azure-cli: postgres flexible-server create doesn't use an existing vnet if it's in a different resource group

When running az postgres flexible-server create and supplying --vnet and --subnet parameters for a vnet that is deployed in a different resource group, the command tries to create a new vnet and subnet in the same resource group as the server.

In many enterprise environments, the management of network resources are handled by a different team from the one that deploys application resources. This bug was discovered because the CI/CD pipeline service principal that is used to create the PostgreSQL server didn’t have permissions to create a vnet. I’ve reproduced the issue below in my own subscription, where I do have the necessary permissions, so the vnet gets created in the server resource group rather than using the existing one.

Adding a new parameter, --vnet-resource-group, and using this for the vnet would solve this problem.

Errors: Doesn’t use existing vnet.

To Reproduce:

az group create -l westeurope -n postgres-test-server-rg az group create -l westeurope -n postgres-test-vnet-rg az network vnet create --resource-group postgres-test-vnet-rg --name postgres-vnet --address-prefix 10.0.0.0/16 --subnet-name postgres-subnet --subnet-prefix 10.0.0.0/24 az postgres flexible-server create -l westeurope -n larslindpostgrestestserver -g postgres-test-server-rg --subnet postgres-subnet --vnet postgres-vnet OUTPUT: Command group ‘postgres flexible-server’ is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus Checking the existence of the resource group ‘postgres-test-server-rg’… Resource group ‘postgres-test-server-rg’ exists ? : True You have supplied a Vnet and Subnet name. Verifying its existence… Creating new Vnet “postgres-vnet” in resource group “postgres-test-server-rg” Creating new Subnet “postgres-subnet” in resource group “postgres-test-server-rg” Creating PostgreSQL Server ‘larslindpostgrestestserver’ in group ‘postgres-test-server-rg’…

Expected Behavior

Existing vnet and subnet would be used even if the vnet is in a different resource group.

Environment Summary

Linux-4.15.0-1113-azure-x86_64-with-debian-10.2 (Cloud Shell)
Python 3.6.10
Installer: DEB

azure-cli 2.22.0 *

Extensions:
resource-graph 0.1.8
azure-iot 0.9.2
ai-examples 0.2.5
ssh 0.1.4

Additional Context

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Comments: 17 (5 by maintainers)

Most upvoted comments

@larslind

I checked with the portal team that we add storage endpoint to the subnet for restoring purpose. Now that the backend team is taking care of storage endpoint, this additional write operation will be removed starting from 5/3 in the portal and June for CLI.

+1
DaeunYim on Apr 29, 2021

Yeah, I totally agree. Let me work on updating the help doc. Thanks for reporting the issue and let me know if you need anything else!

+1
DaeunYim on Apr 27, 2021
Read more comments on GitHub
← azure-cli: `portalocker` error: FileNotFoundError: [Errno 2] No such file or directory
azure-cli: Repair script fails to find Resource Group even though the name is an exact match →