New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azurerm_postgresql_flexible_server - mark public_network_access_enabled as optional #25812
base: main
Are you sure you want to change the base?
azurerm_postgresql_flexible_server - mark public_network_access_enabled as optional #25812
Conversation
"public_network_access_enabled": { | ||
Type: pluginsdk.TypeBool, | ||
Computed: true, | ||
Optional: true, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is going to be a breaking change for existing users? as it will now set everyone to false whenthe default iirc is true?
as such we should make it optional + computed to account for existing resources + users changing the default outside terraform
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. When user created the resource without delegated_subnet_id
, private_dns_zone_id
and public_network_access_enabled
using old AzureRM version and then user upgraded to new AzureRM version, tf plan
would cause difference if public_network_access_enabled
isn't set in the tf config. Though there is TF difference but it's expected since service API would return the default value true
for public_network_access_enabled
when delegated_subnet_id
and private_dns_zone_id
aren't set.
OK. I will use optional + computed. Then the existing resources wouldn't be impacted anymore.
@katbyte , thanks for the comment. I updated PR. Please take another look. Below is the test result I just now triggered. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hey @neil-yechenwei
Thanks for this PR - I've taken a look through and left some comments inline, but if we can fix those up then we should be able to take another look through here.
Thanks!
@@ -278,6 +278,7 @@ func resourcePostgresqlFlexibleServer() *pluginsdk.Resource { | |||
|
|||
"public_network_access_enabled": { | |||
Type: pluginsdk.TypeBool, | |||
Optional: true, | |||
Computed: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this shouldn't be Computed, but defaulted to true
:
Computed: true, | |
Default: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I assume that we can't simply set the default value to "true" in the schema based on below reasons.
- The default value of "public_network_access_enabled" is dynamic. Below is the scenarios. So we can't simply hard-code the default value in the schema.
~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` are set, the default value of `public_network_access_enabled` is `false`.
~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` aren't set, the default value of `public_network_access_enabled` is `true`.
- If we set the default value of "public_network_access_enabled" to "true" in the schema, then "public_network_access_enabled" would always be set to "true" in the request payload when it isn't set. At this time, if "delegated_subnet_id" and "private_dns_zone_id" are also set in the request payload, then service API would return below error message.
Error Message:
performing Create: unexpected status 400 (400 Bad Request) with error: ConflictingPublicNetworkAccessAndVirtualNetworkConfiguration: Conflicting configuration is detected between Public Network Access and Virtual Network arguments. Public Network Access is not supported along with Virtual Network feature.
- For the existing resource created with
delegated_subnet_id
andprivate_dns_zone_id
, the value of public_network_access_enabled returned by service is false, then TF would cause difference since the default value is set to true in the schema.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, users would need to set the value to false
in their configs when they configure either delegated_subnet_id
or private_dns_zone_id
, that's expected.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
// `d.GetOk()` cannot identify if the bool property `public_network_access_enabled` is set or not in the tf config since d.GetOk() always returns `false` when `public_network_access_enabled` is set to `false` and `public_network_access_enabled` isn't set in the tf config | ||
if !pluginsdk.IsExplicitlyNullInConfig(d, "public_network_access_enabled") { | ||
publicNetworkAccessEnabled := servers.ServerPublicNetworkAccessStateDisabled | ||
if d.Get("public_network_access_enabled").(bool) { | ||
publicNetworkAccessEnabled = servers.ServerPublicNetworkAccessStateEnabled | ||
} | ||
network.PublicNetworkAccess = pointer.To(publicNetworkAccessEnabled) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By defaulting this in the Read we can just pull from the config:
// `d.GetOk()` cannot identify if the bool property `public_network_access_enabled` is set or not in the tf config since d.GetOk() always returns `false` when `public_network_access_enabled` is set to `false` and `public_network_access_enabled` isn't set in the tf config | |
