Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

azurerm_postgresql_flexible_server - mark public_network_access_enabled as optional #25812

Merged
merged 19 commits into from
May 24, 2024
Merged

azurerm_postgresql_flexible_server - mark public_network_access_enabled as optional #25812

Show file tree
Hide file tree
Changes from 15 commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
7168d14
azurerm_postgresql_flexible_server - mark public_network_access_enabl…
neil-yechenwei Apr 30, 2024
0ef5691
update code
neil-yechenwei Apr 30, 2024
ca141dc
update code
neil-yechenwei Apr 30, 2024
e2b2a52
Merge remote-tracking branch 'upstream/main' into postgresqlfspublicn…
neil-yechenwei Apr 30, 2024
3ab28ee
update code
neil-yechenwei Apr 30, 2024
97087eb
update code
neil-yechenwei Apr 30, 2024
c5971c5
update code
neil-yechenwei Apr 30, 2024
8fe8a0b
update code
neil-yechenwei May 1, 2024
ea8f0dd
update code
neil-yechenwei May 1, 2024
a20a509
update code
neil-yechenwei May 1, 2024
7555138
update code
neil-yechenwei May 1, 2024
d1fea46
update code
neil-yechenwei May 6, 2024
66efd11
update code
neil-yechenwei May 7, 2024
a4f67cc
update code
neil-yechenwei May 7, 2024
7c5f48e
update code
neil-yechenwei May 7, 2024
de337e5
update description of public_network_access_enabled in md
neil-yechenwei May 8, 2024
a4bd274
set default value to true
neil-yechenwei May 9, 2024
853cc27
update tc
neil-yechenwei May 9, 2024
19ae87e
resolve conflict
neil-yechenwei May 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
12 changes: 11 additions & 1 deletion internal/services/postgres/postgresql_flexible_server_resource.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -278,6 +278,7 @@ func resourcePostgresqlFlexibleServer() *pluginsdk.Resource {

"public_network_access_enabled": {
Type: pluginsdk.TypeBool,
Optional: true,
Computed: true,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this shouldn't be Computed, but defaulted to true:

Suggested change
Computed: true,
Default: true,

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume that we can't simply set the default value to "true" in the schema based on below reasons.

  1. The default value of "public_network_access_enabled" is dynamic. Below is the scenarios. So we can't simply hard-code the default value in the schema.
~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` are set, the default value of `public_network_access_enabled` is `false`.
~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` aren't set, the default value of `public_network_access_enabled` is `true`.
  1. If we set the default value of "public_network_access_enabled" to "true" in the schema, then "public_network_access_enabled" would always be set to "true" in the request payload when it isn't set. At this time, if "delegated_subnet_id" and "private_dns_zone_id" are also set in the request payload, then service API would return below error message.

Error Message:

performing Create: unexpected status 400 (400 Bad Request) with error: ConflictingPublicNetworkAccessAndVirtualNetworkConfiguration: Conflicting configuration is detected between Public Network Access and Virtual Network arguments. Public Network Access is not supported along with Virtual Network feature.
  1. For the existing resource created with delegated_subnet_id and private_dns_zone_id, the value of public_network_access_enabled returned by service is false, then TF would cause difference since the default value is set to true in the schema.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, users would need to set the value to false in their configs when they configure either delegated_subnet_id or private_dns_zone_id, that's expected.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated

},

Expand Down Expand Up @@ -767,7 +768,7 @@ func resourcePostgresqlFlexibleServerUpdate(d *pluginsdk.ResourceData, meta inte
}
}

if d.HasChange("private_dns_zone_id") {
if d.HasChange("private_dns_zone_id") || d.HasChange("public_network_access_enabled") {
parameters.Properties.Network = expandArmServerNetwork(d)
}

Expand Down Expand Up @@ -964,6 +965,15 @@ func expandArmServerNetwork(d *pluginsdk.ResourceData) *servers.Network {
network.PrivateDnsZoneArmResourceId = utils.String(v.(string))
}

// `d.GetOk()` cannot identify if the bool property `public_network_access_enabled` is set or not in the tf config since d.GetOk() always returns `false` when `public_network_access_enabled` is set to `false` and `public_network_access_enabled` isn't set in the tf config
if !pluginsdk.IsExplicitlyNullInConfig(d, "public_network_access_enabled") {
publicNetworkAccessEnabled := servers.ServerPublicNetworkAccessStateDisabled
if d.Get("public_network_access_enabled").(bool) {
publicNetworkAccessEnabled = servers.ServerPublicNetworkAccessStateEnabled
}
network.PublicNetworkAccess = pointer.To(publicNetworkAccessEnabled)
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By defaulting this in the Read we can just pull from the config:

