administrator_login_password should be optional for azurerm_cosmosdb_postgresql_cluster when it's a read replica

[leilifremont]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.2.9

AzureRM Provider Version

3.76.0

Affected Resource(s)/Data Source(s)

azurerm_cosmosdb_postgresql_cluster

Terraform Configuration Files

resource "azurerm_resource_group" "rg" {
  name     = "testrg"
  location = "eastus"
}

resource "random_password" "cosmosdb_postgresql_passwords" {
  length           = 24
  min_upper        = 6
  min_lower        = 4
  min_numeric      = 6
  special          = false

  depends_on = [
    resource.azurerm_resource_group.rg
  ]
}

resource "azurerm_cosmosdb_postgresql_cluster" "primary_replica" {
  name                            = "primary"
  location                        = "eastus"
  resource_group_name             = azurerm_resource_group.rg.name
  administrator_login_password    = random_password.cosmosdb_postgresql_passwords.result
  coordinator_storage_quota_in_mb = 131072
  coordinator_vcore_count         = 2
  node_count                      = 2
  node_storage_quota_in_mb        = 131072
  node_vcores                     = 2
  node_server_edition             = "MemoryOptimized"

  coordinator_public_ip_access_enabled = false
  citus_version                        = "12.1"
  sql_version                          = "16"

  depends_on = [
    random_password.cosmosdb_postgresql_passwords
  ]
}

resource "time_sleep" "wait_20_minutes" {
  create_duration = "1200s"
  triggers = {
    postgresql_cluster_id  = azurerm_cosmosdb_postgresql_cluster.primary_replica.id
  }
}

resource "azurerm_cosmosdb_postgresql_cluster" "read_replica" {
  name                            = "secondary"
  resource_group_name             = azurerm_resource_group.rg.name
  location                        = "westus3"
  source_location      = azurerm_cosmosdb_postgresql_cluster.primary_replica.location
  source_resource_id   = azurerm_cosmosdb_postgresql_cluster.primary_replica.id
  administrator_login_password    = random_password.cosmosdb_postgresql_passwords.result
  coordinator_storage_quota_in_mb = 131072
  coordinator_vcore_count         = 2
  node_count                      = 2
  node_storage_quota_in_mb        = 131072
  node_vcores                     = 2
  node_server_edition             = "MemoryOptimized"

  coordinator_public_ip_access_enabled = true
  citus_version                        = "12.1"
  sql_version                          = "16"

  depends_on = [
    time_sleep.wait_20_minutes
  ]
}

Debug Output/Panic Output

Now we try to change the password of the cluster.

We will encounter two possible errors:

1.
We leave the administrator_login_password of read replica to be null, (wait for this password is changed in primary replica and propagated to read replica), terraform plan will fail with:
The argument "administrator_login_password" is required, but no definition was found.

2.
We change the password of primary replica and read replica at the same time, terraform apply will fail with:
performing Update: unexpected status 400 with error: bad_request: Administrator login password cannot be updated on read replicas. 

3.
We have to change only the administrator_login_password in primary replica, but leave the administrator_login_password of read replica untouched, but this will cause weird code and inconsistency between terraform state and actual settings.

If we use Azure API to create/update the CosmosDB postgresql cluster, this problem doesn't exist because administrator_login_password is an optional value for Azure API, it can be set to null.
https://learn.microsoft.com/en-us/rest/api/postgresqlhsc/#cluster-create-and-update

Expected Behaviour

administrator_login_password should be optional for azurerm_cosmosdb_postgresql_cluster, at least for read replica

Actual Behaviour

No response

Steps to Reproduce

No response

Important Factoids

No response

References

No response

[rcskosir]

Thank you for taking the time to open this issue. Please subscribe to PR #23750 created by @neil-yechenwei for this issue.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.