
Public network access enabled for PostgreSQL Flexible Server #14989

Closed
kmehkeri opened this issue Jan 17, 2022 · 13 comments · Fixed by #25812

Comments

@kmehkeri

Is there any reason why public_network_access_enabled can be set for PostgreSQL Server (here), but not for PostgreSQL Flexible Server (it's just an attribute - could this mean that it is inferred based on some other parameters)?

@neil-yechenwei
Contributor

@kmehkeri , thanks for raising this issue. At service API side, this property in Postgresql Flexible Server is marked as read-only but this property in Postgresql Server is marked as optional. I assume it's by API design.

@StepanKuksenko

When I create a flexible PostgreSQL server in the UI it is possible to choose between Public access or Private access;
it is also possible to configure this with the Azure CLI, there is a parameter --public-access here.
So the question is how to configure Public access or Private access modes with Terraform, since it is possible in the UI/CLI. I suppose the Azure CLI uses the same API that the Terraform Azure provider does.

@StepanKuksenko

StepanKuksenko commented Apr 26, 2022

I figured out how it works with PostgreSQL Flexible Server:
if you don't specify delegated_subnet_id and private_dns_zone_id the server will be configured with Public access, but you also need to configure firewall rules because by default everything is denied.
Example to configure firewall rules for Azure IPs and all public IPs:

resource "azurerm_postgresql_flexible_server_firewall_rule" "azure" {
  count = var.public_network_access_enabled ? 1 : 0

  name             = "allow-access-from-azure-services"
  server_id        = azurerm_postgresql_flexible_server.main.id
  start_ip_address = "0.0.0.0"
  end_ip_address   = "0.0.0.0"
}

resource "azurerm_postgresql_flexible_server_firewall_rule" "all" {
  count = var.public_network_access_enabled && var.firewall_allow_all_ips ? 1 : 0

  name             = "allow-all-ips"
  server_id        = azurerm_postgresql_flexible_server.main.id
  start_ip_address = "0.0.0.0"
  end_ip_address   = "255.255.255.255"
}

So if you need to configure Private access you also should deploy a virtual network, subnet, private DNS zone and private DNS zone virtual network link, as shown in the basic example here.

I think this issue can be closed.
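The Private access layout that the comment above describes (virtual network, delegated subnet, private DNS zone and its virtual network link, then the server referencing the subnet and zone), written out end to end as an added example. This is not code from the thread or from the provider's documentation; the resource names, region, address ranges, DNS zone label and the administrator_password variable are all assumptions for illustration.

```hcl
# Added example (not from the issue thread): end-to-end "Private access"
# configuration for azurerm_postgresql_flexible_server. Every name, region
# and address range below is an assumed sample value.

resource "azurerm_resource_group" "example" {
  name     = "rg-pgflex-private"
  location = "westeurope"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-pgflex"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.20.0.0/16"]
}

# The subnet is delegated to the flexible-server service; once delegated,
# no other resource type can be placed in it.
resource "azurerm_subnet" "db" {
  name                 = "snet-pgflex"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.20.1.0/24"]

  delegation {
    name = "pgflex-delegation"
    service_delegation {
      name    = "Microsoft.DBforPostgreSQL/flexibleServers"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
    }
  }
}

# Private DNS zone in which the server registers its FQDN; the zone name
# must end in .postgres.database.azure.com.
resource "azurerm_private_dns_zone" "db" {
  name                = "pgflex-private.postgres.database.azure.com"
  resource_group_name = azurerm_resource_group.example.name
}

# Link the zone to the VNet so clients inside it can resolve the server.
resource "azurerm_private_dns_zone_virtual_network_link" "db" {
  name                  = "pgflex-dns-link"
  private_dns_zone_name = azurerm_private_dns_zone.db.name
  virtual_network_id    = azurerm_virtual_network.example.id
  resource_group_name   = azurerm_resource_group.example.name
}

variable "administrator_password" {
  description = "Server admin password; supply via a secret store or TF_VAR_, never in source"
  type        = string
  sensitive   = true
}

resource "azurerm_postgresql_flexible_server" "main" {
  name                = "pgflex-private-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  version             = "14"
  sku_name            = "GP_Standard_D2s_v3"
  storage_mb          = 32768
  zone                = "1"

  administrator_login    = "pgadmin"
  administrator_password = var.administrator_password

  # Setting both of these is what selects Private access. Omit both and the
  # server is created with Public access and an empty (deny-all) firewall,
  # which is the case the firewall-rule snippets in this thread address.
  delegated_subnet_id = azurerm_subnet.db.id
  private_dns_zone_id = azurerm_private_dns_zone.db.id

  # The DNS link has to exist before the server is provisioned, otherwise
  # creation fails partway through.
  depends_on = [azurerm_private_dns_zone_virtual_network_link.db]
}
```

With this layout the server has no public endpoint at all, so no azurerm_postgresql_flexible_server_firewall_rule resources are needed; reachability is governed entirely by the VNet (peering, NSGs and the DNS link).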

@dss010101

I figured out how it works with PostgreSQL Flexible Server:
if you don't specify delegated_subnet_id and private_dns_zone_id the server will be configured with Public access, but you also need to configure firewall rules because by default everything is denied.
Example to configure firewall rules for Azure IPs and all public IPs:

resource "azurerm_postgresql_flexible_server_firewall_rule" "azure" {
  count = var.public_network_access_enabled ? 1 : 0

  name             = "allow-access-from-azure-services"
  server_id        = azurerm_postgresql_flexible_server.main.id
  start_ip_address = "0.0.0.0"
  end_ip_address   = "0.0.0.0"
}

resource "azurerm_postgresql_flexible_server_firewall_rule" "all" {
  count = var.public_network_access_enabled && var.firewall_allow_all_ips ? 1 : 0

  name             = "allow-all-ips"
  server_id        = azurerm_postgresql_flexible_server.main.id
  start_ip_address = "0.0.0.0"
  end_ip_address   = "255.255.255.255"
}

So if you need to configure Private access you also should deploy a virtual network, subnet, private DNS zone and private DNS zone virtual network link, as shown in the basic example here.

I think this issue can be closed.

Been looking all over, at the far ends of the internet, and surprisingly this is the only post I have found thus far addressing how to use Terraform to set up a public flexible server. I do have a question. I have several developers that work from home that I need to add to the firewall rule. Is there a firewall resource that supports a list of IPs, or do I need to loop with azurerm_postgresql_flexible_server_firewall_rule?

@ArielWoode-TomTom

ArielWoode-TomTom commented Sep 21, 2023

If you know the IP addresses of your team, then yes, you can loop through a list of them and create a firewall rule for Azure services in the following way:

...
// variables.tf
...

variable "az_config" {
  description = "configurations for azure service access"
  type        = object({
    allow_azure_access = bool
  })
  // the default has to match the object type above; a bare `false` fails type checking
  default = {
    allow_azure_access = false
  }
}

variable "allowed_ip_list" {
  description = "List of IP addresses allowed through the firewall"
  type        = list(string)
  default     = []
}

...
vars.tfvars
...

// database config
az_config = {
 allow_azure_access = true
}

// allowed I.P addresses list
allowed_ip_list = [ <developer ips> ]

...
main.tf
...

// Create server firewall rules for azure service internal access
resource "azurerm_postgresql_flexible_server_firewall_rule" "azure_access" {
  count            = var.az_config.allow_azure_access ? 1 : 0
  name             = "AllowAllWindowsAzureIps"
  server_id        = azurerm_postgresql_flexible_server.default.id
  start_ip_address = "0.0.0.0" // IP address of azure services
  end_ip_address   = "0.0.0.0"
}

// Create server firewall rules for allowed I.P addresses
resource "azurerm_postgresql_flexible_server_firewall_rule" "allowed_ips" {
  count            = length(var.allowed_ip_list)
  name             = "allowed_ip_${count.index}"
  server_id        = azurerm_postgresql_flexible_server.default.id
  start_ip_address = var.allowed_ip_list[count.index]
  end_ip_address   = var.allowed_ip_list[count.index]
}

Documentation from Azure on the firewall rule for Azure services can be found here.
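A variant of the per-address rules above that uses for_each over a map keyed by a rule name instead of count, added here as an example; it is not code from the thread or from the provider. Keying by name means that removing one developer from the map destroys only that developer's rule, whereas with count.index every rule after the removed position is renumbered and recreated. It also goes a step beyond the thread by validating the input before any plan is produced. The variable names (developer_ips, allow_azure_services), the rule name prefix and the sample addresses in the trailing tfvars comment are assumptions.

```hcl
# Added example (not from the issue thread): one firewall rule per named
# developer address, keyed by name rather than by list position. Variable
# and rule names are assumed; server reference mirrors the thread's
# azurerm_postgresql_flexible_server.main.

variable "developer_ips" {
  description = "Map of rule-name suffix => single public IPv4 address allowed through the server firewall"
  type        = map(string)
  default     = {}

  validation {
    # cidrhost() errors on anything that is not a well-formed IPv4 address,
    # so typos and accidental CIDR ranges are rejected at plan time.
    condition     = alltrue([for ip in values(var.developer_ips) : can(cidrhost("${ip}/32", 0))])
    error_message = "Every value in developer_ips must be a single IPv4 address, e.g. 203.0.113.10."
  }

  validation {
    # 0.0.0.0 is the sentinel for the Azure-services rule and must not be
    # smuggled in as a developer address.
    condition     = !contains(values(var.developer_ips), "0.0.0.0")
    error_message = "0.0.0.0 is reserved for the Azure-services rule; set allow_azure_services instead."
  }
}

variable "allow_azure_services" {
  description = "Whether to add the 0.0.0.0-0.0.0.0 rule that admits connections originating from Azure services"
  type        = bool
  default     = false
}

# One rule per map entry; start == end pins each rule to exactly one address.
resource "azurerm_postgresql_flexible_server_firewall_rule" "developer" {
  for_each = var.developer_ips

  name             = "dev-${each.key}"   # map keys should be alphanumeric/hyphen only
  server_id        = azurerm_postgresql_flexible_server.main.id
  start_ip_address = each.value
  end_ip_address   = each.value
}

# Optional Azure-services rule, kept separate so it can be toggled on its own.
resource "azurerm_postgresql_flexible_server_firewall_rule" "azure_services" {
  count = var.allow_azure_services ? 1 : 0

  name             = "AllowAllWindowsAzureIps"
  server_id        = azurerm_postgresql_flexible_server.main.id
  start_ip_address = "0.0.0.0"
  end_ip_address   = "0.0.0.0"
}

# terraform.tfvars (constructed sample values using documentation TEST-NET ranges):
#
# developer_ips = {
#   alice = "203.0.113.10"
#   bob   = "198.51.100.22"
# }
# allow_azure_services = false
```

Two points worth keeping in mind when reviewing such a module: the 0.0.0.0-0.0.0.0 rule admits traffic from any Azure-hosted source, including other customers' subscriptions, so it is much broader than "my own Azure resources"; and a 0.0.0.0-255.255.255.255 rule like the allow-all-ips example earlier in the thread exposes the listener to the whole internet and should normally only exist as a short-lived, deliberately toggled exception.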

@gilShin

gilShin commented Oct 4, 2023

The only problem with this solution is that now I'm not using the subnet I have prepared for the DB but for now it is good enough for me :-)
Thanks

@User7845

Hi,

I want to set up a flexible Postgres database with the settings:

Connectivity Method: Public Access
Allow public access to this resource through the internet using a public IP address: False
Private endpoint: Configured
VNET integration: off

with Terraform it is only possible to set up Public access or Private with VNET integration, but I would like to set up:
"Public Access" but only through the Private Endpoint

@NCarter3

Same here. With private endpoint support launched, it now makes sense to allow setting public_network_access_enabled=False even when the DB was not vnet injected.
Please make public_network_access_enabled an argument now.

@PhiRie

PhiRie commented Apr 23, 2024

Same here. With private endpoint support launched, it now makes sense to allow setting public_network_access_enabled=False even when the DB was not vnet injected. Please make public_network_access_enabled an argument now.

We also already set up a Postgres Flex Server without VNet injection by creating our own VNet manually and connected through a private endpoint. The only part missing now is to disable the public endpoint via public_network_access_enabled, as the Terraform Azure provider offers it for other Azure resources. This can already be disabled/enabled in the Azure portal.


So really looking forward to having this property as well!

@debaatanalytics

Another engineer here running into the exact same problem! Looking forward to having this property.

@clowa
Contributor

clowa commented Apr 24, 2024

Also see #24641

@Dwiti-P

Dwiti-P commented May 6, 2024

Hi team,

I'm experiencing a similar problem when trying to deploy the PGflexi server. When I attempt to disable public access, it requests the subnet_id and private_dns_zone_id even though we already have a private endpoint enabled.


@mjpapad2-coles

Currently dealing with the fallout of this issue: an undeployed flexible server instance. Yes, it can be fixed using an azapi resource to quickly check the public network checkbox, but I'd prefer to just use Terraform IaC rather than resorting to using an API.

Is there a timeline for the issue to be fixed? It seems to be synonymous with an issue affecting mysql resources as well.