Suggested change
// `d.GetOk()` cannot identify if the bool property `public_network_access_enabled` is set or not in the tf config since d.GetOk() always returns `false` when `public_network_access_enabled` is set to `false` and `public_network_access_enabled` isn't set in the tf config
if !pluginsdk.IsExplicitlyNullInConfig(d, "public_network_access_enabled") {
publicNetworkAccessEnabled := servers.ServerPublicNetworkAccessStateDisabled
if d.Get("public_network_access_enabled").(bool) {
publicNetworkAccessEnabled = servers.ServerPublicNetworkAccessStateEnabled
}
network.PublicNetworkAccess = pointer.To(publicNetworkAccessEnabled)
}
// `d.GetOk()` cannot identify if the bool property `public_network_access_enabled` is set or not in the tf config since d.GetOk() always returns `false` when `public_network_access_enabled` is set to `false` and `public_network_access_enabled` isn't set in the tf config
publicNetworkAccessEnabled := servers.ServerPublicNetworkAccessStateEnabled
if !d.Get("public_network_access_enabled").(bool) {
publicNetworkAccessEnabled = servers.ServerPublicNetworkAccessStateDisabled
}
network.PublicNetworkAccess = pointer.To(publicNetworkAccessEnabled)

Note: since the Azure API defaults this to true today, we'll also need to update the Read function to account for this too.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I above mentioned, I assume that we can't simply hard-code the default value for public_network_access_enabled. So I may not apply this suggestion.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, we can.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated


return &network
}

Expand Down
39 changes: 39 additions & 0 deletions internal/services/postgres/postgresql_flexible_server_resource_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -524,6 +524,27 @@ func TestAccPostgresqlFlexibleServer_invalidStorageTierScalingStorageMbStorageTi
})
}

func TestAccPostgresqlFlexibleServer_publicNetworkAccessEnabled(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_postgresql_flexible_server", "test")
r := PostgresqlFlexibleServerResource{}
data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.publicNetworkAccessEnabled(data, true),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep("administrator_password", "create_mode"),
{
Config: r.publicNetworkAccessEnabled(data, false),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep("administrator_password", "create_mode"),
})
}

func (PostgresqlFlexibleServerResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
id, err := servers.ParseFlexibleServerID(state.ID)
if err != nil {
Expand Down Expand Up @@ -1267,3 +1288,21 @@ resource "azurerm_postgresql_flexible_server" "test" {
}
`, r.template(data), data.RandomInteger, storageMb, storageTier)
}

func (r PostgresqlFlexibleServerResource) publicNetworkAccessEnabled(data acceptance.TestData, publicNetworkAccessEnabled bool) string {
return fmt.Sprintf(`
%s

resource "azurerm_postgresql_flexible_server" "test" {
name = "acctest-fs-%d"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
administrator_login = "adminTerraform"
administrator_password = "QAZwsx123"
version = "12"
sku_name = "GP_Standard_D2s_v3"
zone = "2"
public_network_access_enabled = %t
}
`, r.template(data), data.RandomInteger, publicNetworkAccessEnabled)
}
8 changes: 6 additions & 2 deletions website/docs/r/postgresql_flexible_server.html.markdown
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,12 @@ The following arguments are supported:

~> **Note:** There will be a breaking change from upstream service at 15th July 2021, the `private_dns_zone_id` will be required when setting a `delegated_subnet_id`. For existing flexible servers who don't want to be recreated, you need to provide the `private_dns_zone_id` to the service team to manually migrate to the specified private DNS zone. The `azurerm_private_dns_zone` should end with suffix `.postgres.database.azure.com`.

* `public_network_access_enabled` - (Optional) Is public network access enabled?
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* `public_network_access_enabled` - (Optional) Is public network access enabled?
* `public_network_access_enabled` - (Optional) Specifies whether this PostgreSQL Flexible Server is publicly accessible. Defaults to `true`.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I above mentioned, I assume that we can't simply hard-code the default value for public_network_access_enabled. So I may not add "Defaults to true." here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated


~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` are set, the default value of `public_network_access_enabled` is `false`.

~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` aren't set, the default value of `public_network_access_enabled` is `true`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By defaulting this on our side, we can make this informational:

Suggested change
~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` are set, the default value of `public_network_access_enabled` is `false`.
~> **Note:** When `delegated_subnet_id` and `private_dns_zone_id` aren't set, the default value of `public_network_access_enabled` is `true`.
-> **Note:** `public_network_access_enabled` must be set to `false` when `delegated_subnet_id` and `private_dns_zone_id` have a value.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I above mentioned, I assume that we can't simply hard-code the default value for public_network_access_enabled. So I may not apply this suggestion.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated


* `high_availability` - (Optional) A `high_availability` block as defined below.

* `identity` - (Optional) An `identity` block as defined below.
Expand Down Expand Up @@ -245,8 +251,6 @@ In addition to the Arguments listed above - the following Attributes are exporte

* `fqdn` - The FQDN of the PostgreSQL Flexible Server.

* `public_network_access_enabled` - Is public network access enabled?

## Timeouts

The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/language/resources/syntax#operation-timeouts) for certain actions:
Expand Down