diff --git a/main.tf b/main.tf
index cf5c2bc5b3..d450088f02 100755
--- a/main.tf
+++ b/main.tf
@@ -73,6 +73,7 @@ locals {
 database = {
 mssql_servers = try(var.database.mssql_servers, {})
+ mssql_databases = try(var.database.mssql_databases, {})
 azurerm_redis_caches = try(var.database.azurerm_redis_caches, {})
 synapse_workspaces = try(var.database.synapse_workspaces, {})
 databricks_workspaces = try(var.database.databricks_workspaces, {})
diff --git a/modules/databases/mssql_database/auditing.tf b/modules/databases/mssql_database/auditing.tf
new file mode 100644
index 0000000000..a8963d3122
--- /dev/null
+++ b/modules/databases/mssql_database/auditing.tf
@@ -0,0 +1,18 @@
+# Server auditing
+
+data "azurerm_storage_account" "mssqldb_auditing" {
+ count = try(var.settings.extended_auditing_policy.storage_account.key, null) == null ? 0 : 1
+
+ name = var.storage_accounts[var.settings.extended_auditing_policy.storage_account.key].name
+ resource_group_name = var.storage_accounts[var.settings.extended_auditing_policy.storage_account.key].resource_group_name
+}
+
+resource "azurerm_mssql_server_extended_auditing_policy" "mssqldb" {
+ count = try(var.settings.extended_auditing_policy, null) == null ? 0 : 1
+
+ server_id = var.server_id
+ storage_endpoint = data.azurerm_storage_account.mssqldb_auditing.0.primary_blob_endpoint
+ storage_account_access_key = data.azurerm_storage_account.mssqldb_auditing.0.primary_access_key
+ storage_account_access_key_is_secondary = try(var.settings.extended_auditing_policy.storage_account_access_key_is_secondary, false)
+ retention_in_days = try(var.settings.extended_auditing_policy.retention_in_days, null)
+}
\ No newline at end of file
diff --git a/modules/databases/mssql_database/database.tf b/modules/databases/mssql_database/database.tf
new file mode 100644
index 0000000000..a23ca01ec7
--- /dev/null
+++ b/modules/databases/mssql_database/database.tf
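Review bot: `azurerm_mssql_server_extended_auditing_policy` is a server-scoped resource, yet this database module creates one per database instance with `server_id = var.server_id`; if two databases on the same server both set `extended_auditing_policy`, two module instances will manage the same server-level policy and overwrite each other on every apply. The database-scoped resource is `azurerm_mssql_database_extended_auditing_policy` keyed on `database_id`, which would also match where this file lives. Separately, the policy's `count` only checks that `extended_auditing_policy` exists while the data source's `count` requires `storage_account.key`, so a policy given without a storage account key fails on `data.azurerm_storage_account.mssqldb_auditing.0` with an index error instead of a clear message; either make the two conditions identical or wrap the two data-source references in `try(..., null)` as database.tf does for the threat detection block. Note that `primary_access_key` is the account-wide key and is written into this module's state.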
@@ -0,0 +1,52 @@
+resource "azurecaf_name" "mssqldb" {
+
+ name = var.settings.name
+ resource_type = "azurerm_mssql_database"
+ prefixes = [var.global_settings.prefix]
+ random_length = var.global_settings.random_length
+ clean_input = true
+ passthrough = var.global_settings.passthrough
+}
+
+resource "azurerm_mssql_database" "mssqldb" {
+ name = azurecaf_name.mssqldb.result
+ server_id = var.server_id
+ auto_pause_delay_in_minutes = try(var.settings.auto_pause_delay_in_minutes, null)
+ create_mode = try(var.settings.create_mode, null)
+ creation_source_database_id = try(var.settings.creation_source_database_id, null)
+ collation = try(var.settings.collation, null)
+ license_type = try(var.settings.license_type, null)
+ max_size_gb = try(var.settings.max_size_gb, null)
+ min_capacity = try(var.settings.min_capacity, null)
+ restore_point_in_time = try(var.settings.restore_point_in_time, null)
+ read_replica_count = try(var.settings.read_replica_count, null)
+ read_scale = try(var.settings.read_scale, null)
+ sample_name = try(var.settings.sample_name, null)
+ sku_name = try(var.settings.sku_name, null)
+ zone_redundant = try(var.settings.zone_redundant, null)
+ tags = try(var.settings.tags, null)
+
+ dynamic "threat_detection_policy" {
+ for_each = lookup(var.settings, "threat_detection_policy", {}) == {} ? [] : [1]
+
+ content {
+ state = var.settings.threat_detection_policy.state
+ disabled_alerts = try(var.settings.threat_detection_policy.disabled_alerts, null)
+ email_account_admins = try(var.settings.threat_detection_policy.email_account_admins, null)
+ email_addresses = try(var.settings.threat_detection_policy.email_addresses, null)
+ retention_days = try(var.settings.threat_detection_policy.retention_days, null)
+ storage_endpoint = try(data.azurerm_storage_account.mssqldb_tdp.0.primary_blob_endpoint, null)
+ storage_account_access_key = try(data.azurerm_storage_account.mssqldb_tdp.0.primary_access_key, null)
+ use_server_default = try(var.settings.threat_detection_policy.use_server_default, null)
+ }
+ }
+}
+
+# threat detection policy
+
+data "azurerm_storage_account" "mssqldb_tdp" {
+ count = try(var.settings.threat_detection_policy.storage_account.key, null) == null ? 0 : 1
+
+ name = var.storage_accounts[var.settings.threat_detection_policy.storage_account.key].name
+ resource_group_name = var.storage_accounts[var.settings.threat_detection_policy.storage_account.key].resource_group_name
+}
\ No newline at end of file
diff --git a/modules/databases/mssql_database/main.tf b/modules/databases/mssql_database/main.tf
new file mode 100755
index 0000000000..72d1cc4c39
--- /dev/null
+++ b/modules/databases/mssql_database/main.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ azurecaf = {
+ source = "aztfmod/azurecaf"
+ }
+ }
+ required_version = ">= 0.13"
+}
\ No newline at end of file
diff --git a/modules/databases/mssql_database/variables.tf b/modules/databases/mssql_database/variables.tf
new file mode 100755
index 0000000000..c42d60557e
--- /dev/null
+++ b/modules/databases/mssql_database/variables.tf
@@ -0,0 +1,4 @@
+variable global_settings {}
+variable settings {}
+variable server_id {}
+variable storage_accounts {}
\ No newline at end of file
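Review bot: The `for_each` on the `dynamic "threat_detection_policy"` block tests presence with `lookup(var.settings, "threat_detection_policy", {}) == {}`, while the `mssqldb_tdp` data source below and auditing.tf use `try(..., null) == null`; the two forms are not interchangeable, since an explicit empty object is skipped by the `== {}` check but would pass a `try(...) == null` test and then fail on the required `state`, so a comment on the `for_each` line such as `# an empty or missing threat_detection_policy object disables the block` would save a reader the comparison. Inside the block, `storage_endpoint` and `storage_account_access_key` fall back to `null` whenever `storage_account.key` is absent, so a policy with `state = "Enabled"` and no storage target is created without any signal; that looks intentional for the `use_server_default` case, but deserves a line like `# storage account is optional here; when omitted no per-database storage target is set`. The `# threat detection policy` comment labels the data source but sits after the resource that consumes it; placing it above the `dynamic` block, where the policy is actually defined, reads better.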
diff --git a/modules/databases/mssql_server/output.tf b/modules/databases/mssql_server/output.tf
new file mode 100644
index 0000000000..487375be98
--- /dev/null
+++ b/modules/databases/mssql_server/output.tf
@@ -0,0 +1,7 @@
+output id {
+ value = azurerm_mssql_server.mssql.id
+}
+
+output rbac_id {
+ value = azurerm_mssql_server.mssql.identity[0].principal_id
+}
\ No newline at end of file
diff --git a/mssql_databases.tf b/mssql_databases.tf
new file mode 100755
index 0000000000..a7e77e1cec
--- /dev/null
+++ b/mssql_databases.tf
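Review bot: `output rbac_id` indexes `azurerm_mssql_server.mssql.identity[0]` unconditionally, so a server configured without an `identity` block makes the whole module fail at plan time with an index error, even for callers that never read the output. The server resource is defined outside this hunk, so whether the identity block is always present cannot be checked here; if it is conditional, `value = try(azurerm_mssql_server.mssql.identity[0].principal_id, null)` keeps the output safe, and a `description` on each output (`description = "Principal id of the server's managed identity, used for role assignments"`) would record why the output exists. roles.tf in this same commit adds `mssql_servers = module.mssql_servers` to the role-assignment locals, which appears to be the consumer of this value.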
@@ -0,0 +1,36 @@
+
+output mssql_databases {
+ value = module.mssql_databases
+ sensitive = true
+}
+
+module "mssql_databases" {
+ source = "./modules/databases/mssql_database"
+ for_each = local.database.mssql_databases
+
+ global_settings = local.global_settings
+ settings = each.value
+ server_id = try(each.value.remote_tfstate, null) == null ? module.mssql_servers[each.value.mssql_server_key].id : data.terraform_remote_state.mssql_remote_server[each.key].outputs[each.value.remote_tfstate.output_key][each.value.mssql_server_key].id
+ storage_accounts = module.storage_accounts
+}
+
+#
+# Get remote mssql server to deploy the database
+#
+data "terraform_remote_state" "mssql_remote_server" {
+ for_each = {
+ for key, value in local.database.mssql_databases : key => value
+ if try(value.remote_tfstate, null) != null
+ }
+
+ backend = "azurerm"
+ config = {
+ storage_account_name = var.tfstates[each.value.remote_tfstate.tfstate_key].storage_account_name
+ container_name = var.tfstates[each.value.remote_tfstate.tfstate_key].container_name
+ resource_group_name = var.tfstates[each.value.remote_tfstate.tfstate_key].resource_group_name
+ key = var.tfstates[each.value.remote_tfstate.tfstate_key].key
+ use_msi = var.use_msi
+ subscription_id = var.use_msi ? var.tfstates[each.value.remote_tfstate.tfstate_key].subscription_id : null
+ tenant_id = var.use_msi ? var.tfstates[each.value.remote_tfstate.tfstate_key].tenant_id : null
+ }
+}
\ No newline at end of file
diff --git a/roles.tf b/roles.tf
index 1f8536d9e6..8ffb8f2834 100755
--- a/roles.tf
+++ b/roles.tf
@@ -32,6 +32,7 @@ locals {
 resource_groups = module.resource_groups
 managed_identities = module.managed_identities
 storage_accounts = module.storage_accounts
+ mssql_servers = module.mssql_servers
 synapse_workspaces = module.synapse_workspaces
 subscriptions = merge(try(var.subscriptions, {}), { "logged_in_subscription" = { id = data.azurerm_subscription.primary.id } })
 logged_in = {
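Review bot: The `server_id` argument of `module "mssql_databases"` packs the local-versus-remote choice and a four-level lookup into one line, which hides the shape the remote state output must have (`outputs[output_key][mssql_server_key].id`) and turns a missing `mssql_server_key` or a mis-named `output_key` into an opaque index error. A comment above that line stating the contract, e.g. `# remote server: outputs[<output_key>] must be the mssql_servers map exported by the remote landing zone`, would make the expectation visible to whoever writes the configuration. Marking `output mssql_databases` as `sensitive = true` is the right call given that the module's state holds the storage account access keys read by its data sources. The `data "terraform_remote_state"` block mirrors the remote-state pattern the other files appear to use, as far as this file shows.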