hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for azurerm_cosmosdb_postgresql_cluster entra id roles #26891

Open fredx30 opened 1 month ago

fredx30 commented 1 month ago

Description

I'm using `azurerm_cosmosdb_postgresql_cluster` and I want to implement AAD authentication.

cosmo-for-psql

I'm looking for an "authentication"-like key, the way it's implemented in, for instance, flexible Postgres. There, however, appears to be no such option for Cosmos Postgres.

There are roles that can be added; however, these require a password to be set. This turns them into Postgres accounts and not Entra ID accounts. The login I want to use is documented by Microsoft here.

New or Affected Resource(s)/Data Source(s)

azurerm_cosmosdb_postgresql_cluster, azurerm_cosmosdb_postgresql_role

Potential Terraform Configuration

The implementation here seems a bit different from, for instance, the flexible PostgreSQL servers, which can do this with an `authentication {...}` block. The flexible servers have this as part of the creation parameters, which Cosmos for PostgreSQL does not.

Without having checked specifics, I assume a reasonable way to do this would be to implement a new resource, e.g. `azurerm_cosmosdb_postgresql_cluster_auth_config`, which sets this specific settings parameter, and a new role resource, e.g. `azurerm_cosmosdb_postgresql_cluster_entra_role`, that uses Entra ID parameters to create an Entra ID role.

References

Included as links above where relevant.

aaron-odenweller commented 4 weeks ago

This would be a great feature, but I don't believe Microsoft offers this ability through an API yet, so this might not be possible until that happens.

herquan-docusign commented 1 week ago

> This would be a great feature, but I don't believe Microsoft offers this ability through an API yet, so this might not be possible until that happens.

The feature flag can be found here and the API to add roles can be found here.