Azure Database SQL Server
This page shows how to write Terraform and Azure Resource Manager for Database SQL Server and write them securely.
azurerm_sql_server (Terraform)
The SQL Server in Database can be configured in Terraform with the resource name azurerm_sql_server
. The following sections describe 8 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_sql_server" "primary" {
name = var.primary_database
resource_group_name = var.resource_group
location = var.location
version = var.primary_database_version
administrator_login = var.primary_database_admin
resource "azurerm_sql_server" "allowed" {
}
resource "azurerm_mssql_server" "denied_2" {
extended_auditing_policy {
retention_in_days = 89
resource "azurerm_sql_server" "allowed" {
extended_auditing_policy {
retention_in_days = 89
}
}
resource "azurerm_sql_server" "sql_server_good_1" {
name = "mysqlserver"
resource_group_name = "group"
location = "location"
version = "12.0"
administrator_login = "4dm1n157r470r"
resource "azurerm_sql_server" "sql_server_good_1" {
name = "mysqlserver"
resource_group_name = "group"
location = "location"
version = "12.0"
administrator_login = "4dm1n157r470r"
resource "azurerm_sql_server" "sql" {
name = local.sql_server_name
resource_group_name = azurerm_resource_group.spoke.name
location = azurerm_resource_group.spoke.location
administrator_login = var.sqlUsername
administrator_login_password = random_password.sql_password.result
resource "azurerm_sql_server" "primary" {
name = "kmack-sql-primary"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
version = "12.0"
administrator_login = "sqladmin"
resource "azurerm_sql_server" "positive2" {
name = "mysqlserver1"
resource_group_name = "acceptanceTestResourceGroup1"
location = "West US"
version = "12.0"
administrator_login = "4dm1n157r470r"
Security Best Practices for azurerm_sql_server
There is 1 setting in azurerm_sql_server that should be taken care of for security reasons. The following section explain an overview and example code.
Ensure to enable auditing on Azure SQL databases
It is better to enable auditing on Azure SQL databases. It helps you maintain regulatory compliance, monitor the activities indicating unexpected incidents or suspected security violations.
Parameters
-
administrator_login
required - string -
administrator_login_password
required - string -
connection_policy
optional - string -
extended_auditing_policy
optional computed - list of object-
log_monitoring_enabled
- bool -
retention_in_days
- number -
storage_account_access_key
- string -
storage_account_access_key_is_secondary
- bool -
storage_endpoint
- string
-
-
fully_qualified_domain_name
optional computed - string -
id
optional computed - string -
location
required - string -
name
required - string -
resource_group_name
required - string -
tags
optional - map from string to string -
version
required - string -
identity
list block-
principal_id
optional computed - string -
tenant_id
optional computed - string -
type
required - string
-
-
timeouts
single block
Explanation in Terraform Registry
Manages a Microsoft SQL Azure Database Server.
Note: This resource provides usage of Microsoft SQL Azure Database server using an older
sku
based model. It is recommended going forward to useazurerm_mssql_server
resource which provides support forvcores
.Note: All arguments including the administrator login and password will be stored in the raw state as plain-text. Read more about sensitive data in state.
Tips: Best Practices for The Other Azure Database Resources
In addition to the azurerm_mariadb_firewall_rule, Azure Database has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
azurerm_mariadb_firewall_rule
Ensure database firewalls do not permit public access
It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.
azurerm_mariadb_server
Ensure that access to Azure SQL Database is restricted
It is better to disable public access to the database to avoid unwilling communications with unknown services if not required.
azurerm_mssql_database_extended_auditing_policy
Ensure to configure retention periods of database auditing to enough duration
It is better to configure retention periods of database auditing to enough duration. It would be better to set greater than at least 90 days.
azurerm_mssql_server
Ensure to enable auditing on Azure SQL databases
It is better to enable auditing on Azure SQL databases. It helps you maintain regulatory compliance, monitor the activities indicating unexpected incidents or suspected security violations.
