Hello, I tried to create Azure DB for PostgreSQL...
# azure
Hello, I tried to create Azure DB for PostgreSQL with Data Encryption but ran into this error:

azure-native:dbforpostgresql:Server (server5): error: Code="InternalServerError" Message="An unexpected error occured while processing the request. Tracking ID: '448e0c16-b379-4742-861a-36ae91a3c6df'"

Code used:

```python
import pulumi
import pulumi_azure_native as azure_native

# resource_group, vault, key, db_subnet, vnet, private_db_dns_zone, db_user_assigned_identity,
# aks_cluster and the *_name / subscription_id / author variables are defined earlier in the program.
server5 = azure_native.dbforpostgresql.Server("server5",
    administrator_login='tuvaadmin',
    administrator_login_password='tuv1pg1!',  # plaintext literal; a config secret would keep it out of source and state
    backup=azure_native.dbforpostgresql.BackupArgs(
        backup_retention_days=7,
        geo_redundant_backup=azure_native.dbforpostgresql.GeoRedundantBackupEnum.DISABLED,
    ),
    location=resource_group_location,
    resource_group_name=resource_group.name,
    server_name=f"uh-{client_name}-server5",
    sku=azure_native.dbforpostgresql.SkuArgs(
        name="Standard_B1ms",
        tier=azure_native.dbforpostgresql.SkuTier.BURSTABLE,
    ),
    storage=azure_native.dbforpostgresql.StorageArgs(
        storage_size_gb=32,
    ),
    # VNet-integrated (private access) server: delegated subnet plus private DNS zone
    network=azure_native.dbforpostgresql.NetworkArgs(
        delegated_subnet_resource_id=f"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Network/virtualNetworks/{vnet_name}/subnets/{db_subnet_name}",
        private_dns_zone_arm_resource_id=f"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Network/privateDnsZones/{client_name}.private.postgres.database.azure.com",
    ),
    # user-assigned identity the server uses to reach the Key Vault key
    identity=azure_native.dbforpostgresql.UserAssignedIdentityArgs(
        type='UserAssigned',
        user_assigned_identities={
            f"/subscriptions/{subscription_id}/resourcegroups/{resource_group_name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{db_user_assigned_identity_name}": azure_native.dbforpostgresql.UserIdentityArgs()},
    ),
    # customer-managed key (CMK) data encryption
    data_encryption=azure_native.dbforpostgresql.DataEncryptionArgs(
        type="AzureKeyVault",
        # note: if key is a Pulumi resource, key.name is an Output and an f-string will not resolve it
        primary_key_uri=f"https://{vault_name}.vault.azure.net/keys/{key.name}/{key_version}",
        primary_user_assigned_identity_id=f"/subscriptions/{subscription_id}/resourcegroups/{resource_group_name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{db_user_assigned_identity_name}",
    ),
    tags={
        "created_by": author,
    },
    version=azure_native.dbforpostgresql.ServerVersion.SERVER_VERSION_12,
    opts=pulumi.ResourceOptions(depends_on=[
        # db_subnet, private_db_dns_zone, db_nsg, vault, db_user_assigned_identity, key, resource_group, storage_subnet,aks_cluster,vnet
        db_subnet, private_db_dns_zone, vault, db_user_assigned_identity, key, resource_group, vnet, aks_cluster
    ]))
```
I've experienced some quirks in the Azure Postgres service the hard way and lack of error feedback from the API. Hoping some of these might help you:

• Does this only fail when you configure `data_encryption`?
• Is RBAC authorization enabled on the Key Vault? Which roles are you assigning on the user assigned identity? Make sure you have the `Key Vault Crypto Service Encryption User` role assigned on the identity
• Do you have a Network Security Group attached to the subnet you're deploying the server into?
  ◦ If so try creating a rule allowing outbound communication with Entra with the `AzureActiveDirectory` service tag destination (might be needed for authenticating against the Key Vault)
• Do you have a route table on the subnet?
  ◦ Then create a rule with destination service tag `AzureActiveDirectory` and next hop Internet
• Make sure the private dns zone exists and has a Virtual Network Link to the vnet you're deploying into
• Make sure there isn't a read-only lock present on the vnet or private dns zone as that might hinder the service from joining the vnet and creating records in the dns zone
• Make sure the vnet is in the same subscription you're deploying the server into
• If the private dns zone or the key vault reside in another subscription make sure the `Microsoft.DbForPostgreSql` provider is registered in those subscriptions as well
• Since you seem to have dependencies on `db_subnet, private_db_dns_zone, vault, db_user_assigned_identity, key, resource_group, vnet, aks_cluster` within the same application – why not reference the ID outputs of those instead of constructing those resource IDs manually in downstream resource inputs? A bonus here is that Pulumi will automatically figure out those dependencies if you reference them in inputs in downstream resources
• Try deploying by using some of the newer API versions of the provider:

```python
from pulumi_azure_native.dbforpostgresql import (
    v20231201preview as postgres,
)
```
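The reply's checklist can be run as an offline pre-flight before `pulumi up`, so that a missing role assignment, NSG rule, DNS link, lock or provider registration is reported by name instead of surfacing as the API's opaque InternalServerError. The following is an added example, not code from the thread or from Pulumi: the `Deployment` record, the placeholder subscription IDs and the role-assignment layout are constructed, and the role name and service tag are the ones the reply names. It also generalizes the reply's point about hand-built resource IDs by comparing ARM IDs case-insensitively, which matters because the thread's code mixes `resourceGroups` and `resourcegroups` in the same identity ID.

```python
"""Pre-flight checks for a CMK-encrypted Azure Database for PostgreSQL server.

Added example modelled on the reply's checklist; the data model and sample
IDs below are constructed, not taken from a real deployment.
"""
from dataclasses import dataclass, field, replace
from typing import Optional

CRYPTO_USER_ROLE = "Key Vault Crypto Service Encryption User"  # role the reply asks for
ENTRA_SERVICE_TAG = "AzureActiveDirectory"                      # NSG/route destination tag
POSTGRES_PROVIDER = "Microsoft.DBforPostgreSQL"                # compared case-insensitively


def parse_resource_id(rid: str) -> dict:
    """Split '/subscriptions/<sub>/resourceGroups/<rg>/...' into lower-cased parts."""
    parts = rid.strip("/").split("/")
    if len(parts) < 4 or parts[0].lower() != "subscriptions" \
            or parts[2].lower() != "resourcegroups":
        raise ValueError(f"not an ARM resource ID: {rid}")
    return {"subscription": parts[1].lower(), "resource_group": parts[3].lower(),
            "id": rid.lower()}


def same_resource(a: str, b: str) -> bool:
    """ARM resource IDs are case-insensitive, so never compare them with ==."""
    return a.strip("/").lower() == b.strip("/").lower()


def scope_covers(scope: str, rid: str) -> bool:
    """A role assigned at subscription, RG or resource scope applies to everything beneath it."""
    return (rid.lower() + "/").startswith(scope.lower().rstrip("/") + "/")


@dataclass
class Deployment:
    """The resources the reply asks about, as IDs plus the facts to verify (constructed model)."""
    server_subscription: str
    subnet_id: str
    dns_zone_id: str
    vault_id: str
    vault_rbac_enabled: bool
    identity_id: str             # identity assigned to the server
    encryption_identity_id: str  # identity named in data_encryption
    role_assignments: list = field(default_factory=list)    # (principal_id, role, scope)
    dns_zone_vnet_links: list = field(default_factory=list)  # vnet IDs linked to the zone
    read_only_locks: list = field(default_factory=list)      # resource IDs carrying a ReadOnly lock
    nsg_outbound_rules: Optional[list] = None   # None = no NSG on the subnet; else (access, destination)
    registered_providers: dict = field(default_factory=dict)  # subscription -> provider namespaces


def preflight(d: Deployment) -> list:
    """Return one finding per failed check; an empty list means everything passed."""
    findings = []
    vnet_id = d.subnet_id.split("/subnets/")[0]
    server_sub = d.server_subscription.lower()

    if not same_resource(d.identity_id, d.encryption_identity_id):
        findings.append("data_encryption identity is not an identity assigned to the server")
    if not d.vault_rbac_enabled:
        findings.append("key vault is not using RBAC authorization")
    if not any(same_resource(p, d.identity_id) and r == CRYPTO_USER_ROLE and scope_covers(s, d.vault_id)
               for p, r, s in d.role_assignments):
        findings.append(f"identity lacks the '{CRYPTO_USER_ROLE}' role on the key vault")
    if d.nsg_outbound_rules is not None and not any(
            a.lower() == "allow" and dest == ENTRA_SERVICE_TAG for a, dest in d.nsg_outbound_rules):
        findings.append(f"subnet NSG has no outbound Allow rule to the {ENTRA_SERVICE_TAG} service tag")
    if not any(same_resource(link, vnet_id) for link in d.dns_zone_vnet_links):
        findings.append("private DNS zone has no virtual network link to the server vnet")
    for rid in d.read_only_locks:
        if same_resource(rid, vnet_id) or same_resource(rid, d.dns_zone_id):
            findings.append(f"ReadOnly lock on {rid}")
    if parse_resource_id(vnet_id)["subscription"] != server_sub:
        findings.append("vnet is in a different subscription than the server")
    for rid in (d.dns_zone_id, d.vault_id):  # cross-subscription zone or vault needs the provider registered there
        sub = parse_resource_id(rid)["subscription"]
        registered = {p.lower() for p in d.registered_providers.get(sub, ())}
        if sub != server_sub and POSTGRES_PROVIDER.lower() not in registered:
            findings.append(f"{POSTGRES_PROVIDER} is not registered in subscription {sub}")
    return findings


# Constructed sample deployment; the subscription IDs are placeholders.
SUB = "00000000-0000-0000-0000-000000000001"
OTHER_SUB = "00000000-0000-0000-0000-000000000002"
RG = f"/subscriptions/{SUB}/resourceGroups/rg-db"
VNET = f"{RG}/providers/Microsoft.Network/virtualNetworks/vnet-app"
IDENTITY = f"{RG}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-pg"
VAULT = f"/subscriptions/{OTHER_SUB}/resourceGroups/rg-sec/providers/Microsoft.KeyVault/vaults/kv-pg"
ZONE = f"{RG}/providers/Microsoft.Network/privateDnsZones/example.private.postgres.database.azure.com"

GOOD = Deployment(
    server_subscription=SUB, subnet_id=f"{VNET}/subnets/snet-db", dns_zone_id=ZONE,
    vault_id=VAULT, vault_rbac_enabled=True, identity_id=IDENTITY,
    # same identity spelled with the lower-case segment, as in the thread's code
    encryption_identity_id=IDENTITY.replace("resourceGroups", "resourcegroups"),
    role_assignments=[(IDENTITY, CRYPTO_USER_ROLE, VAULT)],
    dns_zone_vnet_links=[VNET],
    nsg_outbound_rules=[("Allow", ENTRA_SERVICE_TAG)],
    registered_providers={OTHER_SUB: {POSTGRES_PROVIDER}},
)
# The same deployment with several of the reply's preconditions missing.
BAD = replace(GOOD, vault_rbac_enabled=False, role_assignments=[],
              read_only_locks=[VNET], registered_providers={})

if __name__ == "__main__":
    for name, dep in (("good", GOOD), ("bad", BAD)):
        print(name, preflight(dep) or "all checks passed")
```

In a real pipeline the `Deployment` fields would be filled from the subscription (role assignments, locks, DNS links, NSG rules and provider registrations) rather than typed in; the checks themselves stay the same, and the case-insensitive ID comparison is the part most often got wrong when IDs are assembled by hand instead of taken from resource outputs.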