hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_postgresql_flexible_server doesn't have TLS options #27969

Open Condabas opened 6 days ago

Condabas commented 6 days ago

Is there an existing issue for this?

Community Note

azurerm_postgresql_flexible_server does not have options for the TLS settings like the Azure CLI does.

Missing:

az postgres server create [--admin-password] [--admin-user] [--assign-identity] [--auto-grow {Disabled, Enabled}] [--backup-retention] [--geo-redundant-backup {Disabled, Enabled}] [--infrastructure-encryption {Disabled, Enabled}] [--location] [--minimal-tls-version {TLS1_0, TLS1_1, TLS1_2, TLSEnforcementDisabled}] [--name] [--public] [--resource-group] [--sku-name] [--ssl-enforcement {Disabled, Enabled}] [--storage-size] [--tags] [--version]

Terraform Version

1.9

AzureRM Provider Version

4.9

Affected Resource(s)/Data Source(s)

azurerm_postgresql_flexible_server

Terraform Configuration Files

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-vn"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "example" {
  name                 = "example-sn"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
  delegation {
    name = "fs"
    service_delegation {
      name = "Microsoft.DBforPostgreSQL/flexibleServers"
      actions = [
        "Microsoft.Network/virtualNetworks/subnets/join/action",
      ]
    }
  }
}

resource "azurerm_private_dns_zone" "example" {
  name                = "example.postgres.database.azure.com"
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "example" {
  name                  = "exampleVnetZone.com"
  private_dns_zone_name = azurerm_private_dns_zone.example.name
  virtual_network_id    = azurerm_virtual_network.example.id
  resource_group_name   = azurerm_resource_group.example.name
  depends_on            = [azurerm_subnet.example]
}

resource "azurerm_postgresql_flexible_server" "example" {
  name                          = "example-psqlflexibleserver"
  resource_group_name           = azurerm_resource_group.example.name
  location                      = azurerm_resource_group.example.location
  version                       = "12"
  delegated_subnet_id           = azurerm_subnet.example.id
  private_dns_zone_id           = azurerm_private_dns_zone.example.id
  public_network_access_enabled = false
  administrator_login           = "psqladmin"
  administrator_password        = "H@Sh1CoR3!"
  zone                          = "1"

  storage_mb   = 32768
  storage_tier = "P30"

  sku_name   = "GP_Standard_D4s_v3"
  depends_on = [azurerm_private_dns_zone_virtual_network_link.example]
}

Debug Output/Panic Output

lexible Server Name: "pgsql-wws-icsr-dp-dev-001"): performing Create: unexpected status 403 (403 Forbidden) with error: RequestDisallowedByPolicy: Resource 'pgsql-wws-icsr-dp-dev-001' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"pfe-DatabasePostgreSQL-AzureEntraAuth-audit","id":"/providers/Microsoft.Management/managementGroups/internal/providers/Microsoft.Authorization/policyAssignments/045ad587269b448e98563eb3"},"policyDefinition":{"name":"pfe-DatabasePostgreSQL-AzureEntraAuth-Audit","id":"/providers/Microsoft.Management/managementGroups/1664f284-b456-4e85-a30d-807a6e131558/providers/Microsoft.Authorization/policyDefinitions/c323f506-4f18-4fc7-9029-bd55b4c59712"}},{"policyAssignment":{"name":"pfe-DatabasePostgreSQL-TLS-deny","id":"/providers/Microsoft.Management/managementGroups/internal/providers/Microsoft.Authorization/policyAssignments/ccbcfd2893d14af1b0591d2b"},"policyDefinition":{"name":"pfe-DatabasePostgreSQL-TLS-deny","id":"/providers/Microsoft.Management/managemen
     tf_provider_addr=provider diagnostic_detail="" tf_proto_version=5.6 tf_resource_type=azurerm_postgresql_flexible_server timestamp=2024-11-11T16:03:38.695Z

Expected Behaviour

No response

Actual Behaviour

No response

Steps to Reproduce

No response

Important Factoids

No response

References

No response

ziyeqf commented 5 days ago

Hi @Condabas, thanks for opening the issue.

The CLI command az postgres server create creates a PostgreSQL server rather than a flexible server. In the AzureRM provider, that is azurerm_postgresql_server, and it has an ssl_minimal_tls_version_enforced property.

For any further questions please leave comments.
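
A pre-apply check for the property named in the reply above, as an added example that is not part of the issue thread or the provider: it reads `terraform show -json` plan output and flags `azurerm_postgresql_server` resources whose `ssl_minimal_tls_version_enforced` is one of the weaker `--minimal-tls-version` choices quoted in the issue. The plan document and resource addresses are constructed; `ssl_enforcement_enabled` is assumed to be present in the planned values of that resource.

```python
import json

# Weaker choices from the --minimal-tls-version list quoted in the issue.
WEAK_TLS = {"TLS1_0", "TLS1_1", "TLSEnforcementDisabled"}
RESOURCE_TYPE = "azurerm_postgresql_server"


def _rc(name, rtype, after):
    """Build one constructed resource_changes entry."""
    actions = ["delete"] if after is None else ["create"]
    return {"address": f"{rtype}.{name}", "type": rtype,
            "change": {"actions": actions, "after": after}}


# Constructed sample in the shape of `terraform show -json <planfile>`.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    _rc("legacy", RESOURCE_TYPE, {"ssl_enforcement_enabled": True,
                                  "ssl_minimal_tls_version_enforced": "TLS1_0"}),
    _rc("open", RESOURCE_TYPE, {"ssl_enforcement_enabled": False,
                                "ssl_minimal_tls_version_enforced": "TLSEnforcementDisabled"}),
    _rc("good", RESOURCE_TYPE, {"ssl_enforcement_enabled": True,
                                "ssl_minimal_tls_version_enforced": "TLS1_2"}),
    _rc("retired", RESOURCE_TYPE, None),  # planned for destroy, no "after" state
    # The flexible server has no such attribute, so it is out of scope here.
    _rc("example", "azurerm_postgresql_flexible_server", {"version": "12"}),
]})


def weak_tls_findings(plan_json):
    """Return (address, reason) pairs for single-server resources with weak TLS."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        after = rc.get("change", {}).get("after")
        if after is None:  # resource is being destroyed, nothing to check
            continue
        if after.get("ssl_enforcement_enabled") is False:
            findings.append((rc["address"], "ssl_enforcement_enabled = false"))
        tls = after.get("ssl_minimal_tls_version_enforced")
        if tls in WEAK_TLS:
            findings.append((rc["address"],
                             f"ssl_minimal_tls_version_enforced = {tls}"))
    return findings


if __name__ == "__main__":
    for address, reason in weak_tls_findings(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```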