azurerm_postgresql_flexible_server public_network_access_enabled error when not set #26098

Open
1 task done
saliceti opened this issue May 24, 2024 · 8 comments

Comments

@saliceti

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.5.4

AzureRM Provider Version

v3.105.0

Affected Resource(s)/Data Source(s)

azurerm_postgresql_flexible_server

Terraform Configuration Files

resource "azurerm_postgresql_flexible_server" "main" {
  name                   = local.azure_name
  location               = data.azurerm_resource_group.main[0].location
  resource_group_name    = data.azurerm_resource_group.main[0].name
  version                = var.server_version
  administrator_login    = local.database_username
  administrator_password = local.database_password
  create_mode            = "Default"
  storage_mb             = var.azure_storage_mb
  sku_name               = var.azure_sku_name
  delegated_subnet_id    = data.azurerm_subnet.main[0].id
  private_dns_zone_id    = data.azurerm_private_dns_zone.main[0].id
...
}

Debug Output/Panic Output

Terraform will perform the following actions:

  # module.postgres.azurerm_postgresql_flexible_server.main[0] will be updated in-place
  ~ resource "azurerm_postgresql_flexible_server" "main" ***
        id                            = "xxx"
        name                          = "xxx"
      ~ public_network_access_enabled = false -> true
        tags                          = xxx
        ***
        # (15 unchanged attributes hidden)

        # (1 unchanged block hidden)
    ***

Plan: 0 to add, 1 to change, 0 to destroy.
module.postgres.azurerm_postgresql_flexible_server.main[0]: Modifying... [id=xxx]
╷
│ Error: updating Flexible Server (Subscription: "***"
│ Resource Group Name: "xxx"
│ Flexible Server Name: "xxx"): performing Update: unexpected status 400 (400 Bad Request) with error: ConflictingPublicNetworkAccessAndVirtualNetworkConfiguration: Conflicting configuration is detected between Public Network Access and Virtual Network arguments. Public Network Access is not supported along with Virtual Network feature.
│ 
│   with module.postgres.azurerm_postgresql_flexible_server.main[0],
│   on .terraform/modules/postgres/aks/postgres/resources.tf line 39, in resource "azurerm_postgresql_flexible_server" "main":
│   39: resource "azurerm_postgresql_flexible_server" "main" ***
│ 
╵
Releasing state lock. This may take a few moments...

Expected Behaviour

As mentioned in #25812

  1. Create the resource with delegated_subnet_id and private_dns_zone_id without public_network_access_enabled using old AzureRM version -> Upgrade to new AzureRM version -> Run tf plan when public_network_access_enabled isn't set in the tf config -> No TF difference occurs.

Actual Behaviour

plan shows the value of public_network_access_enabled will be changed to the new default
Then apply fails

Steps to Reproduce

Run terraform apply with v3.104.2 successfully
Upgrade to v3.105.0
Run terraform plan: it shows a difference
Run terraform plan: it fails

Important Factoids

No response

References

#25812
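
A CI guard for the plan shown above, as an added example that is not part of the original issue or the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and reports any azurerm_postgresql_flexible_server whose public_network_access_enabled would be switched to true. The sample plan, its addresses and the function name are constructed for illustration.

```python
import json

RESOURCE_TYPE = "azurerm_postgresql_flexible_server"
ATTR = "public_network_access_enabled"

def find_public_access_flips(plan):
    """Return planned changes that turn public network access on for a flexible server."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        change = rc.get("change", {})
        before = change.get("before") or {}   # null on create
        after = change.get("after") or {}     # null on destroy
        if after.get(ATTR) is not True or before.get(ATTR) is True:
            continue  # not being switched on by this plan
        # A delegated subnet means VNet integration, the case the Azure API
        # rejects with ConflictingPublicNetworkAccessAndVirtualNetworkConfiguration.
        vnet = bool(before.get("delegated_subnet_id") or after.get("delegated_subnet_id"))
        findings.append({"address": rc.get("address"),
                         "actions": change.get("actions", []),
                         "vnet_integrated": vnet})
    return findings

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.postgres.azurerm_postgresql_flexible_server.main[0]",
   "type": "azurerm_postgresql_flexible_server",
   "change": {"actions": ["update"],
     "before": {"delegated_subnet_id": "/subscriptions/EXAMPLE/subnets/db",
                "public_network_access_enabled": false},
     "after":  {"delegated_subnet_id": "/subscriptions/EXAMPLE/subnets/db",
                "public_network_access_enabled": true}}},
  {"address": "azurerm_postgresql_flexible_server.pinned",
   "type": "azurerm_postgresql_flexible_server",
   "change": {"actions": ["no-op"],
     "before": {"public_network_access_enabled": false},
     "after":  {"public_network_access_enabled": false}}},
  {"address": "azurerm_resource_group.main", "type": "azurerm_resource_group",
   "change": {"actions": ["delete"], "before": {"name": "example"}, "after": null}}
]}
""")

if __name__ == "__main__":
    for f in find_public_access_flips(SAMPLE_PLAN):
        kind = "conflicts with VNet integration" if f["vnet_integrated"] else "public endpoint would be enabled"
        print(f"{f['address']}: {ATTR} -> true ({kind})")
```

Run against a real plan by loading the `terraform show -json` output in place of `SAMPLE_PLAN` and failing the pipeline when the returned list is non-empty.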

@faizan1990

Now you need to explicitly pass public_network_access_enabled = false to your azurerm_postgresql_flexible_server if you are assigning a VNet configuration to your DB instance.
public_network_access_enabled defaults to true

@saliceti
Author

saliceti commented May 26, 2024

Thanks @faizan1990 I understand that. But this is a breaking change for my 25 services using the same configuration. And this is not listed as a breaking change so I don't think this was intended.

Another complexity for me is they all rely on the same terraform module. So if I add public_network_access_enabled = false to the module, it will break all the services which have not yet updated to 3.105.0.

@neil-yechenwei
Contributor

Thanks for raising this issue. Unfortunately, it's expected behavior since it's by TF design. public_network_access_enabled has to be explicitly set to false in the tf config when delegated_subnet_id and private_dns_zone_id are set. See more details from #25812 (comment).

Actually, breaking change has been declared in the PR description.

@saliceti
Author

Hi @neil-yechenwei

> Thanks for raising this issue. Unfortunately, it's expected behavior since it's by TF design. public_network_access_enabled has to be explicitly set to false in the tf config when delegated_subnet_id and private_dns_zone_id are set. See more details from #25812 (comment).

Could we automatically default to false when delegated_subnet_id and private_dns_zone_id are set? This would avoid the breaking change.

> Actually, breaking change has been declared in the PR description.

Shouldn't it be added to the release changelog then?

@saliceti
Author

@neil-yechenwei @tombuildsstuff we can't upgrade to 3.105.0 as it will be a pain to update all our apps. I need to stop devs deploying on 25 repos, update the central module, then upgrade each repo.

Is there a chance the change will be reconsidered? Or should I take the pain.

@goors

goors commented Jun 1, 2024

This really sucks, but it is what it is. Thank you guys for the clarification.

dramac-planet added a commit to weareplanet/terraform-azure-caf that referenced this issue Jul 1, 2024
saliceti added a commit to DFE-Digital/terraform-modules that referenced this issue Aug 13, 2024
Related to issue hashicorp/terraform-provider-azurerm#26098

We must ignore changes to the argument as it becomes enforced from
azurerm version v3.105.0.
This will allow us to upgrade azurerm in all the repositories. Then we
will be able to set public_network_access_enabled to false and remove
this ignore_changes.

@hiankov

hiankov commented Aug 21, 2024

Hello everyone! Is there any expected time for resolution on this? We can't integrate PostgreSQL Flexible Server in a "Hub and Spoke" topology with a Service Endpoint due to its limitation that it doesn't support communication over peered networks. It has to be with a Private Endpoint instead, because the server has to be on a spoke network. Seems like this Microsoft documentation is not accurate and is misleading so far: https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-private-link
Hope this is getting resolved soon.

@sdwerwed

sdwerwed commented Dec 2, 2024

Forcing us to set public_network_access_enabled to true or false conflicts with the Azure API; it gives this error.

Can't configure a value for "public_network_access_enabled": its value will be decided automatically based on the result of applying this configuration.

We use the 3.117.0

I would expect azurerm to follow the Azure API standards; I would also expect a NOTE in the documentation on this topic.

FYI: faizan1990, is this comment relevant here, or should I create another issue?
