hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Terraform should not allow creation of azurerm_postgresql_flexible_server_firewall_rule resource in private access of postgresql flexible server #18248

Open ccsandhanshive opened 2 years ago

ccsandhanshive commented 2 years ago

Is there an existing issue for this?

Community Note

Terraform Version

1.0.0

AzureRM Provider Version

3.2.0

Affected Resource(s)/Data Source(s)

azurerm_postgresql_flexible_server_firewall_rule

Terraform Configuration Files

resource "azurerm_postgresql_flexible_server_firewall_rule" "example" {
  name             = "example-fw"
  server_id        = "/subscriptions/***************/resourceGroups/rg01/providers/Microsoft.DBforPostgreSQL/flexibleServers/postgresql-flexible-server-private-access" # server_id of server where only private access allowed
  start_ip_address = "122.122.0.0"
  end_ip_address   = "122.122.0.0"
}

Debug Output/Panic Output

$ terraform apply
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.POSTGRES_FLEX_SV_FW_RULE.azurerm_postgresql_flexible_server_firewall_rule will be created
  + resource "azurerm_postgresql_flexible_server_firewall_rule" "this" {
      + end_ip_address   = "122.122.0.0"
      + id               = (known after apply)
      + name             = "example-fw"
      + server_id        = "/subscriptions/***************/resourceGroups/rg01/providers/Microsoft.DBforPostgreSQL/flexibleServers/postgresql-flexible-server-private-access"
      + start_ip_address = "122.122.0.0"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions in workspace "JapanEast"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.POSTGRES_FLEX_SV_FW_RULE.azurerm_postgresql_flexible_server_firewall_rule: Creating...
module.POSTGRES_FLEX_SV_FW_RULE.azurerm_postgresql_flexible_server_firewall_rule: Still creating... [10s elapsed]
module.POSTGRES_FLEX_SV_FW_RULE.azurerm_postgresql_flexible_server_firewall_rule: Still creating... [20s elapsed]
module.POSTGRES_FLEX_SV_FW_RULE.azurerm_postgresql_flexible_server_firewall_rule: Still creating... [30s elapsed]
module.POSTGRES_FLEX_SV_FW_RULE.azurerm_postgresql_flexible_server_firewall_rule: Still creating... [40s elapsed]
module.POSTGRES_FLEX_SV_FW_RULE.azurerm_postgresql_flexible_server_firewall_rule: Still creating... [50s elapsed]
module.POSTGRES_FLEX_SV_FW_RULE.azurerm_postgresql_flexible_server_firewall_rule: Still creating... [1m0s elapsed]
module.POSTGRES_FLEX_SV_FW_RULE.azurerm_postgresql_flexible_server_firewall_rule: Creation complete after 1m1s [id=/subscriptions/****************/resourceGroups/rg01/providers/Microsoft.DBforPostgreSQL/flexibleServers/postgresql-flexible-server-private-access/firewallRules/example-fw]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
$

Expected Behaviour

Terraform should not allow creation of an azurerm_postgresql_flexible_server_firewall_rule resource on a PostgreSQL flexible server with private access; rather, it should throw a validation error saying that a PostgreSQL flexible server firewall rule resource can be created only where public access is allowed.

Actual Behaviour

Steps to Reproduce

terraform apply

Important Factoids

No response

References

neil-yechenwei commented 2 years ago

Thanks for raising this issue. Though the firewall rule is created, the server actually cannot be accessed with that IP. This issue will be fixed on the service side, since the expected behavior should be to fail, as you mentioned. So I filed an issue at https://github.com/Azure/azure-rest-api-specs/issues/20616 for tracking.
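Until the service rejects such rules, a pre-apply check over the plan JSON can flag them. The following is an added example, not part of the thread and not the provider's code. It assumes the server is managed in the same configuration and already exists (so its `id` is known), and it treats a non-empty `delegated_subnet_id` as the marker for private access. The names `walk`, `res`, `ineffective_rules` and `SAMPLE_PLAN` are hypothetical.

```python
import json
import sys

SERVER = "azurerm_postgresql_flexible_server"
RULE = "azurerm_postgresql_flexible_server_firewall_rule"
# Constructed IDs; the subscription GUID is a placeholder.
BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg01"
        "/providers/Microsoft.DBforPostgreSQL/flexibleServers/")

def res(address, rtype, **values):
    """Build one resource entry in the plan-JSON shape (sample data only)."""
    return {"address": address, "type": rtype, "values": values}

# Constructed sample in the shape of `terraform show -json <planfile>`.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        res(SERVER + ".private", SERVER, id=BASE + "pg-private",
            delegated_subnet_id="constructed-subnet-id"),
        res(SERVER + ".public", SERVER, id=BASE + "pg-public",
            delegated_subnet_id=None),
        res(RULE + ".ok", RULE, server_id=BASE + "pg-public",
            start_ip_address="122.122.0.0", end_ip_address="122.122.0.0"),
    ],
    "child_modules": [{"resources": [
        res("module.fw." + RULE + ".this", RULE, server_id=BASE + "PG-PRIVATE",
            start_ip_address="122.122.0.0", end_ip_address="122.122.0.0"),
    ]}],
}}}

def walk(module):
    """Yield every resource in a plan module and, recursively, its children."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def ineffective_rules(plan):
    """Return addresses of firewall rules attached to private-access servers."""
    resources = list(walk(plan.get("planned_values", {}).get("root_module", {})))
    # Assumption: delegated_subnet_id set means private (VNet) access.
    private_ids = {r["values"]["id"].lower() for r in resources
                   if r["type"] == SERVER and r["values"].get("id")
                   and r["values"].get("delegated_subnet_id")}
    # Azure resource IDs are case-insensitive, so compare lowercased.
    return sorted(r["address"] for r in resources if r["type"] == RULE
                  and (r["values"].get("server_id") or "").lower() in private_ids)

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    hits = ineffective_rules(plan)
    print("\n".join(hits))
    sys.exit(1 if hits else 0)  # non-zero exit fails a CI gate
```

A firewall rule whose `server_id` is a hard-coded string pointing at a server outside the plan, as in the configuration above, cannot be matched this way and needs a lookup of the server's network settings instead.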