The azurerm_mysql_flexible_server resource does not have an option to set server configuration options on creation.
There is an azurerm_mysql_flexible_server_configuration option which seems to be designed to set server configuration options, but this does not work, as the ad_auth_only setting and a lot of the other settings are read-only after the database has been deployed.
I get this error (edited to remove our specific name):
Error: waiting for creation of Flexible Server Configuration: (Configuration Name “aad_auth_only” / Flexible Server Name “” / Resource Group “”): Code=“ConfigurationReadOnly” Message=“The configuration(s) ‘aad_auth_only’ is(are) read-only for 0 server version 8.0.21.”
How am I supposed to configure the mysql flexible server ad_auth_only in this case?
I got a reply via a different route. The functionality is not there for Flexible Server at the moment. There are other requests to add a “azurerm_mysql_flexible_server_active_directory_administrator” resource but there has been no movement on this. I suggested more is needed.
Either the ability to set the ad_auth setting post creation in the same way it can be done through the CLI or the portal, or for Microsoft to make the value writeable after creation.
The ability to add the managed identity
The ability to set the AD administrator.
These have been submitted as a feature request by the support agent.
In the interim it may be possible to use the azapi provider to work around any unsupported workflows.
The azurerm_mysql_flexible_server resource does not have an option to set server configuration options on creation. The azurerm_mysql_flexible_server_configuration option is designed to set server configuration options, but the ad_auth_only setting is read-only after the database has been deployed. Therefore, the only way to configure the mysql flexible server ad_auth_only in this case is to use the Azure portal.
To do this, you need to open the Azure portal and navigate to your MySQL Flexible Server instance. In the left-hand menu, click on “Networking” under the “Settings” section. In the Networking settings, locate the “Active Directory admin” section. If the “Enable Azure Active Directory admin” option is not already enabled, click on the “Enable” button next to it. Once enabled, additional options will appear. Locate the “Active Directory Authentication only” checkbox and check it to enable the ad_auth_only option for your MySQL Flexible Server instance. Finally, click the “Save” button to apply the changes.
Once you have completed these steps, your MySQL Flexible Server instance will only allow connections from users who have been authenticated through Azure Active Directory.
which lets you set the same configuration items that are on the authentication blade for a mysql flexible instance. Once the database has been configured and the directory admin resource has been configured, the final step is to use the database configuration resource to set the aad_auth_only parameter to ‘ON’. Just to be clear, this has to be done last because it is only after the first two steps complete that the aad_auth_only parameter becomes writeable. I added a dependency clause to the configuration resource so it waits for the other parts to finish.
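As an added illustration of the three-step ordering described in this reply (this is not code from the thread or from the provider's documentation), the Terraform below creates the server with a user-assigned identity, assigns the directory admin, and only then flips aad_auth_only to ON; the resource group, location, SKU, names, login and object/tenant IDs are placeholder assumptions.

```hcl
# Added example. Keep the password out of the config; it is only needed for creation.
variable "mysql_password" {
  type      = string
  sensitive = true
}

# Step 1: the server, plus the user-assigned identity the AD admin assignment requires.
resource "azurerm_user_assigned_identity" "mysql" {
  name                = "mysql-aad-identity" # placeholder
  resource_group_name = "rg-example"         # placeholder
  location            = "westeurope"         # placeholder
}

resource "azurerm_mysql_flexible_server" "example" {
  name                   = "mysql-example" # placeholder
  resource_group_name    = "rg-example"
  location               = "westeurope"
  version                = "8.0.21"
  administrator_login    = "mysqladmin" # placeholder; stops working once aad_auth_only is ON
  administrator_password = var.mysql_password
  sku_name               = "B_Standard_B1ms" # placeholder

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.mysql.id]
  }
}

# Step 2: the directory admin. Until this exists, aad_auth_only is reported read-only.
resource "azurerm_mysql_flexible_server_active_directory_administrator" "example" {
  server_id   = azurerm_mysql_flexible_server.example.id
  identity_id = azurerm_user_assigned_identity.mysql.id
  login       = "dba-group@example.com"                # placeholder
  object_id   = "00000000-0000-0000-0000-000000000000" # placeholder
  tenant_id   = "00000000-0000-0000-0000-000000000000" # placeholder
}

# Step 3: must run last. depends_on makes Terraform wait for the admin assignment,
# which is what turns aad_auth_only writeable.
resource "azurerm_mysql_flexible_server_configuration" "aad_only" {
  name                = "aad_auth_only"
  resource_group_name = azurerm_mysql_flexible_server.example.resource_group_name
  server_name         = azurerm_mysql_flexible_server.example.name
  value               = "ON"

  depends_on = [azurerm_mysql_flexible_server_active_directory_administrator.example]
}
```

Once the last resource is applied, the password administrator can no longer log in, so confirm the directory admin can connect before enabling it.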
If you are trying to set ad_auth_only for an Azure MySQL Flexible Server instance with version 8.0.21, you will not be able to do this using the azurerm_mysql_flexible_server_configuration resource. This is because the ad_auth_only setting is read-only for this version of MySQL.
To set ad_auth_only for an Azure MySQL Flexible Server instance with version 8.0.21, you will need to use the Azure portal or the Azure CLI.
You can set it with v8.0.x if you follow the steps I outlined in my answer above. Initially the option is read-only, but after the database instance has been deployed and the directory admin user has been set, the ad_auth_only option becomes read/write and can be set using the configuration resource from terraform. I know this works because it is what I am doing right now.
Give it a go and see how you get on. If it doesn’t work for you then let me know and I’ll see if I can provide more detailed steps.
You can’t set aad_auth_only during creation because it’s a read-only setting after deployment. To enable aad_auth_only, try configuring it using Azure CLI or PowerShell after the server is deployed, or check if it’s supported through the Azure portal.