if !pluginsdk.IsExplicitlyNullInConfig(d, "public_network_access_enabled") { | |
publicNetworkAccessEnabled := servers.ServerPublicNetworkAccessStateDisabled | |
if d.Get("public_network_access_enabled").(bool) { | |
publicNetworkAccessEnabled = servers.ServerPublicNetworkAccessStateEnabled | |
} | |
network.PublicNetworkAccess = pointer.To(publicNetworkAccessEnabled) | |
} | |
// `d.GetOk()` cannot identify if the bool property `public_network_access_enabled` is set or not in the tf config since d.GetOk() always returns `false` when `public_network_access_enabled` is set to `false` and `public_network_access_enabled` isn't set in the tf config | |
publicNetworkAccessEnabled := servers.ServerPublicNetworkAccessStateEnabled | |
if !d.Get("public_network_access_enabled").(bool) { | |
publicNetworkAccessEnabled = servers.ServerPublicNetworkAccessStateDisabled | |
} | |
network.PublicNetworkAccess = pointer.To(publicNetworkAccessEnabled) |
Note: since the Azure API defaults this to true
today, we'll also need to update the Read function to account for this too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I above mentioned, I assume that we can't simply hard-code the default value for public_network_access_enabled. So I may not apply this suggestion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, we can.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
@@ -116,6 +116,12 @@ The following arguments are supported: | |||
|
|||
~> **Note:** There will be a breaking change from upstream service at 15th July 2021, the `private_dns_zone_id` will be required when setting a `delegated_subnet_id`. For existing flexible servers who don't want to be recreated, you need to provide the `private_dns_zone_id` to the service team to manually migrate to the specified private DNS zone. The `azurerm_private_dns_zone` should end with suffix `.postgres.database.azure.com`. | |||
|
|||
* `public_network_access_enabled` - (Optional) Is public network access enabled? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* `public_network_access_enabled` - (Optional) Is public network access enabled? | |
* `public_network_access_enabled` - (Optional) Specifies whether this PostgreSQL Flexible Server is publicly accessible. Defaults to `true`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I above mentioned, I assume that we can't simply hard-code the default value for public_network_access_enabled. So I may not add "Defaults to true
." here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` are set, the default value of `public_network_access_enabled` is `false`. | ||
|
||
~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` aren't set, the default value of `public_network_access_enabled` is `true`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By defaulting this on our side, we can make this informational:
~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` are set, the default value of `public_network_access_enabled` is `false`. | |
~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` aren't set, the default value of `public_network_access_enabled` is `true`. | |
-> **Note:** `public_network_access_enabled` must be set to `false` when `delegated_subnet_id` and `private_dns_zone_id` have a value. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I above mentioned, I assume that we can't simply hard-code the default value for public_network_access_enabled. So I may not apply this suggestion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
@tombuildsstuff , thank for the comments. Please take another look. |
@tombuildsstuff , thanks for the comments. I updated PR. Please take another look. Below is the test result I just now re-triggered. |
Community Note
Description
Service team confirmed that public_network_access_enabled is writeable property in the latest API version. So I submitted this PR to mark it as optional.
Below is the test scenarios for AzureRM version upgrade testing. As you can see, scenario 2 would cause breaking change but it's expected since service API would return the default value
true
forpublic_network_access_enabled
whendelegated_subnet_id
andprivate_dns_zone_id
aren't set. So users have to useignore_changes
or explicitly set it in the tf config to resolve it after AzureRM version is upgraded.PR Checklist
For example: “
resource_name_here
- description of change e.g. adding propertynew_property_name_here
”Changes to existing Resource / Data Source
Testing
Change Log
Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.
azurerm_postgresql_flexible_server
- markpublic_network_access_enabled
asoptional
This is a (please select all that apply):
Related Issue(s)
Fixes #14989
Fixes #24708
fixes #24641
Note
If this PR changes meaningfully during the course of review please update the title and description as required.