Open seppmaier99 opened 2 years ago
Per the doc description, azurerm_private_endpoint.private_service_connection.subresource_names only supports mysql server.
After testing with the tf config below and the latest provider version, azurerm_spring_cloud_app_mysql_association works fine from our side. My tf config:
```hcl
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "test" {
  name     = "acctestRG-spring-test01"
  location = "West Europe"
}

resource "azurerm_spring_cloud_service" "test" {
  name                = "acctest-sc-test01"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_spring_cloud_app" "test" {
  name                = "acctest-sca-test01"
  resource_group_name = azurerm_spring_cloud_service.test.resource_group_name
  service_name        = azurerm_spring_cloud_service.test.name
}

resource "azurerm_mysql_server" "test" {
  name                             = "acctestmysqlsvr-test01"
  location                         = azurerm_resource_group.test.location
  resource_group_name              = azurerm_resource_group.test.name
  sku_name                         = "GP_Gen5_2"
  administrator_login              = "acctestun"
  administrator_login_password     = "B@Sh1CoR3!"
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_1"
  storage_mb                       = 51200
  version                          = "5.7"
}

resource "azurerm_mysql_database" "test" {
  name                = "acctest-db-test01"
  resource_group_name = azurerm_resource_group.test.name
  server_name         = azurerm_mysql_server.test.name
  charset             = "utf8"
  collation           = "utf8_unicode_ci"
}

resource "azurerm_spring_cloud_app_mysql_association" "test" {
  name                = "acctestscamb-test01"
  spring_cloud_app_id = azurerm_spring_cloud_app.test.id
  mysql_server_id     = azurerm_mysql_server.test.id
  database_name       = azurerm_mysql_database.test.name
  username            = azurerm_mysql_server.test.administrator_login
  password            = azurerm_mysql_server.test.administrator_login_password
}
```
3. After testing, the [example](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_flexible_server) in the doc of mysql fs works fine locally for me.
4. The serviceAssociationLink issue you mentioned has been fixed on the service side. See more details at https://github.com/hashicorp/terraform-provider-azurerm/issues/15032.
Below is the example that works fine locally for me:
```hcl
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "test" {
  name     = "acctestRG-mysqlfs-test03"
  location = "eastus"
}

resource "azurerm_virtual_network" "test" {
  name                = "acctest-dbvn-test03"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "test" {
  name                 = "acctest-subnettest03"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.test.name
  address_prefixes     = ["10.0.2.0/24"]
  service_endpoints    = ["Microsoft.Storage"]

  delegation {
    name = "acctest-sndel"
    service_delegation {
      name    = "Microsoft.DBforMySQL/flexibleServers"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action",]
    }
  }
}

resource "azurerm_private_dns_zone" "test" {
  name                = "acctestVnetZonetest03.mysql.database.azure.com"
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "test" {
  name                  = "acctestVnetZonetest03.com"
  resource_group_name   = azurerm_resource_group.test.name
  private_dns_zone_name = azurerm_private_dns_zone.test.name
  virtual_network_id    = azurerm_virtual_network.test.id
}

resource "azurerm_mysql_flexible_server" "test" {
  name                         = "acctest-mysqlfs-test03"
  location                     = azurerm_resource_group.test.location
  resource_group_name          = azurerm_resource_group.test.name
  backup_retention_days        = 7
  geo_redundant_backup_enabled = false
  sku_name                     = "GP_Standard_D2ds_v4"
  version                      = "8.0.21"
  administrator_login          = "adminTerraform"
  administrator_password       = "BGZwsx123"

  storage {
    auto_grow_enabled = false
    size_gb           = 32
  }

  delegated_subnet_id = azurerm_subnet.test.id
  private_dns_zone_id = azurerm_private_dns_zone.test.id

  depends_on = [azurerm_private_dns_zone_virtual_network_link.test]
}
```
For further usage problems, I suggest leaving a message on https://discuss.hashicorp.com/c/terraform-providers/tf-azure/34. Thanks.
Thank you very much for the detailed response!
I think I have found the main mistake in my project. As we have defined the virtual networks + subnets in a separate parent project, which is executed separately in the pipeline, I don't have access to the azurerm_private_dns_zone + azurerm_subnet within the subproject, where the flexible server is defined (with the single server, this was not an issue as we used the azurerm_spring_cloud_app_mysql_association). Probably it is possible to import those resources and then use them in the subproject.
Still one question here for the delegation: Is it possible to define the delegation in the parent project and use it for multiple subprojects and if yes, can there be several delegations, e.g. one for mysql flexible and one for postgresql flexible in one subnet?
Thank you and have a nice weekend
Yes. I think you can define the subnet with delegation in the parent project. See the Terraform docs for more usage. Per the docs, one or more delegations can be added, but I didn't try the scenario of "one for mysql flexible and one postgresql flexible in one subnet". For further usage problems, I suggest leaving a message on https://discuss.hashicorp.com/c/terraform-providers/tf-azure/34. Thanks.
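The arrangement discussed in this exchange, as an added example that is not part of the original thread or the provider's documentation: the subproject looks up the parent project's delegated subnet and private DNS zone through data sources instead of declaring them. The network names reuse those from the config earlier in the thread; the subproject resource group, server name and password variable are assumptions.

```hcl
# Added example, not from the thread. Assumes the parent project has already
# created the subnet (with the Microsoft.DBforMySQL/flexibleServers delegation),
# the private DNS zone, and the zone's virtual network link.
provider "azurerm" {
  features {}
}

variable "network_rg" {
  type    = string
  default = "acctestRG-mysqlfs-test03" # assumed: parent project's resource group
}

variable "mysql_admin_password" {
  type      = string
  sensitive = true # set via TF_VAR_mysql_admin_password, not in the config
}

# Read-only lookups; the parent project remains the owner of both resources.
data "azurerm_subnet" "mysql" {
  name                 = "acctest-subnettest03"
  virtual_network_name = "acctest-dbvn-test03"
  resource_group_name  = var.network_rg
}

data "azurerm_private_dns_zone" "mysql" {
  name                = "acctestVnetZonetest03.mysql.database.azure.com"
  resource_group_name = var.network_rg
}

resource "azurerm_resource_group" "app" {
  name     = "acctestRG-subproject" # assumed name
  location = "eastus"               # same region as the parent's virtual network
}

resource "azurerm_mysql_flexible_server" "test" {
  name                   = "acctest-mysqlfs-sub01" # assumed name
  location               = azurerm_resource_group.app.location
  resource_group_name    = azurerm_resource_group.app.name
  sku_name               = "GP_Standard_D2ds_v4"
  version                = "8.0.21"
  administrator_login    = "adminTerraform"
  administrator_password = var.mysql_admin_password

  # Private access: the server is placed in the delegated subnet and is
  # reachable from inside the virtual network, with no public firewall rule.
  delegated_subnet_id = data.azurerm_subnet.mysql.id
  private_dns_zone_id = data.azurerm_private_dns_zone.mysql.id
}
```

The parent project has to be applied first; the subproject's plan fails at the data lookups if the subnet or zone does not exist yet.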
Hi,
1.) I have an issue with the Azure Mysql Flexible Server private_service_connection. According to the documentation, the subresources_names are only available for
Azure Database for MySQL | Microsoft.DBforMySQL/servers | mysqlServer
and the subresources_names is "mysqlServer".
Is there an equivalent for the Mysql Flexible Server, like "flexibleServers" or similar?
What could be another way to connect an Azure Spring Cloud to the flexible server? The old "azurerm_spring_cloud_app_mysql_association" does not work.
2.) Then I tried to set it up manually. It worked, but only when I fully opened the firewall and let all Azure services have access to the flexible server, just to see if it ever works at all. As I want to have it secure and to be automatically created with terraform, I tried the proposed solution from the documentation, see point 3.
3.) I tried the example with service delegation according to the documentation https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_flexible_server
This did not work, and my script needed over an hour and ran into an error. It could not delete the existing subnet and recreate it with the delegation. Now I have been stuck, not being able to delete the subnet, see also https://docs.microsoft.com/en-us/answers/questions/140197/unable-to-delete-vnet-due-to-serviceassociationlin.html
I think this maybe has nothing to do with the flexible server, maybe it would work from scratch if I reset the whole environment and build it new, but this takes a lot of time and is out of scope.
Thanks