azurerm_mssql_managed_instance_transparent_data_encryption

Manages the transparent data encryption configuration for an MSSQL Managed Instance.

Example Usage with Service Managed Key

# Resource group that holds every resource in this example.
resource "azurerm_resource_group" "example" {
  location = "EastUs"
  name     = "example-resources"
}

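# Virtual network that hosts the managed instance subnet. The location must
# come from the resource group declared in this example; the previous reference
# pointed at a non-existent "azurerm_resource_group.test".
resource "azurerm_virtual_network" "example" {
  name                = "acctest-vnet1-mssql"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.0.0.0/16"]
}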

# Subnet delegated to Microsoft.Sql/managedInstances; the delegation is what
# lets the SQL service place the instance's network interfaces here.
resource "azurerm_subnet" "example" {
  name                 = "subnet1-mssql"
  virtual_network_name = azurerm_virtual_network.example.name
  resource_group_name  = azurerm_resource_group.example.name
  address_prefixes     = ["10.0.0.0/24"]

  delegation {
    name = "managedinstancedelegation"

    service_delegation {
      name = "Microsoft.Sql/managedInstances"
      # Join plus prepare/unprepare of network policies, as required by the service.
      actions = [
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
        "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action",
      ]
    }
  }
}

# General Purpose Gen5 managed instance placed in the delegated subnet above.
resource "azurerm_mssql_managed_instance" "example" {
  name                = "mssqlinstance"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.example.id

  # Sizing and licensing.
  sku_name           = "GP_Gen5"
  vcores             = 4
  storage_size_in_gb = 32
  license_type       = "BasePrice"

  # Placeholder credentials for the example only; in a real configuration source
  # the password from a sensitive variable or a Key Vault secret, not a literal.
  administrator_login          = "missadministrator"
  administrator_login_password = "NCC-1701-D"

  # System-assigned managed identity for the instance.
  identity {
    type = "SystemAssigned"
  }
}

# No key_vault_key_id is given, so the instance keeps the service-managed TDE key.
resource "azurerm_mssql_managed_instance_transparent_data_encryption" "example" {
  managed_instance_id = azurerm_mssql_managed_instance.example.id
}

Example Usage with Customer Managed Key

# The identity Terraform is running as; supplies the tenant and object ids used
# in the key vault access policy below.
data "azurerm_client_config" "current" {}

# Resource group that holds every resource in this example.
resource "azurerm_resource_group" "example" {
  location = "EastUs"
  name     = "example-resources"
}

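# Virtual network that hosts the managed instance subnet. The location must
# come from the resource group declared in this example; the previous reference
# pointed at a non-existent "azurerm_resource_group.test".
resource "azurerm_virtual_network" "example" {
  name                = "acctest-vnet1-mssql"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.0.0.0/16"]
}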

# Subnet delegated to Microsoft.Sql/managedInstances; the delegation is what
# lets the SQL service place the instance's network interfaces here.
resource "azurerm_subnet" "example" {
  name                 = "subnet1-mssql"
  virtual_network_name = azurerm_virtual_network.example.name
  resource_group_name  = azurerm_resource_group.example.name
  address_prefixes     = ["10.0.0.0/24"]

  delegation {
    name = "managedinstancedelegation"

    service_delegation {
      name = "Microsoft.Sql/managedInstances"
      # Join plus prepare/unprepare of network policies, as required by the service.
      actions = [
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
        "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action",
      ]
    }
  }
}

# General Purpose Gen5 managed instance placed in the delegated subnet above.
# Its system-assigned identity is the principal granted key access in the vault.
resource "azurerm_mssql_managed_instance" "example" {
  name                = "mssqlinstance"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.example.id

  # Sizing and licensing.
  sku_name           = "GP_Gen5"
  vcores             = 4
  storage_size_in_gb = 32
  license_type       = "BasePrice"

  # Placeholder credentials for the example only; in a real configuration source
  # the password from a sensitive variable or a Key Vault secret, not a literal.
  administrator_login          = "missadministrator"
  administrator_login_password = "NCC-1701-D"

  # System-assigned managed identity; identity[0].principal_id is referenced by
  # the key vault access policy.
  identity {
    type = "SystemAssigned"
  }
}

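# Key vault holding the TDE protector. Two access policies are defined: the
# deployer (current client) manages the key's lifecycle, and the managed
# instance's identity is limited to fetching the key and wrap/unwrap operations.
resource "azurerm_key_vault" "example" {
  name                = "example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  enabled_for_disk_encryption = true

  # Azure SQL requires soft-delete and purge protection on a vault that supplies
  # a customer-managed TDE protector, so a deleted key can still be recovered
  # instead of leaving the instance's data unreadable. Note that purge protection
  # cannot be disabled again once enabled on a vault.
  soft_delete_retention_days = 7
  purge_protection_enabled   = true

  # Deployer: full key lifecycle so Terraform can create, update and remove the key.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get", "List", "Create", "Delete", "Update", "Recover", "Purge", "GetRotationPolicy",
    ]
  }

  # Managed instance identity: only what is needed to use the protector.
  access_policy {
    tenant_id = azurerm_mssql_managed_instance.example.identity[0].tenant_id
    object_id = azurerm_mssql_managed_instance.example.identity[0].principal_id

    key_permissions = [
      "Get", "WrapKey", "UnwrapKey"
    ]
  }
}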

# Customer-managed RSA key that becomes the TDE protector. key_opts is limited
# to wrap/unwrap, the only operations the instance performs with this key.
resource "azurerm_key_vault_key" "example" {
  key_vault_id = azurerm_key_vault.example.id
  name         = "byok"
  key_type     = "RSA"
  key_size     = 2048

  key_opts = ["unwrapKey", "wrapKey"]

  # Explicit ordering so the key is created only after the vault and its access
  # policies exist; key_vault_id already implies this dependency.
  depends_on = [azurerm_key_vault.example]
}

# Setting key_vault_key_id switches the instance from the service-managed TDE
# key to the customer-managed key created above.
resource "azurerm_mssql_managed_instance_transparent_data_encryption" "example" {
  key_vault_key_id    = azurerm_key_vault_key.example.id
  managed_instance_id = azurerm_mssql_managed_instance.example.id
}

Arguments Reference

The following arguments are supported:


Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

Import

SQL Managed Instance Transparent Data Encryption can be imported using the resource id, e.g.

terraform import azurerm_mssql_managed_instance_transparent_data_encryption.example /subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/group1/providers/Microsoft.Sql/managedInstances/instance1/encryptionProtector/current