I have a terraformed Azure MySQL instance and a WordPress docker instance running in an Azure Container Instance. Both come up fine, but I can't see a way to automatically allow access from the container instance to MySQL because 1) the traffic is not coming through the external IP address, and 2) I don't know where the actual IP address is being created, and 3) I can't see a way to determine what the IP address is.
```hcl
resource "azurerm_container_group" "wp-container-group" {
  name                = var.container_group_name
  location            = azurerm_resource_group.wordpress-resource-group.location
  resource_group_name = azurerm_resource_group.wordpress-resource-group.name
  ip_address_type     = "public"
  dns_name_label      = var.dns_label
  os_type             = "Linux"

  container {
    name  = "wordpress"
    image = "wordpress:latest"
    ...
  }
  ...
}

resource "azurerm_mysql_server" "wordpress_mysql" {
  name                = "foo-bar"
  location            = azurerm_resource_group.wordpress-resource-group.location
  resource_group_name = azurerm_resource_group.wordpress-resource-group.name
  ....
}

resource "azurerm_mysql_database" "wp-db" {
  name                = "wordpress"
  resource_group_name = azurerm_resource_group.wordpress-resource-group.name
  server_name         = azurerm_mysql_server.wordpress_mysql.name
  charset             = "utf8"
  collation           = "utf8_general_ci"
}
```
This is set to allow traffic from the external IP address:
```hcl
resource "azurerm_mysql_firewall_rule" "allow_container" {
  name                = "allow_wordpress_container"
  resource_group_name = azurerm_resource_group.wordpress-resource-group.name
  server_name         = azurerm_mysql_server.wordpress_mysql.name
  start_ip_address    = azurerm_container_group.wp-container-group.ip_address
  end_ip_address      = azurerm_container_group.wp-container-group.ip_address
}
```
When I SSH into the container instance and try to connect via the command line `mysql`, it tells me that it's using a different IP address than the external one---the internal one is in the 52.x.x.x range. I can manually add this IP address as a firewall rule, but I want to do it automatically.
So my question is: where does this 52.x.x.x address get assigned, and how can I access it in Terraform so that I can automatically configure the firewall rule between the container instance and mysql?
The outbound IP address associated with the container instance is not available as a property of the container. The IP address is not guaranteed to persist beyond container restart either, so it would not be a reliable identifier for a firewall rule.
The simplest solution in this case would be to "Allow access to Azure services" in your database firewall. This is achieved by creating an `azurerm_sql_firewall_rule` having `start_ip_address` and `end_ip_address` set to "0.0.0.0"
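
An added example, not part of the original answer: the "Allow access to Azure services" rule written with the `azurerm_mysql_firewall_rule` resource type that the question's configuration already uses, in place of its `allow_container` rule. The rule name `allow_azure_services` is a constructed placeholder.

```hcl
# Added example (not from the original post). Replaces the question's
# "allow_container" rule, which pinned the container group's public IP.
#
# A rule whose start and end addresses are both 0.0.0.0 is the special
# "Allow access to Azure services" setting. It admits connections that
# originate inside Azure, including from other customers' subscriptions,
# so the firewall no longer identifies the WordPress container specifically.
# The database credentials and TLS are the remaining controls: keep
# ssl_enforcement_enabled = true on azurerm_mysql_server.wordpress_mysql
# and give the WordPress database user a dedicated, strong password.
resource "azurerm_mysql_firewall_rule" "allow_azure_services" {
  name                = "allow_azure_services" # constructed name
  resource_group_name = azurerm_resource_group.wordpress-resource-group.name
  server_name         = azurerm_mysql_server.wordpress_mysql.name
  start_ip_address    = "0.0.0.0"
  end_ip_address      = "0.0.0.0"
}
```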