LiVMaD

Reputation: 13

Gets error on Azure Terraform code: given server does not support private endpoint feature. Please create a new server that is private endpoint capable

While trying to create a PostgreSQL flexible server with a private endpoint using Terraform v3.97.1, I am getting the error below:

Error: creating Private Endpoint (Subscription: "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
│ Resource Group Name: "psql-tst-buck-rg"
│ Private Endpoint Name: "peppsql-db-tst"): performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with error: : Call to Microsoft.DBforPostgreSQL/flexibleServers failed. Error message: The given server psql-db-tst does not support private endpoint feature. Please create a new server that is private endpoint capable. Refer to https://aka.ms/pgflex-pepreview for more details.
│ with azurerm_private_endpoint.peppsql-db-tst,
│ on main.tf line 96, in resource "azurerm_private_endpoint" "peppsql-db-tst":
│ 96: resource "azurerm_private_endpoint" "peppsql-db-tst" {

resource "random_pet" "name_prefix" {
  prefix = var.name_prefix
  length = 1
}

resource "azurerm_resource_group" "db-tst-rg" {
  name     = "${random_pet.name_prefix.id}-rg"
  location = var.location
}

resource "azurerm_virtual_network" "db-tst-vnet" {
  name                = "${random_pet.name_prefix.id}-vnet"
  resource_group_name = azurerm_resource_group.db-tst-rg.name
  location            = azurerm_resource_group.db-tst-rg.location
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "db-tst-snet" {
  name                 = "${random_pet.name_prefix.id}-snet"
  resource_group_name  = azurerm_resource_group.db-tst-rg.name
  virtual_network_name = azurerm_virtual_network.db-tst-vnet.name
  address_prefixes     = ["10.0.1.0/24"]

  delegation {
    name = "dbsnet"

    service_delegation {
      name = "Microsoft.DBforPostgreSQL/flexibleServers"
      actions = [
        "Microsoft.Network/virtualNetworks/subnets/join/action",
      ]
    }
  }
}

resource "azurerm_private_dns_zone" "db-tst-pdnszn" {
  name                = "pdnszndb.postgres.database.azure.com"
  resource_group_name = azurerm_resource_group.db-tst-rg.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "lnk-pdnszndb-vnet" {
  name                  = "lnk-pdnszndb-vnet"
  private_dns_zone_name = azurerm_private_dns_zone.db-tst-pdnszn.name
  virtual_network_id    = azurerm_virtual_network.db-tst-vnet.id
  resource_group_name   = azurerm_resource_group.db-tst-rg.name
}

resource "azurerm_postgresql_flexible_server" "psql-db-tst" {
  name                         = "psql-db-tst"
  resource_group_name          = azurerm_resource_group.db-tst-rg.name
  location                     = azurerm_resource_group.db-tst-rg.location
  version                      = "13"
  delegated_subnet_id          = azurerm_subnet.db-tst-snet.id
  private_dns_zone_id          = azurerm_private_dns_zone.db-tst-pdnszn.id
  geo_redundant_backup_enabled = false
  administrator_login          = "psqladmin"
  administrator_password       = "Adminpsql@123#"
  zone                         = "1"
  storage_mb                   = 32768
  storage_tier                 = "P30"
  sku_name                     = "GP_Standard_D2s_v3"
  depends_on                   = [azurerm_private_dns_zone_virtual_network_link.lnk-pdnszndb-vnet]
}

resource "azurerm_private_endpoint" "peppsql-db-tst" {
  name                = "peppsql-db-tst"
  location            = azurerm_resource_group.db-tst-rg.location
  resource_group_name = azurerm_resource_group.db-tst-rg.name
  subnet_id           = azurerm_subnet.db-tst-snet.id

  private_service_connection {
    name                           = "psc-db-tst"
    private_connection_resource_id = azurerm_postgresql_flexible_server.psql-db-tst.id
    subresource_names              = ["postgresqlServer"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "dnsgrppsql-db-tst"
    private_dns_zone_ids = [azurerm_private_dns_zone.db-tst-pdnszn.id]
  }
}

resource "azurerm_postgresql_flexible_server_database" "testdb-tst" {
  name      = "tst-db"
  server_id = azurerm_postgresql_flexible_server.psql-db-tst.id
  charset   = "UTF8"
  collation = "en_US.utf8"
}

Tried to apply the above code, but got the error below saying "The given server psql-db-tst does not support private endpoint feature. Please create a new server that is private endpoint capable."

Error: creating Private Endpoint (Subscription: "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
│ Resource Group Name: "psql-tst-buck-rg"
│ Private Endpoint Name: "peppsql-db-tst"): performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with error: : Call to Microsoft.DBforPostgreSQL/flexibleServers failed. Error message: The given server psql-db-tst does not support private endpoint feature. Please create a new server that is private endpoint capable. Refer to https://aka.ms/pgflex-pepreview for more details.
│ with azurerm_private_endpoint.peppsql-db-tst,
│ on main.tf line 96, in resource "azurerm_private_endpoint" "peppsql-db-tst":
│ 96: resource "azurerm_private_endpoint" "peppsql-db-tst" {

Upvotes: 0

Views: 633

Answers (1)

Jahnavi

Reputation: 8008

I also received the same error as you in my environment.

To deploy a PostgreSQL flexible server with a private endpoint connection, you need to associate a network security group with it and delegate the appropriate subnet as shown below.

Referring to the MSDoc, I tried deploying your requirement and was able to perform it as expected without any errors.

Note: Make sure that you are using the latest AzureRM Terraform providers.

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "3.98.0"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "random_pet" "name_prefix" {
  prefix = "postgresmy"
  length = 1
}

resource "azurerm_resource_group" "main" {
  name     = random_pet.name_prefix.id
  location = "westus"
}

resource "azurerm_virtual_network" "main" {
  name                = "${random_pet.name_prefix.id}-vnet"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_network_security_group" "main" {
  name                = "${random_pet.name_prefix.id}-nsg"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  security_rule {
    name                       = "test123"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet" "main" {
  name                 = "${random_pet.name_prefix.id}-subnet"
  virtual_network_name = azurerm_virtual_network.main.name
  resource_group_name  = azurerm_resource_group.main.name
  address_prefixes     = ["10.0.2.0/24"]
  service_endpoints    = ["Microsoft.Storage"]

  delegation {
    name = "newsub"

    service_delegation {
      name = "Microsoft.DBforPostgreSQL/flexibleServers"

      actions = [
        "Microsoft.Network/virtualNetworks/subnets/join/action",
      ]
    }
  }
}

resource "azurerm_subnet_network_security_group_association" "main" {
  subnet_id                 = azurerm_subnet.main.id
  network_security_group_id = azurerm_network_security_group.main.id
}

resource "azurerm_private_dns_zone" "main" {
  name                = "${random_pet.name_prefix.id}-pdz.postgres.database.azure.com"
  resource_group_name = azurerm_resource_group.main.name

  depends_on = [azurerm_subnet_network_security_group_association.main]
}

resource "azurerm_private_dns_zone_virtual_network_link" "main" {
  name                  = "${random_pet.name_prefix.id}-pdzvnetlink.com"
  private_dns_zone_name = azurerm_private_dns_zone.main.name
  virtual_network_id    = azurerm_virtual_network.main.id
  resource_group_name   = azurerm_resource_group.main.name
}

resource "azurerm_postgresql_flexible_server" "main" {
  name                   = "${random_pet.name_prefix.id}-server"
  resource_group_name    = azurerm_resource_group.main.name
  location               = azurerm_resource_group.main.location
  version                = "13"
  delegated_subnet_id    = azurerm_subnet.main.id
  private_dns_zone_id    = azurerm_private_dns_zone.main.id
  administrator_login    = "adminTerraform"
  administrator_password = "Adminpsql@123#"
  #zone                   = "1"
  storage_mb             = 32768
  sku_name               = "GP_Standard_D2s_v3"
  backup_retention_days  = 7

  depends_on = [azurerm_private_dns_zone_virtual_network_link.main]
}

Deployment succeeded.

Upvotes: 0
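
The NSG rule in the answer above allows TCP on every port from any source, and both configurations hard-code the administrator password. The following is an added example, not part of the original question or answer, showing the answer's NSG and server resources with those two points tightened. The variable name `administrator_password` is an assumption, and 5432 is PostgreSQL's default port.

```hcl
# Added example, not from the original answer. Drop-in replacements for the
# answer's NSG and server resources; every other resource stays as posted.

# Assumed variable name. Supply the value through TF_VAR_administrator_password
# or a secret store so it never lands in version control.
variable "administrator_password" {
  type      = string
  sensitive = true
}

resource "azurerm_network_security_group" "main" {
  name                = "${random_pet.name_prefix.id}-nsg"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  # The answer used destination_port_range = "*" and source_address_prefix = "*".
  # Here only PostgreSQL traffic from inside the virtual network is named;
  # Azure's default NSG rules still deny inbound traffic from outside the VNet.
  security_rule {
    name                       = "allow-postgres-from-vnet"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "5432"
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "10.0.2.0/24" # prefix of the delegated subnet
  }
}

resource "azurerm_postgresql_flexible_server" "main" {
  name                   = "${random_pet.name_prefix.id}-server"
  resource_group_name    = azurerm_resource_group.main.name
  location               = azurerm_resource_group.main.location
  version                = "13"
  delegated_subnet_id    = azurerm_subnet.main.id
  private_dns_zone_id    = azurerm_private_dns_zone.main.id
  administrator_login    = "adminTerraform"
  administrator_password = var.administrator_password # no literal in the .tf file
  storage_mb             = 32768
  sku_name               = "GP_Standard_D2s_v3"
  backup_retention_days  = 7

  depends_on = [azurerm_private_dns_zone_virtual_network_link.main]
}
```

`sensitive = true` only redacts the value from plan and apply output; the password is still written to the Terraform state, so the state backend needs its own access control and encryption.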
