hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_postgresql_flexible_server public_network_access_enabled error when not set #26098

Open saliceti opened 1 month ago

saliceti commented 1 month ago


Terraform Version

1.5.4

AzureRM Provider Version

v3.105.0

Affected Resource(s)/Data Source(s)

azurerm_postgresql_flexible_server

Terraform Configuration Files

resource "azurerm_postgresql_flexible_server" "main" {
  name                   = local.azure_name
  location               = data.azurerm_resource_group.main[0].location
  resource_group_name    = data.azurerm_resource_group.main[0].name
  version                = var.server_version
  administrator_login    = local.database_username
  administrator_password = local.database_password
  create_mode            = "Default"
  storage_mb             = var.azure_storage_mb
  sku_name               = var.azure_sku_name
  delegated_subnet_id    = data.azurerm_subnet.main[0].id
  private_dns_zone_id    = data.azurerm_private_dns_zone.main[0].id
...
}

Debug Output/Panic Output

Terraform will perform the following actions:

  # module.postgres.azurerm_postgresql_flexible_server.main[0] will be updated in-place
  ~ resource "azurerm_postgresql_flexible_server" "main" {
        id                            = "xxx"
        name                          = "xxx"
      ~ public_network_access_enabled = false -> true
        tags                          = xxx
        # (15 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
module.postgres.azurerm_postgresql_flexible_server.main[0]: Modifying... [id=xxx]
╷
│ Error: updating Flexible Server (Subscription: "***"
│ Resource Group Name: "xxx"
│ Flexible Server Name: "xxx"): performing Update: unexpected status 400 (400 Bad Request) with error: ConflictingPublicNetworkAccessAndVirtualNetworkConfiguration: Conflicting configuration is detected between Public Network Access and Virtual Network arguments. Public Network Access is not supported along with Virtual Network feature.
│ 
│   with module.postgres.azurerm_postgresql_flexible_server.main[0],
│   on .terraform/modules/postgres/aks/postgres/resources.tf line 39, in resource "azurerm_postgresql_flexible_server" "main":
│   39: resource "azurerm_postgresql_flexible_server" "main" {
│ 
╵
Releasing state lock. This may take a few moments...

Expected Behaviour

As mentioned in https://github.com/hashicorp/terraform-provider-azurerm/pull/25812

  1. Create the resource with delegated_subnet_id and private_dns_zone_id without public_network_access_enabled using old AzureRM version -> Upgrade to new AzureRM version -> Run tf plan when public_network_access_enabled isn't set in the tf config -> No TF difference occurs.

Actual Behaviour

Plan shows that the value of public_network_access_enabled will be changed to the new default. Then apply fails.

Steps to Reproduce

  1. Run terraform apply with v3.104.2 successfully
  2. Upgrade to v3.105.0
  3. Run terraform plan: it shows a difference
  4. Run terraform plan: it fails

Important Factoids

No response

References

https://github.com/hashicorp/terraform-provider-azurerm/pull/25812

faizan1990 commented 1 month ago

Now you need to explicitly pass public_network_access_enabled = false to your azurerm_postgresql_flexible_server if you are assigning a VNet configuration to your DB instance. public_network_access_enabled defaults to true.

saliceti commented 1 month ago

Thanks @faizan1990 I understand that. But this is a breaking change for my 25 services using the same configuration. And this is not listed as a breaking change so I don't think this was intended.

Another complexity for me is they all rely on the same terraform module. So if I add public_network_access_enabled = false to the module, it will break all the services which have not yet updated to 3.105.0.

neil-yechenwei commented 1 month ago

Thanks for raising this issue. Unfortunately, it's expected behavior since it's by TF design. public_network_access_enabled has to be explicitly set to false in the tf config when delegated_subnet_id and private_dns_zone_id are set. See more details from https://github.com/hashicorp/terraform-provider-azurerm/pull/25812#discussion_r1593692637.

Actually, the breaking change has been declared in the PR description.
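As an added example (not code from this issue, the reporter's module, or the provider), here is how a shared module could carry the change faizan1990 and neil-yechenwei describe while addressing the mixed-provider-version concern raised above. Variable names, the SKU and engine version, and the module layout are assumptions; the provider constraint is the mechanism that makes consumers still on an older azurerm fail at `terraform init` with a version-constraint error rather than at apply time with the 400 shown in the plan output.

```hcl
# Added example: a module-side fix for the azurerm v3.105.0 default change.
# Variable names and resource values below are assumptions for illustration.

terraform {
  required_version = ">= 1.2.0" # lifecycle preconditions need 1.2+

  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      # Consumers still on <= 3.104.x cannot satisfy this constraint, so they
      # stop at `terraform init` instead of producing the false -> true diff.
      version = ">= 3.105.0"
    }
  }
}

variable "name" { type = string }
variable "location" { type = string }
variable "resource_group_name" { type = string }
variable "administrator_login" { type = string }

variable "administrator_password" {
  type      = string
  sensitive = true
}

# null means "no VNet integration"; both must be set together for a
# VNet-integrated server (the provider docs note private_dns_zone_id is
# required whenever delegated_subnet_id is set).
variable "delegated_subnet_id" {
  type    = string
  default = null
}

variable "private_dns_zone_id" {
  type    = string
  default = null
}

locals {
  vnet_integrated = var.delegated_subnet_id != null
}

resource "azurerm_postgresql_flexible_server" "main" {
  name                   = var.name
  location               = var.location
  resource_group_name    = var.resource_group_name
  version                = "16"
  administrator_login    = var.administrator_login
  administrator_password = var.administrator_password
  create_mode            = "Default"
  storage_mb             = 32768
  sku_name               = "GP_Standard_D2s_v3"

  delegated_subnet_id = var.delegated_subnet_id
  private_dns_zone_id = var.private_dns_zone_id

  # Since v3.105.0 this attribute defaults to true when omitted. Azure rejects
  # public access combined with VNet injection
  # (ConflictingPublicNetworkAccessAndVirtualNetworkConfiguration), so derive
  # it from the subnet input rather than relying on the provider default.
  public_network_access_enabled = !local.vnet_integrated

  lifecycle {
    precondition {
      condition     = !local.vnet_integrated || var.private_dns_zone_id != null
      error_message = "delegated_subnet_id requires private_dns_zone_id for a VNet-integrated server."
    }
  }
}
```

After bumping the module, a consumer already on v3.105.0 whose server was created with a delegated subnet should see no change for public_network_access_enabled in `terraform plan` (and `terraform plan -detailed-exitcode` returns 0 if nothing else drifted); a consumer still pinned to v3.104.x fails at init on the provider constraint, which is the safer failure mode for a private-only database.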

saliceti commented 1 month ago

Hi @neil-yechenwei

Thanks for raising this issue. Unfortunately, it's expected behavior since it's by TF design. public_network_access_enabled has to be explicitly set to false in the tf config when delegated_subnet_id and private_dns_zone_id are set. See more details from #25812 (comment).

Could we automatically default to false when delegated_subnet_id and private_dns_zone_id are set? This would avoid the breaking change.

Actually, breaking change has been declared in the PR description.

Shouldn't it be added to the release changelog then?

saliceti commented 1 month ago

@neil-yechenwei @tombuildsstuff we can't upgrade to 3.105.0 as it will be a pain to update all our apps. I need to stop devs deploying on 25 repos, update the central module, then upgrade each repo.

Is there a chance the change will be reconsidered? Or should I take the pain?

goors commented 1 month ago

This really sucks, but it is what it is. Thank you guys for the clarification.