Mohan Kumar G

Reputation: 59

How to Output the Cosmos DB Primary and Secondary Connection Strings using Terraform

I need to output the primary or secondary connection string so that I can use it as an input value in an Azure Data Factory MongoApi linked service, which connects to the database to upload JSON files from an Azure storage account to Azure Cosmos DB. But I'm getting an error message while outputting the connection strings using Terraform.

Can someone please check and help me with this? A detailed explanation would be much appreciated.

output "cosmosdb_connection_strings" {
   value = data.azurerm_cosmosdb_account.example.connection_strings
   sensitive   = true
}


Error: Unsupported attribute
│
│   on outputs.tf line 21, in output "cosmosdb_connection_strings":
│   21:    value = data.azurerm_cosmosdb_account.example.connection_strings
│
│ This object has no argument, nested block, or exported attribute named "connection_strings"

Upvotes: 1

Views: 1264

Answers (3)

Ailton Bueno

Reputation: 411

In version 3.29.1 I use the primary_sql_connection_string key. Example: azurerm_cosmosdb_account.acc.primary_sql_connection_string

In version 3.71.0 you can use connection_strings and tostring("${azurerm_cosmosdb_account.db.connection_strings[0]}")

Upvotes: 1

Mohan Kumar G

Reputation: 59

I have found two ways and implemented both; both ways are working.

In the first way, I am able to store the primary connection string of the Cosmos DB account using azurerm_cosmosdb_account.acc.connection_strings[0], with the index number. So it will only store the primary connection string.

resource "azurerm_key_vault_secret" "ewo11" {
  name         = "Cosmos-DB-Primary-String"
  value        = azurerm_cosmosdb_account.acc.connection_strings[0]
  key_vault_id = azurerm_key_vault.ewo11.id
  depends_on = [
    azurerm_key_vault.ewo11,
    azurerm_key_vault_access_policy.aduser,
    azurerm_key_vault_access_policy.demo-terraform-automation
  ]
}

In the second way, I'm creating it manually using the join function. I found some common values in the connection string, built the string from them, and I'm successfully able to connect with this string.

output "cosmosdb_account_primary_key" {
  value = azurerm_cosmosdb_account.acc.primary_key
  sensitive = true
}

locals {
  kind         = "mongodb"
  db_name      = azurerm_cosmosdb_account.acc.name
  common_value = ".mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retrywrites=false&maxIdleTimeMS=120000&appName="
}

output "cosmosdb_connection_strings" {
  value     = join("", [local.kind, ":", "//", azurerm_cosmosdb_account.acc.name, ":", azurerm_cosmosdb_account.acc.primary_key, "@", local.db_name,  local.common_value, "@", local.db_name, "@"])
  sensitive = true
}

resource "azurerm_key_vault_secret" "example" {
  name         = "cosmos-connection-string"
  value        = join("", [local.kind, ":", "//", azurerm_cosmosdb_account.acc.name, ":", azurerm_cosmosdb_account.acc.primary_key, "@", local.db_name,  local.common_value, "@", local.db_name, "@"])
  key_vault_id = data.azurerm_key_vault.example.id
}

In both ways I am able to fix the problem.

If we want to see the sensitive values, we can check those values in the terraform.tfstate file. They will be available when we call them in outputs.

Upvotes: 0
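Added example, not part of the answer above: `sensitive = true` only hides a value from CLI output, so the connection strings from both approaches sit readable in terraform.tfstate. This sketch lists where they are stored without printing them; the sample state, account name and key are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in Terraform state v4 layout (as json.load returns it); fake account and key.
SAMPLE_STATE = {
    "version": 4,
    "outputs": {
        "cosmosdb_connection_strings": {
            "value": "mongodb://demoacct:RkFLRUtFWQ==@demoacct.mongo.cosmos.azure.com:10255/?ssl=true",
            "sensitive": True,
        },
        "account_name": {"value": "demoacct"},
    },
    "resources": [{
        "type": "azurerm_key_vault_secret", "name": "example",
        "instances": [{"attributes": {
            "name": "cosmos-connection-string",
            "value": "AccountEndpoint=https://demoacct.documents.azure.com:443/;AccountKey=RkFLRUtFWQ==;",
        }}],
    }],
}

# Shapes of the two connection-string styles used on this page.
SECRET_RE = re.compile(r"mongodb://[^:/@\s]+:[^@\s]+@|AccountKey=[^;\s]+")

def _walk(value, path):
    """Yield (path, string) for every string nested inside value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from _walk(item, f"{path}.{key}")
    elif isinstance(value, list):
        for i, item in enumerate(value):
            yield from _walk(item, f"{path}[{i}]")

def find_plaintext_secrets(state):
    """Return sorted state paths whose stored value is a readable credential."""
    hits = set()
    for name, out in state.get("outputs", {}).items():
        for path, text in _walk(out.get("value"), f"output.{name}"):
            if out.get("sensitive") or SECRET_RE.search(text):
                hits.add(path)
    for res in state.get("resources", []):
        for idx, inst in enumerate(res.get("instances", [])):
            base = f"{res['type']}.{res['name']}[{idx}]"
            for path, text in _walk(inst.get("attributes", {}), base):
                if SECRET_RE.search(text):
                    hits.add(path)
    return sorted(hits)
```

To audit a real state file, load it with `json.load` and pass the resulting dict to `find_plaintext_secrets`; every path it returns is a reason to keep that state in an encrypted, access-controlled backend.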

kavya Saraboju

Reputation: 10831

I tried to reproduce the same in my environment:

resource "azurerm_cosmosdb_account" "db" {
  name                = "tfex-cosmos-db-31960"
  location            = "westus2"
  resource_group_name = data.azurerm_resource_group.example.name
  offer_type          = "Standard"
  kind                = "MongoDB"

  enable_automatic_failover = true

  capabilities {
    name = "EnableAggregationPipeline"
  }

  capabilities {
    name = "mongoEnableDocLevelTTL"
  }

  capabilities {
    name = "MongoDBv3.4"
  }

  capabilities {
    name = "EnableMongo"
  }

  consistency_policy {
    consistency_level       = "BoundedStaleness"
    max_interval_in_seconds = 300
    max_staleness_prefix    = 100000
  }

  geo_location {
    location          = "eastus"
    failover_priority = 0
  }
}

You can get the output using the below code:

output "cosmosdb_connectionstrings" {
   value = "AccountEndpoint=${azurerm_cosmosdb_account.db.endpoint};AccountKey=${azurerm_cosmosdb_account.db.primary_key};"
   sensitive   = true
}
I have the below Terraform azurerm provider version:

terraform {
  required_providers {
    azapi = {
      source  = "azure/azapi"
      version = "=0.1.0"
    }

    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.2"
    }
  }
}

Try upgrading your Terraform version.

You can even traverse the array of connection strings and output the required one with the below code:

output "cosmosdb_connectionstrings" {
  value     = tostring("${azurerm_cosmosdb_account.db.connection_strings[0]}")
  sensitive = true
}

Result:

As they are sensitive, you cannot see the output values in the UI, but you can export them to the required resource.

I have created a Key Vault and exported the connection strings to it.

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                        = "kaexamplekeyvault"
  location                    = data.azurerm_resource_group.example.location
  resource_group_name         = data.azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  sku_name = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get","List", "Backup", "Create"
    ]

    secret_permissions = [
      "Get","List", "Backup", "Delete", "Purge", "Recover", "Restore", "Set"
    ]

    storage_permissions = [
      "Get", "List", "Backup", "Delete", "DeleteSAS", "GetSAS", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update",
    ]
  }
}

resource "azurerm_key_vault_secret" "example" {
  count = length(azurerm_cosmosdb_account.db.connection_strings)
  name         = "ASCosmosDBConnectionString-${count.index}"
  value        = tostring("${azurerm_cosmosdb_account.db.connection_strings[count.index]}")
  key_vault_id = azurerm_key_vault.example.id
}

Then you can check the connection string values in your Key Vault.

Check the version and click on "Show secret", from which you can copy the secret value, which is the connection string.

Upvotes: 2
