azurerm_mssql_server : fix for administrator_login_password not being able to be updated

[sinbai]

• The behavior of the API when updating the password of resource azurerm_mssql_server:

If azuread_authentication_only is set to true when creating resource azurerm_mssql_server. In this case, the password is not allowed to be updated. Password is allowed to be updated when azuread_authentication_only is set to false.

• Issue mentioned in [azurerm_mssql_server] updating administrator_login_password throws error even though azuread_authentication_only is disabled #25116:

1. Create a resource azurerm_mssql_serverwith azuread_administrator.0.azuread_authentication_only = true.
2. Update the password of azurerm_mssql_server and update azuread_administrator.0.azuread_authentication_only = false.
   Actual: TF returns error: administrator_login_passwordcannot be changed onceazuread_administrator.0.azuread_authentication_only = true

• TF’s current implementation:

1. The validation in code prevents the password from being updated because of the old value of azuread_authentication_only is true (this is the value set when creating the new resource).
2. Even if the validation in 1. is deleted, it is still not possible to update the password, because the password is updated first in code （this is not allowed by API since the azuread_authentication_only is true）, and then updating the azuread_authentication_only in code.

Therefore, I removed the validation in code, and adjusted the update order in 2. to fix #25116.

Test results:

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

[AtakanColak]

Thanks very much for your PR. I'm not really familiar with this codebase, but I wanted to review to the best of my ability.

[AtakanColak]

I'm not sure if having azuread_authentication_only = true and administrator_login_password present is a feasible state. My bug report's initial state is aad auth is true and there is no additional administrator_login setting.

[sinbai]

I assume that it is possible because in the Terraform documentation it is stated that When true, the administrator_login and administrator_login_password properties can be omitted. . I assuming this means omitted means azure authentication only, not omitted means both. Also, the test case TestAccMsSqlServer_passwordUpdate passed.

[AtakanColak]

Not knowing much about the code styling of this repositiry, I think this function naming could be improved to something like mssqlServerResourceWithAadAuthOnly

[sinbai]

Thanks, changed to aadAdminWithAADAuthOnlyWithPassword.

[AtakanColak]

Similarly would rename to something like mssqServerResourceWithAdminLogin

[sinbai]

Thanks, changed to aadAdminWithAADAuthOnlyWithPasswordUpdate.

[AtakanColak]

Might prefer rename to be more precise (see comments below)

[sinbai]

Maybe the TestAccMsSqlServer_azureadAdminWithAADAuthOnlyWithPasswordUpdate would be more appropriate.

[AtakanColak]

Authentiction typos?

[sinbai]

Thanks for the correction.

[AtakanColak]

Sorry this may be a silly question but was there a reason for moving this part of the code?

[sinbai]

Moving this part of the code is key to solving issue #25116, where the Azure Rest API does not allow administrator_login_password updates when azuread_authentication_only = true. Because the API has such limitations, the correct behavior of TF should be to first update azuread_authentication_only = false (specified by the user), and then update administrator_login_password, so that the update can be successful.

[sinbai]

Thanks very much for your PR. I'm not really familiar with this codebase, but I wanted to review to the best of my ability.

Hi @AtakanColak thanks for your time and feedback.

[manicminer]

Thanks for looking at this @sinbai. Isn't the problem here due to azuread_authentication_only being optional + computed? If we make this not computed, the validation should pass as-is?

[manicminer]

(typo)

Suggested change

	aadOnlyAuthenticationsEnabled := expandMsSqlServerAADOnlyAuthentictions(d.Get("azuread_administrator").([]interface{}))
	aadOnlyAuthenticationsEnabled := expandMsSqlServerAADOnlyAuthentications(d.Get("azuread_administrator").([]interface{}))

[sinbai]

Fixed.

[manicminer]

(typo)

Suggested change

	aadOnlyAuthentictionsProps := serverazureadonlyauthentications.ServerAzureADOnlyAuthentication{
	aadOnlyAuthenticationsProps := serverazureadonlyauthentications.ServerAzureADOnlyAuthentication{

[sinbai]

Fixed.

[sinbai]

Thanks for looking at this @sinbai. Isn't the problem here due to azuread_authentication_only being optional + computed? If we make this not computed, the validation should pass as-is?

Hi @manicminer thanks for your time and feedback. I assume that even if we make azuread_authentication_only not computed, the validation still fails. Detail see the explanation below for details.

• The behavior of the API when updating the password of resource azurerm_mssql_server:

If azuread_authentication_only is set to true when creating resource azurerm_mssql_server. In this case, the password is not allowed to be updated. Password is allowed to be updated when azuread_authentication_only is set to false.

• Issue mentioned in [azurerm_mssql_server] updating administrator_login_password throws error even though azuread_authentication_only is disabled #25116:

1. Create a resource azurerm_mssql_serverwith azuread_administrator.0.azuread_authentication_only = true.
2. Update the password of azurerm_mssql_server and update azuread_administrator.0.azuread_authentication_only = false.
   Actual: TF returns error: administrator_login_passwordcannot be changed onceazuread_administrator.0.azuread_authentication_only = true

• TF’s current implementation:

1. The validation in code prevents the password from being updated because of the old value of azuread_authentication_only is true (this is the value set when creating the new resource).
2. Even if the validation in 1. is deleted, it is still not possible to update the password, because the password is updated first in code （this is not allowed by API since the azuread_authentication_only is true）, and then updating the azuread_authentication_only in code.

Therefore, I removed the validation and adjusted the update order in 2. to fix #25116. Please let me know if you have any feedback. Thanks in advance.