replaceOnChanges Option Not Working as expected for Azure SQL Server with azureadAuthenticationOnly and switching back to SQL Login #2479

Open
tmeckel opened this issue Oct 11, 2024 · 3 comments
Labels
kind/bug Some behavior is incorrect or out of spec

Comments

@tmeckel
Contributor

tmeckel commented Oct 11, 2024

What happened?

I am using the Azure Classic Provider to manage Azure SQL Server instances. Initially, I set azureadAuthenticationOnly to true to enable Azure AD authentication. Now, I want to switch back to SQL login authentication by setting azureadAuthenticationOnly to false.

Since changing azureadAuthenticationOnly requires replacing the SQL Server instance, I used the following configuration in my Pulumi code:

const server = new azure.mssql.Server(
  "server",
  sqlServerOptions,
  {
    deleteBeforeReplace: true,
    replaceOnChanges: [
      "administratorLoginPassword",
      "azureadAdministrator",
      "azureadAdministrator.*"
    ]
  }
);

Despite using replaceOnChanges with the appropriate fields, I am encountering the following error from the upstream Terraform provider:

azure:mssql:Server (server):
    error:   sdk-v2/provider2.go:385: sdk.helper_schema: 1 error occurred:
        * `administrator_login_password` cannot be changed once `azuread_administrator.0.azuread_authentication_only = true`
    
    : [email protected]
    error: diffing urn:pulumi:default::mssql-test::azure:mssql/server:Server::server: 1 error occurred:
        * 1 error occurred:
        * `administrator_login_password` cannot be changed once `azuread_administrator.0.azuread_authentication_only = true`

Expected Behavior:

Given that the replaceOnChanges option is explicitly configured, I expected the SQL Server instance to be replaced when attempting to change the administratorLoginPassword or azureadAdministrator fields. However, the error suggests that Pulumi is not handling the replacement as expected, and instead, it is attempting to modify the resource in place, which is not allowed.

Example

import * as pulumi from "@pulumi/pulumi"
import * as azure from "@pulumi/azure"
import * as azuread from "@pulumi/azuread"
import * as random from "@pulumi/random"

const location = "eastus2"

const current = azure.core.getClientConfig({})

const azureadGroupDatabaseAdministrators = azuread.getGroupOutput({
  displayName: "Database Administrators",
  securityEnabled: true,
})

const randomId = new random.RandomId("random-id", {
  keepers: {
    keep: location,
  },
  byteLength: 8,
})

const resourceGroup = new azure.core.ResourceGroup("resource-group", {
  name: pulumi.interpolate`pulumi-mssql-test-${randomId.hex}`,
  location: location,
})

let sqlServerOptions: azure.mssql.ServerArgs = {
  name: pulumi.interpolate`pulumi-mssql-test-${randomId.hex}`,
  resourceGroupName: resourceGroup.name,
  location: resourceGroup.location,
  version: "12.0",
  minimumTlsVersion: "1.2",
}

const useSqlLogin: boolean = false

if (useSqlLogin) {
  sqlServerOptions.administratorLogin = "sadmin"
  sqlServerOptions.administratorLoginPassword = "P@ssword!"
} else {
  sqlServerOptions.azureadAdministrator = {
    loginUsername: "pulumi-app",
    objectId: current.then((current) => current.objectId),
    tenantId: current.then((current) => current.tenantId),
    azureadAuthenticationOnly: true,
  }
}

const server = new azure.mssql.Server(
  "server",
  sqlServerOptions,
  {
    deleteBeforeReplace: true,
    replaceOnChanges: [
      "administratorLoginPassword",
      "azureadAdministrator",
      "azureadAdministrator.*"
    ]
  }
)

Output of pulumi about

CLI          
Version      3.136.1
Go Version   go1.23.2
Go Compiler  gc

Plugins
KIND      NAME     VERSION
resource  azure    5.89.0
resource  azuread  5.53.5
resource  mssql    0.0.9-alpha.1728421250+4d89c63e
language  nodejs   unknown
resource  random   4.16.6

Host     
OS       ubuntu
Version  22.04
Arch     x86_64

This project is written in nodejs: executable='/usr/bin/node' version='v18.17.1'

Current Stack: organization/mssql-test/default

TYPE                                               URN
pulumi:pulumi:Stack                                urn:pulumi:default::mssql-test::pulumi:pulumi:Stack::mssql-test-default
pulumi:providers:azuread                           urn:pulumi:default::mssql-test::pulumi:providers:azuread::default_5_53_5
pulumi:providers:azure                             urn:pulumi:default::mssql-test::pulumi:providers:azure::provider
pulumi:providers:azure                             urn:pulumi:default::mssql-test::pulumi:providers:azure::default_5_89_0
pulumi:providers:random                            urn:pulumi:default::mssql-test::pulumi:providers:random::default_4_16_6
random:index/randomId:RandomId                     urn:pulumi:default::mssql-test::random:index/randomId:RandomId::random-id
azure:core/resourceGroup:ResourceGroup             urn:pulumi:default::mssql-test::azure:core/resourceGroup:ResourceGroup::resource-group
azure:mssql/server:Server                          urn:pulumi:default::mssql-test::azure:mssql/server:Server::server
azure:mssql/firewallRule:FirewallRule              urn:pulumi:default::mssql-test::azure:mssql/firewallRule:FirewallRule::database-firewall-rule
azure:mssql/firewallRule:FirewallRule              urn:pulumi:default::mssql-test::azure:mssql/firewallRule:FirewallRule::database-firewall-rule-self
azure:mssql/database:Database                      urn:pulumi:default::mssql-test::azure:mssql/database:Database::database
pulumi:providers:mssql                             urn:pulumi:default::mssql-test::pulumi:providers:mssql::provider-mssql
mssql:index/azureadUser:AzureadUser                urn:pulumi:default::mssql-test::mssql:index/azureadUser:AzureadUser::mssql-database-admin
mssql:index/databaseRoleMember:DatabaseRoleMember  urn:pulumi:default::mssql-test::mssql:index/databaseRoleMember:DatabaseRoleMember::mssql-database-administrators-member


Found no pending operations associated with default

Backend        
Name           pulumi
URL            file://./.stacks
User           vagrant
Organizations  
Token type     personal

Dependencies:
NAME                VERSION
@pulumi/azure       5.89.0
@pulumi/azuread     5.53.5
@pulumi/pulumi      3.136.1
@pulumi/random      4.16.6
@pulumiverse/mssql  0.1.0
@types/node         18.19.55
typescript          4.9.5
prettier            3.3.3

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@tmeckel tmeckel added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Oct 11, 2024
@guineveresaenger guineveresaenger self-assigned this Oct 15, 2024
@guineveresaenger guineveresaenger added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Oct 15, 2024
@guineveresaenger guineveresaenger removed their assignment Oct 16, 2024
@guineveresaenger
Contributor

hi @tmeckel - I'm wondering if this is perhaps an instance of pulumi/pulumi#16764?

@tmeckel
Contributor Author

tmeckel commented Oct 16, 2024

Hi @guineveresaenger 👋🏻 I had a small discussion about this with @t0yv0 on Slack, and Pulumi calls the provider to do a diff between the new and the current settings on the resource, instead of calling it only with "news" as if the resource has to be newly created, which is what replaceOnChanges definitely implies. This has been verified by using PULUMI_DEBUG_GRPC.

To me, pulumi/pulumi#16764 is a different story because it says that the delete order is wrong when a resource that has dependent resources is deleted by replaceOnChanges.
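
The kind of check described in the comment above, as an added example that is not part of the original thread or of Pulumi's own code: it reads a PULUMI_DEBUG_GRPC log and reports, for each provider Diff call on a resource, whether prior state (`olds`) was sent along with `news`. The entry layout (`method`, `request.olds`, `request.news`, `response.replaces`, `errors`), the function name `summarizeDiffCalls` and the sample log are assumptions constructed for illustration.

```typescript
// Added example: summarize provider Diff calls found in a PULUMI_DEBUG_GRPC log.
// Assumed layout: one JSON object per line with method/request/response/errors.
type Props = Record<string, unknown>;
interface GrpcEntry {
  method?: string;
  request?: { urn?: string; olds?: Props; news?: Props };
  response?: { replaces?: string[] };
  errors?: string[];
}
interface DiffSummary {
  urn: string;
  sentOlds: boolean;     // true: the provider was asked to diff against prior state
  changedKeys: string[]; // top-level inputs whose JSON differs between olds and news
  replaces: string[];    // properties the provider reported as forcing replacement
  errors: string[];      // errors returned by the provider for this call
}

function summarizeDiffCalls(logText: string, urnSuffix: string): DiffSummary[] {
  const out: DiffSummary[] = [];
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let entry: GrpcEntry | null;
    try { entry = JSON.parse(line); } catch (e) { continue; } // skip truncated lines
    if (!entry || typeof entry.method !== "string") continue;
    if (entry.method.slice(-5) !== "/Diff") continue;
    const req = entry.request || {};
    const urn = req.urn || "";
    if (urn.slice(-urnSuffix.length) !== urnSuffix) continue;
    const olds: Props = req.olds || {};
    const news: Props = req.news || {};
    const keys = Object.keys(olds).concat(Object.keys(news))
      .filter((k, i, all) => all.indexOf(k) === i);
    const changedKeys = keys
      .filter((k) => JSON.stringify(olds[k]) !== JSON.stringify(news[k])).sort();
    out.push({ urn, sentOlds: Object.keys(olds).length > 0, changedKeys,
      replaces: (entry.response && entry.response.replaces) || [],
      errors: entry.errors || [] });
  }
  return out;
}

// Constructed sample log, not captured from the stack in this issue.
const serverUrn = "urn:pulumi:default::mssql-test::azure:mssql/server:Server::server";
const sampleLog = [
  JSON.stringify({ method: "/pulumirpc.ResourceProvider/Check", request: { urn: serverUrn } }),
  JSON.stringify({ method: "/pulumirpc.ResourceProvider/Diff",
    request: { urn: serverUrn,
      olds: { azureadAdministrator: { azureadAuthenticationOnly: true } },
      news: { administratorLogin: "sadmin", administratorLoginPassword: "[redacted]" } },
    errors: ["`administrator_login_password` cannot be changed once `azuread_administrator.0.azuread_authentication_only = true`"] }),
].join("\n");
console.log(summarizeDiffCalls(sampleLog, "::server"));
```

The log records provider request payloads, including resource inputs such as `administratorLoginPassword`, so treat the file as sensitive and delete it after debugging.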

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Oct 16, 2024
@guineveresaenger
Contributor

thank you for clarifying @tmeckel!

@guineveresaenger guineveresaenger removed the needs-triage Needs attention from the triage team label Oct 17, 2024