Closed hitty5 closed 1 year ago
@kratkyzobak what do you think? Did you test the code somehow?
I have tested it against MySQL Flexible as Single server (where documentation link points) is “on retirement path”.
@hitty5 can you please confirm, you are trying it against MySQL Single Server resource? If so, we need somehow detect it (probably by provider configuration flag/feature setting??) to call given SET statement before for this type of servers.
I have retested it against "Azure Database for MySQL Flexible Server" with two obsertvations:
First - you can use SET aad_auth_validate_oids_in_tenant = OFF
and it really turns off OIDs verification against Tenant.
Second - when you create user for Managed identity with SET aad_auth_validate_oids_in_tenant = ON
there is translation of Client ID into Object ID (Service principal ID) => It should be set to Service principal ID for Managed identities.
@hitty5 can you please try connecting from Function App as user, you created manually? I belive, token of this user would contain service principal ID in oid
field which is not registered in your MySQL instance? If so, please try to create user with providing service principal ID instead of client ID.
You can find service principal ID in managed identity blade in Azure portal or as output named principal_id
from azurerm_user_assigned_identity
or as identity.principal_id
from azurerm_function_app
.
@kratkyzobak yes, I can confirm that I have used MySQL single server resource.
User assigned identity
I have created an user assigned identity and attached it to the function app. neither principal id nor client id is working with create aaduser
statement.
@hitty5 Can you please do one more test - does this statement work when used manually?
SET aad_auth_validate_oids_in_tenant = OFF;
CREATE AADUSER 'func_pipeline'@'%' IDENTIFIED BY '<client_id>'
Just to be sure, there is not problem with passing hostname and it's really issue only with aad_auth_validate_oids_in_tenant
.
I will then send PR to call this statement as it does not hurt for MySQL Flexible if used properly so probably no problem with using it.
By digging in code and searching for place, where to modify this i found, that you should be able to extend provider configuration by
provider "mysql" {
endpoint = "azure://..."
username = "adminname"
conn_params = {
aad_auth_validate_oids_in_tenant = "OFF"
}
}
Can you please try if this solution is working for you?
@kratkyzobak setting the parameter within the provider configurations works. But now the AAD user gets re-created each time when TF plan is applied:
# mysql_user.aad_func_cps_feedback must be replaced
-/+ resource "mysql_user" "aad_user" {
~ id = "user@%" -> (known after apply)
# (4 unchanged attributes hidden)
+ aad_identity { # forces replacement
+ identity = "<client id>"
+ type = "service_principal"
}
- aad_identity { # forces replacement
- identity = "user" -> null
- type = "group" -> null
}
}
Here the TF code:
resource "mysql_user" "user" {
user = "user
auth_plugin = "aad_auth"
host = "%"
aad_identity {
type = "service_principal"
identity = "<cliend id>"
}
}
Somehow the type is not "service_principal" after creation. I've checked to mysql.user
table and the authentication_string
for the user is not changing after apply.
Can you please send output of SHOW CREATE USER 'user'@'%'
? Most important part is AAD auth data which are saved there. For Service principal, there is excepted to be AADSP:<client-id>:upn:user
. MySQL Single Server probably uses older version of aad_auth
plugin and auth string here would differ.
| CREATE USER 'user'@'%' IDENTIFIED WITH 'aad_auth' AS 'AADApp:<client id>:upn:user' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT |
You are right, the authentication string looks different.
Fix is released in 3.0.36
MySQL AAD user creation fails when using service principal. When using the AAD authenticated administrator to login to MySQL and performing the creation manually, it works:
According to the AZ documentation
aad_auth_validate_oids_in_tenant
must set toOFF
, that's not done by the provider.The MySQL server instance has set the AAD administrator by using
azurerm_mysql_active_directory_administrator
.Terraform Version
Affected Resource(s)
Please list the resources as a list, for example:
Terraform Configuration Files
Panic Output
Expected Behavior
Actual Behavior
Steps to Reproduce
terraform apply