azurerm_postgresql_flexible_server - mark public_network_access_enabled as optional

[neil-yechenwei]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave "+1" or "me too" comments, they generate extra noise for PR followers and do not help prioritize for review

Description

Service team confirmed that public_network_access_enabled is writeable property in the latest API version. So I submitted this PR to mark it as optional.

Below is the test scenarios for AzureRM version upgrade testing. As you can see, scenario 2 would cause breaking change but it's expected since service API would return the default value true for public_network_access_enabled when delegated_subnet_id and private_dns_zone_id aren't set. So users have to use ignore_changes or explicitly set it in the tf config to resolve it after AzureRM version is upgraded.

1. Create the resource with `delegated_subnet_id` and `private_dns_zone_id` without `public_network_access_enabled` using old AzureRM version -> Upgrade to new AzureRM version -> Run `tf plan` when `public_network_access_enabled` isn't set in the tf config -> No TF difference occurs.
2. Create the resource without `delegated_subnet_id`, `private_dns_zone_id` and `public_network_access_enabled` using old AzureRM version -> Upgrade to new AzureRM version -> Run `tf plan` when `public_network_access_enabled` isn't set in the tf config -> There is TF difference but it's expected since service API would return the default value `true` for `public_network_access_enabled` when `delegated_subnet_id` and `private_dns_zone_id` aren't set.

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
  For example: “resource_name_here - description of change e.g. adding property new_property_name_here”

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have written new tests for my resource or datasource changes & updated any relevent documentation.
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
• (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

• My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

• azurerm_postgresql_flexible_server - mark public_network_access_enabled as optional

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Related Issue(s)

Fixes #14989
Fixes #24708
fixes #24641

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

[katbyte]

This is going to be a breaking change for existing users? as it will now set everyone to false whenthe default iirc is true?

as such we should make it optional + computed to account for existing resources + users changing the default outside terraform

[neil-yechenwei]

Yes. When user created the resource without delegated_subnet_id, private_dns_zone_id and public_network_access_enabled using old AzureRM version and then user upgraded to new AzureRM version, tf plan would cause difference if public_network_access_enabled isn't set in the tf config. Though there is TF difference but it's expected since service API would return the default value true for public_network_access_enabled when delegated_subnet_id and private_dns_zone_id aren't set.

OK. I will use optional + computed. Then the existing resources wouldn't be impacted anymore.

[neil-yechenwei]

@katbyte , thanks for the comment. I updated PR. Please take another look. Below is the test result I just now triggered.

[tombuildsstuff]

hey @neil-yechenwei

Thanks for this PR - I've taken a look through and left some comments inline, but if we can fix those up then we should be able to take another look through here.

Thanks!

[tombuildsstuff]

this shouldn't be Computed, but defaulted to true:

Suggested change

	Computed: true,
	Default: true,

[neil-yechenwei]

I assume that we can't simply set the default value to "true" in the schema based on below reasons.

1. The default value of "public_network_access_enabled" is dynamic. Below is the scenarios. So we can't simply hard-code the default value in the schema.

~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` are set, the default value of `public_network_access_enabled` is `false`.
~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` aren't set, the default value of `public_network_access_enabled` is `true`.

2. If we set the default value of "public_network_access_enabled" to "true" in the schema, then "public_network_access_enabled" would always be set to "true" in the request payload when it isn't set. At this time, if "delegated_subnet_id" and "private_dns_zone_id" are also set in the request payload, then service API would return below error message.

Error Message:

performing Create: unexpected status 400 (400 Bad Request) with error: ConflictingPublicNetworkAccessAndVirtualNetworkConfiguration: Conflicting configuration is detected between Public Network Access and Virtual Network arguments. Public Network Access is not supported along with Virtual Network feature.

3. For the existing resource created with delegated_subnet_id and private_dns_zone_id, the value of public_network_access_enabled returned by service is false, then TF would cause difference since the default value is set to true in the schema.

[tombuildsstuff]

Yes, users would need to set the value to false in their configs when they configure either delegated_subnet_id or private_dns_zone_id, that's expected.

[neil-yechenwei]

Updated

[tombuildsstuff]

By defaulting this in the Read we can just pull from the config:

Suggested change

	// `d.GetOk()` cannot identify if the bool property `public_network_access_enabled` is set or not in the tf config since d.GetOk() always returns `false` when `public_network_access_enabled` is set to `false` and `public_network_access_enabled` isn't set in the tf config
	if !pluginsdk.IsExplicitlyNullInConfig(d, "public_network_access_enabled") {
	publicNetworkAccessEnabled := servers.ServerPublicNetworkAccessStateDisabled
	if d.Get("public_network_access_enabled").(bool) {
	publicNetworkAccessEnabled = servers.ServerPublicNetworkAccessStateEnabled
	}
	network.PublicNetworkAccess = pointer.To(publicNetworkAccessEnabled)
	}
	// `d.GetOk()` cannot identify if the bool property `public_network_access_enabled` is set or not in the tf config since d.GetOk() always returns `false` when `public_network_access_enabled` is set to `false` and `public_network_access_enabled` isn't set in the tf config
	publicNetworkAccessEnabled := servers.ServerPublicNetworkAccessStateEnabled
	if !d.Get("public_network_access_enabled").(bool) {
	publicNetworkAccessEnabled = servers.ServerPublicNetworkAccessStateDisabled
	}
	network.PublicNetworkAccess = pointer.To(publicNetworkAccessEnabled)

Note: since the Azure API defaults this to true today, we'll also need to update the Read function to account for this too.

[neil-yechenwei]

As I above mentioned, I assume that we can't simply hard-code the default value for public_network_access_enabled. So I may not apply this suggestion.

[tombuildsstuff]

Yes, we can.

[neil-yechenwei]

Updated

[tombuildsstuff]

Suggested change

	* `public_network_access_enabled` - (Optional) Is public network access enabled?
	* `public_network_access_enabled` - (Optional) Specifies whether this PostgreSQL Flexible Server is publicly accessible. Defaults to `true`.

[neil-yechenwei]

As I above mentioned, I assume that we can't simply hard-code the default value for public_network_access_enabled. So I may not add "Defaults to true." here.

[neil-yechenwei]

Updated

[tombuildsstuff]

By defaulting this on our side, we can make this informational:

Suggested change

	~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` are set, the default value of `public_network_access_enabled` is `false`.
	~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` aren't set, the default value of `public_network_access_enabled` is `true`.
	-> **Note:** `public_network_access_enabled` must be set to `false` when `delegated_subnet_id` and `private_dns_zone_id` have a value.

[neil-yechenwei]

As I above mentioned, I assume that we can't simply hard-code the default value for public_network_access_enabled. So I may not apply this suggestion.

[neil-yechenwei]

Updated

[neil-yechenwei]

@tombuildsstuff , thank for the comments. Please take another look.

[neil-yechenwei]

@tombuildsstuff , thanks for the comments. I updated PR. Please take another look. Below is the test result I just now re-triggered.