feat: added private endpoint resources

[manjeet-cd]

Description

• Updated resources and sourrce url's.
• Added private dns module call ,instead of resource blocks.
• Added new variables with default values.
• Updated tags and source of modules.
• Updated github workflow files.

Deployed resource:

Fixes #

Closes #

---

Type of Change

• Feature
• Feature (Breaking Change)
• Fix
• Fix (Breaking Change)
• CI/CD
• Documentation
• Other (please specify):

---

Checklist

• I have reviewed open pull requests to avoid duplication of work
• All relevant pipelines or checks pass successfully
• I have added or updated documentation if applicable

[gemini-code-assist]

Summary of Changes

Hello @manjeet-cd, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the Azure MySQL Flexible Server Terraform module by integrating private endpoint capabilities for secure network access. It also refines the module's structure by adopting a dedicated private DNS module and introducing a wide array of new configuration options. These changes aim to provide users with greater flexibility and security controls when deploying MySQL Flexible Servers in Azure.

Highlights

• Private Endpoint Support: Introduced the capability to deploy Azure MySQL Flexible Server with private endpoint resources, enhancing network security and isolation.
• Private DNS Integration Refactor: Refactored private DNS zone integration to utilize a dedicated module call, improving modularity and consistency.
• Expanded Configuration Variables: Added numerous new variables with default values to provide more granular control over MySQL Flexible Server deployment, including options for CMK, Entra authentication, and firewall rules.
• Module Updates and Documentation: Updated module tags, source URLs, and significantly expanded the README.md and README.yaml files to reflect the new features and provide comprehensive input/output documentation.
• New Example for Private Endpoint: Added a new example demonstrating the deployment of a MySQL Flexible Server with private endpoint and Entra authentication.

Ignored Files

• Ignored by pattern: .github/workflows/** (8)
  • .github/workflows/auto_assignee.yml
  • .github/workflows/automerge.yml
  • .github/workflows/changelog.yml
  • .github/workflows/checkov.yml
  • .github/workflows/readme.yml
  • .github/workflows/tag-release.yml
  • .github/workflows/terraform-diff.yml
  • .github/workflows/tf-checks.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

🛡️ Checkov Security Scan: 1 Issues Found

🔴 [CKV_AZURE_94] Ensure that My SQL server enables geo-redundant backups
🔗 main.tf:33-90
📚 More Info

resource "azurerm_mysql_flexible_server" "main" {
  count                             = var.enabled ? 1 : 0
  name                              = var.resource_position_prefix ? format("mysql-fs-%s", local.name) : format("%s-mysql-fs", local.name)
  resource_group_name               = var.resource_group_name
  location                          = var.location
  administrator_login               = var.admin_username
  administrator_password            = var.admin_password == null ? random_password.main[0].result : var.admin_password
  backup_retention_days             = var.backup_retention_days
  delegated_subnet_id               = var.delegated_subnet_id
  private_dns_zone_id               = var.private_dns_id
  sku_name                          = var.sku_name
  create_mode                       = var.create_mode
  geo_redundant_backup_enabled      = var.geo_redundant_backup_enabled
  point_in_time_restore_time_in_utc = var.create_mode == "PointInTimeRestore" ? var.point_in_time_restore_time_in_utc : null
  replication_role                  = var.replication_role
  source_server_id                  = var.create_mode == "PointInTimeRestore" ? var.source_server_id : null
  version                           = var.mysql_version
  zone                              = var.zone
  tags                              = module.labels.tags
  storage {
    auto_grow_enabled = var.auto_grow_enabled
    iops              = var.iops
    size_gb           = var.size_gb
  }

  dynamic "high_availability" {
    for_each = toset(var.high_availability != null ? [var.high_availability] : [])
    content {
      mode                      = high_availability.value.mode
      standby_availability_zone = lookup(high_availability.value, "standby_availability_zone", 1)
    }
  }

  dynamic "identity" {
    for_each = var.identity_type != null || var.cmk_enabled ? [1] : []
    content {
      type = var.cmk_enabled ? "UserAssigned" : var.identity_type
      identity_ids = distinct(concat(
        var.identity_type == "UserAssigned" ? var.user_assigned_identity_ids : [],
        var.cmk_enabled ? [azurerm_user_assigned_identity.primary_cmk_umi[0].id] : [],
        var.cmk_enabled && var.geo_redundant_backup_enabled ? [azurerm_user_assigned_identity.geo_cmk_umi[0].id] : []
      ))
    }
  }

  dynamic "customer_managed_key" {
    for_each = var.cmk_enabled ? [true] : []
    content {
      key_vault_key_id                     = azurerm_key_vault_key.primary_cmk_key[0].id
      primary_user_assigned_identity_id    = azurerm_user_assigned_identity.primary_cmk_umi[0].id
      geo_backup_key_vault_key_id          = var.geo_redundant_backup_enabled ? azurerm_key_vault_key.geo_cmk_key[0].id : null
      geo_backup_user_assigned_identity_id = var.geo_redundant_backup_enabled ? azurerm_user_assigned_identity.geo_cmk_umi[0].id : null
    }
  }
  lifecycle {
    ignore_changes = [administrator_password]
  }
}

---

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive new Terraform module for deploying Azure Flexible MySQL servers, including advanced features like private endpoints, CMK encryption, and Entra authentication. The changes are extensive and well-structured. However, I've identified a critical issue with the Entra authentication implementation that could cause deployment failures, along with several high-severity issues related to unused or confusing variables and incorrect defaults. I've also noted some medium-severity items to improve clarity, consistency, and documentation accuracy. Addressing these points will significantly improve the module's robustness and usability.

[github-actions]

🛡️ Checkov Security Scan: 1 Issues Found

🔴 [CKV_AZURE_94] Ensure that My SQL server enables geo-redundant backups
🔗 main.tf:33-90
📚 More Info

resource "azurerm_mysql_flexible_server" "main" {
  count                             = var.enabled ? 1 : 0
  name                              = var.resource_position_prefix ? format("mysql-fs-%s", local.name) : format("%s-mysql-fs", local.name)
  resource_group_name               = var.resource_group_name
  location                          = var.location
  administrator_login               = var.admin_username
  administrator_password            = var.admin_password == null ? random_password.main[0].result : var.admin_password
  backup_retention_days             = var.backup_retention_days
  delegated_subnet_id               = var.delegated_subnet_id
  private_dns_zone_id               = var.vnet_integration_private_dns_zone_id
  sku_name                          = var.sku_name
  create_mode                       = var.create_mode
  geo_redundant_backup_enabled      = var.geo_redundant_backup_enabled
  point_in_time_restore_time_in_utc = var.create_mode == "PointInTimeRestore" ? var.point_in_time_restore_time_in_utc : null
  replication_role                  = var.replication_role
  source_server_id                  = var.create_mode == "PointInTimeRestore" ? var.source_server_id : null
  version                           = var.mysql_version
  zone                              = var.zone
  tags                              = module.labels.tags
  storage {
    auto_grow_enabled = var.auto_grow_enabled
    iops              = var.iops
    size_gb           = var.size_gb
  }

  dynamic "high_availability" {
    for_each = toset(var.high_availability != null ? [var.high_availability] : [])
    content {
      mode                      = high_availability.value.mode
      standby_availability_zone = lookup(high_availability.value, "standby_availability_zone", 1)
    }
  }

  dynamic "identity" {
    for_each = var.identity_type != null || var.cmk_enabled ? [1] : []
    content {
      type = var.cmk_enabled ? "UserAssigned" : var.identity_type
      identity_ids = distinct(concat(
        var.identity_type == "UserAssigned" ? var.user_assigned_identity_ids : [],
        var.cmk_enabled ? [azurerm_user_assigned_identity.primary_cmk_umi[0].id] : [],
        var.cmk_enabled && var.geo_redundant_backup_enabled ? [azurerm_user_assigned_identity.geo_cmk_umi[0].id] : []
      ))
    }
  }

