{RDBMS} az postgres flexible-server identity update: Cannot disable SAMI when Fabric Mirroring is enabled (#30971)

mattboentoro · Matthew Boentoro · web-flow · commit 11269016ab8f · 2025-03-11T10:02:50.000+08:00
Co-authored-by: Matthew Boentoro &lt;mboentoro@microsoft.com&gt;
diff --git a/src/azure-cli/azure/cli/command_modules/rdbms/flexible_server_custom_postgres.py b/src/azure-cli/azure/cli/command_modules/rdbms/flexible_server_custom_postgres.py
@@ -28,7 +28,7 @@
     cf_postgres_check_resource_availability_with_location, \
     cf_postgres_flexible_private_dns_zone_suffix_operations, \
     cf_postgres_flexible_private_endpoint_connections, \
-    cf_postgres_flexible_tuning_options
+    cf_postgres_flexible_tuning_options, cf_postgres_flexible_config
 from ._flexible_server_util import generate_missing_parameters, resolve_poller, \
     generate_password, parse_maintenance_window, get_current_time, build_identity_and_data_encryption, \
     _is_resource_name, get_tenant_id, get_case_insensitive_key_value, get_enum_value_true_false
@@ -942,9 +942,14 @@ def flexible_server_identity_update(cmd, client, resource_group_name, server_nam
             # if user-assigned identity is enabled, then enable both system-assigned and user-assigned identity
             identity_type = 'SystemAssigned,UserAssigned'
     else:
+        # check if fabric is enabled
+        config_client = cf_postgres_flexible_config(cmd.cli_ctx, '_')
+        fabric_mirror_status = config_client.get(resource_group_name, server_name, 'azure.fabric_mirror_enabled')
+        if (fabric_mirror_status and fabric_mirror_status.value.lower() == 'on'):
+            raise CLIError("On servers for which Fabric mirroring is enabled, system assigned managed identity cannot be disabled.")
         if server.data_encryption.type == 'AzureKeyVault':
             # if data encryption is enabled, then system-assigned identity cannot be disabled
-            raise CLIError("Disabling system-assigned identity isn't supported on servers configured to use customer managed keys for data encryption.")
+            raise CLIError("On servers for which data encryption is based on customer managed key, system assigned managed identity cannot be disabled.")
         if identity_type == 'SystemAssigned,UserAssigned':
             # if both system-assigned and user-assigned identity is enabled, then disable system-assigned identity
             identity_type = 'UserAssigned'
