
azurermMssqlManagedInstance

Manages a Microsoft SQL Azure Managed Instance.

Note: All arguments, including the administrator login and password, will be stored in the raw Terraform state as plain text. Read more about sensitive data in state.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
/*Resource group for the example. Every later resource takes its resource_group_name, and most take their location, from this construct.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "database-rg",
  }
);
/*Virtual network with a single /16 address space. The managed instance subnet declared further down (10.0.0.0/24) falls inside it.*/
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "example_1",
  {
    address_space: ["10.0.0.0/16"],
    location: azurermResourceGroupExample.location,
    name: "vnet-mi",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
/*Network security group that the rules below attach to by name. It only takes effect on the subnet once the association construct ("example_12") links the two.*/
const azurermNetworkSecurityGroupExample =
  new azurerm.networkSecurityGroup.NetworkSecurityGroup(this, "example_2", {
    location: azurermResourceGroupExample.location,
    name: "mi-security-group",
    resource_group_name: azurermResourceGroupExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermNetworkSecurityGroupExample.overrideLogicalId("example");
/*Inbound allow for traffic whose source is the AzureLoadBalancer tag, on every port and protocol. The construct id indicates this is meant for platform health probes.*/
new azurerm.networkSecurityRule.NetworkSecurityRule(
  this,
  "allow_health_probe_inbound",
  {
    access: "Allow",
    destination_address_prefix: "*",
    destination_port_range: "*",
    direction: "Inbound",
    name: "allow_health_probe_inbound",
    network_security_group_name: azurermNetworkSecurityGroupExample.name,
    priority: 300,
    protocol: "*",
    resource_group_name: azurermResourceGroupExample.name,
    source_address_prefix: "AzureLoadBalancer",
    source_port_range: "*",
  }
);
/*Inbound allow for five TCP management ports (9000, 9003, 1438, 1440, 1452).
NOTE(review): source_address_prefix "*" accepts any source address on these ports, and priority 106 puts this rule ahead of deny_all_inbound (4096). Confirm against current Azure SQL Managed Instance networking guidance whether a narrower source, such as a service tag like the ones other rules in this example use, can replace "*" for your deployment.*/
new azurerm.networkSecurityRule.NetworkSecurityRule(
  this,
  "allow_management_inbound",
  {
    access: "Allow",
    destination_address_prefix: "*",
    destination_port_ranges: ["9000", "9003", "1438", "1440", "1452"],
    direction: "Inbound",
    name: "allow_management_inbound",
    network_security_group_name: azurermNetworkSecurityGroupExample.name,
    priority: 106,
    protocol: "Tcp",
    resource_group_name: azurermResourceGroupExample.name,
    source_address_prefix: "*",
    source_port_range: "*",
  }
);
/*Outbound allow for TCP ports 80, 443 and 12000 to any destination. With priority 102 it is the lowest-numbered outbound rule in this example.*/
new azurerm.networkSecurityRule.NetworkSecurityRule(
  this,
  "allow_management_outbound",
  {
    access: "Allow",
    destination_address_prefix: "*",
    destination_port_ranges: ["80", "443", "12000"],
    direction: "Outbound",
    name: "allow_management_outbound",
    network_security_group_name: azurermNetworkSecurityGroupExample.name,
    priority: 102,
    protocol: "Tcp",
    resource_group_name: azurermResourceGroupExample.name,
    source_address_prefix: "*",
    source_port_range: "*",
  }
);
/*Inbound allow for any protocol and port when the source is 10.0.0.0/24. That literal is the same prefix the managed instance subnet declares in address_prefixes, so the two have to be kept in sync by hand.*/
new azurerm.networkSecurityRule.NetworkSecurityRule(
  this,
  "allow_misubnet_inbound",
  {
    access: "Allow",
    destination_address_prefix: "*",
    destination_port_range: "*",
    direction: "Inbound",
    name: "allow_misubnet_inbound",
    network_security_group_name: azurermNetworkSecurityGroupExample.name,
    priority: 200,
    protocol: "*",
    resource_group_name: azurermResourceGroupExample.name,
    source_address_prefix: "10.0.0.0/24",
    source_port_range: "*",
  }
);
/*Outbound allow for any protocol and port when the source is 10.0.0.0/24.
NOTE(review): the security group is associated with that same subnet, and destination_address_prefix is "*", so this rule appears to permit every outbound flow from the subnet. If so, deny_all_outbound (4096) is never reached for subnet traffic. If the intent is subnet-internal traffic only, the destination would need to be the subnet prefix; confirm the intent before relying on the outbound deny.*/
new azurerm.networkSecurityRule.NetworkSecurityRule(
  this,
  "allow_misubnet_outbound",
  {
    access: "Allow",
    destination_address_prefix: "*",
    destination_port_range: "*",
    direction: "Outbound",
    name: "allow_misubnet_outbound",
    network_security_group_name: azurermNetworkSecurityGroupExample.name,
    priority: 200,
    protocol: "*",
    resource_group_name: azurermResourceGroupExample.name,
    source_address_prefix: "10.0.0.0/24",
    source_port_range: "*",
  }
);
/*Inbound allow for TCP 1433 (the construct id calls it TDS) from the VirtualNetwork tag.
NOTE(review): presumably that tag covers more than this one subnet, for example peered or otherwise connected address space. Confirm, and use explicit client prefixes instead if only specific subnets should reach the instance.*/
new azurerm.networkSecurityRule.NetworkSecurityRule(this, "allow_tds_inbound", {
  access: "Allow",
  destination_address_prefix: "*",
  destination_port_range: "1433",
  direction: "Inbound",
  name: "allow_tds_inbound",
  network_security_group_name: azurermNetworkSecurityGroupExample.name,
  priority: 1000,
  protocol: "Tcp",
  resource_group_name: azurermResourceGroupExample.name,
  source_address_prefix: "VirtualNetwork",
  source_port_range: "*",
});
/*Explicit catch-all deny for inbound traffic. 4096 is the largest priority number used in this example, and NSG rules are evaluated in ascending priority order, so every inbound Allow rule above is checked first.*/
new azurerm.networkSecurityRule.NetworkSecurityRule(this, "deny_all_inbound", {
  access: "Deny",
  destination_address_prefix: "*",
  destination_port_range: "*",
  direction: "Inbound",
  name: "deny_all_inbound",
  network_security_group_name: azurermNetworkSecurityGroupExample.name,
  priority: 4096,
  protocol: "*",
  resource_group_name: azurermResourceGroupExample.name,
  source_address_prefix: "*",
  source_port_range: "*",
});
/*Explicit catch-all deny for outbound traffic, again at priority 4096. It only applies to flows that no outbound Allow rule (priorities 102 and 200) has already matched.*/
new azurerm.networkSecurityRule.NetworkSecurityRule(this, "deny_all_outbound", {
  access: "Deny",
  destination_address_prefix: "*",
  destination_port_range: "*",
  direction: "Outbound",
  name: "deny_all_outbound",
  network_security_group_name: azurermNetworkSecurityGroupExample.name,
  priority: 4096,
  protocol: "*",
  resource_group_name: azurermResourceGroupExample.name,
  source_address_prefix: "*",
  source_port_range: "*",
});
/*Subnet for the managed instance, delegated to Microsoft.Sql/managedInstances. Its 10.0.0.0/24 prefix is repeated as a literal in the allow_misubnet_* rules, so changing it here means changing it there too.*/
const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_11", {
  address_prefixes: ["10.0.0.0/24"],
  delegation: [
    {
      name: "managedinstancedelegation",
      service_delegation: [
        {
          /*Actions granted to the delegated service on this subnet.*/
          actions: [
            "Microsoft.Network/virtualNetworks/subnets/join/action",
            "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
            "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action",
          ],
          name: "Microsoft.Sql/managedInstances",
        },
      ],
    },
  ],
  name: "subnet-mi",
  resource_group_name: azurermResourceGroupExample.name,
  virtual_network_name: azurermVirtualNetworkExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetExample.overrideLogicalId("example");
/*Attaches the network security group to the managed instance subnet. The managed instance lists this association in depends_on, so the instance is not created until the rules are in force on the subnet.*/
const azurermSubnetNetworkSecurityGroupAssociationExample =
  new azurerm.subnetNetworkSecurityGroupAssociation.SubnetNetworkSecurityGroupAssociation(
    this,
    "example_12",
    {
      network_security_group_id: azurermNetworkSecurityGroupExample.id,
      subnet_id: azurermSubnetExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetNetworkSecurityGroupAssociationExample.overrideLogicalId(
  "example"
);
/*Route table for the managed instance subnet. No routes are declared here, and BGP route propagation is left enabled (disable_bgp_route_propagation: false). depends_on is written as an escaped Terraform reference to the subnet, which orders creation after it.*/
const azurermRouteTableExample = new azurerm.routeTable.RouteTable(
  this,
  "example_13",
  {
    depends_on: [`\${${azurermSubnetExample.fqn}}`],
    disable_bgp_route_propagation: false,
    location: azurermResourceGroupExample.location,
    name: "routetable-mi",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermRouteTableExample.overrideLogicalId("example");
/*Attaches the route table to the managed instance subnet. The managed instance lists this association in depends_on as well.*/
const azurermSubnetRouteTableAssociationExample =
  new azurerm.subnetRouteTableAssociation.SubnetRouteTableAssociation(
    this,
    "example_14",
    {
      route_table_id: azurermRouteTableExample.id,
      subnet_id: azurermSubnetExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetRouteTableAssociationExample.overrideLogicalId("example");
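/*The administrator password is read from the environment so that no credential is committed with the stack source. MSSQL_MI_ADMIN_PASSWORD is a variable name chosen for this example; use whatever your pipeline's secret store exports. The value is still written to the Terraform state in plain text (see the note at the top of this page), so the state backend needs access control and encryption too.*/
const azurermMssqlManagedInstanceAdminPassword =
  process.env.MSSQL_MI_ADMIN_PASSWORD;
if (!azurermMssqlManagedInstanceAdminPassword) {
  /*Fail at synth time rather than deploy an instance with an empty or undefined password.*/
  throw new Error(
    "MSSQL_MI_ADMIN_PASSWORD must be set to the SQL Managed Instance administrator password"
  );
}
/*The managed instance itself. public_data_endpoint_enabled and minimum_tls_version are not set, so the defaults listed in the Argument Reference apply. depends_on holds escaped Terraform references to both subnet associations, so the instance is created only after the security group and route table are attached to the subnet.*/
const azurermMssqlManagedInstanceExample =
  new azurerm.mssqlManagedInstance.MssqlManagedInstance(this, "example_15", {
    administrator_login: "mradministrator",
    administrator_login_password: azurermMssqlManagedInstanceAdminPassword,
    depends_on: [
      `\${${azurermSubnetNetworkSecurityGroupAssociationExample.fqn}}`,
      `\${${azurermSubnetRouteTableAssociationExample.fqn}}`,
    ],
    license_type: "BasePrice",
    location: azurermResourceGroupExample.location,
    name: "managedsqlinstance",
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "GP_Gen5",
    storage_size_in_gb: 32,
    subnet_id: azurermSubnetExample.id,
    vcores: 4,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlManagedInstanceExample.overrideLogicalId("example");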

Argument Reference

The following arguments are supported:

  • administratorLogin - (Required) The administrator login name for the new SQL Managed Instance. Changing this forces a new resource to be created.

  • administratorLoginPassword - (Required) The password associated with the administratorLogin user. Needs to comply with Azure's Password Policy.

  • licenseType - (Required) What type of license the Managed Instance will use. Possible values are LicenseIncluded and BasePrice.

  • location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

  • name - (Required) The name of the SQL Managed Instance. This needs to be globally unique within Azure. Changing this forces a new resource to be created.

  • resourceGroupName - (Required) The name of the resource group in which to create the SQL Managed Instance. Changing this forces a new resource to be created.

  • skuName - (Required) Specifies the SKU Name for the SQL Managed Instance. Valid values include GP_Gen4, GP_Gen5, GP_Gen8IM, GP_Gen8IH, BC_Gen4, BC_Gen5, BC_Gen8IM or BC_Gen8IH.

  • storageSizeInGb - (Required) Maximum storage space for the SQL Managed instance. This should be a multiple of 32 (GB).

  • subnetId - (Required) The subnet resource id that the SQL Managed Instance will be associated with. Changing this forces a new resource to be created.

  • vcores - (Required) Number of cores that should be assigned to the SQL Managed Instance. Values can be 8, 16, or 24 for Gen4 SKUs, or 4, 8, 16, 24, 32, 40, 64, or 80 for Gen5 SKUs.

  • collation - (Optional) Specifies how the SQL Managed Instance will be collated. Default value is sqlLatin1GeneralCp1CiAs. Changing this forces a new resource to be created.

  • dnsZonePartnerId - (Optional) The ID of the SQL Managed Instance which will share the DNS zone. This is a prerequisite for creating an azurermSqlManagedInstanceFailoverGroup. Setting this after creation forces a new resource to be created.

  • identity - (Optional) An identity block as defined below.

  • maintenanceConfigurationName - (Optional) The name of the Public Maintenance Configuration window to apply to the SQL Managed Instance. Valid values include sqlDefault or an Azure Location in the format sql_{location}Mi_{size}(for example sqlEastUsMi1). Defaults to sqlDefault.

  • minimumTlsVersion - (Optional) The Minimum TLS Version. Default value is 1.2. Valid values include 1.0, 1.1, 1.2.

  • proxyOverride - (Optional) Specifies how the SQL Managed Instance will be accessed. Default value is default. Valid values include default, proxy, and redirect.

  • publicDataEndpointEnabled - (Optional) Is the public data endpoint enabled? Default value is false.

  • storageAccountType - (Optional) Specifies the storage account type used to store backups for this database. Changing this forces a new resource to be created. Possible values are grs, lrs and zrs. The default value is grs.

  • tags - (Optional) A mapping of tags to assign to the resource.

  • timezoneId - (Optional) The TimeZone ID that the SQL Managed Instance will be operating in. Default value is utc. Changing this forces a new resource to be created.


An identity block supports the following:

  • type - (Required) Specifies the type of Managed Service Identity that should be configured on this SQL Managed Instance. Possible values are systemAssigned, userAssigned.

  • identityIds - (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this SQL Managed Instance. Required when type is set to userAssigned.

Note: The assigned principalId and tenantId can be retrieved after the identity type has been set to systemAssigned and the SQL Managed Instance has been created.

Attributes Reference

The following attributes are exported:

  • id - The SQL Managed Instance ID.

  • fqdn - The fully qualified domain name of the Azure Managed SQL Instance


An identity block exports the following:

  • principalId - The Principal ID for the Service Principal associated with the Identity of this SQL Managed Instance.

  • tenantId - The Tenant ID for the Service Principal associated with the Identity of this SQL Managed Instance.

-> You can access the Principal ID via azurermMssqlManagedInstanceExampleIdentity0PrincipalId and the Tenant ID via azurermMssqlManagedInstanceExampleIdentity0TenantId

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 24 hours) Used when creating the Microsoft SQL Managed Instance.
  • update - (Defaults to 24 hours) Used when updating the Microsoft SQL Managed Instance.
  • read - (Defaults to 5 minutes) Used when retrieving the Microsoft SQL Managed Instance.
  • delete - (Defaults to 24 hours) Used when deleting the Microsoft SQL Managed Instance.

Import

Microsoft SQL Managed Instances can be imported using the resourceId, e.g.

terraform import azurerm_mssql_managed_instance.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.Sql/managedInstances/myserver