  dynamic "customer_managed_key" {
    for_each = var.cmk_enabled ? [true] : []
    content {
      key_vault_key_id                     = azurerm_key_vault_key.primary_cmk_key[0].id
      primary_user_assigned_identity_id    = azurerm_user_assigned_identity.primary_cmk_umi[0].id
      geo_backup_key_vault_key_id          = var.geo_redundant_backup_enabled ? azurerm_key_vault_key.geo_cmk_key[0].id : null
      geo_backup_user_assigned_identity_id = var.geo_redundant_backup_enabled ? azurerm_user_assigned_identity.geo_cmk_umi[0].id : null
    }
  }
  lifecycle {
    ignore_changes = [administrator_password]
  }
}

---

[github-actions]

diff

Diff

--- a/examples/complete/plan-target.txt
+++ b/examples/complete/plan-pr.txt
@@ -1,5 +1,512 @@
 
-No changes. Your infrastructure matches the configuration.
+Terraform used the selected providers to generate the following execution
+plan. Resource actions are indicated with the following symbols:
+  + create
+ <= read (data resources)
 
-Terraform has compared your real infrastructure against your configuration
-and found no differences, so no changes are needed.
+Terraform will perform the following actions:
+
+  # module.flexible-mysql.data.azurerm_client_config.current will be read during apply
+  # (depends on a resource or a module with changes pending)
+ <= data "azurerm_client_config" "current" {
+      + client_id       = (known after apply)
+      + id              = (known after apply)
+      + object_id       = (known after apply)
+      + subscription_id = (known after apply)
+      + tenant_id       = (known after apply)
+    }
+
+  # module.flexible-mysql.azurerm_key_vault_key.primary_cmk_key[0] will be created
+  + resource "azurerm_key_vault_key" "primary_cmk_key" {
+      + curve                   = (known after apply)
+      + e                       = (known after apply)
+      + id                      = (known after apply)
+      + key_opts                = [
+          + "encrypt",
+          + "decrypt",
+          + "sign",
+          + "verify",
+          + "wrapKey",
+          + "unwrapKey",
+        ]
+      + key_size                = 2048
+      + key_type                = "RSA"
+      + key_vault_id            = (known after apply)
+      + n                       = (known after apply)
+      + name                    = "s-cmk-key-core-dev-inci"
+      + public_key_openssh      = (known after apply)
+      + public_key_pem          = (known after apply)
+      + resource_id             = (known after apply)
+      + resource_versionless_id = (known after apply)
+      + version                 = (known after apply)
+      + versionless_id          = (known after apply)
+      + x                       = (known after apply)
+      + y                       = (known after apply)
+    }
+
+  # module.flexible-mysql.azurerm_monitor_diagnostic_setting.mysql[0] will be created
+  + resource "azurerm_monitor_diagnostic_setting" "mysql" {
+      + id                             = (known after apply)
+      + log_analytics_destination_type = "AzureDiagnostics"
+      + log_analytics_workspace_id     = (known after apply)
+      + name                           = "mysql-diag-log-core-dev-inci"
+      + target_resource_id             = (known after apply)
+
+      + enabled_log {
+          + category       = "MySqlAuditLogs"
+            # (1 unchanged attribute hidden)
+        }
+
+      + enabled_metric {
+          + category = "AllMetrics"
+        }
+
+      + metric (known after apply)
+    }
+
+  # module.flexible-mysql.azurerm_mysql_flexible_database.main[0] will be created
+  + resource "azurerm_mysql_flexible_database" "main" {
+      + charset             = "utf8mb3"
+      + collation           = "utf8mb3_unicode_ci"
+      + id                  = (known after apply)
+      + name                = "maindb"
+      + resource_group_name = "rg-core-dev-inci"
+      + server_name         = "mysql-fs-core-dev-inci"
+    }
+
+  # module.flexible-mysql.azurerm_mysql_flexible_server.main[0] will be created
+  + resource "azurerm_mysql_flexible_server" "main" {
+      + administrator_login           = "mysqlusername"
+      + administrator_password        = (sensitive value)
+      + administrator_password_wo     = (write-only attribute)
+      + backup_retention_days         = 7
+      + create_mode                   = "Default"
+      + delegated_subnet_id           = (known after apply)
+      + fqdn                          = (known after apply)
+      + geo_redundant_backup_enabled  = false
+      + id                            = (known after apply)
+      + location                      = "centralindia"
+      + name                          = "mysql-fs-core-dev-inci"
+      + private_dns_zone_id           = (known after apply)
+      + public_network_access         = (known after apply)
+      + public_network_access_enabled = (known after apply)
+      + replica_capacity              = (known after apply)
+      + replication_role              = (known after apply)
+      + resource_group_name           = "rg-core-dev-inci"
+      + sku_name                      = "B_Standard_B1ms"
+      + tags                          = {
+          + "Business_unit"   = "corp"
+          + "Deployment_mode" = "terraform"
+          + "Environment"     = "dev"
