azurerm_mssql_server minimum_tls_version cannot be removed once set, please set a valid value for this property

[a2m1]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.7

AzureRM Provider Version

3.57.0

Affected Resource(s)/Data Source(s)

azurerm_mssql_server

Terraform Configuration Files

terraform {
  required_version = "1.3.7"
  backend "remote" {}
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.57.0"
    }
  }
}

resource "azurerm_mssql_server" "sql" {
  count = var.create ? 1 : 0

  name                          = var.name
  resource_group_name           = var.resource_group_name
  location                      = var.location
  version                       = var.sql_version
  administrator_login           = local.administrator_login
  administrator_login_password  = local.administrator_login_password
  connection_policy             = var.connection_policy
  public_network_access_enabled = var.public_network_access_enabled
  minimum_tls_version           = var.minimum_tls_version # It's currenlty set to "Disabled"
  tags                          = var.tags

  primary_user_assigned_identity_id = var.primary_user_assigned_identity_id
  identity {
    type         = var.identity_type
    identity_ids = var.identity_ids
  }

  dynamic "azuread_administrator" {
    for_each = var.login_username != null && var.object_id != null && var.tenant_id != null ? [1] : []
    content {
      login_username = var.login_username
      object_id      = var.object_id
      tenant_id      = var.tenant_id
    }
  }
}

Debug Output/Panic Output

[...]
2023-05-22T13:00:14.627-0500 [WARN]  Provider "registry.terraform.io/hashicorp/azurerm" produced an unexpected new value for module.udp_adf_sql.azurerm_mssql_server.sql[0] during refresh.
      - .minimum_tls_version: was cty.StringVal("Disabled"), but now cty.StringVal("None")
      - .transparent_data_encryption_key_vault_key_id: was null, but now cty.StringVal("")
[...]
2023-05-22T13:00:14.638-0500 [ERROR] provider.terraform-provider-azurerm_v3.57.0_x5: Response contains error diagnostic: @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:55 tf_proto_version=5.3 tf_rpc=PlanResourceChange tf_provider_addr=provider tf_req_id=0ed83182-6da0-8d19-e39f-1eb8dbbb6bb1 tf_resource_type=azurerm_mssql_server @module=sdk.proto diagnostic_detail= diagnostic_severity=ERROR diagnostic_summary="1 error occurred:
	* `minimum_tls_version` cannot be removed once set, please set a valid value for this property

" timestamp=2023-05-22T13:00:14.637-0500
2023-05-22T13:00:14.638-0500 [ERROR] vertex "module.udp_adf_sql.azurerm_mssql_server.sql[0]" error: 1 error occurred:
	* `minimum_tls_version` cannot be removed once set, please set a valid value for this property
2023-05-22T13:00:14.639-0500 [ERROR] vertex "module.udp_adf_sql.azurerm_mssql_server.sql (expand)" error: 1 error occurred:
	* `minimum_tls_version` cannot be removed once set, please set a valid value for this property
[...]

Expected Behaviour

Terraform plan executed without any issues

Actual Behaviour

SQL instance has been deployed a while ago and didn't have any changes since that. Today terrafrom plan start failing with

│ Error: 1 error occurred:
│ * minimum_tls_version cannot be removed once set, please set a valid value for this property

Steps to Reproduce

1. terraform init
2. terraform plan

Important Factoids

No response

References

No response

[a2m1]

I might be wrong but I believe Azure rolled new changes that replaced Disabled with None for minimalTlsVersion and now it's causing the issue the azurerm_mssql_server doesn't support None value

[Pidgegeddon]

We are seeing the same issue. It worked 18. April with azurerm version 3.52.0. Reverting to 3.52.0 did not work.

We changed minimum_tls_version from "Disabled" to "1.0" in config to see output in plan and it shows:

~ minimum_tls_version = "None" -> "1.0"

edit:
created a new server with the below config and it applied and was created fine but running new plan right after fails with same error. version = "3.57.0"

resource "azurerm_mssql_server" "server" {
  name                          = "${azurerm_resource_group.rg.name}szokjf-sqlsvr"
  resource_group_name           = azurerm_resource_group.rg.name
  location                      = azurerm_resource_group.rg.location
  version                       = "12.0"
  administrator_login           = "sqlsvradminlogin"
  administrator_login_password  = ***
  public_network_access_enabled = false
  minimum_tls_version           = "Disabled"

  identity {
    type = "SystemAssigned"
  }
}

[baynezy]

For those with this issue we have had to go with:

resource "azurerm_mssql_server" "server" {

lifecycle {
    ignore_changes = [
      minimum_tls_version,
    ]
  }
}

It is not ideal, but it unblocks our builds.

[rcskosir]

Thanks for opening this issue. A related PR (#22067) has been merged and was released in v3.60.0. Please upgrade to that version or the latest, thanks! If this is still an issue with the provider please do let us know by opening a new issue.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.