Top / Microsoft Azure / Azure Database / SQL Server

Azure Database SQL Server

This page shows how to write Terraform and Azure Resource Manager for Database SQL Server and write them securely.

terraform-logo

Review your .tf file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

azurerm_sql_server (Terraform)

The SQL Server in Database can be configured in Terraform with the resource name azurerm_sql_server. The following sections describe 8 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L1
resource "azurerm_sql_server" "primary" {
    name = var.primary_database
    resource_group_name = var.resource_group
    location = var.location
    version = var.primary_database_version
    administrator_login = var.primary_database_admin
azurerm_sql_audit_retention.tf#L27
resource "azurerm_sql_server" "allowed" {
}

resource "azurerm_mssql_server" "denied_2" {
  extended_auditing_policy {
    retention_in_days = 89
azurerm_sql_server_auditing.tf#L9
resource "azurerm_sql_server" "allowed" {
  extended_auditing_policy {
    retention_in_days = 89
  }
}
main.tf#L1
resource "azurerm_sql_server" "sql_server_good_1" {
  name                         = "mysqlserver"
  resource_group_name          = "group"
  location                     = "location"
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
main.tf#L1
resource "azurerm_sql_server" "sql_server_good_1" {
  name                         = "mysqlserver"
  resource_group_name          = "group"
  location                     = "location"
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
sqlserver.tf#L10
resource "azurerm_sql_server" "sql" {
  name                         = local.sql_server_name
  resource_group_name          = azurerm_resource_group.spoke.name
  location                     = azurerm_resource_group.spoke.location
  administrator_login          = var.sqlUsername
  administrator_login_password = random_password.sql_password.result
main.tf#L17
resource "azurerm_sql_server" "primary" {
  name                         = "kmack-sql-primary"
  resource_group_name          = azurerm_resource_group.rg.name
  location                     = azurerm_resource_group.rg.location
  version                      = "12.0"
  administrator_login          = "sqladmin"
positive1.tf#L6
resource "azurerm_sql_server" "positive2" {
  name                         = "mysqlserver1"
  resource_group_name          = "acceptanceTestResourceGroup1"
  location                     = "West US"
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for azurerm_sql_server

There is 1 setting in azurerm_sql_server that should be taken care of for security reasons. The following section explain an overview and example code.

risk-label

Ensure to enable auditing on Azure SQL databases

It is better to enable auditing on Azure SQL databases. It helps you maintain regulatory compliance, monitor the activities indicating unexpected incidents or suspected security violations.

Review your Azure Database settings

You can check if the azurerm_sql_server setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

>> from Terraform Registry

Explanation in Terraform Registry

Manages a Microsoft SQL Azure Database Server.

Note: This resource provides usage of Microsoft SQL Azure Database server using an older sku based model. It is recommended going forward to use azurerm_mssql_server resource which provides support for vcores.

Note: All arguments including the administrator login and password will be stored in the raw state as plain-text. Read more about sensitive data in state.

>> from Terraform Registry

Tips: Best Practices for The Other Azure Database Resources

In addition to the azurerm_mariadb_firewall_rule, Azure Database has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

azurerm_mariadb_firewall_rule

Ensure database firewalls do not permit public access

It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.

risk-label

azurerm_mariadb_server

Ensure that access to Azure SQL Database is restricted

It is better to disable public access to the database to avoid unwilling communications with unknown services if not required.

risk-label

azurerm_mssql_database_extended_auditing_policy

Ensure to configure retention periods of database auditing to enough duration

It is better to configure retention periods of database auditing to enough duration. It would be better to set greater than at least 90 days.

risk-label

azurerm_mssql_server

Ensure to enable auditing on Azure SQL databases

It is better to enable auditing on Azure SQL databases. It helps you maintain regulatory compliance, monitor the activities indicating unexpected incidents or suspected security violations.

risk-label

azurerm_mssql_server_security_alert_policy

Ensure to configure at least one email address for threat alerts

It is better to configure at least one email address for threat alerts. SQL Server is able to send alerts for threat detection via emails and it could support us to notice the incident on time.

risk-label

azurerm_mysql_firewall_rule

Ensure database firewalls do not permit public access

It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.

