
Support for Azure Active Directory for Azure Database for MySQL – Flexible Server #19272

marcoboffi opened this issue Nov 14, 2022 · 16 comments

@marcoboffi

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Azure Active Directory authentication for Azure Database for MySQL - Flexible Server allows improving database security by delegating credential management and authentication to a centralized identity provider. Azure Active Directory supports advanced security features such as second-factor authentication options, password lifecycle management, applications and managed identities, and conditional access. Azure Active Directory for Azure Database for MySQL – Flexible Server now provides full support for managed identities, improved group roles, support for invited users, and an Azure Active Directory-only authentication mode with the ability to disable local user support.

New or Affected Resource(s)/Data Source(s)

azurerm_mysql_flexible_server_active_directory_administrator

Potential Terraform Configuration

resource "azurerm_mysql_flexible_server_active_directory_administrator" "example" {
  # the parent must be a flexible server, not a (single) azurerm_mysql_server
  server_name         = azurerm_mysql_flexible_server.example.name
  resource_group_name = azurerm_resource_group.example.name
  login               = "sqladmin"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  object_id           = data.azurerm_client_config.current.object_id
}

References

https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-azure-ad-authentication

@gasparecoolshop

It would be good to add AAD support for Flexible Server quickly, given that Azure Database for MySQL Single Server is on the retirement path and people will start to use Flexible Server as the preferred solution.

@rohangollena

+1

@paulh-utilita

Has there been any update on this? I find myself now needing to start the migration process from Single Server to Flexible Server, and this does need to be set.

@rsun-thoughtworks

Any update?

@sigv

sigv commented Apr 6, 2023

Taking a look at the ARM template, Microsoft.DBforMySQL flexibleServers/administrators, it looks like a reasonable request for implementation in the AzureRM provider.

@kratkyzobak

@sigv IIRC, the AzureRM provider depends on the Azure Go SDK, which depends on Microsoft extending the API, which is something Microsoft does when planning to go from preview to GA with a feature. There is the AzAPI Terraform provider, which can utilize a given resource template.

As configuring AAD auth is a separate resource from the server itself, it is very easy to mix the AzAPI and AzureRM providers in this case.

My approach, for example:

resource "azapi_resource" "mysql_flexible_server_administrator" {
  count = var.aad_auth != null ? 1 : 0

  type = "Microsoft.DBforMySQL/flexibleServers/administrators@2021-12-01-preview"
  name = "ActiveDirectory"
  parent_id = azurerm_mysql_flexible_server.primary.id
  body = jsonencode({
    properties = {
      administratorType = "ActiveDirectory"
      # this identity needs to have the Directory Reader Azure AD role assigned;
      # if not, this will fail with "AzureKeyVaultNoServerIdentity"
      # we're not running Terraform as Azure Global admins, so the identity is created in advance
      identityResourceId = var.aad_auth.identity_id
      # this will be the username used to log in as server admin. The Portal would put the name
      # of the identity below here, but that is not needed
      login = "aad-superuser"
      # object id of the group of users who will be able to access the server as administrators
      sid = var.aad_auth.admin_object_id
      tenantId = var.aad_auth.tenant_id
    }
  })
}

The identity used (in the example, var.aad_auth.identity_id) has to be assigned to the server using azurerm_mysql_flexible_server's identity block and has to have the Directory Read role, as stated in the Azure documentation.

Creating this resource would enable mixed auth (password and AAD). You can disable password users' access by setting the configuration aad_auth_only to on (for example via azurerm_mysql_flexible_server_configuration).

@nbjohnson

It looks like AD support was added for MySQL Flex back in v3.58.0 with this MR: #21786. However, I am not seeing support for AD only; can support be added to the MySQL Flex server so I can enable only AD login and completely disable local auth?

@kratkyzobak

If you want AD only, you should set the aad_only server parameter using azurerm_mysql_flexible_server_configuration.

IIRC, the Azure Portal does exactly the same thing when you select "AD only". There is still an admin with a standard password, but it is just disabled by this parameter.

@nbjohnson

Ok, thanks for that information; I will try out that parameter. Is that really what the Azure Portal does when selecting "Azure Active Directory authentication only" for the auth method?

@kratkyzobak

As stated in the documentation:

Only Azure AD authentication - MySQL native authentication is disabled, and users are able to authenticate using only their Azure AD user and token. To enable this mode, the server parameter aad_auth_only is set to enabled.
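An added end-to-end example (not any commenter's config) that ties together the azapi-based approach above, the native azurerm administrator resource mentioned for v3.58.0+, and the aad_auth_only parameter just quoted: the server gets a user-assigned identity, an Azure AD administrator, and then native logins are switched off. Resource names, the location, the SKU, the `ON` value and the use of the running principal as administrator are assumptions; the Directory Readers role assignment for the identity is done outside Terraform.

```terraform
# Added example, not a commenter's config: names, location and values are assumed.
data "azurerm_client_config" "current" {}
variable "local_admin_password" {
  type      = string
  sensitive = true
}

resource "azurerm_resource_group" "example" {
  name     = "rg-mysql-aad-example"
  location = "westeurope"
}

# Identity the server uses to query Azure AD; it needs the Directory Readers role (assigned out of band).
resource "azurerm_user_assigned_identity" "mysql" {
  name                = "id-mysql-aad"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}

resource "azurerm_mysql_flexible_server" "example" {
  name                   = "mysql-aad-example"
  resource_group_name    = azurerm_resource_group.example.name
  location               = azurerm_resource_group.example.location
  administrator_login    = "localadmin" # still created, but locked out below
  administrator_password = var.local_admin_password

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.mysql.id]
  }
}

# Native resource (azurerm >= 3.58.0); object_id is usually an Azure AD group's object id.
resource "azurerm_mysql_flexible_server_active_directory_administrator" "example" {
  server_id   = azurerm_mysql_flexible_server.example.id
  identity_id = azurerm_user_assigned_identity.mysql.id
  login       = "aad-superuser"
  object_id   = data.azurerm_client_config.current.object_id
  tenant_id   = data.azurerm_client_config.current.tenant_id
}

# Azure AD-only mode: disables MySQL native (password) logins once the AAD admin exists.
resource "azurerm_mysql_flexible_server_configuration" "aad_only" {
  name                = "aad_auth_only"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_mysql_flexible_server.example.name
  value               = "ON" # assumed spelling; the thread quotes "on" / "enabled"
  depends_on          = [azurerm_mysql_flexible_server_active_directory_administrator.example]
}
```

The explicit depends_on matters: if the parameter were applied before the Azure AD administrator existed, the server would briefly have no working administrative login.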

@wiebeck

wiebeck commented Dec 27, 2023

Can this issue be closed with the existence of the azurerm_mysql_flexible_server_active_directory_administrator resource?

@rohangollena

rohangollena commented Dec 27, 2023 via email
