Introduction
Starting with v202507-1, Terraform Enterprise supports authenticating to PostgreSQL with MSI (Managed Service Identity), as announced here.
The following examples show the difference between the two configurations and the parameters each requires.
Example of the previous configuration, using a password:
TFE_DATABASE_HOST: "db.postgres.database.azure.com:5432"
TFE_DATABASE_NAME: "tfe"
TFE_DATABASE_USER: "<postgres>"
TFE_DATABASE_PASSWORD: <password>
Example of the new configuration, using MSI (TFE_DATABASE_PASSWORD is no longer set):
TFE_DATABASE_HOST: "db.postgres.database.azure.com:5432"
TFE_DATABASE_NAME: "tfe"
TFE_DATABASE_USER: "<MSI_name>"
TFE_DATABASE_PASSWORDLESS_AZURE_USE_MSI: "true"
TFE_DATABASE_PASSWORDLESS_AZURE_CLIENT_ID: "<identity_client_ID>" # Optional; required only for a user-assigned MSI. Omit this line for a system-assigned MSI.
Problem
After switching Azure Database for PostgreSQL flexible server authentication from password to MSI, Terraform Enterprise fails to start with the following error:
{"component":"terraform-enterprise","log":"2025-08-06T14:16:15.163Z [INFO] terraform-enterprise.database.pgmultiauth: getting initial db auth token"}
{"component":"terraform-enterprise","log":"2025-08-06T14:16:15.207Z [INFO] terraform-enterprise.database: creating schema: schema=terraform_enterprise"}
{"component":"terraform-enterprise","log":"2025-08-06T14:16:15.209Z [ERROR] terraform-enterprise: startup: error=\"error creating schema: error creating terraform_enterprise schema: ERROR: schema \\\"terraform_enterprise\\\" already exists (SQLSTATE 42P06)\""}
Prerequisites
- Terraform Enterprise >= v202507-1
- Authentication to PostgreSQL with MSI (Managed Service Identity)
Cause
The MSI role has no privileges on the existing terraform_enterprise schema. In PostgreSQL, information_schema.schemata lists only the schemas that the current role owns or has a privilege on, so a role without privileges cannot see that terraform_enterprise already exists, attempts to create it, and the CREATE SCHEMA is rejected because the schema does in fact exist (SQLSTATE 42P06).
This can be validated by connecting to the PostgreSQL database as the MSI role and executing the following command:
SELECT 1 FROM information_schema.schemata WHERE schema_name='terraform_enterprise';
The expected output is one row containing 1.
If the query returns no rows, the MSI role cannot see the schema; review the steps below.
Solution
- Ensure that the MSI meets the requirements: add the MSI to Microsoft Entra Administrators under Azure Portal > Azure Database for PostgreSQL flexible server > select the database instance > Security > Authentication > Add Microsoft Entra Administrators.
- Connect to the database with the old PostgreSQL username and execute the following commands:
GRANT <old_owner> TO "<new_MSI>";
ALTER ROLE "<new_MSI>" SET ROLE <old_owner>;
Replace <old_owner> with the old PostgreSQL username and <new_MSI> with the new MSI user. The GRANT makes the MSI role a member of the old owner role, and the ALTER ROLE makes new sessions of the MSI role run as the old owner by default, so the MSI sees and owns the schema exactly as the old user did.
- To validate, run the \dn command in psql to display the list of schemas and their owners.
When it's done, re-deploy TFE with updated configuration to use MSI.
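The following SQL is an added worked example, not part of the original article or of HashiCorp's tooling. It carries the diagnosis from the Cause section and the GRANT / ALTER ROLE fix above through end to end, including an ownership check that is not filtered by privileges and an SQL equivalent of \dn. The role names tfeadmin (the old password user that owns the schema) and tfe-msi (the Entra-created MSI role) are hypothetical placeholders; substitute your own.

```sql
-- Added example; tfeadmin and tfe-msi are hypothetical role names.

-- 1) Diagnose, connected as the MSI role (tfe-msi).
--    information_schema.schemata lists only schemas the current role owns
--    or has a privilege on, so a role without privileges gets no rows here
--    even though the schema exists.
SELECT 1
  FROM information_schema.schemata
 WHERE schema_name = 'terraform_enterprise';

--    pg_namespace is not privilege-filtered: this shows that the schema
--    exists and who owns it, regardless of who is asking.
SELECT n.nspname                   AS schema,
       pg_get_userbyid(n.nspowner) AS owner
  FROM pg_namespace n
 WHERE n.nspname = 'terraform_enterprise';

-- 2) Fix, connected as the old password user (tfeadmin).
--    Make the MSI role a member of the schema owner, and make new sessions
--    of the MSI role run as that owner by default.
GRANT tfeadmin TO "tfe-msi";
ALTER ROLE "tfe-msi" SET ROLE tfeadmin;

-- 3) Verify that membership took effect (expect: t).
SELECT pg_has_role('tfe-msi', 'tfeadmin', 'MEMBER') AS is_member;

-- 4) Re-check from a fresh session as the MSI role.
--    session_user stays tfe-msi; current_user should now be tfeadmin
--    because of the per-role SET ROLE, and the schema is visible again.
SELECT session_user, current_user;
SELECT 1
  FROM information_schema.schemata
 WHERE schema_name = 'terraform_enterprise';

-- Equivalent of psql's \dn: every non-system schema and its owner.
SELECT n.nspname                   AS schema,
       pg_get_userbyid(n.nspowner) AS owner
  FROM pg_namespace n
 WHERE n.nspname NOT LIKE 'pg\_%'
   AND n.nspname <> 'information_schema'
 ORDER BY 1;
```

Two practical notes. ALTER ROLE on a role other than your own requires the CREATEROLE privilege (or superuser) on the executing role, so run step 2 as the server's administrative user. With the default INHERIT membership, the GRANT alone already makes the schema visible to the MSI role; the ALTER ROLE additionally makes objects that Terraform Enterprise creates in future migrations owned by the old owner rather than by the MSI role, and it only affects sessions opened after it runs, which is why TFE must be re-deployed afterwards.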
Outcome
Terraform Enterprise is up and running and authenticates to PostgreSQL using MSI (Managed Service Identity).