How to set ad_auth_only on azure mysql flexible server instance

The azurerm_mysql_flexible_server resource does not have an option to set server configuration options on creation.

There is an azurerm_mysql_flexible_server_configuration option which seems to be designed to set server configuration options, but this does not work, as the ad_auth_only setting and a lot of the other settings are read_only after the database has been deployed.

I get this error (edited to remove our specific name):

Error: waiting for creation of Flexible Server Configuration: (Configuration Name “aad_auth_only” / Flexible Server Name “” / Resource Group “”): Code=“ConfigurationReadOnly” Message=“The configuration(s) ‘aad_auth_only’ is(are) read-only for 0 server version 8.0.21.”

How am I supposed to configure the mysql flexible server ad_auth_only in this case?

Thanks for any help

Thanks for raising this issue, I’ve also been looking for a solution for a couple of days.
Is anyone looking into this?

Hi there,

I got a reply via a different route. The functionality is not there for Flexible Server at the moment. There are other requests to add a “azurerm_mysql_flexible_server_active_directory_administrator” resource but there has been no movement on this. I suggested more is needed.

  1. Either the ability to set the ad_auth setting post creation in the same way it can be done through the cli or the portal or for Microsoft to make the value writeable after creation.
  2. The ability to add the managed identity
  3. The ability to set the AD administrator.

These have been submitted as a feature request by the support agent.

In the interim it may be possible to use the azapi provider to work around any unsupported workflows:

https://registry.terraform.io/providers/Azure/azapi/latest/docs

I’ve not tried this myself yet but it looks like it could work in the short term.

Hope this helps

To set the ad_auth_only option on an Azure MySQL Flexible Server instance, you can follow these steps:

  1. Open the Azure portal (https://portal.azure.com) and navigate to your MySQL Flexible Server instance.
  2. In the left-hand menu, click on “Networking” under the “Settings” section.
  3. In the Networking settings, locate the “Active Directory admin” section.
  4. Click on the “Enable” button next to the “Enable Azure Active Directory admin” option if it’s not already enabled.
  5. Once enabled, additional options will appear. Locate the “Active Directory Authentication only” checkbox.
  6. Check the “Active Directory Authentication only” checkbox to enable the ad_auth_only option for your MySQL Flexible Server instance.
  7. Click the “Save” button to apply the changes.

Hi Hellaparker010,

You might be missing the point here. We are trying to do this using terraform not manually.

Cheers
Phill

The azurerm_mysql_flexible_server resource does not have an option to set server configuration options on creation. The azurerm_mysql_flexible_server_configuration option is designed to set server configuration options, but the ad_auth_only setting is read-only after the database has been deployed. Therefore, the only way to configure the mysql flexible server ad_auth_only in this case is to use the Azure portal.

To do this, you need to open the Azure portal and navigate to your MySQL Flexible Server instance. In the left-hand menu, click on “Networking” under the “Settings” section. In the Networking settings, locate the “Active Directory admin” section. If the “Enable Azure Active Directory admin” option is not already enabled, click on the “Enable” button next to it. Once enabled, additional options will appear. Locate the “Active Directory Authentication only” checkbox and check it to enable the ad_auth_only option for your MySQL Flexible Server instance. Finally, click the “Save” button to apply the changes.

Once you have completed these steps, your MySQL Flexible Server instance will only allow connections from users who have been authenticated through Azure Active Directory.

Hi dustindepp56,

You might be missing the point here. We are trying to do this using terraform not manually.

Cheers
Phill

Answering my own question: There is now a resource called

azurerm_mysql_flexible_server_active_directory_administrator

which lets you set the same configuration items that are on the authentication blade for a mysql flexible instance. Once the database has been configured and the directory admin resource has been configured, the final step is to use the database configuration resource to set the aad_auth_only parameter to ‘ON’. Just to be clear, this has to be done last because it is only after the first two steps complete that the aad_auth_only parameter becomes writeable. I added a dependency clause to the configuration resource so it waits for the other parts to finish.
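The ordering described in the answer above, sketched as Terraform. This is an added example, not the poster's own configuration: it assumes an already configured azurerm provider, and the resource names, SKU, admin login and all variables are placeholders.

```hcl
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "admin_password" {
  type      = string
  sensitive = true
}
variable "aad_admin_login" { type = string }     # placeholder: directory user or group name
variable "aad_admin_object_id" { type = string } # placeholder: its object ID

data "azurerm_client_config" "current" {}

resource "azurerm_user_assigned_identity" "mysql" {
  name                = "example-mysql-identity"
  resource_group_name = var.resource_group_name
  location            = var.location
}

# Step 1: the server, with the managed identity attached.
resource "azurerm_mysql_flexible_server" "db" {
  name                   = "example-mysql-fs"
  resource_group_name    = var.resource_group_name
  location               = var.location
  administrator_login    = "mysqladmin"
  administrator_password = var.admin_password
  sku_name               = "GP_Standard_D2ds_v4"
  version                = "8.0.21"
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.mysql.id]
  }
}

# Step 2: the directory administrator for that server.
resource "azurerm_mysql_flexible_server_active_directory_administrator" "aad" {
  server_id   = azurerm_mysql_flexible_server.db.id
  identity_id = azurerm_user_assigned_identity.mysql.id
  login       = var.aad_admin_login
  object_id   = var.aad_admin_object_id
  tenant_id   = data.azurerm_client_config.current.tenant_id
}

# Step 3: aad_auth_only is read-only until steps 1 and 2 complete, so wait for them.
resource "azurerm_mysql_flexible_server_configuration" "aad_auth_only" {
  name                = "aad_auth_only"
  resource_group_name = var.resource_group_name
  server_name         = azurerm_mysql_flexible_server.db.name
  value               = "ON"
  depends_on          = [azurerm_mysql_flexible_server_active_directory_administrator.aad]
}
```

Without the explicit depends_on, Terraform sees only the reference to the server and may attempt the configuration before the administrator exists, which is the point at which the ConfigurationReadOnly error from the question appears.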

If you are trying to set ad_auth_only for an Azure MySQL Flexible Server instance with version 8.0.21, you will not be able to do this using the azurerm_mysql_flexible_server_configuration resource. This is because the ad_auth_only setting is read-only for this version of MySQL.

To set ad_auth_only for an Azure MySQL Flexible Server instance with version 8.0.21, you will need to use the Azure portal or the Azure CLI.

Hi mattquil56,

You can set it with v8.0.x if you follow the steps I outlined in my answer above. Initially the option is read-only but after the database instance has been deployed and the directory admin user has been set the ad_auth_only option becomes read/write and can be set using the configuration resource from terraform. I know this works because it is what I am doing right now.

Give it a go and see how you get on. If it doesn’t work for you then let me know and I’ll see if I can provide more detailed steps.

Cheers
Phill