feat(infra): add user assigned identity to postgresql for apps

.azure/applications/graphql/main.bicep

@@ -52,6 +52,16 @@ param otelTraceSamplerRatio string
 @description('The workload profile name to use, defaults to "Consumption"')
 param workloadProfileName string = 'Consumption'
 
+@description('The name of the PostgreSQL server')
+@minLength(3)
+@secure()
+param postgresServerName string
+
+@description('The name of the virtual network')
+@minLength(3)
+@secure()
+param virtualNetworkName string
+
 var namePrefix = 'dp-be-${environment}'
 var baseImageUrl = 'ghcr.io/altinn/dialogporten-'
 
@@ -173,5 +183,18 @@ module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRole
   }
 }
 
+module addPostgresUser '../../modules/postgreSql/addDatabaseUser.bicep' = {
+  name: 'addPostgresUser-${containerAppName}'
+  params: {
+    postgresServerName: postgresServerName
+    managedIdentityName: managedIdentity.name
+    managedIdentityObjectId: managedIdentity.properties.principalId
+    location: location
+    tags: tags
+    virtualNetworkName: virtualNetworkName
+  }
+  dependsOn: [containerApp, keyVaultReaderAccessPolicy]
+}
+
 output name string = containerApp.outputs.name
 output revisionName string = containerApp.outputs.revisionName

.azure/applications/graphql/test.bicepparam

@@ -13,3 +13,5 @@ param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_V
 param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
 param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
 param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
+param postgresServerName = readEnvironmentVariable('AZURE_POSTGRES_SERVER_NAME')
+param virtualNetworkName = readEnvironmentVariable('AZURE_VIRTUAL_NETWORK_NAME')

.azure/applications/service/main.bicep

@@ -49,6 +49,16 @@ param otelTraceSamplerRatio string
 @description('The workload profile name to use, defaults to "Consumption"')
 param workloadProfileName string = 'Consumption'
 
+@description('The name of the PostgreSQL server')
+@minLength(3)
+@secure()
+param postgresServerName string
+
+@description('The name of the virtual network')
+@minLength(3)
+@secure()
+param virtualNetworkName string
+
 @description('Minimum number of replicas')
 @minValue(1)
 param minReplicas int = 1
@@ -192,5 +202,18 @@ module containerApp '../../modules/containerApp/main.bicep' = {
   ]
 }
 
+module addPostgresUser '../../modules/postgreSql/addDatabaseUser.bicep' = {
+  name: 'addPostgresUser-${containerAppName}'
+  params: {
+    postgresServerName: postgresServerName
+    managedIdentityName: managedIdentity.name
+    managedIdentityObjectId: managedIdentity.properties.principalId
+    location: location
+    tags: tags
+    virtualNetworkName: virtualNetworkName
+  }
+  dependsOn: [containerApp, keyVaultReaderAccessPolicy]
+}
+
 output name string = containerApp.outputs.name
 output revisionName string = containerApp.outputs.revisionName

.azure/applications/service/prod.bicepparam

@@ -8,6 +8,8 @@ param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_V
 param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
 param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
 param serviceBusNamespaceName = readEnvironmentVariable('AZURE_SERVICE_BUS_NAMESPACE_NAME')
+param postgresServerName = readEnvironmentVariable('AZURE_POSTGRES_SERVER_NAME')
+param virtualNetworkName = readEnvironmentVariable('AZURE_VIRTUAL_NETWORK_NAME')
 param minReplicas = 2
 
 param resources = {

.azure/applications/service/test.bicepparam

@@ -8,6 +8,8 @@ param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_V
 param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
 param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
 param serviceBusNamespaceName = readEnvironmentVariable('AZURE_SERVICE_BUS_NAMESPACE_NAME')
+param postgresServerName = readEnvironmentVariable('AZURE_POSTGRES_SERVER_NAME')
+param virtualNetworkName = readEnvironmentVariable('AZURE_VIRTUAL_NETWORK_NAME')
 
 param otelTraceSamplerRatio = '1'
 

.azure/applications/sync-resource-policy-information-job/main.bicep

@@ -37,6 +37,16 @@ param replicaTimeOutInSeconds int
 @description('The workload profile name to use, defaults to "Consumption"')
 param workloadProfileName string = 'Consumption'
 
