Open marcoboffi opened 1 year ago
me too
any possible solution?
Any progress? AD support for the flexible server is in GA now
any progress on AD support?
It could be good to add the AAD support for flexible server quickly given that Azure Database for MySQL single server is on the retirement path and people will start to use flexible as a preferred solution
+1
Has there been any update on this as I find myself now needing to start the migration process over from single server to flexible server and this does need to be set
Any update?
Taking a look at the ARM template, Microsoft.DBforMySQL flexibleServers/administrators, it looks like a reasonable request for implementation in AzureRM provider.
@sigv IIRC, the AzureRM provider depends on the Azure Go SDK, which depends on Microsoft extending the API, which is something Microsoft does when planning to go from preview to GA with a feature. There is the AzAPI Terraform provider, which can utilize a given resource template.
As configuring AAD auth is a separate resource from the server itself, it is very easy to mix the AzAPI and AzureRM providers in this case.
My approach, for example:
resource "azapi_resource" "mysql_flexible_server_administrator" {
  count     = var.aad_auth != null ? 1 : 0
  type      = "Microsoft.DBforMySQL/flexibleServers/administrators@2021-12-01-preview"
  name      = "ActiveDirectory"
  parent_id = azurerm_mysql_flexible_server.primary.id
  body = jsonencode({
    properties = {
      administratorType = "ActiveDirectory"
      # this identity needs to have the Directory Reader Azure AD role assigned;
      # if not, this will fail with "AzureKeyVaultNoServerIdentity"
      # we're not running Terraform as Azure Global admins, so the identity is created in advance
      identityResourceId = var.aad_auth.identity_id
      # this will be the username used to log in as server admin. The Portal would set the name of the identity below here;
      # this is not needed
      login = "aad-superuser"
      # object id of the group whose members will be able to access the server as administrators
      sid      = var.aad_auth.admin_object_id
      tenantId = var.aad_auth.tenant_id
    }
  })
}
The used identity (in the example, var.aad_auth.identity_id) has to be assigned to the server using the identity block of azurerm_mysql_flexible_server, and has to have the Directory Reader role, as stated in the Azure documentation.
Creating this resource would enable mixed auth (password and AAD). You can disable password users' access by setting the configuration aad_auth_only to on (for example via azurerm_mysql_flexible_server_configuration).
It looks like AD support was added for MySQL flex back in v3.58.0 with this MR: https://github.com/hashicorp/terraform-provider-azurerm/pull/21786. However, I am not seeing support for AD only. Can support be added to the MySQL flex server so I can enable only AD login and completely disable local auth?
If you want AD only, you should set the aad_only server parameter using azurerm_mysql_flexible_server_configuration.
IIRC, the Azure Portal does exactly the same thing when you select "AD only". There is still an admin with a standard password, but it is just disabled by this parameter.
OK, thanks for that information, I will try out that parameter. Is that really what the Azure Portal does when selecting "Azure Active Directory authentication only" for the auth method?
As stated in documentation:
Only Azure AD authentication - MySQL native authentication is disabled, and users are able to authenticate using only their Azure AD user and token. To enable this mode, the server parameter aad_auth_only is set to enabled.
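Putting the two pieces from this thread together (the AD administrator resource mentioned in the issue description and the aad_auth_only server parameter discussed above), as an added example that is not from the thread or the provider docs. The resource group, identity, server names and the `db_admin_password` variable are assumptions; the identity must already hold the Directory Readers role, which this configuration does not grant.

```hcl
# Example only: a user-assigned identity attached to the server carries the
# Directory Readers role (assigned outside Terraform in this example).
resource "azurerm_user_assigned_identity" "mysql" {
  name                = "mysql-aad-identity"     # assumed name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}

resource "azurerm_mysql_flexible_server" "example" {
  name                   = "example-mysql-flex"   # assumed name
  resource_group_name    = azurerm_resource_group.example.name
  location               = azurerm_resource_group.example.location
  administrator_login    = "localadmin"
  administrator_password = var.db_admin_password  # placeholder, supplied out of band
  sku_name               = "B_Standard_B1ms"

  # The identity block is what lets the service read AAD objects.
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.mysql.id]
  }
}

# Native azurerm resource that replaces the AzAPI workaround posted earlier.
resource "azurerm_mysql_flexible_server_active_directory_administrator" "example" {
  server_id   = azurerm_mysql_flexible_server.example.id
  identity_id = azurerm_user_assigned_identity.mysql.id
  login       = "aad-superuser"
  object_id   = var.aad_admin_group_object_id   # assumed: AAD group of DB admins
  tenant_id   = data.azurerm_client_config.current.tenant_id
}

# Disable MySQL native (password) logins so only AAD tokens are accepted.
# Depends on the administrator so the server never ends up with no usable admin.
resource "azurerm_mysql_flexible_server_configuration" "aad_only" {
  name                = "aad_auth_only"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_mysql_flexible_server.example.name
  value               = "ON"

  depends_on = [azurerm_mysql_flexible_server_active_directory_administrator.example]
}

data "azurerm_client_config" "current" {}
```

Before flipping aad_auth_only to ON, confirm you can actually log in with an AAD token as the configured administrator; once native auth is disabled, the local administrator_login can no longer be used for recovery.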
Can this issue be closed with the existence of the azurerm_mysql_flexible_server_active_directory_administrator resource?
yes
On Wed, 27 Dec 2023 at 8:23 PM, Oliver Wiebeck @.***> wrote:
Can this issue be closed with the existence of the azurerm_mysql_flexible_server_active_directory_administrator https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_flexible_server_aad_administrator resource?
Description
Azure Active Directory authentication for Azure Database for MySQL - Flexible Server improves database security by delegating credential management and authentication to a centralized identity provider. Azure Active Directory supports advanced security features such as second-factor authentication options, password lifecycle management, application and managed identities, and conditional access. Azure Active Directory for Azure Database for MySQL - Flexible Server now provides full support for managed identities, improved group roles, support for invited users, and an Azure Active Directory-only authentication mode with the ability to disable local user support.
New or Affected Resource(s)/Data Source(s)
azurerm_mysql_flexible_server_active_directory_administrator
Potential Terraform Configuration
References
https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-azure-ad-authentication