
entropy-data-terraform-azure

Terraform configuration for deploying the entropy-data workload on Azure with:

  • Azure Container Apps
  • Azure Database for PostgreSQL Flexible Server (private networking)
  • Azure Log Analytics workspace
  • Virtual network and subnets for app and database isolation

What This Deploys

  • Resource group named after application_name
  • Virtual network 10.0.0.0/16
  • Container Apps subnet 10.0.0.0/23
  • PostgreSQL subnet 10.0.2.0/24 with Flexible Server delegation
  • Private DNS zone for PostgreSQL and VNet link
  • Log Analytics workspace
  • Container App Environment
  • Container App with:
    • external HTTPS ingress on port 8080
    • liveness/readiness/startup probes
    • scaling from 1 to 10 replicas
    • optional registry auth (for private registries)
    • user-assigned managed identity
  • PostgreSQL Flexible Server (v16) with:
    • private access only
    • generated admin password
    • extension and monitoring configuration
    • prevent_destroy = true
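The private-only database layout listed above, written out as an added HCL example rather than the repository's own code. The address ranges, the PostgreSQL version and the prevent_destroy rule come from this README; resource names, the location, the SKU, storage size and administrator login are assumptions, and the provider configuration (azurerm ~> 4.0, random) is assumed to come from the repo:

```hcl
variable "application_name" {
  type = string
}

resource "azurerm_resource_group" "main" {
  name     = var.application_name
  location = "westeurope" # assumption
}

resource "azurerm_virtual_network" "main" {
  name                = "${var.application_name}-vnet"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "apps" {
  name                 = "container-apps"
  resource_group_name  = azurerm_resource_group.main.name
  virtual_network_name = azurerm_virtual_network.main.name
  address_prefixes     = ["10.0.0.0/23"]
}

resource "azurerm_subnet" "postgres" {
  name                 = "postgres"
  resource_group_name  = azurerm_resource_group.main.name
  virtual_network_name = azurerm_virtual_network.main.name
  address_prefixes     = ["10.0.2.0/24"]

  # Delegation means only Flexible Servers can be placed in this subnet.
  delegation {
    name = "postgres-flexible-server"
    service_delegation {
      name    = "Microsoft.DBforPostgreSQL/flexibleServers"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
    }
  }
}

# VNet-integrated Flexible Servers resolve through a private zone that must
# end in .postgres.database.azure.com; the link makes it resolvable in the VNet.
resource "azurerm_private_dns_zone" "postgres" {
  name                = "${var.application_name}.postgres.database.azure.com"
  resource_group_name = azurerm_resource_group.main.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "postgres" {
  name                  = "${var.application_name}-postgres-dns-link"
  resource_group_name   = azurerm_resource_group.main.name
  private_dns_zone_name = azurerm_private_dns_zone.postgres.name
  virtual_network_id    = azurerm_virtual_network.main.id
}

# Generated once and kept in state; it never appears in tfvars.
resource "random_password" "postgres_admin" {
  length  = 32
  special = false
}

resource "azurerm_postgresql_flexible_server" "main" {
  name                          = "${var.application_name}-pg"
  resource_group_name           = azurerm_resource_group.main.name
  location                      = azurerm_resource_group.main.location
  version                       = "16"
  delegated_subnet_id           = azurerm_subnet.postgres.id
  private_dns_zone_id           = azurerm_private_dns_zone.postgres.id
  public_network_access_enabled = false # no public endpoint at all
  administrator_login           = "pgadmin"
  administrator_password        = random_password.postgres_admin.result
  sku_name                      = "B_Standard_B1ms" # assumption
  storage_mb                    = 32768
  zone                          = "1"

  # The DNS link must exist before the server is created in the delegated subnet.
  depends_on = [azurerm_private_dns_zone_virtual_network_link.postgres]

  lifecycle {
    prevent_destroy = true # terraform destroy fails until this is removed
  }
}
```

Because the generated password and the server's state are written to the Terraform state file in clear text, the state backend needs the same access controls as the database itself.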

Prerequisites

  • Terraform >= 1.5 (recommended)
  • Azure CLI logged into the target subscription
  • Permissions to create networking, Container Apps, PostgreSQL, and monitoring resources

Required Terraform providers (configured in this repo):

  • hashicorp/azurerm ~> 4.0
  • hashicorp/random ~> 3.7.1

Quick Start

  1. Initialize Terraform:

     terraform init

  2. Copy the example vars file and fill in real values:

     cp terraform.tfvars.example terraform.tfvars

  3. Preview changes:

     terraform plan

  4. Apply:

     terraform apply

terraform.tfvars.example

This repository includes terraform.tfvars.example as a starting point. Copy it to terraform.tfvars and replace the placeholder values before running terraform plan or terraform apply. The filled-in file holds secrets (for example smtp_password and sso_azure_client_secret), so keep it out of version control, or supply those values through TF_VAR_<name> environment variables instead of writing them to the file.

Recommended App Settings

Based on Entropy Data configuration docs, this module exposes dedicated inputs for common mail and host settings:

  • application_host_web
  • mail_host
  • mail_port
  • mail_username
  • mail_properties_mail_smtp_auth
  • mail_properties_mail_smtp_starttls_enable
  • application_mail_from

Use additional_env_vars for extra optional settings such as APPLICATION_SUPERADMINS.

SMTP

This module requires an SMTP server for sending transactional emails (account verification, notifications, etc.). If you do not have an existing SMTP provider, Azure Communication Services (ACS) can be used as an SMTP relay. ACS is not managed by this Terraform module — you will need to set up the Communication Service, Email Service, and email domain manually in the Azure Portal, then provide the SMTP credentials:

mail_host     = "smtp.azurecomm.net"
mail_port     = "587"
mail_username = "<ACS-Resource-Name>.<Entra-App-ID>.<Entra-Tenant-ID>"
smtp_password = "<Entra-App-Client-Secret>"

application_mail_from = "DoNotReply@<guid>.azurecomm.net"

Optional Azure SSO

Azure SSO (Microsoft Entra ID) is supported via optional variables that map to the official Entropy Data SSO environment variables from https://docs.entropy-data.com/sso:

  • sso_azure_enabled
  • sso_azure_issuer_uri
  • sso_azure_client_id
  • sso_azure_client_secret
  • sso_azure_hosts

When sso_azure_enabled = true, this module injects all required SPRING_SECURITY_OAUTH2_* Azure SSO env vars plus APPLICATION_SSO_AZURE_HOSTS.
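How the conditional injection and the precondition check described above can be expressed in Terraform, as an added example and not the module's own code. The variable names are the ones listed in this README; the resource names, the Container App secret name sso-azure-client-secret, and the SPRING_SECURITY_OAUTH2_* env var names (Spring Boot relaxed binding for a client registration called "azure") are assumptions, and the Container App Environment and resource group are assumed to exist:

```hcl
variable "sso_azure_enabled" {
  type    = bool
  default = false
}

variable "sso_azure_issuer_uri" {
  type    = string
  default = ""
}

variable "sso_azure_client_id" {
  type    = string
  default = ""
}

variable "sso_azure_client_secret" {
  type      = string
  default   = ""
  sensitive = true # redacted from plan output and error messages
}

variable "sso_azure_hosts" {
  type    = string
  default = ""
}

locals {
  # Non-secret SSO settings become plain env vars only when SSO is enabled;
  # the env var names are an assumption, see the lead-in.
  sso_plain_env = var.sso_azure_enabled ? {
    SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AZURE_ISSUER_URI    = var.sso_azure_issuer_uri
    SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURE_CLIENT_ID = var.sso_azure_client_id
    APPLICATION_SSO_AZURE_HOSTS                                = var.sso_azure_hosts
  } : {}
}

resource "azurerm_container_app" "app" {
  name                         = "entropy-data"                             # hypothetical
  container_app_environment_id = azurerm_container_app_environment.main.id # assumed to exist
  resource_group_name          = azurerm_resource_group.main.name          # assumed to exist
  revision_mode                = "Single"

  # The client secret is stored as a Container App secret, never as a plain env value.
  dynamic "secret" {
    for_each = var.sso_azure_enabled ? [1] : []
    content {
      name  = "sso-azure-client-secret"
      value = var.sso_azure_client_secret
    }
  }

  template {
    container {
      name   = "app"
      image  = "docker.io/example/entropy-data:1.0.0" # placeholder
      cpu    = 0.5
      memory = "1Gi"

      dynamic "env" {
        for_each = local.sso_plain_env
        content {
          name  = env.key
          value = env.value
        }
      }

      # The secret reaches the container only by reference to the secret above.
      dynamic "env" {
        for_each = var.sso_azure_enabled ? [1] : []
        content {
          name        = "SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AZURE_CLIENT_SECRET"
          secret_name = "sso-azure-client-secret"
        }
      }
    }
  }

  lifecycle {
    # Fail at plan time instead of deploying a half-configured SSO setup.
    precondition {
      condition = !var.sso_azure_enabled || (
        var.sso_azure_issuer_uri != "" &&
        var.sso_azure_client_id != "" &&
        var.sso_azure_client_secret != ""
      )
      error_message = "sso_azure_issuer_uri, sso_azure_client_id and sso_azure_client_secret are required when sso_azure_enabled is true."
    }
  }
}
```

With sso_azure_enabled = false none of the SSO env vars or the secret are created, so a misconfigured issuer URI or client ID cannot leak into a non-SSO deployment; with it set to true but any of the three values empty, terraform plan stops with the error message instead of creating a revision that cannot complete a login.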

Notes

  • The Container App image field is listed in ignore_changes, so image-only deployments made outside Terraform (for example by a CI pipeline) do not show up as drift and are not reverted on the next apply. The flip side is that changing the image in the Terraform configuration after the first apply has no effect.
  • Public images (for example Docker Hub) can be deployed anonymously by leaving registry variables unset.
  • When sso_azure_enabled is true, sso_azure_issuer_uri, sso_azure_client_id, and sso_azure_client_secret are required by Terraform precondition checks.
  • spring-actuator-password is always auto-generated by Terraform.
  • application-encryption-keys is always auto-generated by Terraform as a 64-character hex key (32 random bytes).
  • PostgreSQL is protected by prevent_destroy; destroy operations will fail unless this lifecycle setting is changed.
  • The database is private-only; connectivity must come from within the VNet or via private networking.
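The two auto-generated secrets and the image ignore_changes rule from the notes above, as an added example that is not the repository's code. The secret names spring-actuator-password and application-encryption-keys are the ones named in this README; the env var names SPRING_ACTUATOR_PASSWORD and APPLICATION_ENCRYPTION_KEYS, the resource names, and the Container App Environment and resource group being present are assumptions:

```hcl
# Generated once, stored in state, never supplied by the user.
resource "random_password" "actuator" {
  length  = 32
  special = false
}

resource "random_id" "encryption_key" {
  byte_length = 32 # 32 random bytes render as a 64-character hex string
}

resource "azurerm_container_app" "app" {
  name                         = "entropy-data"                             # hypothetical
  container_app_environment_id = azurerm_container_app_environment.main.id # assumed to exist
  resource_group_name          = azurerm_resource_group.main.name          # assumed to exist
  revision_mode                = "Single"

  # Values live in Container App secrets and reach the container only via secret_name.
  secret {
    name  = "spring-actuator-password"
    value = random_password.actuator.result
  }

  secret {
    name  = "application-encryption-keys"
    value = random_id.encryption_key.hex
  }

  template {
    container {
      name   = "app"
      image  = "docker.io/example/entropy-data:1.0.0" # placeholder; a CI pipeline may roll this forward
      cpu    = 0.5
      memory = "1Gi"

      env {
        name        = "SPRING_ACTUATOR_PASSWORD" # assumed name
        secret_name = "spring-actuator-password"
      }

      env {
        name        = "APPLICATION_ENCRYPTION_KEYS" # assumed name
        secret_name = "application-encryption-keys"
      }
    }
  }

  lifecycle {
    # Image changes made outside Terraform are not reported as drift, so an
    # image-only rollout by CI is not reverted; it also means Terraform will
    # not update the image on its own after the first apply.
    ignore_changes = [template[0].container[0].image]
  }
}

# Sensitive outputs are redacted in CLI output but still written to state in
# clear text, so the state backend needs the same protection as the secrets.
output "application_encryption_key" {
  value     = random_id.encryption_key.hex
  sensitive = true
}
```

Rotating either secret is a matter of tainting the random resource (terraform taint random_id.encryption_key) and applying; Terraform then regenerates the value and updates the Container App secret, and the application must be able to read data written under the previous key before the old value is dropped.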
