
Fix Postgres infrastructure and JWT token issuer configuration#865

Merged
tjementum merged 3 commits into main from pp-1091-move-postgres-entra-id-admin-to-bicep
Apr 2, 2026

Conversation


@tjementum tjementum commented Apr 2, 2026

Summary & Motivation

Clean up PostgreSQL infrastructure provisioning and fix JWT token signing to use the actual deployment domain.

  • Move Entra ID admin provisioning for PostgreSQL into Bicep, replacing the separate add-postgres-admin.sh shell script that ran as a post-deployment step. The admin is now declared as a resource on the flexible server, removing the need for a separate post-deployment script
  • Fix cosmetic type mismatch for the tenant id column in the account initial migration where the C# generic type was string but the column type is bigint, corrected to long
  • Use the custom domain (e.g., https://your-domain.com) as the JWT token issuer and audience instead of a hardcoded value. The previous iss and aud claims were not a valid URL, which caused JWT signature verification to fail on tools like jwt.io. The domain is now passed from the cluster deployment into the Key Vault module, falling back to a hardcoded value when no custom domain is configured

Downstream projects

The JWT issuer/audience change only takes effect when a custom domain is configured before the first deployment. Bicep does not overwrite existing Key Vault secrets, so existing deployments will keep the old values. To update an existing deployment, run the following from the Azure Portal Cloud Shell (Bash):

az account set --subscription <subscription-id>

VAULT_NAME="<key-vault-name>"
DOMAIN="https://your-domain.com"
USER_ID=$(az ad signed-in-user show --query id -o tsv)
VAULT_ID=$(az keyvault show --name "$VAULT_NAME" --query id -o tsv)
MY_IP=$(curl -s ifconfig.me)

az role assignment create --role "Key Vault Secrets Officer" --assignee "$USER_ID" --scope "$VAULT_ID"
az keyvault network-rule add --name "$VAULT_NAME" --ip-address "$MY_IP/32"

echo "Waiting 60 seconds for RBAC propagation..."
sleep 60

az keyvault secret set --vault-name "$VAULT_NAME" --name authentication-token-issuer --value "$DOMAIN"
az keyvault secret set --vault-name "$VAULT_NAME" --name authentication-token-audience --value "$DOMAIN"

az keyvault network-rule remove --name "$VAULT_NAME" --ip-address "$MY_IP/32"
az role assignment delete --role "Key Vault Secrets Officer" --assignee "$USER_ID" --scope "$VAULT_ID"

The Key Vault name matches the cluster resource group name.

Checklist

  • I have added tests, or done manual regression tests
  • I have updated the documentation, if necessary
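The issuer/audience change described above, as an added example that is not code from this PR or its repository: a stdlib-only Python validator that pins the algorithm, verifies the HS256 signature, and requires the iss and aud claims to equal the configured deployment domain exactly, so a token still carrying an old non-URL issuer is rejected. The signing secret, subject and "old-hardcoded-issuer" value are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(secret: bytes, issuer: str, audience: str, subject: str,
               ttl: int = 3600, now=None) -> str:
    # Issue an HS256 JWT whose iss and aud carry the given values (constructed test issuer).
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"iss": issuer, "aud": audience, "sub": subject, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"

def validate_token(token: str, secret: bytes, expected_issuer: str,
                   expected_audience: str, now=None) -> dict:
    """Return the claims only if alg, signature, iss, aud and exp all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm rather than trusting whatever the token header says.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Exact match: a token minted with the old hardcoded issuer/audience must not validate
    # against a deployment that now expects the custom domain.
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    if claims.get("aud") != expected_audience:
        raise ValueError(f"audience mismatch: {claims.get('aud')!r}")
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def issuer_is_https_url(token: str) -> bool:
    """Unverified peek at iss: is it an https URL, the form this PR switches to?"""
    parsed = urlparse(str(json.loads(_b64url_decode(token.split(".")[1])).get("iss", "")))
    return parsed.scheme == "https" and bool(parsed.netloc)
```

Run it against a token from a freshly deployed environment after updating the two Key Vault secrets to confirm the issuer is the domain and not the fallback value.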

@tjementum tjementum requested a review from a team as a code owner April 2, 2026 18:46
@tjementum tjementum self-assigned this Apr 2, 2026
@tjementum tjementum added the Enhancement New feature or request label Apr 2, 2026
@tjementum tjementum merged commit 802762e into main Apr 2, 2026
19 of 29 checks passed
@tjementum tjementum deleted the pp-1091-move-postgres-entra-id-admin-to-bicep branch April 2, 2026 19:13
@github-project-automation github-project-automation bot moved this to ✅ Done in Kanban board Apr 2, 2026