Postgresql flexible database username/password and AD auth #3869

Open
ruben-janssens opened this issue Jan 17, 2025 · 5 comments
Labels
awaiting-feedback Blocked on input from the author kind/bug Some behavior is incorrect or out of spec

Comments

@ruben-janssens

What happened?

We started our databases with username/password because the application did not yet support AD auth. Now the applications are ready and are already using AD auth. We would like to disable username/password auth but cannot do this, because the fields administrator_login and administrator_login_password are required and force a replacement of the resource.

Should the admin username and password not be required only when password_auth is enabled, and should changing these values when password_auth is disabled not trigger a replacement?

I don't mind multiple steps, like first disabling username/password and then removing the username and password, but it should be possible.

Example

```python
# Imports added for completeness (the original snippet omitted them); these
# names are assumed to come from the pulumi-azure-native Python SDK.
from pulumi_azure_native.dbforpostgresql import (
    ActiveDirectoryAuthEnum, AuthConfigArgs, AzureManagedDiskPerformanceTiers,
    HighAvailabilityArgs, HighAvailabilityMode, NetworkArgs, PasswordAuthEnum,
    Server, ServerPublicNetworkAccessState, ServerVersion, SkuArgs, SkuTier,
    StorageArgs, StorageAutoGrow, StorageType,
)

# Current state: Entra (AD) auth already enabled, password auth still enabled.
Server(
    "Database",
    server_name="my-database",
    administrator_login="nolongerneeded_admin",
    administrator_login_password="TheSuperSecretPassword",
    high_availability=HighAvailabilityArgs(
        mode=HighAvailabilityMode.DISABLED,
        standby_availability_zone=None
    ),
    version=ServerVersion.SERVER_VERSION_16,
    sku=SkuArgs(
        name="Standard_B1ms",
        tier=SkuTier.BURSTABLE
    ),
    storage=StorageArgs(
        auto_grow=StorageAutoGrow.DISABLED,
        iops=None,
        # self.__server_type comes from the author's own component class; noted in GiB
        storage_size_gb=self.__server_type.storage_in_gb,
        throughput=None,
        tier=AzureManagedDiskPerformanceTiers.P4,
        type=StorageType.PREMIUM_LRS
    ),
    network=NetworkArgs(
        public_network_access=ServerPublicNetworkAccessState.DISABLED
    ),
    auth_config=AuthConfigArgs(
        active_directory_auth=ActiveDirectoryAuthEnum.ENABLED,
        password_auth=PasswordAuthEnum.ENABLED,
        tenant_id="<tenant-id>"
    ),
    resource_group_name="a-resource-group"
)
```

Change to:

```python
# Imports added for completeness (the original snippet omitted them); these
# names are assumed to come from the pulumi-azure-native Python SDK.
from pulumi_azure_native.dbforpostgresql import (
    ActiveDirectoryAuthEnum, AuthConfigArgs, AzureManagedDiskPerformanceTiers,
    HighAvailabilityArgs, HighAvailabilityMode, NetworkArgs, PasswordAuthEnum,
    Server, ServerPublicNetworkAccessState, ServerVersion, SkuArgs, SkuTier,
    StorageArgs, StorageAutoGrow, StorageType,
)

# Desired state: password auth disabled, login and password no longer supplied.
Server(
    "Database",
    server_name="my-database",
    administrator_login="",
    administrator_login_password="",
    high_availability=HighAvailabilityArgs(
        mode=HighAvailabilityMode.DISABLED,
        standby_availability_zone=None
    ),
    version=ServerVersion.SERVER_VERSION_16,
    sku=SkuArgs(
        name="Standard_B1ms",
        tier=SkuTier.BURSTABLE
    ),
    storage=StorageArgs(
        auto_grow=StorageAutoGrow.DISABLED,
        iops=None,
        # self.__server_type comes from the author's own component class; noted in GiB
        storage_size_gb=self.__server_type.storage_in_gb,
        throughput=None,
        tier=AzureManagedDiskPerformanceTiers.P4,
        type=StorageType.PREMIUM_LRS
    ),
    network=NetworkArgs(
        public_network_access=ServerPublicNetworkAccessState.DISABLED
    ),
    auth_config=AuthConfigArgs(
        active_directory_auth=ActiveDirectoryAuthEnum.ENABLED,
        password_auth=PasswordAuthEnum.DISABLED,
        tenant_id="<tenant-id>"
    ),
    resource_group_name="a-resource-group"
)
```

Output of pulumi about

CLI
Version 3.139.0
Go Version go1.23.3
Go Compiler gc

Host
OS ubuntu
Version 24.04
Arch x86_64

Additional context

No response


@ruben-janssens ruben-janssens added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jan 17, 2025
@thomas11
Contributor

Hi @ruben-janssens, according to the docs, neither of the two properties is required. Are you seeing an error that they are required when you remove them, or only the problem that Pulumi wants to replace the server?

If the latter, you have two options:

  1. Remove only administrator_login_password. It doesn't cause replacement on changes and is the more sensitive part.
  2. Remove both and use ignore_changes to make Pulumi ignore administrator_login.

@thomas11 thomas11 added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Jan 20, 2025
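The two options above, checked against stack state rather than the program: an added Python example (not from the issue, from Pulumi, or from any commenter) that audits a `pulumi stack export` JSON for Flexible Servers that still have password auth enabled, or still carry `administratorLoginPassword` in their recorded inputs, and lists the migration steps the thread describes. Assumptions, labelled in the code: the resource type token `azure-native:dbforpostgresql:Server`, the camelCase input keys as they appear in exported state, Pulumi's secret-signature marker for encrypted values, Azure's default of password auth being enabled when `authConfig` is absent, and the sample export, which is constructed.

```python
"""Audit a `pulumi stack export` for PostgreSQL Flexible Servers that still
use password auth or still carry the admin password in recorded inputs."""
import json
from dataclasses import dataclass

# Assumption: resource type token used by pulumi-azure-native for Flexible Server.
FLEXIBLE_SERVER_TYPE = "azure-native:dbforpostgresql:Server"
# Assumption: Pulumi marks encrypted secrets in exported state with this
# signature key/value pair (the ciphertext sits next to it).
SECRET_SIG_KEY = "4dabf18193072939515e22adb298388d"
SECRET_SIG_VALUE = "1b47061264138c4ac30d75fd1eb44270"


@dataclass
class Finding:
    name: str
    password_auth_enabled: bool
    password_in_state: bool
    password_in_plaintext: bool

    def steps(self) -> list:
        """Ordered migration steps, following the two options in the thread."""
        out = []
        if self.password_auth_enabled:
            out.append("set auth_config.password_auth to Disabled (in-place update)")
        if self.password_in_plaintext:
            out.append("password is stored unencrypted in state: mark it secret, then rotate it")
        if self.password_in_state:
            out.append("drop administrator_login_password from the program (no replacement)")
        out.append("keep administrator_login, or remove it and ignore changes "
                   "to the administrator login property to avoid a replacement")
        return out


def _is_secret(value) -> bool:
    """True when the value is Pulumi's encrypted-secret envelope."""
    return isinstance(value, dict) and value.get(SECRET_SIG_KEY) == SECRET_SIG_VALUE


def audit_stack(export: dict) -> list:
    """Walk every resource in the export and report on each Flexible Server."""
    findings = []
    for res in export.get("deployment", {}).get("resources", []):
        if res.get("type") != FLEXIBLE_SERVER_TYPE:
            continue
        inputs = res.get("inputs") or {}
        auth = inputs.get("authConfig") or {}
        # Assumption: Azure defaults passwordAuth to Enabled when authConfig is absent.
        enabled = str(auth.get("passwordAuth", "Enabled")).lower() == "enabled"
        pw = inputs.get("administratorLoginPassword")
        present = pw not in (None, "")
        findings.append(Finding(
            name=res["urn"].rsplit("::", 1)[-1],
            password_auth_enabled=enabled,
            password_in_state=present,
            password_in_plaintext=present and not _is_secret(pw),
        ))
    return findings


def report(export: dict) -> list:
    """Human-readable lines: one status line per server plus its steps."""
    lines = []
    for f in audit_stack(export):
        status = "password auth ON" if f.password_auth_enabled else "password auth off"
        flag = " (PLAINTEXT)" if f.password_in_plaintext else ""
        lines.append(f"{f.name}: {status}, password in state: {f.password_in_state}{flag}")
        lines.extend(f"  - {s}" for s in f.steps())
    return lines


# Constructed sample export (not a real stack): three servers in three states
# plus an unrelated resource that the audit must skip.
SAMPLE_EXPORT = json.loads("""
{"version": 3, "deployment": {"resources": [
  {"urn": "urn:pulumi:dev::app::azure-native:dbforpostgresql:Server::legacy",
   "type": "azure-native:dbforpostgresql:Server",
   "inputs": {"administratorLogin": "legacy_admin",
              "administratorLoginPassword": {"4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270", "ciphertext": "v1:..."},
              "authConfig": {"activeDirectoryAuth": "Enabled", "passwordAuth": "Enabled"}}},
  {"urn": "urn:pulumi:dev::app::azure-native:dbforpostgresql:Server::stale",
   "type": "azure-native:dbforpostgresql:Server",
   "inputs": {"administratorLogin": "nolongerneeded_admin",
              "administratorLoginPassword": "TheSuperSecretPassword",
              "authConfig": {"activeDirectoryAuth": "Enabled", "passwordAuth": "Disabled"}}},
  {"urn": "urn:pulumi:dev::app::azure-native:dbforpostgresql:Server::migrated",
   "type": "azure-native:dbforpostgresql:Server",
   "inputs": {"administratorLogin": "nolongerneeded_admin",
              "authConfig": {"activeDirectoryAuth": "Enabled", "passwordAuth": "Disabled"}}},
  {"urn": "urn:pulumi:dev::app::azure-native:resources:ResourceGroup::rg",
   "type": "azure-native:resources:ResourceGroup", "inputs": {}}
]}}
""")

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```

Run it against a real export with `pulumi stack export > state.json` and `json.load(open("state.json"))` in place of `SAMPLE_EXPORT`. The "stale" case is the one worth catching: password auth is already off, so the password in state is dead weight that still leaks if the state backend is exposed, and it is exactly the field option 1 says to drop first.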
@ruben-janssens
Author

Hi @thomas11, the docs state that the username and password are required for creation (not with an *, but in the description). In our use case we do not have to create the database now, but in future we plan to create new databases for new applications, and we want to use AD auth from the beginning then. I have not fully tested this and forgot about ignore_changes for a moment. So it could be that this is a documentation issue?

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Jan 20, 2025
@thomas11
Contributor

Hi @ruben-janssens, I'm not sure it's possible to create a Server without username and password, even when AD is enabled. The official example in the Azure API spec still specifies username and password.

@thomas11 thomas11 added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Jan 20, 2025
@ruben-janssens
Author

I have attempted to create a server in the Azure portal, entering all the parameters (excluding a username and password, and setting an Entra administrator) and then letting it generate a template. In the template it uses null for the password, so I assume it should be possible?

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Jan 21, 2025
@thomas11
Contributor

It could be that the docs saying that password is required are wrong. We take them directly from the Azure spec, so the problem would be upstream. You could try leaving out the password to create a server.

@thomas11 thomas11 added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Jan 21, 2025