betr-io / terraform-provider-mssql

Terraform provider for Microsoft SQL Server
https://registry.terraform.io/providers/betr-io/mssql/latest
MIT License

Using mssql_user without a client_id and client_secret #57

Closed linak-lukasmendez closed 3 months ago

linak-lukasmendez commented 1 year ago

Hi.

I'm using the resource "mssql_user" as it should give me the possibility to grant SQL permissions to one of my security groups in Azure and this way allow them to access the SQL database using Managed Identity.

The goal in general is to have as few passwords/secrets as possible throughout the entire project. However, I can't really figure out if this is supported by your Terraform provider.

What I would assume is that it could use my Default Azure Credentials (the ones I'm using for az login) and then perform the given actions with my personal account.

This is what I'm doing exactly:

resource "mssql_user" "portal" {
  server {
    host = data.azurerm_mssql_server.global.fully_qualified_domain_name

    azuread_default_chain_auth {
      # Should just use DefaultAzureCredential to authorize. So if the current user has access to the SQL server, this should work
    }
  }
  object_id = azuread_group.sql_application_contributors.object_id
  database  = data.azurerm_mssql_database.global.name
  username  = "OneConnect SQL Contributor"
  roles     = ["db_datareader", "db_datawriter"]
}

But whenever I run it I get the following error:

╷
│ Error: unable to create user [sqldb-moc-global-weu-dev-7jky].[OneConnect SQL Contributor]: db connection failed after 30s timeout
│
│   with mssql_user.portal,
│   on sql_user.tf line 1, in resource "mssql_user" "portal":
│    1: resource "mssql_user" "portal" {
│
╵

Am I doing something wrong?

Thanks in advance

mkusmiy commented 1 year ago

One of the reasons for the timeout: access not opened on the SQL server firewall. Make sure your IP (range) is allowed on the SQL server, assuming you run it from your PC, or the IP address of the CI/CD agent where this TF code is executed.

nazirakz commented 1 year ago

@linak-lukasmendez @mkusmiy hello! How does "azuread_default_chain_auth" work? I set an application as the AD SQL admin; will "azuread_default_chain_auth" use its credentials by default?
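
Putting the two points in this thread together (the firewall rule mkusmiy mentions, and the question of which credential `azuread_default_chain_auth` ends up using), here is a complete Terraform wiring as an added example. It is not code from the original post or from the betr-io provider; the server, database and group names, the resource group and the runner IP are all assumed placeholders. The name `azuread_default_chain_auth` suggests the provider authenticates with the azidentity `DefaultAzureCredential` chain, which tries environment-variable credentials, workload identity, managed identity and finally the Azure CLI login, in that order; that mapping to the provider's internals is an assumption, not something the page confirms.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
    mssql   = { source = "betr-io/mssql" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Assumed: server, database and security group already exist; names are placeholders.
data "azurerm_mssql_server" "global" {
  name                = "sql-global-dev"
  resource_group_name = "rg-global-dev"
}

data "azurerm_mssql_database" "global" {
  name      = "sqldb-global-dev"
  server_id = data.azurerm_mssql_server.global.id
}

data "azuread_group" "sql_application_contributors" {
  display_name     = "sql-application-contributors"
  security_enabled = true
}

# Public IP of whatever runs `terraform apply` (your PC or the CI/CD agent).
# 203.0.113.10 is a documentation address, used here as a constructed value.
variable "runner_ip" {
  type    = string
  default = "203.0.113.10"
}

# Without a matching rule the provider cannot reach the server and the apply
# fails with "db connection failed after 30s timeout".
resource "azurerm_mssql_firewall_rule" "runner" {
  name             = "terraform-runner"
  server_id        = data.azurerm_mssql_server.global.id
  start_ip_address = var.runner_ip
  end_ip_address   = var.runner_ip
}

resource "mssql_user" "portal" {
  server {
    host = data.azurerm_mssql_server.global.fully_qualified_domain_name

    # No client_id / client_secret: the identity is whatever the default
    # credential chain resolves to (env vars, workload identity, managed
    # identity, or the `az login` user when run from a workstation).
    azuread_default_chain_auth {}
  }

  database  = data.azurerm_mssql_database.global.name
  username  = "OneConnect SQL Contributor"
  object_id = data.azuread_group.sql_application_contributors.object_id
  roles     = ["db_datareader", "db_datawriter"]

  # Make sure the firewall rule exists before the provider opens a connection.
  depends_on = [azurerm_mssql_firewall_rule.runner]
}
```

Two checks worth doing before blaming the provider. First, confirm which principal the chain resolves to where Terraform actually runs: on a workstation with no `AZURE_*` variables set it is the `az login` user, on a CI agent or VM with a managed identity it is that identity, and an application that you merely configured as the server's Azure AD admin is not picked up unless its credentials are present in the chain (for example through the `AZURE_CLIENT_ID` / `AZURE_TENANT_ID` / `AZURE_CLIENT_SECRET` environment variables). Second, creating an Azure AD contained user (`CREATE USER ... FROM EXTERNAL PROVIDER`) requires the connecting identity itself to be an Azure AD principal with `ALTER ANY USER` in the target database, which in practice means the resolved principal must be the server's Azure AD admin or a member of that admin group; a SQL login or an unprivileged Azure AD user fails at that step even once the firewall is open.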