Closed jgreat closed 2 years ago
I see the same behavior with Bicep, so this is not a Terraform-specific issue.
I have the same issue in Terraform: when creating a database in replica mode, it fails.
One possible way around this that I found was to create the primary and the replica databases without the customer managed key initially then update the primary and secondary databases with the customer managed key.
I'm stuck. It doesn't seem possible to use a Terraform workflow to create a working PostgreSQL replica when you define a Key Vault (BYOK) key. The server remains in an Inaccessible state until the identity is created, the identity is given access to the Key Vault, and the key is "re-validated".
I can accomplish some of these tasks with Terraform.
az postgres server update --assign-identity as workaround)
The az CLI workflow is here. Revalidating the key is done by running an az postgres server key create command for the already associated key.
The azurerm_postgresql_server_key resource sees that a key has already been associated with the Postgres server and errors out with
A resource with the ID ... already exists - to be managed via Terraform this resource needs to be imported into the State.
If you import this resource, it appears to be in a valid state (but not the parent database), so Terraform doesn't do anything with it.
This does feel like an upstream (Azure) problem.
Community Note
Terraform (and AzureRM Provider) Version
Affected Resource(s)
azurerm_postgresql_server_key
Terraform Configuration Files
Debug Output
Expected Behaviour
I should be able to create a PostgreSQL server Replica that uses a Key Vault key with a pure Terraform workflow.
Actual Behaviour
Azure makes this really hard since their API doesn't handle the re-validation of keys or provide a consumable state of the key.
Steps to Reproduce
terraform apply
References
10480 - Missing Identity block after
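The az CLI sequence the issue describes for a replica stuck in the Inaccessible state (assign an identity, give it access to the Key Vault, re-run key create for the already associated key), as an added example that is not from the issue author or the AzureRM provider. The function name, its arguments, the get/wrapKey/unwrapKey permission set and the userVisibleState query are assumptions not taken from the issue.

```shell
#!/usr/bin/env bash
# Added example: re-validate a customer-managed key on a PostgreSQL replica.
# Assumptions (not from the issue): the function name, its argument order,
# the key permission set, and the resource names supplied by the caller.

# revalidate_replica_key <resource-group> <replica-server> <key-vault> <key-id>
revalidate_replica_key() {
  local rg="$1" server="$2" vault="$3" kid="$4" principal state

  # 1. Give the replica a system-assigned identity (the issue's workaround step).
  az postgres server update --resource-group "$rg" --name "$server" \
    --assign-identity >/dev/null || return 1

  # 2. Read back the identity's object id; stop if none was assigned.
  principal=$(az postgres server show --resource-group "$rg" --name "$server" \
    --query identity.principalId --output tsv) || return 1
  [ -n "$principal" ] || { echo "no identity on $server" >&2; return 1; }

  # 3. Grant that identity only the key permissions data encryption needs.
  az keyvault set-policy --name "$vault" --object-id "$principal" \
    --key-permissions get wrapKey unwrapKey >/dev/null || return 1

  # 4. Re-validate: run key create again for the already associated key.
  az postgres server key create --resource-group "$rg" --name "$server" \
    --kid "$kid" >/dev/null || return 1

  # 5. Print the resulting state; anything other than Ready is a failure.
  state=$(az postgres server show --resource-group "$rg" --name "$server" \
    --query userVisibleState --output tsv) || return 1
  echo "$state"
  [ "$state" = "Ready" ]
}
```

Run it after the replica exists, for example from a wrapper script that follows `terraform apply`; a non-zero exit means the server did not report Ready.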