Azure Cosmos for PostgresDB provisioning error when specifying authConfig

PGT 0 Reputation points
2024-12-31T10:53:33.0433333+00:00

I'm seeing an issue when trying to provision a Cosmos for PostgresDB instance using Terraform/ARM templates. I can provision this configuration successfully, but if I uncomment the 'authConfig' block it fails with a "500 - Internal Server Error".

resource "azapi_resource" "cosmos-pg-dev" {
  type = "Microsoft.DBforPostgreSQL/serverGroupsv2@2023-03-02-preview"
  name      = "somerandomname"
  location  = azurerm_resource_group.dev.location
  parent_id = azurerm_resource_group.dev.id

  body = jsonencode({
    properties = {
      coordinatorEnablePublicIpAccess = true
      administratorLoginPassword = random_password.password.result
      coordinatorStorageQuotaInMb = 262144
      coordinatorVCores = 2
      coordinatorServerEdition = "GeneralPurpose"
      enableHa = true
      enableShardsOnCoordinator = true
      nodeCount = 0
      postgresqlVersion = "16"
#      authConfig = {
#        activeDirectoryAuth = "enabled"
#        passwordAuth = "enabled"
#      }
      "maintenanceWindow": {
        "customWindow": "Enabled",
        "dayOfWeek": 0,
        "startHour": 2,
        "startMinute": 0
      }
    }
  })
}

This is also true when I change the different options between 'enabled' and 'disabled'; I tried all the combinations with the same result.

What could be causing the issue?

Azure Database for PostgreSQL

1 answer

  1. Vinodh247 27,281 Reputation points MVP
    2024-12-31T16:49:13.41+00:00

    Hi,

    Thanks for reaching out to Microsoft Q&A.

    The issue you're experiencing with provisioning Azure Cosmos for PostgreSQL and encountering a 500 - Internal Server Error when enabling the authConfig block could be due to one of several reasons:

    1. Preview Feature Limitations

    The authConfig feature might still be in preview (2023-03-02-preview version) and not fully supported in all regions or configurations. Azure services often have limitations or specific requirements when using preview APIs.

    Action:

    • Check if authConfig is supported for the region where you are provisioning the database.
    • Ensure your Azure subscription has the necessary permissions and features enabled for preview services.
    2. Missing or Incorrect API Version

    If the authConfig field is not recognized or improperly implemented in the specified API version (2023-03-02-preview), it may result in a 500 error.

    Action:

    3. Invalid Configuration or Dependency

    The authConfig block might require additional configuration or dependencies not specified in your template, such as specific Active Directory settings or integration with an existing AAD tenant.

    Action:

    • Verify if additional dependencies are required for activeDirectoryAuth or passwordAuth to work correctly. For instance:
      • Is the Azure AD tenant configured properly?
      • Does the user account or service principal have sufficient permissions to use activeDirectoryAuth?
    4. Terraform Provider Limitation

    The azapi_resource provider may have a bug or an incomplete implementation for handling authConfig.

    Action:

    • Try manually provisioning the resource via the Azure CLI or REST API with the same configuration to see if it is a Terraform-specific issue.
    • Open an issue with the azapi_resource GitHub repository to confirm if this feature is supported.
    5. Underlying Service Issue

    The 500 - Internal Server Error could indicate a transient issue or bug within the Azure Cosmos DB for PostgreSQL service itself.

    Action:

    • Check the Azure Service Health dashboard to see if there are any ongoing issues in your region.
    • Contact Azure support and provide the details of your configuration for further investigation.

    Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.
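
The answer's suggestion to retry the same configuration outside Terraform, sketched as an added example (not code from the question, the answer, or Microsoft): it sends the question's properties with authConfig enabled through `az rest`, keeping the admin password in an owner-only temp file rather than on the command line. The environment variable names and the top-level `location` field are assumptions, and the Azure CLI must already be logged in.

```python
import json
import os
import subprocess
import tempfile

API_VERSION = "2023-03-02-preview"  # taken from the question's resource type

def cluster_url(subscription_id, resource_group, name):
    return ("https://management.azure.com"
            f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.DBforPostgreSQL/serverGroupsv2/{name}"
            f"?api-version={API_VERSION}")

def build_body(location, password, auth_config=None):
    """Same properties as the question's template; authConfig only if given."""
    props = {
        "coordinatorEnablePublicIpAccess": True,
        "administratorLoginPassword": password,
        "coordinatorStorageQuotaInMb": 262144,
        "coordinatorVCores": 2,
        "coordinatorServerEdition": "GeneralPurpose",
        "enableHa": True,
        "enableShardsOnCoordinator": True,
        "nodeCount": 0,
        "postgresqlVersion": "16",
        "maintenanceWindow": {"customWindow": "Enabled", "dayOfWeek": 0,
                              "startHour": 2, "startMinute": 0},
    }
    if auth_config is not None:
        props["authConfig"] = auth_config
    return {"location": location, "properties": props}

def put_cluster(url, body):
    """PUT via `az rest`, passing the body as a 0600 temp file (not in argv)."""
    fd, path = tempfile.mkstemp(suffix=".json")  # mkstemp creates it owner-only
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(body, fh)
        return subprocess.run(["az", "rest", "--method", "put", "--url", url,
                               "--body", f"@{path}"], capture_output=True, text=True)
    finally:
        os.remove(path)

if __name__ == "__main__":
    env = os.environ  # the variable names below are hypothetical
    url = cluster_url(env["AZ_SUBSCRIPTION_ID"], env["AZ_RESOURCE_GROUP"], "somerandomname")
    auth = {"activeDirectoryAuth": "enabled", "passwordAuth": "enabled"}
    result = put_cluster(url, build_body(env["AZ_LOCATION"], env["PG_ADMIN_PASSWORD"], auth))
    print(result.returncode, result.stdout, result.stderr, sep="\n")
```

If the direct call returns the same 500, the failure is not specific to the azapi provider, and the request details can go to Azure support as the answer recommends.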

