From 9c429e35daead8a986d15b2fa0d940db06ac8104 Mon Sep 17 00:00:00 2001
From: Rob Gil
Date: Fri, 17 Jan 2020 13:30:00 -0500
Subject: [PATCH] 170237669 - Converts postgres secrets to use keyvault

This changes the configuration of the postgres master username and password. Instead of committing to source (short term hack), this now sources those secrets from KeyVault. Those secrets are generated and populated via secrets-tool.
---
 terraform/modules/postgres/variables.tf | 2 --
 terraform/providers/dev/postgres.tf | 26 ++++++++++++++++++-------
 terraform/providers/dev/secrets.tf | 10 ++++++++++
 3 files changed, 29 insertions(+), 9 deletions(-)
 create mode 100644 terraform/providers/dev/secrets.tf

diff --git a/terraform/modules/postgres/variables.tf b/terraform/modules/postgres/variables.tf
index 3dc19af2..2ee62685 100644
--- a/terraform/modules/postgres/variables.tf
+++ b/terraform/modules/postgres/variables.tf
@@ -75,13 +75,11 @@ variable "storage_auto_grow" {
 variable "administrator_login" {
 type = string
 description = "Administrator login"
- default = "atat_master" # FIXME - Remove with wrapper using KeyVault
 }
 
 variable "administrator_login_password" {
 type = string
 description = "Administrator password"
- default = "eI0l7yswwtuhHpwzoVjwRKdAcuGNsg" # FIXME - Remove with wrapper using KeyVault
 }
 
 variable "postgres_version" {
diff --git a/terraform/providers/dev/postgres.tf b/terraform/providers/dev/postgres.tf
index 89f06e0d..53031f85 100644
--- a/terraform/providers/dev/postgres.tf
+++ b/terraform/providers/dev/postgres.tf
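Review bot: Removing the defaults turns `administrator_login` and `administrator_login_password` into required inputs of the postgres module, but the descriptions on the lines above each removed default still read as if a value were optional; `description = "Administrator password; required, supplied by the calling root module"` (and the equivalent for the login) would make the new contract explicit to anyone consuming the module. The password value deleted here was committed and remains in the repository history, so dropping the default stops new exposure but does not retire the old credential; it should be treated as exposed and rotated on the server it was used for, which neither the hunk nor the commit message addresses. Both `variable` blocks are complete within the hunk.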
@@ -1,8 +1,20 @@
-module "sql" {
- source = "../../modules/postgres"
- name = var.name
- owner = var.owner
- environment = var.environment
- region = var.region
- subnet_id = module.vpc.subnets # FIXME - Should be a map of subnets and specify private
+data "azurerm_key_vault_secret" "postgres_username" {
+ name = "postgres-root-user"
+ key_vault_id = module.operator_keyvault.id
+}
+
+data "azurerm_key_vault_secret" "postgres_password" {
+ name = "postgres-root-password"
+ key_vault_id = module.operator_keyvault.id
+}
+
+module "sql" {
+ source = "../../modules/postgres"
+ name = var.name
+ owner = var.owner
+ environment = var.environment
+ region = var.region
+ subnet_id = module.vpc.subnets # FIXME - Should be a map of subnets and specify private
+ administrator_login = data.azurerm_key_vault_secret.postgres_username.value
+ administrator_login_password = data.azurerm_key_vault_secret.postgres_password.value
 }
diff --git a/terraform/providers/dev/secrets.tf b/terraform/providers/dev/secrets.tf
new file mode 100644
index 00000000..5ef43a81
--- /dev/null
+++ b/terraform/providers/dev/secrets.tf
@@ -0,0 +1,10 @@
+module "operator_keyvault" {
+ source = "../../modules/keyvault"
+ name = "operator"
+ region = var.region
+ owner = var.owner
+ environment = var.environment
+ tenant_id = var.tenant_id
+ principal_id = ""
+ admin_principals = var.admin_users
+}
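Review bot: The `value` attribute of the two new `azurerm_key_vault_secret` data sources, and the `administrator_login`/`administrator_login_password` module inputs built from it, are persisted in plaintext in the Terraform state, so this hunk moves the database root credential from the repository into the state backend rather than out of reach; the backend's access control and encryption now gate that secret. That is worth saying above the first data block, e.g. `# Secret values are read at plan time and stored in state; protect the state backend as strictly as the vault.`. The lookups also presume the secrets already exist (the commit message says secrets-tool populates them), so a plan against a vault that has not yet been seeded will error on these data sources; a one-line comment naming that ordering, `# postgres-root-user / postgres-root-password must be created by secrets-tool before this plan runs`, would spare the next operator a confusing failure.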
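Review bot: `principal_id = ""` on the new `operator_keyvault` module is unexplained; without the keyvault module in view I cannot tell whether an empty string is a sentinel it handles or an object id it passes straight into an access policy, so either a comment stating the intent (`# no service principal yet; access is granted only through admin_principals`) or omitting the argument if the module defaults it would make the new file self-describing. This vault holds the database root credentials, and `admin_principals = var.admin_users` grants every listed admin access to them, so it is worth confirming that set is as narrow as the operator role needs rather than a broader admin list reused for convenience. `var.tenant_id` and `var.admin_users` are presumably declared in the dev root module's variables, which this patch does not touch.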