Azure Database SQL Managed Instance
This page shows how to write Terraform for Database SQL Managed Instance and write them securely.
azurerm_sql_managed_instance (Terraform)
The SQL Managed Instance in Database can be configured in Terraform with the resource name azurerm_sql_managed_instance
. The following sections describe 2 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_sql_managed_instance" "sqlmi" {
name = var.sqlmi_name
resource_group_name = var.resourcegroup_name
location = var.location
administrator_login = "administrator"
administrator_login_password = "thisIsDog11"
resource "azurerm_sql_managed_instance" "dev_soa_sqlmi" {
name = "soa-dev-db"
resource_group_name = azurerm_resource_group.rg-dev-db.name
location = azurerm_resource_group.rg-dev-db.location
administrator_login = "mradministrator"
administrator_login_password = "thisIsDog11"
Parameters
The following arguments are supported:
name
- (Required) The name of the SQL Managed Instance. This needs to be globally unique within Azure.resource_group_name
- (Required) The name of the resource group in which to create the SQL Server.location
- (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.sku_name
- (Required) Specifies the SKU Name for the SQL Managed Instance. Valid values includeGP_Gen4
,GP_Gen5
,BC_Gen4
,BC_Gen5
. Changing this forces a new resource to be created.vcores
- (Required) Number of cores that should be assigned to your instance. Values can be8
,16
, or24
ifsku_name
isGP_Gen4
, or8
,16
,24
,32
, or40
ifsku_name
isGP_Gen5
.storage_size_in_gb
- (Required) Maximum storage space for your instance. It should be a multiple of 32GB.license_type
- (Required) What type of license the Managed Instance will use. Valid values include can bePriceIncluded
orBasePrice
.administrator_login
- (Required) The administrator login name for the new server. Changing this forces a new resource to be created.administrator_login_password
- (Required) The password associated with theadministrator_login
user. Needs to comply with Azure's Password Policysubnet_id
- (Required) The subnet resource id that the SQL Managed Instance will be associated with.collation
- (Optional) Specifies how the SQL Managed Instance will be collated. Default value isSQL_Latin1_General_CP1_CI_AS
. Changing this forces a new resource to be created.public_data_endpoint_enabled
- (Optional) Is the public data endpoint enabled? Default value isfalse
.minimum_tls_version
- (Optional) The Minimum TLS Version. Default value is1.2
Valid values include1.0
,1.1
,1.2
.proxy_override
- (Optional) Specifies how the SQL Managed Instance will be accessed. Default value isDefault
. Valid values includeDefault
,Proxy
, andRedirect
.timezone_id
- (Optional) The TimeZone ID that the SQL Managed Instance will be operating in. Default value isUTC
. Changing this forces a new resource to be created.dns_zone_partner_id
- (Optional) The ID of the Managed Instance which will share the DNS zone. This is a prerequisite for creating a failover group, although creation of a failover group is not yet possible inazurerm
. Setting this after creation forces a new resource to be created.identity
- (Optional) Anidentity
block as defined below.tags
- (Optional) A mapping of tags to assign to the resource.
A sku
block supports the following:
name
- (Required) Sku of the managed instance. Values can beGP_Gen4
,GP_Gen5
,BC_Gen4
, orBC_Gen5
.
An identity
block supports the following:
type
- (Required) The identity type of the SQL Managed Instance. Only possible values isSystemAssigned
.
The following attributes are exported:
id
- The SQL Managed Instance ID.fqdn
- The fully qualified domain name of the Azure Managed SQL Instance
The identity
block exports the following:
principal_id
- The Principal ID for the Service Principal associated with the Identity of this SQL Managed Instance.tenant_id
- The Tenant ID for the Service Principal associated with the Identity of this SQL Managed Instance.
Explanation in Terraform Registry
Manages a SQL Azure Managed Instance.
Note: All arguments including the administrator login and password will be stored in the raw state as plain-text. Read more about sensitive data in state.
Tips: Best Practices for The Other Azure Database Resources
In addition to the azurerm_mariadb_firewall_rule, Azure Database has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
azurerm_mariadb_firewall_rule
Ensure database firewalls do not permit public access
It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.
azurerm_mariadb_server
Ensure that access to Azure SQL Database is restricted
It is better to disable public access to the database to avoid unwilling communications with unknown services if not required.
azurerm_mssql_database_extended_auditing_policy
Ensure to configure retention periods of database auditing to enough duration
It is better to configure retention periods of database auditing to enough duration. It would be better to set greater than at least 90 days.
azurerm_mssql_server
Ensure to enable auditing on Azure SQL databases
It is better to enable auditing on Azure SQL databases. It helps you maintain regulatory compliance, monitor the activities indicating unexpected incidents or suspected security violations.
azurerm_mssql_server_security_alert_policy
Ensure to configure at least one email address for threat alerts
It is better to configure at least one email address for threat alerts. SQL Server is able to send alerts for threat detection via emails and it could support us to notice the incident on time.
azurerm_mysql_firewall_rule
Ensure database firewalls do not permit public access
It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.
azurerm_mysql_server
Ensure to disable public access to database
It is better to disable public access to the database to avoid unwilling communications with unknown services if not required.
azurerm_postgresql_firewall_rule
Ensure database firewalls do not permit public access
It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.
azurerm_postgresql_server
Ensure to disable public access to database
It is better to disable public access to the database to avoid unwilling communications with unknown services if not required.
azurerm_sql_firewall_rule
Ensure database firewalls do not permit public access
It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.
azurerm_sql_server
Ensure to enable auditing on Azure SQL databases
It is better to enable auditing on Azure SQL databases. It helps you maintain regulatory compliance, monitor the activities indicating unexpected incidents or suspected security violations.
Azure Resource Manager Example
Azure Resource Manager code does not have the related resource.
Frequently asked questions
What is Azure Database SQL Managed Instance?
Azure Database SQL Managed Instance is a resource for Database of Microsoft Azure. Settings can be wrote in Terraform.
Where can I find the example code for the Azure Database SQL Managed Instance?
For Terraform, the harishve6/secondrepo and Nizamc/ADIA source code examples are useful. See the Terraform Example section for further details.