+          + "Managedby"       = "terraform-az-modules"
+          + "Name"            = "core"
+          + "Repository"      = "https://github.com/terraform-az-modules/terraform-azure-flexible-mysql"
+        }
+      + version                       = "8.0.21"
+      + zone                          = "1"
+
+      + customer_managed_key {
+          + key_vault_key_id                  = (known after apply)
+          + primary_user_assigned_identity_id = (known after apply)
+        }
+
+      + identity {
+          + identity_ids = (known after apply)
+          + type         = "UserAssigned"
+        }
+
+      + storage {
+          + auto_grow_enabled   = true
+          + io_scaling_enabled  = false
+          + iops                = 360
+          + log_on_disk_enabled = false
+          + size_gb             = 20
+        }
+    }
+
+  # module.flexible-mysql.azurerm_mysql_flexible_server_configuration.main[0] will be created
+  + resource "azurerm_mysql_flexible_server_configuration" "main" {
+      + id                  = (known after apply)
+      + name                = "interactive_timeout"
+      + resource_group_name = "rg-core-dev-inci"
+      + server_name         = "mysql-fs-core-dev-inci"
+      + value               = "600"
+    }
+
+  # module.flexible-mysql.azurerm_mysql_flexible_server_configuration.main[1] will be created
+  + resource "azurerm_mysql_flexible_server_configuration" "main" {
+      + id                  = (known after apply)
+      + name                = "audit_log_enabled"
+      + resource_group_name = "rg-core-dev-inci"
+      + server_name         = "mysql-fs-core-dev-inci"
+      + value               = "ON"
+    }
+
+  # module.flexible-mysql.azurerm_mysql_flexible_server_configuration.main[2] will be created
+  + resource "azurerm_mysql_flexible_server_configuration" "main" {
+      + id                  = (known after apply)
+      + name                = "audit_log_events"
+      + resource_group_name = "rg-core-dev-inci"
+      + server_name         = "mysql-fs-core-dev-inci"
+      + value               = "CONNECTION,ADMIN,DDL,TABLE_ACCESS"
+    }
+
+  # module.flexible-mysql.azurerm_role_assignment.primary_cmk_role_assignment[0] will be created
+  + resource "azurerm_role_assignment" "primary_cmk_role_assignment" {
+      + condition_version                = (known after apply)
+      + id                               = (known after apply)
+      + name                             = (known after apply)
+      + principal_id                     = (known after apply)
+      + principal_type                   = (known after apply)
+      + role_definition_id               = (known after apply)
+      + role_definition_name             = "Key Vault Crypto Service Encryption User"
+      + scope                            = (known after apply)
+      + skip_service_principal_aad_check = (known after apply)
+    }
+
+  # module.flexible-mysql.azurerm_user_assigned_identity.primary_cmk_umi[0] will be created
+  + resource "azurerm_user_assigned_identity" "primary_cmk_umi" {
+      + client_id           = (known after apply)
+      + id                  = (known after apply)
+      + location            = "centralindia"
+      + name                = "cmk-primary-identity-core-dev-inci"
+      + principal_id        = (known after apply)
+      + resource_group_name = "rg-core-dev-inci"
+      + tenant_id           = (known after apply)
+    }
+
+  # module.flexible-mysql.random_password.main[0] will be created
+  + resource "random_password" "main" {
+      + bcrypt_hash = (sensitive value)
+      + id          = (known after apply)
+      + length      = 16
+      + lower       = true
+      + min_lower   = 2
+      + min_numeric = 4
+      + min_special = 0
+      + min_upper   = 4
+      + number      = true
+      + numeric     = true
+      + result      = (sensitive value)
+      + special     = false
+      + upper       = true
+    }
+
+  # module.log-analytics.azurerm_log_analytics_workspace.main[0] will be created
+  + resource "azurerm_log_analytics_workspace" "main" {
+      + allow_resource_only_permissions = true
+      + daily_quota_gb                  = 1
+      + id                              = (known after apply)
+      + internet_ingestion_enabled      = true
+      + internet_query_enabled          = true
+      + local_authentication_disabled   = (known after apply)
+      + local_authentication_enabled    = (known after apply)
+      + location                        = "centralindia"
+      + name                            = "law-core-dev-inci"
+      + primary_shared_key              = (sensitive value)
+      + resource_group_name             = "rg-core-dev-inci"
+      + retention_in_days               = (known after apply)
+      + secondary_shared_key            = (sensitive value)
+      + sku                             = "PerGB2018"
+      + tags                            = {
+          + "Business_unit"   = "corp"
+          + "Deployment_mode" = "terraform"
+          + "Environment"     = "dev"
+          + "Managedby"       = "terraform-az-modules"
+          + "Name"            = "core"
+          + "Repository"      = "https://github.com/terraform-az-modules/terraform-azure-log-analytics"
+        }
+      + workspace_id                    = (known 