+@description('The name of the PostgreSQL server')
+@minLength(3)
+@secure()
+param postgresServerName string
+
+@description('The name of the virtual network')
+@minLength(3)
+@secure()
+param virtualNetworkName string
+
 var namePrefix = 'dp-be-${environment}'
 var baseImageUrl = 'ghcr.io/altinn/dialogporten-'
 var tags = {
@@ -58,6 +68,26 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2024-
   tags: tags
 }
 
+module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = {
+  name: 'keyVaultReaderAccessPolicy-${name}'
+  params: {
+    keyvaultName: environmentKeyVaultName
+    principalIds: [managedIdentity.id]
+  }
+}
+
+module addPostgresUser '../../modules/postgreSql/addDatabaseUser.bicep' = {
+  name: 'addPostgresUser-${name}'
+  params: {
+    postgresServerName: postgresServerName
+    managedIdentityName: managedIdentity.name
+    managedIdentityObjectId: managedIdentity.properties.principalId
+    location: location
+    tags: tags
+    virtualNetworkName: virtualNetworkName
+  }
+}
+
 var containerAppEnvVars = [
   {
     name: 'Infrastructure__DialogDbConnectionString'
@@ -114,14 +144,7 @@ module migrationJob '../../modules/containerAppJob/main.bicep' = {
     replicaTimeOutInSeconds: replicaTimeOutInSeconds
     workloadProfileName: workloadProfileName
   }
-}
-
-module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = {
-  name: 'keyVaultReaderAccessPolicy-${name}'
-  params: {
-    keyvaultName: environmentKeyVaultName
-    principalIds: [migrationJob.outputs.identityPrincipalId]
-  }
+  dependsOn: [keyVaultReaderAccessPolicy, addPostgresUser]
 }
 
 output identityPrincipalId string = migrationJob.outputs.identityPrincipalId

.azure/applications/sync-subject-resource-mappings-job/main.bicep

@@ -37,6 +37,16 @@ param replicaTimeOutInSeconds int
 @description('The workload profile name to use, defaults to "Consumption"')
 param workloadProfileName string = 'Consumption'
 
+@description('The name of the PostgreSQL server')
+@minLength(3)
+@secure()
+param postgresServerName string
+
+@description('The name of the virtual network')
+@minLength(3)
+@secure()
+param virtualNetworkName string
+
 var namePrefix = 'dp-be-${environment}'
 var baseImageUrl = 'ghcr.io/altinn/dialogporten-'
 var tags = {
@@ -124,5 +134,18 @@ module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep'
   }
 }
 
+module addPostgresUser '../../modules/postgreSql/addDatabaseUser.bicep' = {
+  name: 'addPostgresUser-${name}'
+  params: {
+    postgresServerName: postgresServerName
+    managedIdentityName: managedIdentity.name
+    managedIdentityObjectId: managedIdentity.properties.principalId
+    location: location
+    tags: tags
+    virtualNetworkName: virtualNetworkName
+  }
+  dependsOn: [migrationJob, keyVaultReaderAccessPolicy]
+}
+
 output identityPrincipalId string = managedIdentity.properties.principalId
 output name string = migrationJob.outputs.name

.azure/applications/web-api-eu/main.bicep

@@ -52,6 +52,16 @@ param otelTraceSamplerRatio string
 @description('The workload profile name to use, defaults to "Consumption"')
 param workloadProfileName string = 'Consumption'
 
+@description('The name of the PostgreSQL server')
+@minLength(3)
+@secure()
+param postgresServerName string
+
+@description('The name of the virtual network')
+@minLength(3)
+@secure()
+param virtualNetworkName string
+
 var namePrefix = 'dp-be-${environment}'
 var baseImageUrl = 'ghcr.io/altinn/dialogporten-'
 var tags = {
@@ -176,5 +186,18 @@ module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRole
   }
 }
 
