@nasc17
Member

@nasc17 nasc17 commented Mar 10, 2025

Related command
az postgres flexible-server create

Description
Fix flexible-server create generating a password when --password-auth is Disabled.
Update text that references Active Directory auth to say Microsoft Entra
Add ability to add admin during create if Microsoft Entra is enabled

Testing Guide
az postgres flexible-server create -h

Arguments
    --active-directory-auth      : Whether Microsoft Entra authentication is enabled.  Allowed
                                   values: Disabled, Enabled.  Default: Disabled.
    --address-prefixes           : The IP address prefix to use when creating a new virtual network
                                   in CIDR format. Default value is 10.0.0.0/16.
    --admin-display-name -m      : Display name of the Microsoft Entra administrator user or group.
    --admin-object-id -i         : The unique ID of the Microsoft Entra administrator.
    --admin-type -t              : Type of the Microsoft Entra administrator.  Allowed values:
                                   Group, ServicePrincipal, Unknown, User.

Create a PostgreSQL flexible server with Microsoft Entra auth only and primary administrator
specified.

    # create flexible server with aad only auth and password auth disabled with primary
    # administrator specified
    az postgres flexible-server create -g testGroup -n testServer --location testLocation \
      --active-directory-auth Enabled --password-auth Disabled \
      --admin-object-id 00000000-0000-0000-0000-000000000000 \
      --admin-display-name [email protected] --admin-type User

az postgres flexible-server create -g testGroup -n test-default --location location

Make a note of your password. If you forget, you would have to reset your password with "az postgres flexible-server update -n test-default -g testGroup -p <new-password>".
Try using 'az postgres flexible-server connect' command to test out connection.
{
  "connectionString": "postgresql://bubblypepper8:[email protected]/flexibleserverdb?sslmode=require",
  "databaseName": "flexibleserverdb",
  "host": "test-default.postgres.database.azure.com",
  "id": "/subscriptions/subid/resourceGroups/testGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-default",
  "location": "Location",
  "password": "password",
  "resourceGroup": "testGroup",
  "skuname": "Standard_D2s_v3",
  "username": "bubblypepper8",
  "version": "16"
}

az postgres flexible-server create -g testGroup -n test-msentra --location location --create-default-database Disabled --active-directory-auth Enabled

Make a note of your password. If you forget, you would have to reset your password with "az postgres flexible-server update -n test-msentra -g testGroup -p <new-password>".
Try using 'az postgres flexible-server connect' command to test out connection.
{
  "admin": null,
  "connectionString": "postgresql://selfishsalt4:[email protected]/postgres?sslmode=require",
  "databaseName": "postgres",
  "host": "test-msentra.postgres.database.azure.com",
  "id": "/subscriptions/subid/resourceGroups/testGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-msentra",
  "location": "Location",
  "password": "password",
  "resourceGroup": "testGroup",
  "skuname": "Standard_D2s_v3",
  "username": "selfishsalt4",
  "version": "16"
}

az postgres flexible-server create -g testGroup -n test-msentra-only --location location --create-default-database Disabled --active-directory-auth Enabled --password-auth Disabled

Try using 'az postgres flexible-server connect' command to test out connection.
{
  "admin": null,
  "connectionString": "postgresql://<admin>@test-msentra-only.postgres.database.azure.com/postgres?sslmode=require",
  "databaseName": "postgres",
  "host": "test-msentra-only.postgres.database.azure.com",
  "id": "/subscriptions/subid/resourceGroups/testGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-msentra-only",
  "location": "Location",
  "resourceGroup": "testGroup",
  "skuname": "Standard_D2s_v3",
  "version": "16"
}

az postgres flexible-server create -g testGroup -n test-msentra-admin --location location --create-default-database Disabled --active-directory-auth Enabled --password-auth Disabled --admin-object-id 00000000-0000-0000-0000-000000000000 --admin-display-name [email protected] --admin-type User

Creating PostgreSQL Server 'test-msentra-admin' in group 'testGroup'...
Add Microsoft Entra Admin '[email protected]'.
Try using 'az postgres flexible-server connect' command to test out connection.
{
  "admin": "[email protected]",
  "connectionString": "postgresql://[email protected]@test-msentra-admin.postgres.database.azure.com/postgres?sslmode=require",
  "databaseName": "postgres",
  "host": "test-msentra-admin.postgres.database.azure.com",
  "id": "/subscriptions/subid/resourceGroups/testGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-msentra-admin",
  "location": "Location",
  "resourceGroup": "testGroup",
  "skuname": "Standard_D2s_v3",
  "version": "16"
}

az postgres flexible-server create -g testGroup -n test-msentra-password-admin --location location --create-default-database Disabled --active-directory-auth Enabled --admin-object-id 00000000-0000-0000-0000-000000000000 --admin-display-name [email protected] --admin-type User

Creating PostgreSQL Server 'test-msentra-password-admin' in group 'testGroup'...
Add Microsoft Entra Admin '[email protected]'.
Make a note of your password. If you forget, you would have to reset your password with "az postgres flexible-server update -n test-msentra-password-admin -g testGroup -p <new-password>".
Try using 'az postgres flexible-server connect' command to test out connection.
{
  "admin": "[email protected]",
  "connectionString": "postgresql://anxiousgranola3:[email protected]/postgres?sslmode=require",
  "databaseName": "postgres",
  "host": "test-msentra-password-admin.postgres.database.azure.com",
  "id": "/subscriptions/subid/resourceGroups/testGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/test-msentra-password-admin",
  "location": "Location",
  "password": "password",
  "resourceGroup": "testGroup",
  "skuname": "Standard_D2s_v3",
  "username": "anxiousgranola3",
  "version": "16"
}

az postgres flexible-server create -g testGroup -n nasc-test --location location --create-default-database Disabled --admin-object-id 00000000-0000-0000-0000-000000000000 --admin-display-name [email protected] --admin-type User
To provide values for --admin-object-id, --admin-display-name, and --admin-type please set --active-directory-auth to "Enabled".

az postgres flexible-server create -g testGroup -n nasc-test7 --location location --create-default-database Disabled --active-directory-auth Enabled --admin-object-id 00000000-0000-0000-0000-000000000000 --admin-display-name [email protected]
To add Microsoft Entra admin, please provide values for --admin-object-id, --admin-display-name, and --admin-type.

History Notes
[RDBMS] az postgres flexible-server create: Support adding admin during creation if --active-directory-auth is Enabled and no longer generate password when --password-auth is Disabled


This checklist is used to make sure that common guidelines for a pull request are followed.
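
One way to consume the `create` results shown in the Testing Guide above from automation, as an added example that is not part of this PR or the azure-cli code base: it redacts the returned password before the JSON reaches a log and flags a password that comes back when password auth was disabled. The function name `audit_create_output`, the `REDACTED` marker and the sample values are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit

REDACTED = "***"

# Constructed samples shaped like the Testing Guide output; the secret is a placeholder.
SAMPLE_PASSWORD_AUTH = json.dumps({
    "connectionString": "postgresql://bubblypepper8:s3cret-placeholder"
                        "@test-default.postgres.database.azure.com"
                        "/flexibleserverdb?sslmode=require",
    "host": "test-default.postgres.database.azure.com",
    "password": "s3cret-placeholder",
    "username": "bubblypepper8",
})
SAMPLE_ENTRA_ONLY = json.dumps({
    "admin": None,
    "connectionString": "postgresql://<admin>@test-msentra-only.postgres"
                        ".database.azure.com/postgres?sslmode=require",
    "host": "test-msentra-only.postgres.database.azure.com",
})


def audit_create_output(raw_json, password_auth_enabled):
    """Return (findings, redacted) for one JSON result of the create command."""
    result = json.loads(raw_json)
    redacted = dict(result)
    findings = []

    parts = urlsplit(result.get("connectionString", ""))
    secret_in_url = parts.password is not None
    secret_in_field = result.get("password") is not None

    if secret_in_url or secret_in_field:
        if password_auth_enabled:
            findings.append("plaintext password in output: redact before logging")
        else:
            findings.append("password returned although password auth is disabled")

    if secret_in_field:
        redacted["password"] = REDACTED
    if secret_in_url:
        # Rebuild the authority part with the secret masked, keeping user and host.
        host = parts.hostname or ""
        if parts.port:
            host += f":{parts.port}"
        netloc = f"{parts.username}:{REDACTED}@{host}"
        redacted["connectionString"] = urlunsplit(parts._replace(netloc=netloc))
    return findings, redacted
```
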

@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Mar 10, 2025

️✔️AzureCLI-FullTest

@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Mar 10, 2025

❌AzureCLI-BreakingChangeTest
❌rdbms
| rule | cmd_name | rule_message | suggest_message |
| --- | --- | --- | --- |
| 1010 - ParaPropUpdate | postgres flexible-server geo-restore | cmd postgres flexible-server geo-restore update parameter restore_point_in_time: updated property default from 2025-03-22T04:32:20+00:00 to 2025-03-22T04:29:50+00:00 | please change property default from 2025-03-22T04:29:50+00:00 to 2025-03-22T04:32:20+00:00 for parameter restore_point_in_time of cmd postgres flexible-server geo-restore |
| ⚠️ 1006 - ParaAdd | postgres flexible-server create | cmd postgres flexible-server create added parameter admin_id | |
| ⚠️ 1006 - ParaAdd | postgres flexible-server create | cmd postgres flexible-server create added parameter admin_name | |
| ⚠️ 1006 - ParaAdd | postgres flexible-server create | cmd postgres flexible-server create added parameter admin_type | |

@yonzhan
Collaborator

yonzhan commented Mar 10, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@nasc17
Member Author

nasc17 commented Mar 20, 2025

@evelyn-ys please retrigger checks

@evelyn-ys
Member

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

@evelyn-ys
Member

Please sync with upstream/dev branch, there're acs and storage code changes on PR review

@nasc17
Member Author

nasc17 commented Mar 21, 2025

> Please sync with upstream/dev branch, there're acs and storage code changes on PR review

Thank you for catching that. Sync has been merged and title fixed. Please retrigger.

@yonzhan
Collaborator

yonzhan commented Mar 22, 2025

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

@evelyn-ys evelyn-ys merged commit a6798ae into Azure:dev Mar 24, 2025
53 checks passed
CustardTart32 pushed a commit to CustardTart32/azure-cli that referenced this pull request Mar 24, 2025
…sword when password auth is disabled. Support adding admin during create if Microsoft Entra is enabled. (Azure#30999)

* add to ignore

* Fix bug when updating cmk geo

* Revert "add to ignore"

This reverts commit ee1192c.

* Updates to not create password if pasword is disabled

* Add admin during create

* Update text

* fixes

* fix

* PR comments

* PR comments

* lint fix

* Revert "Updates to not create password if pasword is disabled"

This reverts commit 3b1d20b.

* PR comments

* add to ignore

* Revert "add to ignore"

This reverts commit ee1192c.

* Updates to not create password if pasword is disabled

* Add admin during create

* Update text

* fixes

* fix

* PR comments

* PR comments

* lint fix

* Revert "Updates to not create password if pasword is disabled"

This reverts commit 3b1d20b.

* PR comments

* Lint fixes

* merge fix
db_name = POSTGRES_DB_NAME

user = server_result.administrator_login
user = server_result.administrator_login if is_password_auth_enabled else '<user>'
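Review bot: the fallback on the changed `user = ...` line hard-codes the placeholder `'<user>'`, while the Testing Guide output for the password-disabled case shows `<admin>` in `connectionString`. Pick one placeholder and define it once as a named constant so the code and the documented output stay consistent. A test for the `is_password_auth_enabled` false branch, asserting that neither `password` nor `username` appears in the result, would also pin down the behaviour this change is meant to fix.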
Member

@jiasli jiasli Mar 25, 2025

This line causes CredScan to fail:

https://dev.azure.com/azclitools/public/_build/results?buildId=230241&view=logs&j=9a50307c-53e6-51fa-ddad-d8767a4a0ece&t=51a28232-c495-58b8-0a15-8a556d230675

##[error]1. Credential Scanner Error CSCAN-GENERAL0030 - File: src/azure-cli/azure/cli/command_modules/rdbms/flexible_server_custom_postgres.py:src/azure-cli/azure/cli/command_modules/rdbms/flexible_server_custom_postgres.py. Line: 193. Column 3. 
Signature: 4437f095d08224d8fa3ba459bdf3c04eda1552b093c54217622502e91385ca39
Tool: Credential Scanner: Rule: CSCAN-GENERAL0030 (User Login Credentials). https://aka.ms/credscan
A potential secret was detected in 'flexible_server_custom_postgres.py':(CSCAN-GENERAL0030 User Login Credentials) Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan.

Member Author

How would you suggest we update this line to avoid error in future?
