From 3ef5e6ca4ef11bfa72ec9d7e32535c85bca704a4 Mon Sep 17 00:00:00 2001
From: RMcVelia <rick.mcvelia@gmail.com>
Date: Mon, 15 Jan 2024 14:04:01 +0000
Subject: [PATCH] Add postgres password change doc

---
 documentation/postgres-faq.md | 45 +++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 documentation/postgres-faq.md

diff --git a/documentation/postgres-faq.md b/documentation/postgres-faq.md
new file mode 100644
index 00000000..57f2d1ab
--- /dev/null
+++ b/documentation/postgres-faq.md
@@ -0,0 +1,45 @@
+# Postgres FAQ
+
+FAQ for anything postgres related
+
+## Admin password change
+
+The Postgres admin user and password is created by the postgres terraform module.
+
+https://github.com/DFE-Digital/terraform-modules/tree/main/aks/postgres
+
+If you need to change the password for any reason, then use the following procedure which will trigger a new password on the next deployment.
+Note that make commands and directories may be slightly different for your service, so check within your Makefile before running.
+
+This example changes the postgres admin password for the development env of the service
+
+1. Set terraform env
+```
+$ make development terraform-init
+```
+
+2. Get the password resource (chdir directory may be different for your service)
+```
+$ terraform -chdir=terraform/aks state list |grep random_password
+module.postgres.random_password.password[0]
+```
+
+3. Taint the password resource so it will be regenerated on next terraform apply
+```
+$ terraform -chdir=terraform/aks taint module.postgres.random_password.password[0]
+```
+
+4. Terraform plan should show that the password will be recreated on next run, alongside updates to application secrets and app deployments (due to a change to the DATABASE_URL).
+```
+$ make development terraform-plan
+
+...
+  # module.postgres.random_password.password[0] is tainted, so must be replaced
+-/+ resource "random_password" "password" {
+      ~ bcrypt_hash = (sensitive value)
+      ~ id          = "none" -> (known after apply)
+      ~ result      = (sensitive value)
+        # (10 unchanged attributes hidden)
+    }
+...
+```