
[BUG] ConflictingPublicNetworkAccessAndVirtualNetworkConfiguration #7

Closed
adamevoila opened this issue Jun 12, 2024 · 5 comments
Labels: bug (Something isn't working)

Comments

@adamevoila
Community Note

When using the claranet/db-postgresql-flexible/azurerm module to deploy an Azure PostgreSQL Flexible Server with a virtual network configuration, a conflict arises due to the lack of an option to disable public network access.
The module requires the allowed_cidrs attribute to be specified, even when public access is not desired. Setting allowed_cidrs to an empty map {} does not resolve the issue, as the module still attempts to configure both public network access and virtual network integration, resulting in the following error:
```text
Error: creating Flexible Server (Subscription: "28197c15-da6c-4e66-b241-cd23f9550102"
Resource Group Name: "rg-test-tsp1-acc"
Flexible Server Name: "psqlf-test-tsp1-gwc-acc"): performing Create: unexpected status 400 (400 Bad Request) with error: ConflictingPublicNetworkAccessAndVirtualNetworkConfiguration: Conflicting configuration is detected between Public Network Access and Virtual Network arguments. Public Network Access is not supported along with Virtual Network feature.
```
The documentation does not provide any information on how to disable public network access or resolve this conflict.

Please advise on how to resolve this issue or provide guidance on disabling public network access when using the claranet/db-postgresql-flexible/azurerm module with virtual network integration.

Terraform Version

1.7.2

AzureRM Provider Version

3.80

Affected Resource(s)/Data Source(s)

azurerm_postgresql_flexible_server.postgresql_flexible_server

Terraform Configuration Files

```hcl
# https://github.com/claranet/terraform-azurerm-db-postgresql-flexible/tree/master/examples/delegated_subnet

module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "7.1.1"

  azure_region = var.location
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "6.1.1"

  location    = module.azure_region.location
  client_name = var.application
  environment = var.environment
  stack       = var.stack
}

resource "random_password" "admin_password" {
  special = false
  length  = 32
}

module "vnet" {
  source  = "claranet/vnet/azurerm"
  version = "7.0.0"

  environment    = var.environment
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.application
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name

  vnet_cidr = [var.vnet_cidr]
}

module "subnet" {
  source  = "claranet/subnet/azurerm"
  version = "7.0.0"

  environment    = var.environment
  location_short = module.azure_region.location_short
  client_name    = var.application
  stack          = var.stack

  resource_group_name  = module.rg.resource_group_name
  virtual_network_name = module.vnet.virtual_network_name

  subnet_cidr_list = [var.subnet_cidr]

  service_endpoints = ["Microsoft.Storage"] # example value, adjust it to your requirements

  subnet_delegation = {
    postgresql-flexible = [
      {
        name    = "Microsoft.DBforPostgreSQL/flexibleServers"
        actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
      }
    ]
  }
}

resource "azurerm_private_dns_zone" "postgres" {
  name                = format("%s-%s.postgres.database.azure.com", var.environment, var.stack)
  resource_group_name = module.rg.resource_group_name
}

resource "azurerm_private_dns_zone_virtual_network_link" "postgres" {
  name                = format("%s_dns_zone_postgres_%s", var.stack, var.environment)
  resource_group_name = module.rg.resource_group_name

  private_dns_zone_name = azurerm_private_dns_zone.postgres.name
  virtual_network_id    = module.vnet.virtual_network_id
}

module "postgresql_flexible" {
  source  = "claranet/db-postgresql-flexible/azurerm"
  version = "7.3.1"

  client_name    = var.application
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name

  depends_on = [
    azurerm_private_dns_zone_virtual_network_link.postgres, module.vnet
  ]

  tier               = "GeneralPurpose"
  size               = "D2s_v3"
  storage_mb         = 32768
  postgresql_version = 13

  allowed_cidrs = {}

  backup_retention_days        = 14
  geo_redundant_backup_enabled = true

  administrator_login    = "azureadmin"
  administrator_password = random_password.admin_password.result

  databases = {
    mydatabase = {
      collation = "en_US.utf8"
      charset   = "UTF8"
    }
  }

  maintenance_window = {
    day_of_week  = 3
    start_hour   = 3
    start_minute = 0
  }

  logs_destinations_ids = []

  private_dns_zone_id = azurerm_private_dns_zone.postgres.id
  delegated_subnet_id = module.subnet.subnet_id

  extra_tags = {
    foo = "bar"
  }
}
```

Debug Output/Panic Output

```text
╷
│ Error: creating Flexible Server (Subscription: "28197c14-da6c-4e66-b241-cd23f9550102"
│ Resource Group Name: "rg-test-tsp1-acc"
│ Flexible Server Name: "psqlf-test-tsp1-gwc-acc"): performing Create: unexpected status 400 (400 Bad Request) with error: ConflictingPublicNetworkAccessAndVirtualNetworkConfiguration: Conflicting configuration is detected between Public Network Access and Virtual Network arguments. Public Network Access is not supported along with Virtual Network feature.
│ 
│   with module.postgresql_flexible.azurerm_postgresql_flexible_server.postgresql_flexible_server,
│   on .terraform/modules/postgresql_flexible/r-postgresql-flexible.tf line 1, in resource "azurerm_postgresql_flexible_server" "postgresql_flexible_server":
│    1: resource "azurerm_postgresql_flexible_server" "postgresql_flexible_server" {
│ 
╵
```

Expected Behaviour

The module should allow for the creation of an Azure PostgreSQL Flexible Server with virtual network integration and public network access disabled.

Actual Behaviour

The module encounters a conflict between the public network access and virtual network configuration, preventing the successful creation of the Azure PostgreSQL Flexible Server.

Steps to Reproduce

I mainly just used your example deployment: https://github.com/claranet/terraform-azurerm-db-postgresql-flexible/tree/master/examples/delegated_subnet

1. Configure the claranet/db-postgresql-flexible/azurerm module with a delegated subnet ID (delegated_subnet_id) and an empty allowed_cidrs map. `terraform plan` is no problem.
2. `terraform apply` --> the error will come up.

Important Factoids

No response

References

No response

@adamevoila (Author)

Also when I tried to deploy everything at once from zero, this happens. So I first have to deploy the subnet module before I can run the postgres deployment.

```text
│ Error: Invalid for_each argument
│
│ on .terraform/modules/postgresql_flexible/r-firewall.tf line 2, in resource "azurerm_postgresql_flexible_server_firewall_rule" "firewall_rules":
│ 2: for_each = var.delegated_subnet_id == null ? var.allowed_cidrs : {}
│ ├────────────────
│ │ var.allowed_cidrs is empty map of string
│ │ var.delegated_subnet_id is a string, known only after apply
│
│ The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full
│ set of keys that will identify the instances of this resource.
│
│ When working with unknown values in for_each, it's better to define the map keys statically in your configuration and place apply-time results only
│ in the map values.
│
│ Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and then apply a
│ second time to fully converge.
```

@Shr3ps (Member)

Shr3ps commented Jun 13, 2024

Thanks for this opened issue, we will try to reproduce and fix the module in this context.

@adamevoila (Author)

I think this issue is the reason.
hashicorp/terraform-provider-azurerm#26098

@Shr3ps (Member)

Shr3ps commented Jun 14, 2024

Can you please test the 7.4.0 version of the module?
I added public_network_access_enabled parameter.

@adamevoila (Author)

Hello I just tested it and it's working fine :) thank you very much
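An added illustration, not the claranet module's own code, of the two points raised in this thread: a module call on 7.4.0 that pairs delegated_subnet_id with public_network_access_enabled = false so the server is reachable only through the VNet, and a firewall-rule for_each keyed on a boolean known at plan time rather than on the apply-time-unknown subnet ID that produced "Invalid for_each argument". The standalone firewall resource, the public_network_access_enabled variable and the server_id placeholder are assumptions for the illustration.

```hcl
# Added example, not the module's code. Assumes the public_network_access_enabled
# input from module 7.4.0; the firewall resource below is a hypothetical illustration.

module "postgresql_flexible" {
  source  = "claranet/db-postgresql-flexible/azurerm"
  version = "7.4.0"

  client_name         = var.application
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.resource_group_name

  tier               = "GeneralPurpose"
  size               = "D2s_v3"
  storage_mb         = 32768
  postgresql_version = 13

  # VNet integration gives the server a private address only; leaving the
  # public endpoint enabled alongside it is what the API rejects with 400.
  delegated_subnet_id           = module.subnet.subnet_id
  private_dns_zone_id           = azurerm_private_dns_zone.postgres.id
  public_network_access_enabled = false
  allowed_cidrs                 = {} # no public firewall rules on a private-only server

  administrator_login    = "azureadmin"
  administrator_password = random_password.admin_password.result
}

# Hypothetical firewall-rule resource: the condition is a plan-time-known bool,
# not "var.delegated_subnet_id == null", which is unknown until the subnet exists.
variable "public_network_access_enabled" {
  type    = bool
  default = false
}

variable "allowed_cidrs" {
  type    = map(string)
  default = {}
}

resource "azurerm_postgresql_flexible_server_firewall_rule" "firewall_rules" {
  for_each = var.public_network_access_enabled ? var.allowed_cidrs : {}

  name             = each.key
  server_id        = "PLACEHOLDER_SERVER_ID" # replace with the flexible server's resource ID
  start_ip_address = cidrhost(each.value, 0)
  end_ip_address   = cidrhost(each.value, -1)
}
```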