+module addPostgresUser '../../modules/postgreSql/addDatabaseUser.bicep' = {
+  name: 'addPostgresUser-${containerAppName}'
+  params: {
+    postgresServerName: postgresServerName
+    managedIdentityName: managedIdentity.name
+    managedIdentityObjectId: managedIdentity.properties.principalId
+    location: location
+    tags: tags
+    virtualNetworkName: virtualNetworkName
+  }
+  dependsOn: [containerApp, keyVaultReaderAccessPolicy]
+}
+
 output name string = containerApp.outputs.name
 output revisionName string = containerApp.outputs.revisionName

.azure/applications/web-api-migration-job/main.bicep

@@ -28,6 +28,16 @@ param replicaTimeOutInSeconds int
 @description('The workload profile name to use, defaults to "Consumption"')
 param workloadProfileName string = 'Consumption'
 
+@description('The name of the PostgreSQL server')
+@minLength(3)
+@secure()
+param postgresServerName string
+
+@description('The name of the virtual network')
+@minLength(3)
+@secure()
+param virtualNetworkName string
+
 var namePrefix = 'dp-be-${environment}'
 var baseImageUrl = 'ghcr.io/altinn/dialogporten-'
 var tags = {
@@ -92,5 +102,18 @@ module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep'
   }
 }
 
+module addPostgresUser '../../modules/postgreSql/addDatabaseUser.bicep' = {
+  name: 'addPostgresUser-${name}'
+  params: {
+    postgresServerName: postgresServerName
+    managedIdentityName: managedIdentity.name
+    managedIdentityObjectId: managedIdentity.properties.principalId
+    location: location
+    tags: tags
+    virtualNetworkName: virtualNetworkName
+  }
+  dependsOn: [migrationJob, keyVaultReaderAccessPolicy]
+}
+
 output identityPrincipalId string = managedIdentity.properties.principalId
 output name string = migrationJob.outputs.name

.azure/applications/web-api-so/main.bicep

@@ -52,6 +52,16 @@ param otelTraceSamplerRatio string
 @description('The workload profile name to use, defaults to "Consumption"')
 param workloadProfileName string = 'Consumption'
 
+@description('The name of the PostgreSQL server')
+@minLength(3)
+@secure()
+param postgresServerName string
+
+@description('The name of the virtual network')
+@minLength(3)
+@secure()
+param virtualNetworkName string
+
 @description('Minimum number of replicas')
 @minValue(1)
 param minReplicas int = 1
@@ -176,5 +186,18 @@ module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRole
   }
 }
 
+module addPostgresUser '../../modules/postgreSql/addDatabaseUser.bicep' = {
+  name: 'addPostgresUser-${containerAppName}'
+  params: {
+    postgresServerName: postgresServerName
+    managedIdentityName: managedIdentity.name
+    managedIdentityObjectId: managedIdentity.properties.principalId
+    location: location
+    tags: tags
+    virtualNetworkName: virtualNetworkName
+  }
+  dependsOn: [containerApp, keyVaultReaderAccessPolicy]
+}
+
 output name string = containerApp.outputs.name
 output revisionName string = containerApp.outputs.revisionName

.azure/applications/web-api-so/prod.bicepparam

@@ -22,3 +22,5 @@ param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_V
 param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
 param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
 param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
+param postgresServerName = readEnvironmentVariable('AZURE_POSTGRES_SERVER_NAME')
+param virtualNetworkName = readEnvironmentVariable('AZURE_VIRTUAL_NETWORK_NAME')

.azure/applications/web-api-so/test.bicepparam

@@ -13,3 +13,5 @@ param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_V
 param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
 param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
 param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
+param postgresServerName = readEnvironmentVariable('AZURE_POSTGRES_SERVER_NAME')
+param virtualNetworkName = readEnvironmentVariable('AZURE_VIRTUAL_NETWORK_NAME')

.azure/infrastructure/main.bicep

@@ -338,3 +338,5 @@ module redisConnectionStringAppConfig '../modules/appConfiguration/upsertKeyValu
 output resourceGroupName string = resourceGroup.name
 output containerAppEnvId string = containerAppEnv.outputs.containerAppEnvId
 output environmentKeyVaultName string = environmentKeyVault.outputs.name
+output postgresServerName string = postgresql.outputs.postgresServerName
+output virtualNetworkName string = vnet.outputs.virtualNetworkName