| "${appsettings_path}" > "${temp_path}" |
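Review bot: the jq filter writes `$productsConnectionString` and `$shoppingConnectionString`, which embed the admin passwords, into `${temp_path}` and then into the appsettings file in plain text. Make sure `temp_path` comes from `mktemp` (mode 0600) rather than a predictable name beside the target, that the rewritten appsettings file is gitignored, and that the runner removes it after the E2E run; otherwise both connection strings outlive the job on a shared runner.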
| if (-not $settings['E2E'].ContainsKey('Shopping')) { $settings['E2E']['Shopping'] = @{} } | ||
|
|
||
| $settings['E2E']['Products']['BaseAddress'] = "https://${productsHost}" | ||
| $settings['E2E']['Products']['ConnectionString'] = $postgresConnectionString | ||
| $settings['E2E']['Shopping']['BaseAddress'] = "https://${shoppingHost}" | ||
| $settings['E2E']['Shopping']['ConnectionString'] = $sqlConnectionString |
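Review bot: only `Shopping` gets a `ContainsKey` guard in the shown context; if the matching `if (-not $settings['E2E'].ContainsKey('Products'))` line is not just above the hunk, the assignment to `$settings['E2E']['Products']['BaseAddress']` fails with a null-index error whenever the template lacks that section. Add the same guard for `Products`, and apply the same handling as the bash variant to the written file, which now carries both admin passwords in plain text.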
Signed-off-by: Aaron Spruit <aaron.spruit@avanade.com>
E2E Runner migration still doesn't work. Unsure why, but want this as a PR for the time being.
Co-authored-by: Copilot <copilot@github.com>