azurerm_mssql_server_security_alert_policy
Ensure to configure at least one email address for threat alerts
It is better to configure at least one email address for threat alerts. SQL Server is able to send alerts for threat detection via emails and it could support us to notice the incident on time.
azurerm_mysql_firewall_rule
Ensure database firewalls do not permit public access
It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.
azurerm_mysql_server
Ensure to disable public access to database
It is better to disable public access to the database to avoid unwilling communications with unknown services if not required.
azurerm_postgresql_firewall_rule
Ensure database firewalls do not permit public access
It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.
azurerm_postgresql_server
Ensure to disable public access to database
It is better to disable public access to the database to avoid unwilling communications with unknown services if not required.
azurerm_sql_firewall_rule
Ensure database firewalls do not permit public access
It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.
Microsoft.Sql/servers (Azure Resource Manager)
The servers in Microsoft.Sql can be configured in Azure Resource Manager with the resource name Microsoft.Sql/servers
. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
"type": "Microsoft.Sql/servers",
"apiVersion": "2019-06-01-preview",
"name": "machinessql",
"location": "eastus",
"kind": "v12.0",
"properties": {
"type": "Microsoft.Sql/servers",
"apiVersion": "2021-02-01-preview",
"name": "sportplannersqlserver",
"location": "westeurope",
"kind": "v12.0",
"properties": {
"type": "Microsoft.Sql/servers",
"apiVersion": "2019-06-01-preview",
"name": "[parameters('servers_se010server_name')]",
"location": "southeastasia",
"kind": "v12.0",
"properties": {
"ResourceType": "Microsoft.Sql/servers",
"Kind": "v12.0",
"ResourceGroupName": "test-rg",
"Location": "region",
"SubscriptionId": "00000000-0000-0000-0000-000000000000",
"Tags": null,
"type": "Microsoft.Sql/servers",
"apiVersion": "2019-06-01-preview",
"name": "machinessql",
"location": "eastus",
"kind": "v12.0",
"properties": {
"type": "Microsoft.Sql/servers",
"apiVersion": "2019-06-01-preview",
"name": "[parameters('servers_machinessql_name')]",
"location": "eastus",
"kind": "v12.0",
"properties": {
"type": "Microsoft.Sql/servers",
"apiVersion": "2019-06-01-preview",
"name": "[parameters('servers_machinessql_name')]",
"location": "eastus",
"kind": "v12.0",
"properties": {
"type": "Microsoft.Sql/servers",
"apiVersion": "2019-06-01-preview",
"name": "[parameters('servers_felyx_sql_name')]",
"location": "westeurope",
"tags": {
"db": "sql"
"type": "Microsoft.Sql/servers",
"apiVersion": "2019-06-01-preview",
"name": "[parameters('servers_serverm13_name')]",
"location": "eastus",
"kind": "v12.0",
"properties": {
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"servers_se010server_name": {
Parameters
apiVersion
required - stringlocation
required - stringResource location.
name
required - stringThe name of the server.
properties
requiredadministratorLogin
optional - stringAdministrator username for the server. Can only be specified when the server is being created (and is required for creation).
administratorLoginPassword
optional - stringThe administrator login password (required for server creation).
version
optional - stringThe version of the server.
tags
optional - stringResource tags.
type
required - string
Frequently asked questions
What is Azure Database SQL Server?
Azure Database SQL Server is a resource for Database of Microsoft Azure. Settings can be wrote in Terraform.
Where can I find the example code for the Azure Database SQL Server?
For Terraform, the himank98/azure-stack, snyk-labs/infrastructure-as-code-goof and snyk-labs/infrastructure-as-code-goof source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the AmirEliav/Machines, matlij/SportPlanner and deshanjali/ARM-Templates-se010 source code examples are useful. See the Azure Resource Manager Example section for further details.