Mysql Flexible Server private_service_connection subresource name

[seppmaier99]

Hi,

1.)
I have an issue with the Azure Mysql Flexible Server private_service_connection. According the documentation the subresources_names are only available for

Azure Database for MySQL | Microsoft.DBforMySQL/servers | mysqlServer

and the subresources_names is "mysqlServer".

Is there an equivalent for the Mysql Flexible Server, like "flexibleServers" or similar?

What could be another way to connect a azure spring cloud to the flexible server? The old "azurerm_spring_cloud_app_mysql_association" does not work.

2.)
The I tried to set up it manually. It worked but only when I fully opened the firewall and let all azure services have access to the flexible server, just to see if it ever works at all. As I want to have it secure and to be automatically created with terraform I tried the proposed solution from the documentation see point 3.

3.)
I tried the example with service delegation according to the documentation https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_flexible_server

This did not work and my script needed over an hour an ran into an error. It could not delete the existing subnet and recreate it with the delegation. Now I have been stuck beeing not able to delete the subnet, see also https://docs.microsoft.com/en-us/answers/questions/140197/unable-to-delete-vnet-due-to-serviceassociationlin.html

I think this maybe has nothing to do with the flexible server, maybe it would work from scratch if reset the whole environment and build it new, but this takes a lot of time and is out of scope.

Thanks

[neil-yechenwei]

1. Per the doc description, azurerm_private_endpoint.private_service_connection.subresource_names only supports mysql server.

2. After tested with below tf config and latest provider version, azurerm_spring_cloud_app_mysql_association works fine from our side.
   My tf config:

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "test" {
  name     = "acctestRG-spring-test01"
  location = "West Europe"
}

resource "azurerm_spring_cloud_service" "test" {
  name                = "acctest-sc-test01"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_spring_cloud_app" "test" {
  name                = "acctest-sca-test01"
  resource_group_name = azurerm_spring_cloud_service.test.resource_group_name
  service_name        = azurerm_spring_cloud_service.test.name
}

resource "azurerm_mysql_server" "test" {
  name                             = "acctestmysqlsvr-test01"
  location                         = azurerm_resource_group.test.location
  resource_group_name              = azurerm_resource_group.test.name
  sku_name                         = "GP_Gen5_2"
  administrator_login              = "acctestun"
  administrator_login_password     = "B@Sh1CoR3!"
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_1"
  storage_mb                       = 51200
  version                          = "5.7"
}

resource "azurerm_mysql_database" "test" {
  name                = "acctest-db-test01"
  resource_group_name = azurerm_resource_group.test.name
  server_name         = azurerm_mysql_server.test.name
  charset             = "utf8"
  collation           = "utf8_unicode_ci"
}

resource "azurerm_spring_cloud_app_mysql_association" "test" {
  name                = "acctestscamb-test01"
  spring_cloud_app_id = azurerm_spring_cloud_app.test.id
  mysql_server_id     = azurerm_mysql_server.test.id
  database_name       = azurerm_mysql_database.test.name
  username            = azurerm_mysql_server.test.administrator_login
  password            = azurerm_mysql_server.test.administrator_login_password
}

3. After tested, the example in the doc of mysql fs works fine on my local.

4. The serviceAssociationLink issue you mentioned has been fixed from service side. See more details from azurerm_mysql_flexible_server database resource inconsistently does not remove serviceAssociationLinks from delegated subnet #15032.
   Below is the example that works fine on my local:

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "test" {
  name     = "acctestRG-mysqlfs-test03"
  location = "eastus"
}

resource "azurerm_virtual_network" "test" {
  name                = "acctest-dbvn-test03"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "test" {
    name                 = "acctest-subnettest03"
    resource_group_name  = azurerm_resource_group.test.name
    virtual_network_name = azurerm_virtual_network.test.name
    address_prefixes     = ["10.0.2.0/24"]
    service_endpoints    = ["Microsoft.Storage"]

    delegation {
        name = "acctest-sndel"

        service_delegation {
            name    = "Microsoft.DBforMySQL/flexibleServers"
            actions = ["Microsoft.Network/virtualNetworks/subnets/join/action",]
        }
    }
}

resource "azurerm_private_dns_zone" "test" {
    name                = "acctestVnetZonetest03.mysql.database.azure.com"
    resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "test" {
    name                  = "acctestVnetZonetest03.com"
    resource_group_name   = azurerm_resource_group.test.name
    private_dns_zone_name = azurerm_private_dns_zone.test.name
    virtual_network_id    = azurerm_virtual_network.test.id
}

resource "azurerm_mysql_flexible_server" "test" {
    name                         = "acctest-mysqlfs-test03"
    location                     = azurerm_resource_group.test.location
    resource_group_name          = azurerm_resource_group.test.name
    backup_retention_days        = 7
    geo_redundant_backup_enabled = false
    sku_name                     = "GP_Standard_D2ds_v4"
    version                      = "8.0.21"
    administrator_login          = "adminTerraform"
    administrator_password       = "BGZwsx123"
    
    storage { 
        auto_grow_enabled = false
        size_gb           = 32
    } 
    
    delegated_subnet_id = azurerm_subnet.test.id 
    private_dns_zone_id = azurerm_private_dns_zone.test.id 
    
    depends_on = [azurerm_private_dns_zone_virtual_network_link.test] 
}

For more usage problem, suggest leave message on https://discuss.hashicorp.com/c/terraform-providers/tf-azure/34. Thanks.

[seppmaier99]

Thank you very much for the detailled response!

I think I have found the main mistake in my project. As we have defined the virtual networks + subnets in a separate parent project, which is executed separately in the pipeline, I don't have access to the azurerm_private_dns_zone + azurerm_subnet within the subproject, where the flexible server is defined (with the single server, this was not an issue as we used the azurerm_spring_cloud_app_mysql_association). Propably it is possible to import those resources and then use them in the subproject.

Still one question here for the delegation:
Is it possible to define the delegation in the parent project and use it for multiple subprojects and if yes, can there be several delegations, eg. one for mysql flexible and one postgresql flexible in one subnet?

Thank you and have a nice weekend

[neil-yechenwei]

Yes. I think you can define the subnet with delegation in parent project. See more usage from terraform doc. Per doc, one or more delegations can be added but I didn't try the scenario of "one for mysql flexible and one postgresql flexible in one subnet". For more usage problem, suggest leave message on https://discuss.hashicorp.com/c/terraform-providers/tf-azure/34. Thanks.