See the full diff from https://github.com/terraform-az-modules/terraform-azurerm-flexible-mysql/actions/runs/19764589677

GitHub Actions

[github-actions]

🛡️ Checkov Security Scan: 1 Issues Found

🔴 [CKV_AZURE_94] Ensure that My SQL server enables geo-redundant backups
🔗 main.tf:33-90
📚 More Info

resource "azurerm_mysql_flexible_server" "main" {
  count                             = var.enabled ? 1 : 0
  name                              = var.resource_position_prefix ? format("mysql-fs-%s", local.name) : format("%s-mysql-fs", local.name)
  resource_group_name               = var.resource_group_name
  location                          = var.location
  administrator_login               = var.admin_username
  administrator_password            = var.admin_password == null ? random_password.main[0].result : var.admin_password
  backup_retention_days             = var.backup_retention_days
  delegated_subnet_id               = var.delegated_subnet_id
  private_dns_zone_id               = var.vnet_integration_private_dns_zone_id
  sku_name                          = var.sku_name
  create_mode                       = var.create_mode
  geo_redundant_backup_enabled      = var.geo_redundant_backup_enabled
  point_in_time_restore_time_in_utc = var.create_mode == "PointInTimeRestore" ? var.point_in_time_restore_time_in_utc : null
  replication_role                  = var.replication_role
  source_server_id                  = var.create_mode == "PointInTimeRestore" ? var.source_server_id : null
  version                           = var.mysql_version
  zone                              = var.zone
  tags                              = module.labels.tags
  storage {
    auto_grow_enabled = var.auto_grow_enabled
    iops              = var.iops
    size_gb           = var.size_gb
  }

  dynamic "high_availability" {
    for_each = toset(var.high_availability != null ? [var.high_availability] : [])
    content {
      mode                      = high_availability.value.mode
      standby_availability_zone = lookup(high_availability.value, "standby_availability_zone", 1)
    }
  }

  dynamic "identity" {
    for_each = var.identity_type != null || var.cmk_enabled ? [1] : []
    content {
      type = var.cmk_enabled ? "UserAssigned" : var.identity_type
      identity_ids = distinct(concat(
        var.identity_type == "UserAssigned" ? var.user_assigned_identity_ids : [],
        var.cmk_enabled ? [azurerm_user_assigned_identity.primary_cmk_umi[0].id] : [],
        var.cmk_enabled && var.geo_redundant_backup_enabled ? [azurerm_user_assigned_identity.geo_cmk_umi[0].id] : []
      ))
    }
  }

