azurerm_postgresql_server public_network_access_enabled setting on replica not respected on create #11346

Closed
NillsF opened this issue Apr 15, 2021 · 4 comments · Fixed by #11465

Comments

@NillsF
Contributor

NillsF commented Apr 15, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.14.9
+ provider registry.terraform.io/hashicorp/azurerm v2.55.0

Your version of Terraform is out of date! The latest version
is 0.14.10. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

  • azurerm_postgresql_server

Terraform Configuration Files

Two files:

postgres.tf

resource "azurerm_resource_group" "rg" {
  name     = var.resource_group
  location = var.main_location
}


resource "azurerm_postgresql_server" "postgres_master" {
  name                             = var.main_db_name
  location                         = var.main_location
  resource_group_name              = azurerm_resource_group.rg.name
  sku_name                         = var.sku_name
  administrator_login              = var.administrator_login
  administrator_login_password     = var.administrator_login_password
  version                          = var.postgres_version
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_2"
  backup_retention_days            = var.retention_days
  geo_redundant_backup_enabled     = var.replicas_count != 0 ? true : false
  storage_mb                       = var.storage_mb
  public_network_access_enabled    = var.public_access_enabled
  auto_grow_enabled                = true

  lifecycle {
    ignore_changes = [
      # Autogrow is enabled
      storage_mb,
    ]
  }

}

resource "azurerm_postgresql_server" "postgres_standby" {
  count                            = var.replicas_count
  name                             = "${azurerm_postgresql_server.postgres_master.name}-r-${var.replicas_count}"
  location                         = var.replicas_location
  resource_group_name              = var.resource_group
  sku_name                         = var.sku_name
  version                          = var.postgres_version
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_2"
  storage_mb                       = var.storage_mb
  public_network_access_enabled    = var.public_access_enabled
  create_mode                      = "Replica"
  creation_source_server_id        = azurerm_postgresql_server.postgres_master.id
  auto_grow_enabled                = true

  lifecycle {
    ignore_changes = [
      # Autogrow is enabled
      storage_mb,
    ]
  }

}

var.tf

provider "azurerm" {
  features {}
}

variable "main_db_name" {
    default = "nfpgtst"
}

variable "main_location" {
    default = "westus2"
}
variable "resource_group" {
    default = "pg-test-diff-reg"
}
variable "sku_name" {
    default = "GP_Gen5_4"
}
variable "administrator_login" {
    default = "nilfranadmin"
}
variable "administrator_login_password" {
    default = "superSecure123$"
}
variable "postgres_version" {
    default = 9.6
}
variable "retention_days" {
    default = 7
}
variable "replicas_count" {
    default = 1
}
variable "storage_mb" {
    default = 5120
}
variable "replicas_location" {
    default = "eastus2"
}
variable "public_access_enabled" {
    default = false
}

Debug Output

https://gist.github.com/NillsF/be2b1d564fa20844f7e59a98c8dc8379

Panic Output

Expected Behaviour

  • Replica's public_network_access_enabled should be kept false when creating.

Actual Behaviour

When creating a PostgreSQL replica, the public_network_access_enabled setting is set to true. In the master, it is kept the right way.

However, the terraform plan shows TF trying to set it to false:

# azurerm_postgresql_server.postgres_standby[0] will be created
  + resource "azurerm_postgresql_server" "postgres_standby" {
      + administrator_login              = (known after apply)
      + auto_grow_enabled                = true
      + backup_retention_days            = (known after apply)
      + create_mode                      = "Replica"
      + creation_source_server_id        = (known after apply)
      + fqdn                             = (known after apply)
      + geo_redundant_backup_enabled     = (known after apply)
      + id                               = (known after apply)
      + location                         = "westus2"
      + name                             = "nfpgsame-r-1"
      + public_network_access_enabled    = false
      + resource_group_name              = "pg-test-same-reg"
      + sku_name                         = "GP_Gen5_2"
      + ssl_enforcement                  = (known after apply)
      + ssl_enforcement_enabled          = true
      + ssl_minimal_tls_version_enforced = "TLS1_2"
      + storage_mb                       = 5120
      + version                          = "9.6"

      + storage_profile {
          + auto_grow             = (known after apply)
          + backup_retention_days = (known after apply)
          + geo_redundant_backup  = (known after apply)
          + storage_mb            = (known after apply)
        }
    }

This can be resolved by running terraform plan and terraform apply a second time.

Steps to Reproduce

  1. Run terraform plan and terraform apply using the files provided above. This will result in the bad config.
  2. Running terraform plan and terraform apply again will update the configuration correctly.

Important Factoids

References

@aristosvo did some great work implementing locking in the following issue/PR:

@aristosvo
Collaborator

aristosvo commented Apr 22, 2021

Hi @NillsF!

Short analysis/hypothesis of the problem: As you are replicating to a different region, there should be a way for the other Azure region to reach your Replica databases. Therefore public access is enabled on creation.

Docs say that

When you create a replica, it doesn't inherit the firewall rules or VNet service endpoint of the primary server. These rules must be set up independently for the replica.

Nothing found on necessity of the public availability of the database. I'll check the order of application of public access in the code and check if this can be done differently to enable this workflow.

@aristosvo
Collaborator

aristosvo commented Apr 24, 2021

It's a tough problem, although not hard to fix. I believe it is a problem which should probably be fixed on the Azure API side.

I've reproduced it in the acctests by adding public_network_access_enabled = true to the replica in TestAccPostgreSQLServer_createReplica, resulting in a test failure:

❯ make acctests SERVICE='postgres' TESTARGS='-run=createReplica'
==> Checking that code complies with gofmt requirements...
==> Checking that Custom Timeouts are used...
==> Checking that acceptance test packages are used...
TF_ACC=1 go test -v ./azurerm/internal/services/postgres -run=createReplica -timeout 180m -ldflags="-X=github.com/terraform-providers/terraform-provider-azurerm/version.ProviderVersion=acc"
2021/04/24 15:29:08 [DEBUG] not using binary driver name, it's no longer needed
2021/04/24 15:29:09 [DEBUG] not using binary driver name, it's no longer needed
=== RUN   TestAccPostgreSQLServer_createReplica
=== PAUSE TestAccPostgreSQLServer_createReplica
=== CONT  TestAccPostgreSQLServer_createReplica
    testing.go:620: Step 3/4 error: After applying this test step, the plan was not empty.
        stdout:
        
        
        An execution plan has been generated and is shown below.
        Resource actions are indicated with the following symbols:
          ~ update in-place
        
        Terraform will perform the following actions:
        
          # azurerm_postgresql_server.replica will be updated in-place
          ~ resource "azurerm_postgresql_server" "replica" {
                id                                = "/subscriptions/***/resourceGroups/acctestRG-psql-210424152910410484/providers/Microsoft.DBforPostgreSQL/servers/acctest-psql-server-210424152910410484-replica"
                name                              = "acctest-psql-server-210424152910410484-replica"
              ~ public_network_access_enabled     = true -> false
                # (16 unchanged attributes hidden)
        
                # (1 unchanged block hidden)
            }
        
        Plan: 0 to add, 1 to change, 0 to destroy.
--- FAIL: TestAccPostgreSQLServer_createReplica (665.28s)
FAIL
FAIL    github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/postgres  668.338s
FAIL
make: *** [acctests] Error 1
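
A post-apply check for the drift reported in this issue, as an added example that is not part of the original thread or the provider's code: it reads the JSON produced by `terraform show -json` for a saved plan and flags any `azurerm_postgresql_server` whose deployed `public_network_access_enabled` is `true` while the configuration sets it to `false`. The sample plan document and the function name `exposed_servers` are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# mirroring the in-place update shown in the test failure above.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "azurerm_postgresql_server.postgres_master",
            "type": "azurerm_postgresql_server",
            "change": {
                "actions": ["no-op"],
                "before": {"public_network_access_enabled": False},
                "after": {"public_network_access_enabled": False},
            },
        },
        {
            "address": "azurerm_postgresql_server.postgres_standby[0]",
            "type": "azurerm_postgresql_server",
            "change": {
                "actions": ["update"],
                "before": {"public_network_access_enabled": True},
                "after": {"public_network_access_enabled": False},
            },
        },
    ]
})

ATTR = "public_network_access_enabled"

def exposed_servers(plan_json):
    """Return addresses of PostgreSQL servers whose deployed state has public
    access on while the configuration asks for it to be off."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "azurerm_postgresql_server":
            continue
        change = rc.get("change", {})
        before = change.get("before") or {}  # null when the resource is being created
        after = change.get("after") or {}    # null when it is being destroyed
        if before.get(ATTR) is True and after.get(ATTR) is False:
            findings.append(rc["address"])
    return findings

if __name__ == "__main__":
    for addr in exposed_servers(SAMPLE_PLAN):
        print(f"DRIFT: {addr} has public access on; re-apply or upgrade the provider")
```

Run against a plan generated right after the first apply, a non-empty result means the replica was created with public access enabled.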

@ghost

ghost commented Apr 30, 2021

This has been released in version 2.57.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.57.0"
}
# ... other configuration ...

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 30, 2021