Azure Database SQL Managed Instance

azurerm_sql_managed_instance (Terraform)

The SQL Managed Instance in Database can be configured in Terraform with the resource name azurerm_sql_managed_instance. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

harishve6/secondrepo

resource "azurerm_sql_managed_instance" "sqlmi" {
  name                         = var.sqlmi_name
  resource_group_name          = var.resourcegroup_name
  location                     = var.location
  administrator_login          = "administrator"
  administrator_login_password = "thisIsDog11"

Nizamc/ADIA

resource "azurerm_sql_managed_instance" "dev_soa_sqlmi" {
  name                         = "soa-dev-db"
  resource_group_name          = azurerm_resource_group.rg-dev-db.name
  location                     = azurerm_resource_group.rg-dev-db.location
  administrator_login          = "mradministrator"
  administrator_login_password = "thisIsDog11"

Parameters

The following arguments are supported:

• name - (Required) The name of the SQL Managed Instance. This needs to be globally unique within Azure.

• resource_group_name - (Required) The name of the resource group in which to create the SQL Server.

• location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

• sku_name - (Required) Specifies the SKU Name for the SQL Managed Instance. Valid values include GP_Gen4, GP_Gen5, BC_Gen4, BC_Gen5. Changing this forces a new resource to be created.

• vcores - (Required) Number of cores that should be assigned to your instance. Values can be 8, 16, or 24 if sku_name is GP_Gen4, or 8, 16, 24, 32, or 40 if sku_name is GP_Gen5.

• storage_size_in_gb - (Required) Maximum storage space for your instance. It should be a multiple of 32GB.

• license_type - (Required) What type of license the Managed Instance will use. Valid values include can be PriceIncluded or BasePrice.

• administrator_login - (Required) The administrator login name for the new server. Changing this forces a new resource to be created.

• administrator_login_password - (Required) The password associated with the administrator_login user. Needs to comply with Azure's Password Policy

• subnet_id - (Required) The subnet resource id that the SQL Managed Instance will be associated with.

• collation - (Optional) Specifies how the SQL Managed Instance will be collated. Default value is SQL_Latin1_General_CP1_CI_AS. Changing this forces a new resource to be created.

• public_data_endpoint_enabled - (Optional) Is the public data endpoint enabled? Default value is false.

• minimum_tls_version - (Optional) The Minimum TLS Version. Default value is 1.2 Valid values include 1.0, 1.1, 1.2.

• proxy_override - (Optional) Specifies how the SQL Managed Instance will be accessed. Default value is Default. Valid values include Default, Proxy, and Redirect.

• timezone_id - (Optional) The TimeZone ID that the SQL Managed Instance will be operating in. Default value is UTC. Changing this forces a new resource to be created.

• dns_zone_partner_id - (Optional) The ID of the Managed Instance which will share the DNS zone. This is a prerequisite for creating a failover group, although creation of a failover group is not yet possible in azurerm. Setting this after creation forces a new resource to be created.

• identity - (Optional) An identity block as defined below.

• tags - (Optional) A mapping of tags to assign to the resource.

A sku block supports the following:

• name - (Required) Sku of the managed instance. Values can be GP_Gen4, GP_Gen5, BC_Gen4, or BC_Gen5.

An identity block supports the following:

• type - (Required) The identity type of the SQL Managed Instance. Only possible values is SystemAssigned.

The following attributes are exported:

• id - The SQL Managed Instance ID.

• fqdn - The fully qualified domain name of the Azure Managed SQL Instance

The identity block exports the following:

• principal_id - The Principal ID for the Service Principal associated with the Identity of this SQL Managed Instance.

• tenant_id - The Tenant ID for the Service Principal associated with the Identity of this SQL Managed Instance.

Explanation in Terraform Registry

Manages a SQL Azure Managed Instance.

Note: All arguments including the administrator login and password will be stored in the raw state as plain-text. Read more about sensitive data in state.

Tips: Best Practices for The Other Azure Database Resources

In addition to the azurerm_mariadb_firewall_rule, Azure Database has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

azurerm_mariadb_firewall_rule

Ensure database firewalls do not permit public access

It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.

azurerm_mariadb_server

Ensure that access to Azure SQL Database is restricted

It is better to disable public access to the database to avoid unwilling communications with unknown services if not required.

azurerm_mssql_database_extended_auditing_policy

Ensure to configure retention periods of database auditing to enough duration

It is better to configure retention periods of database auditing to enough duration. It would be better to set greater than at least 90 days.

azurerm_mssql_server

Ensure to enable auditing on Azure SQL databases

It is better to enable auditing on Azure SQL databases. It helps you maintain regulatory compliance, monitor the activities indicating unexpected incidents or suspected security violations.

azurerm_mssql_server_security_alert_policy

Ensure to configure at least one email address for threat alerts

It is better to configure at least one email address for threat alerts. SQL Server is able to send alerts for threat detection via emails and it could support us to notice the incident on time.

azurerm_mysql_firewall_rule

Ensure database firewalls do not permit public access

It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.

azurerm_mysql_server

Ensure to disable public access to database

It is better to disable public access to the database to avoid unwilling communications with unknown services if not required.

azurerm_postgresql_firewall_rule

Ensure database firewalls do not permit public access

It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.

azurerm_postgresql_server

Ensure to disable public access to database

It is better to disable public access to the database to avoid unwilling communications with unknown services if not required.

azurerm_sql_firewall_rule

Ensure database firewalls do not permit public access

It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.

azurerm_sql_server

Ensure to enable auditing on Azure SQL databases

It is better to enable auditing on Azure SQL databases. It helps you maintain regulatory compliance, monitor the activities indicating unexpected incidents or suspected security violations.