  dynamic "customer_managed_key" {
    for_each = var.cmk_enabled ? [true] : []
    content {
      key_vault_key_id                     = azurerm_key_vault_key.primary_cmk_key[0].id
      primary_user_assigned_identity_id    = azurerm_user_assigned_identity.primary_cmk_umi[0].id
      geo_backup_key_vault_key_id          = var.geo_redundant_backup_enabled ? azurerm_key_vault_key.geo_cmk_key[0].id : null
      geo_backup_user_assigned_identity_id = var.geo_redundant_backup_enabled ? azurerm_user_assigned_identity.geo_cmk_umi[0].id : null
    }
  }
  lifecycle {
    ignore_changes = [administrator_password]
  }
}

---

[github-actions]

🛡️ Checkov Security Scan: 1 Issues Found

🔴 [CKV_AZURE_94] Ensure that My SQL server enables geo-redundant backups
🔗 main.tf:33-90
📚 More Info

resource "azurerm_mysql_flexible_server" "main" {
  count                             = var.enabled ? 1 : 0
  name                              = var.resource_position_prefix ? format("mysql-fs-%s", local.name) : format("%s-mysql-fs", local.name)
  resource_group_name               = var.resource_group_name
  location                          = var.location
  administrator_login               = var.admin_username
  administrator_password            = var.admin_password == null ? random_password.main[0].result : var.admin_password
  backup_retention_days             = var.backup_retention_days
  delegated_subnet_id               = var.delegated_subnet_id
  private_dns_zone_id               = var.vnet_integration_private_dns_zone_id
  sku_name                          = var.sku_name
  create_mode                       = var.create_mode
  geo_redundant_backup_enabled      = var.geo_redundant_backup_enabled
  point_in_time_restore_time_in_utc = var.create_mode == "PointInTimeRestore" ? var.point_in_time_restore_time_in_utc : null
  replication_role                  = var.replication_role
  source_server_id                  = var.create_mode == "PointInTimeRestore" ? var.source_server_id : null
  version                           = var.mysql_version
  zone                              = var.zone
  tags                              = module.labels.tags
  storage {
    auto_grow_enabled = var.auto_grow_enabled
    iops              = var.iops
    size_gb           = var.size_gb
  }

  dynamic "high_availability" {
    for_each = toset(var.high_availability != null ? [var.high_availability] : [])
    content {
      mode                      = high_availability.value.mode
      standby_availability_zone = lookup(high_availability.value, "standby_availability_zone", 1)
    }
  }

  dynamic "identity" {
    for_each = var.identity_type != null || var.cmk_enabled ? [1] : []
    content {
      type = var.cmk_enabled ? "UserAssigned" : var.identity_type
      identity_ids = distinct(concat(
        var.identity_type == "UserAssigned" ? var.user_assigned_identity_ids : [],
        var.cmk_enabled ? [azurerm_user_assigned_identity.primary_cmk_umi[0].id] : [],
        var.cmk_enabled && var.geo_redundant_backup_enabled ? [azurerm_user_assigned_identity.geo_cmk_umi[0].id] : []
      ))
    }
  }

  dynamic "customer_managed_key" {
    for_each = var.cmk_enabled ? [true] : []
    content {
      key_vault_key_id                     = azurerm_key_vault_key.primary_cmk_key[0].id
      primary_user_assigned_identity_id    = azurerm_user_assigned_identity.primary_cmk_umi[0].id
      geo_backup_key_vault_key_id          = var.geo_redundant_backup_enabled ? azurerm_key_vault_key.geo_cmk_key[0].id : null
      geo_backup_user_assigned_identity_id = var.geo_redundant_backup_enabled ? azurerm_user_assigned_identity.geo_cmk_umi[0].id : null
    }
  }
  lifecycle {
    ignore_changes = [administrator_password]
  }
}

---