PostgreSQL Flexible Server

azure-postgresql-flexible

PostgreSQL Flexible Server with HA option, private VNet delegation, Entra auth, firewall and tuned server parameters. Works with Terraform and OpenTofu (>= 1.6), azurerm provider >= 4.0, < 5.0.

What you get beyond azurerm_postgresql_flexible_server alone:

• The delegated-subnet + private DNS zone link ordering handled correctly — the module creates the zone, links it to your VNet, and forces the server to wait on the link (the classic mid-provisioning failure)
• Tuned, security-minded server parameters by default (log_connections, log_disconnections, log_checkpoints, connection_throttle.enable) — override or extend via server_configurations
• Entra (Azure AD) authentication and administrators wired with preconditions that catch invalid combinations at plan time
• HA failovers won't cause perpetual diffs (zone / standby zone are ignored after create)

Usage

module "postgres" {
  source              = "./azure-postgresql-flexible"
  name                = "myapp-prod-pg"
  resource_group_name = "rg-myapp-prod"
  location            = "westeurope"

  administrator_login    = "pgadmin"
  administrator_password = var.pg_password

  network = {
    delegated_subnet_id = azurerm_subnet.db.id # delegated to Microsoft.DBforPostgreSQL/flexibleServers
    virtual_network_id  = azurerm_virtual_network.main.id
  }

  high_availability = { mode = "ZoneRedundant" }

  databases = { appdb = {} }

  tags = { Environment = "prod" }
}

Inputs

Name	Type	Default	Description
name	string	—	Server name, globally unique (required)
resource_group_name	string	—	Existing resource group (required)
location	string	—	Azure region (required)
postgresql_version	string	"16"	Major version 11-17
sku_name	string	"B_Standard_B1ms"	B_/GP_/MO_Standard_* SKU
storage_mb	number	32768	Provisioned storage (Azure-supported sizes)
auto_grow_enabled	bool	true	Storage auto-grow
backup_retention_days	number	7	7-35 days
geo_redundant_backup_enabled	bool	false	Paired-region backups (immutable)
zone	string	null	Primary availability zone
administrator_login / administrator_password	string	null	Required while password auth is on (password sensitive)
authentication	object	password on	active_directory_auth_enabled, password_auth_enabled, tenant_id
entra_administrators	map(object)	{}	Entra admins (tenant/object/principal)
network	object	null	VNet delegation: subnet, VNet, optional existing DNS zone
firewall_rules	map(object)	{}	IP rules (public-access servers only)
high_availability	object	null	ZoneRedundant or SameZone standby
maintenance_window	object	null	Custom maintenance window
databases	map(object)	{}	Databases keyed by name (charset/collation)
server_configurations	map(string)	{}	Server parameters, merged over tuned defaults
tags	map(string)	{}	Tags applied to all resources

Outputs

server_id, server_name, server_fqdn, administrator_login, database_ids, private_dns_zone_id, public_network_access_enabled.

Requirements

• Terraform or OpenTofu >= 1.6
• hashicorp/azurerm >= 4.0, < 5.0 (built against 4.76)
• For private networking the subnet must be delegated to Microsoft.DBforPostgreSQL/flexibleServers and must not host other resource types.
• HA is not available on Burstable (B_) SKUs; geo-redundant backup cannot be toggled after create.

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).