risk-label

azurerm_mysql_server

Ensure to disable public access to database

It is better to disable public access to the database to avoid unwilling communications with unknown services if not required.

risk-label

azurerm_postgresql_firewall_rule

Ensure database firewalls do not permit public access

It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.

risk-label

azurerm_postgresql_server

Ensure to disable public access to database

It is better to disable public access to the database to avoid unwilling communications with unknown services if not required.

risk-label

azurerm_sql_firewall_rule

Ensure database firewalls do not permit public access

It is better to restrict IP address ranges that can access the database by firewall rules. If both start_ip_address and end_ip_address are set to 0.0.0.0, it blocks connections from the Internet and accepts connections from all Azure datacenter IP addresses.

Review your Azure Database settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Microsoft.Sql/servers (Azure Resource Manager)

The servers in Microsoft.Sql can be configured in Azure Resource Manager with the resource name Microsoft.Sql/servers. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

template.json#L8
            "type": "Microsoft.Sql/servers",
            "apiVersion": "2019-06-01-preview",
            "name": "machinessql",
            "location": "eastus",
            "kind": "v12.0",
            "properties": {
sql-template.json#L8
            "type": "Microsoft.Sql/servers",
            "apiVersion": "2021-02-01-preview",
            "name": "sportplannersqlserver",
            "location": "westeurope",
            "kind": "v12.0",
            "properties": {
template.json#L16
            "type": "Microsoft.Sql/servers",
            "apiVersion": "2019-06-01-preview",
            "name": "[parameters('servers_se010server_name')]",
            "location": "southeastasia",
            "kind": "v12.0",
            "properties": {
Resources.SQL.json#L6
        "ResourceType": "Microsoft.Sql/servers",
        "Kind": "v12.0",
        "ResourceGroupName": "test-rg",
        "Location": "region",
        "SubscriptionId": "00000000-0000-0000-0000-000000000000",
        "Tags": null,
template.json#L8
            "type": "Microsoft.Sql/servers",
            "apiVersion": "2019-06-01-preview",
            "name": "machinessql",
            "location": "eastus",
            "kind": "v12.0",
            "properties": {
template.json#L16
            "type": "Microsoft.Sql/servers",
            "apiVersion": "2019-06-01-preview",
            "name": "[parameters('servers_machinessql_name')]",
            "location": "eastus",
            "kind": "v12.0",
            "properties": {
template.json#L13
            "type": "Microsoft.Sql/servers",
            "apiVersion": "2019-06-01-preview",
            "name": "[parameters('servers_machinessql_name')]",
            "location": "eastus",
            "kind": "v12.0",
            "properties": {
template.json#L16
            "type": "Microsoft.Sql/servers",
            "apiVersion": "2019-06-01-preview",
            "name": "[parameters('servers_felyx_sql_name')]",
            "location": "westeurope",
            "tags": {
                "db": "sql"
template.json#L33
            "type": "Microsoft.Sql/servers",
            "apiVersion": "2019-06-01-preview",
            "name": "[parameters('servers_serverm13_name')]",
            "location": "eastus",
            "kind": "v12.0",
            "properties": {
template.json
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "servers_se010server_name": {

Parameters

  • apiVersion required - string
  • location required - string

    Resource location.

  • name required - string

    The name of the server.

  • properties required
      • administratorLogin optional - string

        Administrator username for the server. Can only be specified when the server is being created (and is required for creation).

      • administratorLoginPassword optional - string

        The administrator login password (required for server creation).

      • version optional - string

        The version of the server.

  • tags optional - string

    Resource tags.

  • type required - string

>> from Azure Resource Manager Documentation

The Other Related Azure Database Resources

Frequently asked questions

What is Azure Database SQL Server?

Azure Database SQL Server is a resource for Database of Microsoft Azure. Settings can be wrote in Terraform.

Where can I find the example code for the Azure Database SQL Server?

For Terraform, the himank98/azure-stack, snyk-labs/infrastructure-as-code-goof and snyk-labs/infrastructure-as-code-goof source code examples are useful. See the Terraform Example section for further details.

For Azure Resource Manager, the AmirEliav/Machines, matlij/SportPlanner and deshanjali/ARM-Templates-se010 source code examples are useful. See the Azure Resource Manager Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents