azurerm_mssql_managed_instance's new azure_active_directory_administrator block breaks use of random_password for administrator_login_password #28614

Open
1 task done
djr747 opened this issue Jan 27, 2025 · 1 comment

djr747 commented Jan 27, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.10.5

AzureRM Provider Version

4.15.0

Affected Resource(s)/Data Source(s)

azurerm_mssql_managed_instance

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source          = "hashicorp/azurerm"
      version         = "~>4.15.0"
    }
    random = {
      source          = "hashicorp/random"
      version         = "3.6.3"
    }
  }
}

provider "azurerm" {
  subscription_id = *****
  features {}
}

locals{
    location = "eastus"
    sqlmi_resource_group_name = "database"
    sqlmi_name = "free-sql-mi"
    sqlmi_subnet_id = *****
    sqlmi_identity_ids = [*****]
    admin_map = {
        admin1 = {
            "azuresql-admins" = *****
        }
    }
}

data "azurerm_client_config" "current" {}

resource "random_password" "admin_password" {
  length  = 16
}

resource "azurerm_mssql_managed_instance" "sqlmi" {
  administrator_login          = "mi-admin"
  administrator_login_password = random_password.admin_password.result
  license_type                 = "LicenseIncluded"
  location                     = local.location
  name                         = local.sqlmi_name
  proxy_override               = "Proxy"
  resource_group_name          = local.sqlmi_resource_group_name
  sku_name                     = "GP_Gen5"
  storage_size_in_gb           = 64
  subnet_id                    = local.sqlmi_subnet_id
  vcores                       = 4
  identity {
    identity_ids = local.sqlmi_identity_ids
    type         = "SystemAssigned, UserAssigned"
  }
  dynamic azure_active_directory_administrator {
    for_each = lookup(local.admin_map, "admin1")
    content {
      login_username                      = azure_active_directory_administrator.key
      object_id                           = azure_active_directory_administrator.value
      principal_type                      = "Group"
      tenant_id                           = data.azurerm_client_config.current.tenant_id
      azuread_authentication_only_enabled = false
    }
  }
  depends_on = [ random_password.admin_password ]
}

Debug Output/Panic Output

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform planned the following actions, but then encountered a problem:

  # random_password.admin_password will be created
  + resource "random_password" "admin_password" {
      + bcrypt_hash = (sensitive value)
      + id          = (known after apply)
      + length      = 16
      + lower       = true
      + min_lower   = 0
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = true
      + numeric     = true
      + result      = (sensitive value)
      + special     = true
      + upper       = true
    }

Plan: 1 to add, 0 to change, 0 to destroy.
╷
│ Error: `administrator_login` and `administrator_login_password` are required when `azuread_authentication_only_enabled` is false
│ 
│   with azurerm_mssql_managed_instance.sqlmi,
│   on main.tf line 7, in resource "azurerm_mssql_managed_instance" "sqlmi":
│    7: resource "azurerm_mssql_managed_instance" "sqlmi" {
│ 
╵

Expected Behaviour

Populating administrator_login_password with a random_password's result should allow a random password to be generated and used for SQL MI's admin password on deployment if the block azure_active_directory_administrator is used. This was supported prior to version 4.15.0 with the extra resource azurerm_mssql_managed_instance_active_directory_administrator previously.

Actual Behaviour

Populating administrator_login_password with a random_password's result and using azure_active_directory_administrator.azuread_authentication_only_enabled = false causes a validation error for administrator_login and administrator_login_password properties.

Steps to Reproduce

  1. Replace ***** with actual values
  2. terraform init
  3. terraform plan

Important Factoids

Bug was created in this PR

References

Seems to be related to the GetOk() on schema.ResourceDiff package here.
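
A simplified model of the failure the report points to, added here as an example and not taken from the AzureRM provider or the plugin SDK. The types and function names are hypothetical, and it assumes a GetOk-style lookup returns the zero value for an attribute that is still "(known after apply)" at plan time, which is the state of random_password's result on a first plan.

```go
package main

import (
	"errors"
	"fmt"
)

// Value models a planned attribute; Known is false while it is still
// "(known after apply)", as random_password's result is during plan.
type Value struct {
	Known bool
	Str   string
}

// Plan is a hypothetical stand-in for the diff seen by plan-time validation.
type Plan map[string]Value

var errRequired = errors.New("administrator_login and administrator_login_password are required")

// getOk mimics a GetOk-style lookup (assumption): an unknown value reads as
// the zero value, so it looks the same as an attribute that was never set.
func (p Plan) getOk(key string) (string, bool) {
	v := p[key]
	return v.Str, v.Known && v.Str != ""
}

// validateNaive reproduces the reported failure: an unknown password is rejected.
func validateNaive(p Plan, aadOnly bool) error {
	_, login := p.getOk("administrator_login")
	_, pass := p.getOk("administrator_login_password")
	if !aadOnly && !(login && pass) {
		return errRequired
	}
	return nil
}

// validateUnknownAware only fails on a missing or known-empty attribute and
// defers judgement on values that will be filled in at apply time.
func validateUnknownAware(p Plan, aadOnly bool) error {
	set := func(k string) bool { v, ok := p[k]; return ok && (!v.Known || v.Str != "") }
	if !aadOnly && !(set("administrator_login") && set("administrator_login_password")) {
		return errRequired
	}
	return nil
}

func main() {
	// Constructed input mirroring the configuration in this issue.
	p := Plan{"administrator_login": {true, "mi-admin"}, "administrator_login_password": {Known: false}}
	fmt.Println(validateNaive(p, false), validateUnknownAware(p, false))
}
```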

@catriona-m
Member

@sinbai looks like this may have been introduced in this pr #24801 - would you be able to investigate this?
