postgres flexible server does not destroy when AD Authentication is selected present #24736
Comments
Thanks for raising this issue. It seems I can't reproduce this issue. Could you try the latest azurerm provider and the tf config below, which is similar to yours, to see if the issue still exists? Thanks. tf config:
Sure, will try it and report. I'm not spotting the difference though? As a ponder: I wonder if it matters if there are existing DBs or not or if non-admins have been given rights in those DBs.
Hi there, I'm the one who initiated the forum post. I did not test it again since this summer (August 2023), but now the problem seems to be gone. I've checked the different module update changelogs since August and did not notice any bugfix relating to this. I did test it again, trying to deploy a database with all three security principal types (User, Group and Service Principal). I did not face any issues, either for deployment or for destroying.

```hcl
provider "azurerm" {
  features {}
}

provider "azuread" {}

# Tenant of the identity running Terraform; reused for the server and its AD admins.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "test" {
  name     = "acctestRG-postgresql-test03"
  location = "eastus"
}

resource "azurerm_postgresql_flexible_server" "test" {
  name                  = "acctest-fs-test03"
  location              = azurerm_resource_group.test.location
  resource_group_name   = azurerm_resource_group.test.name
  sku_name              = "B_Standard_B1ms"
  version               = "15"
  storage_mb            = 32768
  backup_retention_days = 7
  auto_grow_enabled     = true
  zone                  = 3

  # Entra ID (AD) authentication only; password authentication is disabled.
  authentication {
    active_directory_auth_enabled = true
    password_auth_enabled         = false
    tenant_id                     = data.azurerm_client_config.current.tenant_id
  }

  tags = {
    ENV = "Test"
  }
}

locals {
  # One administrator identity per principal type; object_id values are placeholders.
  admin_info = {
    "Group" = [{
      display_name = "group"
      object_id    = "group_id"
    }]
    "ServicePrincipal" = [{
      display_name = "sp"
      object_id    = "sp_id"
    }]
    "User" = [{
      display_name = "user"
      object_id    = "user_id"
    }]
  }

  # Flatten the map into one {role, identity} object per administrator.
  # admin_info is a local, not an input variable, so it is referenced as local.admin_info.
  permissionsbyrole = flatten([
    for role, identities in local.admin_info : [
      for identity in identities : {
        role     = role
        identity = identity
      }
    ]
  ])
}

resource "azurerm_postgresql_flexible_server_active_directory_administrator" "test" {
  # Keyed by role; this assumes a single identity per principal type, as in admin_info above.
  for_each            = { for permission in local.permissionsbyrole : "${permission.role}" => permission }
  server_name         = azurerm_postgresql_flexible_server.test.name
  resource_group_name = azurerm_resource_group.test.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  object_id           = each.value.identity.object_id
  principal_name      = each.value.identity.display_name
  principal_type      = each.value.role

  depends_on = [azurerm_postgresql_flexible_server.test]
}
```

I cannot explain the resolution root cause, but it now works for me. Would be interested in your comments @fardarter.
@Leo-67 @neil-yechenwei I'm still having the same issues with destruction. As an aside, I also can't redeploy under the same name after a destroy. Seems that the object is still persisting after reporting destruction. Does it matter if the admin has specific rights over a database?
Hello there, I was able to reproduce the issue. If you just deploy and straight after destroy the resources, you will not face any issues. However, if you apply any configuration within the postgresql instance, the issue then appears when trying to delete the resources. I only connect with my PostgreSQL Entra ID admin account and create a "test" database and then I get the error:
@Leo-67 Thanks. That actually explains why the destroy was working before I configured any DB roles/permissions.
Any suggested fix for this issue, since terraform does not destroy the flexible server completely when an AD admin is present? Also, is there any alternative way to destroy the flexible server in the meantime?
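The thread reports a server that Terraform says it destroyed but that still exists in Azure (the redeploy under the same name then fails). The script below is an added example, not code from this issue or from the azurerm provider: after a destroy has reported success, it lists what the control plane still has in the resource group and flags anything Terraform no longer expects to exist. The `az postgres flexible-server list` command and `terraform destroy` are real; the JSON sample is constructed to mimic the list output, and the field names (`authConfig.activeDirectoryAuth`, `resourceGroup`, `state`) are assumptions about that output's shape.

```python
"""Post-destroy orphan check for Azure PostgreSQL flexible servers (added example)."""
import json
import subprocess
from dataclasses import dataclass

# Constructed sample in the shape of `az postgres flexible-server list -o json`.
# Field names are assumptions; the server names echo the config in this thread.
SAMPLE_AZ_LIST = json.dumps([
    {
        "name": "acctest-fs-test03",
        "resourceGroup": "acctestRG-postgresql-test03",
        "state": "Ready",
        "authConfig": {"activeDirectoryAuth": "Enabled", "passwordAuth": "Disabled"},
    },
    {
        "name": "pg-password-only",
        "resourceGroup": "acctestRG-postgresql-test03",
        "state": "Ready",
        "authConfig": {"activeDirectoryAuth": "Disabled", "passwordAuth": "Enabled"},
    },
])


@dataclass(frozen=True)
class LingeringServer:
    """A flexible server Azure still reports although Terraform does not expect it."""
    name: str
    resource_group: str
    state: str
    ad_auth_enabled: bool


def parse_flexible_servers(az_list_json: str) -> list[dict]:
    """Parse the JSON array produced by `az postgres flexible-server list -o json`."""
    servers = json.loads(az_list_json)
    if not isinstance(servers, list):
        raise ValueError("expected a JSON array of flexible servers")
    return servers


def find_lingering_servers(az_list_json: str, expected_names: set[str]) -> list[LingeringServer]:
    """Return servers present in Azure whose names are not in expected_names.

    After `terraform destroy` has reported success the expected set is empty, so
    every server returned here is one Terraform believes is gone but Azure kept.
    The AD-auth flag is surfaced because that is the configuration the thread
    associates with the failed destroy.
    """
    lingering: list[LingeringServer] = []
    for srv in parse_flexible_servers(az_list_json):
        if srv.get("name") in expected_names:
            continue
        auth = srv.get("authConfig") or {}
        lingering.append(LingeringServer(
            name=srv.get("name", "<unknown>"),
            resource_group=srv.get("resourceGroup", "<unknown>"),
            state=srv.get("state", "<unknown>"),
            ad_auth_enabled=str(auth.get("activeDirectoryAuth", "")).lower() == "enabled",
        ))
    return lingering


def fetch_az_list(resource_group: str) -> str:
    """Run the real az CLI (needs a logged-in `az`); not used by the offline demo below."""
    cmd = ["az", "postgres", "flexible-server", "list",
           "--resource-group", resource_group, "-o", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def format_report(lingering: list[LingeringServer]) -> str:
    """Human-readable summary suitable for a CI step that runs right after destroy."""
    if not lingering:
        return "OK: no flexible servers remain in the resource group."
    lines = [f"WARNING: {len(lingering)} flexible server(s) still exist after destroy:"]
    for s in lingering:
        flag = " (Entra ID auth enabled)" if s.ad_auth_enabled else ""
        lines.append(f"  - {s.name} in {s.resource_group}, state={s.state}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline demo on the constructed sample; after a real destroy, replace
    # SAMPLE_AZ_LIST with fetch_az_list("<resource-group>").
    print(format_report(find_lingering_servers(SAMPLE_AZ_LIST, expected_names=set())))
```

Run it as the step after `terraform destroy` in the pipeline; a non-empty report is the signal that the control plane still holds the server, so the next apply under the same name will collide with it.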
Is there an existing issue for this?
There is also a hashicorp forum post on the issue: https://discuss.hashicorp.com/t/delete-postgresql-flexible-server-with-ad-admins-enabled/57042
Community Note
Terraform Version
1.6.6
AzureRM Provider Version
3.87.0
Affected Resource(s)/Data Source(s)
azurerm_postgresql_flexible_server
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
The resource should have been destroyed.
Actual Behaviour
The resource was not destroyed.
Steps to Reproduce
Important Factoids
No response
References
No response