[AVM Module Issue]: PSQL Deployment often fails when enabling EntraID Auth

[GregorLauritz]

Check for previous/existing GitHub issues

• I have checked for previous/existing GitHub issues

Issue Type?

Bug

Module Name

avm/res/db-for-postgre-sql/flexible-server

(Optional) Module Version

0.3.0

Description

For us, the Bicep deployment often fails when enabling Password Auth and EntraID Auth on our PSQL Server.
4 out of 5 times it will fail with The server '<<server_name>>' is not in an accessible state to perform Azure AD Principal operation. Please make sure the server is accessible before executing Azure AD Principal operations. (Code: AadAuthOperationCannotBePerformedWhenServerIsNotAccessible).
I tried playing around with the deployment order locally but couldn't find a reliable order that resolves this issue...

Code Snippet:

module flexiServer 'br/public:avm/res/db-for-postgre-sql/flexible-server:0.3.0' = {
  name: 'psql-flexi-${deploymentNameVar}'
  scope: resourceGroup
  params: {
    name: names.outputs.psqlName
    location:'westeurope'
    administratorLogin: names.outputs.psqlAdminUserName
    administratorLoginPassword: psqlAdminPassword
    administrators: [
      {
        objectId: managedIdentityContainerInstance.outputs.principalId
        principalName: managedIdentityContainerInstance.outputs.name
        principalType: 'ServicePrincipal'
      }
      {
        objectId: adminGroupPrincipalId
        principalName: 'sg-pace-resource-access-smc-admin'
        principalType: 'Group'
      }
    ]
    tier: psqlTier
    skuName:'Standard_D2s_v3'
    availabilityZone: '2'
    backupRetentionDays: 7
    geoRedundantBackup: 'Disabled'
    createMode: 'Create'
    highAvailability: 'Disabled'
    passwordAuth: 'Enabled'
    activeDirectoryAuth: 'Enabled'
    delegatedSubnetResourceId: psqlSubnetId
    privateDnsZoneArmResourceId: getPrivateDnsZoneResourceId(
      connectivityHubSubscriptionId,
      connectivityHubResourceGroupName,
      postgresPrivateDnsZoneName
    )
    storageSizeGB: 512
    version: '14'
    configurations: [
      {
        name: 'lock_timeout'
        value: '1500'
        source: 'user-override'
      }
      {
        name: 'shared_preload_libraries'
        value: 'pg_stat_statements'
        source: 'user-override'
      }
      {
        name: 'temp_tablespaces'
        value: 'temptblspace'
        source: 'user-override'
      }
      {
        name: 'log_line_prefix'
        value: '%t-%c %d'
        source: 'user-override'
      }
      {
        name: 'max_wal_size'
        value: '32768'
        source: 'user-override'
      }
    ]
    diagnosticSettings: [
      {
        storageAccountResourceId: dseStorageAccountResourceId
        logCategoriesAndGroups: [
          {
            categoryGroup: 'audit'
            enabled: true
          }
          {
            categoryGroup: 'allLogs'
            enabled: true
          }
        ]
        metricCategories: [
          {
            category: 'AllMetrics'
            enabled: false
          }
        ]
      }
    ]
    enableTelemetry: true
  }
}

(Optional) Correlation Id

80fb0d4c-d51d-4803-9be3-d79be922e709

[microsoft-github-policy-service]

Important

The "Needs: Triage 🔍" label must be removed once the triage process is complete!

Tip

For additional guidance on how to triage this issue/PR, see the BRM Issue Triage documentation.

[avm-team-linter]

@GregorLauritz, thanks for submitting this issue for the avm/res/db-for-postgre-sql/flexible-server module!

Important

A member of the @Azure/avm-res-dbforpostgresql-flexibleserver-module-owners-bicep or @Azure/avm-res-dbforpostgresql-flexibleserver-module-contributors-bicep team will review it soon!

[arnoldna]

Thanks @GregorLauritz for submitting the issue. Let me take a look to see if I can identify an issue.

[arnoldna]

Contacted product group concerning issue and they were able to recreate in their environment.