DTOSS-10668: Amend postgresql-flexible Terraform module to parameterise prevent_destroy lifecycle

mrlockstar · mrlockstar · commit 0a8eba61fb37 · 2025-08-22T11:10:19.000+01:00
diff --git a/infrastructure/environments/review/variables.tfvars b/infrastructure/environments/review/variables.tfvars
@@ -7,3 +7,4 @@ postgres_geo_redundant_backup_enabled = false
 protect_keyvault                      = false
 vnet_address_space                    = "10.142.0.0/16"
 personas_enabled                      = true
+postgres_prevent_destroy              = false
diff --git a/infrastructure/modules/container-apps/postgres.tf b/infrastructure/modules/container-apps/postgres.tf
@@ -5,6 +5,15 @@ data "azurerm_private_dns_zone" "postgres" {
   resource_group_name = "rg-hub-${var.hub}-uks-private-dns-zones"
 }
 
+resource "azurerm_management_lock" "postgres_lock" {
+  count = var.postgres_prevent_destroy ? 1 : 0
+
+  name       = "lock-${module.postgres.database_names[0]}"
+  scope      = module.postgres.id
+  lock_level = "CanNotDelete"
+  notes      = "Lock applied to prevent accidental deletion of Postgres server."
+}
+
 module "postgres" {
   source = "../dtos-devops-templates/infrastructure/modules/postgresql-flexible"
 
@@ -26,9 +35,9 @@ module "postgres" {
   monitor_diagnostic_setting_postgresql_server_enabled_logs = ["PostgreSQLLogs", "PostgreSQLFlexSessions", "PostgreSQLFlexQueryStoreRuntime", "PostgreSQLFlexQueryStoreWaitStats", "PostgreSQLFlexTableStats", "PostgreSQLFlexDatabaseXacts"]
   monitor_diagnostic_setting_postgresql_server_metrics      = ["AllMetrics"]
 
-  sku_name     = var.postgres_sku_name
-  storage_mb   = var.postgres_storage_mb
-  storage_tier = var.postgres_storage_tier
+  sku_name        = var.postgres_sku_name
+  storage_mb      = var.postgres_storage_mb
+  storage_tier    = var.postgres_storage_tier
 
   server_version = "16"
   tenant_id      = data.azurerm_client_config.current.tenant_id
diff --git a/infrastructure/modules/container-apps/variables.tf b/infrastructure/modules/container-apps/variables.tf
@@ -72,6 +72,12 @@ variable "postgres_backup_retention_days" {
   type        = number
 }
 
+variable "postgres_prevent_destroy" {
+  type        = bool
+  default     = true
+  description = "If true, prevents the PostgreSQL flexible server from being destroyed."
+}
+
 variable "postgres_geo_redundant_backup_enabled" {
   description = "Whether geo-redundant backup is enabled for the PostgreSQL Flexible Server."
   type        = bool
diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf
@@ -51,6 +51,7 @@ module "container-apps" {
   log_analytics_workspace_audit_id      = var.deploy_infra ? module.infra[0].log_analytics_workspace_audit_id : data.azurerm_log_analytics_workspace.audit[0].id
   postgres_backup_retention_days        = var.postgres_backup_retention_days
   postgres_geo_redundant_backup_enabled = var.postgres_geo_redundant_backup_enabled
+  postgres_prevent_destroy              = var.postgres_prevent_destroy
   postgres_sku_name                     = var.postgres_sku_name
   postgres_sql_admin_group              = "postgres_${var.app_short_name}_${var.env_config}_uks_admin"
   postgres_storage_mb                   = var.postgres_storage_mb
diff --git a/infrastructure/terraform/variables.tf b/infrastructure/terraform/variables.tf
@@ -72,6 +72,12 @@ variable "postgres_geo_redundant_backup_enabled" {
   default     = true
 }
 
+variable "postgres_prevent_destroy" {
+  type        = bool
+  default     = true
+  description = "If true, prevents the PostgreSQL flexible server from being destroyed."
+}
+
 variable "postgres_sku_name" {
   description = "Value of the PostgreSQL Flexible Server SKU name"
   default     = "B_Standard_B1ms"
