Manages the Transparent Data Encryption (TDE) protector configuration for an Azure MSSQL (logical) Server — either the default service-managed key or a customer-managed key held in Azure Key Vault.
# Resource group that holds the server and its TDE configuration.
resource "azurerm_resource_group" "example" {
  location = "EastUs"
  name     = "example-resources"
}
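# SQL administrator password, supplied out of band (TF_VAR_*, a tfvars file
# kept out of version control, or a secrets manager) instead of being committed
# as a literal. `sensitive = true` redacts it from plan/apply output; it is
# still written to Terraform state, so the state backend must be protected.
variable "administrator_login_password" {
  type        = string
  description = "Password for the SQL administrator login."
  sensitive   = true
}

resource "azurerm_mssql_server" "example" {
  name                = "mssqlserver"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  version             = "12.0"

  administrator_login          = "missadministrator"
  administrator_login_password = var.administrator_login_password

  # Reject clients that negotiate anything below TLS 1.2.
  minimum_tls_version = "1.2"

  # Azure AD administrator for the server. The all-zero object_id is a
  # placeholder and must be replaced with a real user/group object ID.
  azuread_administrator {
    login_username = "AzureAD Admin"
    object_id      = "00000000-0000-0000-0000-000000000000"
  }

  # NOTE(review): public_network_access_enabled is not set, so the provider
  # default applies and the server's public endpoint is reachable subject to
  # firewall rules — confirm this matches the intended network design for a
  # server tagged "production".
  tags = {
    environment = "production"
  }
}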
# Service-managed TDE: with key_vault_key_id omitted, the platform owns the
# TDE protector and no Key Vault permissions are needed.
resource "azurerm_mssql_server_transparent_data_encryption" "example" {
  server_id = azurerm_mssql_server.example.id
}
# Identity of the principal running Terraform; its tenant_id/object_id are
# used below to grant the deployer key-management rights on the vault.
data "azurerm_client_config" "current" {}
# Resource group for the server, the key vault and the TDE configuration.
resource "azurerm_resource_group" "example" {
  location = "EastUs"
  name     = "example-resources"
}
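# SQL administrator password, supplied out of band (TF_VAR_*, a tfvars file
# kept out of version control, or a secrets manager) instead of being committed
# as a literal. `sensitive = true` redacts it from plan/apply output; it is
# still written to Terraform state, so the state backend must be protected.
variable "administrator_login_password" {
  type        = string
  description = "Password for the SQL administrator login."
  sensitive   = true
}

resource "azurerm_mssql_server" "example" {
  name                = "mssqlserver"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  version             = "12.0"

  administrator_login          = "missadministrator"
  administrator_login_password = var.administrator_login_password

  # Reject clients that negotiate anything below TLS 1.2.
  minimum_tls_version = "1.2"

  # Azure AD administrator for the server. The all-zero object_id is a
  # placeholder and must be replaced with a real user/group object ID.
  azuread_administrator {
    login_username = "AzureAD Admin"
    object_id      = "00000000-0000-0000-0000-000000000000"
  }

  # NOTE(review): public_network_access_enabled is not set, so the provider
  # default applies and the server's public endpoint is reachable subject to
  # firewall rules — confirm this matches the intended network design for a
  # server tagged "production".
  tags = {
    environment = "production"
  }

  # System-assigned managed identity; this is the principal that is granted
  # Get/WrapKey/UnwrapKey on the vault so the server can use the TDE protector.
  identity {
    type = "SystemAssigned"
  }

  # The TDE protector is managed by the separate
  # azurerm_mssql_server_transparent_data_encryption resource, which sets
  # this server-level attribute out of band; ignoring it here prevents the
  # two resources from fighting over the value on every plan.
  lifecycle {
    ignore_changes = [transparent_data_encryption_key_vault_key_id]
  }
}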
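# Key vault that holds the customer-managed TDE protector. Two access policies
# are granted: the deployer (current client) may manage the key's lifecycle,
# and the SQL server's managed identity may only read the key and wrap/unwrap
# the database encryption key — the minimum TDE needs.
resource "azurerm_key_vault" "example" {
  name                = "example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # NOTE(review): this flag is for Azure Disk Encryption, not SQL TDE; it is
  # kept from the original example but is not needed for the TDE scenario.
  enabled_for_disk_encryption = true

  # Azure SQL requires soft delete and purge protection on the vault that holds
  # a customer-managed TDE protector: a purged key makes every database
  # encrypted under it permanently unreadable. Purge protection cannot be
  # disabled once enabled, and a destroyed vault remains soft-deleted for the
  # retention period before its name can be reused — plan destroys accordingly.
  soft_delete_retention_days = 7
  purge_protection_enabled   = true

  # Deployer: full key lifecycle, needed to create the key and later rotate,
  # recover or remove it.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get", "List", "Create", "Delete", "Update", "Recover", "Purge", "GetRotationPolicy",
    ]
  }

  # SQL server managed identity: least privilege for TDE. No Create/Delete/
  # Purge — the server must never be able to destroy its own protector.
  access_policy {
    tenant_id = azurerm_mssql_server.example.identity[0].tenant_id
    object_id = azurerm_mssql_server.example.identity[0].principal_id

    key_permissions = [
      "Get", "WrapKey", "UnwrapKey",
    ]
  }
}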
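# The TDE protector itself. key_opts is restricted to wrap/unwrap: the key is
# only ever used to protect the database encryption key, so sign/verify/
# encrypt/decrypt are deliberately not enabled.
#
# The explicit depends_on from the original example was redundant: the
# key_vault_id reference already creates an implicit dependency on the vault,
# including its inline access_policy blocks, so the deployer's Create
# permission is in place before this key is created.
resource "azurerm_key_vault_key" "example" {
  name         = "byok"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "unwrapKey",
    "wrapKey",
  ]
}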
# Customer-managed TDE: point the server's TDE protector at the Key Vault key.
# The server's managed identity must already hold Get/WrapKey/UnwrapKey on the
# key (granted via the vault access policy above) or this apply fails.
# NOTE(review): `azurerm_key_vault_key.example.id` is the version-specific key
# ID; auto_rotation_enabled (not set here) is the documented way to have the
# server follow new key versions — confirm which behaviour is wanted.
resource "azurerm_mssql_server_transparent_data_encryption" "example" {
  server_id        = azurerm_mssql_server.example.id
  key_vault_key_id = azurerm_key_vault_key.example.id
}
The following arguments are supported:
server_id
- (Required) The ID of the MS SQL Server whose TDE protector is managed. Changing this forces a new resource to be created.

key_vault_key_id
- (Optional) To use customer-managed keys from Azure Key Vault, provide the Key Vault key ID. The server's managed identity must have at least the `Get`, `WrapKey` and `UnwrapKey` key permissions on that key (see the customer-managed-key example above). To use service-managed keys, omit this field.

auto_rotation_enabled
- (Optional) When enabled, the server continuously checks the key vault for new versions of the key used as the TDE protector. If a new version is detected, the TDE protector on the server is automatically rotated to the latest key version within 60 minutes.

In addition to the Arguments listed above, the following Attributes are exported:
id
- The ID of the MSSQL encryption protector.

The timeouts block allows you to specify timeouts for certain actions:
create
- (Defaults to 30 minutes) Used when creating the MSSQL Server Transparent Data Encryption.
read
- (Defaults to 5 minutes) Used when retrieving the MSSQL Server Transparent Data Encryption.
update
- (Defaults to 30 minutes) Used when updating the MSSQL Server Transparent Data Encryption.
delete
- (Defaults to 30 minutes) Used when deleting the MSSQL Server Transparent Data Encryption.

SQL Server Transparent Data Encryption can be imported using the resource ID, e.g.
terraform import azurerm_mssql_server_transparent_data_encryption.example /subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/group1/providers/Microsoft.Sql/servers/server1/encryptionProtector/current