
azurermMssqlManagedInstanceTransparentDataEncryption

Manages the transparent data encryption (TDE) configuration for an MSSQL Managed Instance

\~> NOTE: Once transparent data encryption is enabled on an MS SQL Managed Instance, it cannot be removed. You can switch between 'ServiceManaged' and 'CustomerManaged' keys, but you cannot turn encryption off. For safety, when this resource is deleted the TDE mode is automatically set back to 'ServiceManaged'. See keyVaultKeyId below for how to select the key type. Because SQL Managed Instance supports only a single encryption configuration, this resource replaces whatever encryption settings are currently on the instance.

\~> Note: See the Azure documentation for important information on how to handle lifecycle management of the keys (rotation, soft-delete, purge protection) to prevent data lockout: if the Key Vault key acting as TDE protector is deleted or becomes inaccessible to the instance, the instance can no longer decrypt its databases.

Example Usage with Service Managed Key

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "EastUs",
    name: "example-resources",
  }
);
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "example_1",
  {
    address_space: ["10.0.0.0/16"],
    location: azurermResourceGroupExample.location,
    name: "acctest-vnet1-mssql",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_2", {
  address_prefixes: ["10.0.0.0/24"],
  delegation: [
    {
      name: "managedinstancedelegation",
      service_delegation: [
        {
          actions: [
            "Microsoft.Network/virtualNetworks/subnets/join/action",
            "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
            "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action",
          ],
          name: "Microsoft.Sql/managedInstances",
        },
      ],
    },
  ],
  name: "subnet1-mssql",
  resource_group_name: azurermResourceGroupExample.name,
  virtual_network_name: azurermVirtualNetworkExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetExample.overrideLogicalId("example");
const azurermMssqlManagedInstanceExample =
  new azurerm.mssqlManagedInstance.MssqlManagedInstance(this, "example_3", {
    administrator_login: "missadministrator",
    // Placeholder credential for the example only: in real code read it from a
    // sensitive Terraform variable or a Key Vault secret, never a literal in source control.
    administrator_login_password: "NCC-1701-D",
    // The system-assigned identity is what a customer-managed key is granted to in
    // Key Vault; it is not needed for service-managed keys but costs nothing to keep.
    identity: [
      {
        type: "SystemAssigned",
      },
    ],
    license_type: "BasePrice",
    location: azurermResourceGroupExample.location,
    name: "mssqlinstance",
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "GP_Gen5",
    storage_size_in_gb: 32,
    subnet_id: azurermSubnetExample.id,
    vcores: 4,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlManagedInstanceExample.overrideLogicalId("example");
const azurermMssqlManagedInstanceTransparentDataEncryptionExample =
  new azurerm.mssqlManagedInstanceTransparentDataEncryption.MssqlManagedInstanceTransparentDataEncryption(
    this,
    "example_4",
    {
      // No key_vault_key_id: the platform manages the TDE protector (ServiceManaged).
      managed_instance_id: azurermMssqlManagedInstanceExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlManagedInstanceTransparentDataEncryptionExample.overrideLogicalId(
  "example"
);

Example Usage with Customer Managed Key

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "EastUs",
    name: "example-resources",
  }
);
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "example_1",
  {
    address_space: ["10.0.0.0/16"],
    location: azurermResourceGroupExample.location,
    name: "acctest-vnet1-mssql",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_3", {
  address_prefixes: ["10.0.0.0/24"],
  delegation: [
    {
      name: "managedinstancedelegation",
      service_delegation: [
        {
          actions: [
            "Microsoft.Network/virtualNetworks/subnets/join/action",
            "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
            "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action",
          ],
          name: "Microsoft.Sql/managedInstances",
        },
      ],
    },
  ],
  name: "subnet1-mssql",
  resource_group_name: azurermResourceGroupExample.name,
  virtual_network_name: azurermVirtualNetworkExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetExample.overrideLogicalId("example");
const azurermMssqlManagedInstanceExample =
  new azurerm.mssqlManagedInstance.MssqlManagedInstance(this, "example_4", {
    administrator_login: "missadministrator",
    // Placeholder credential for the example only: in real code read it from a
    // sensitive Terraform variable or a Key Vault secret, never a literal in source control.
    administrator_login_password: "NCC-1701-D",
    // Required for customer-managed keys: this identity is granted wrap/unwrap
    // access to the TDE protector in Key Vault below.
    identity: [
      {
        type: "SystemAssigned",
      },
    ],
    license_type: "BasePrice",
    location: azurermResourceGroupExample.location,
    name: "mssqlinstance",
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "GP_Gen5",
    storage_size_in_gb: 32,
    subnet_id: azurermSubnetExample.id,
    vcores: 4,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlManagedInstanceExample.overrideLogicalId("example");
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_5",
  {
    access_policy: [
      // Deployer (the identity running Terraform): manages the key's lifecycle.
      {
        key_permissions: [
          "Get",
          "List",
          "Create",
          "Delete",
          "Update",
          "Recover",
          "Purge",
          "GetRotationPolicy",
        ],
        object_id: dataAzurermClientConfigCurrent.objectId,
        tenant_id: dataAzurermClientConfigCurrent.tenantId,
      },
      // Managed instance identity: only what TDE needs to wrap and unwrap the
      // database encryption key; no create, delete or purge rights on the vault.
      {
        key_permissions: ["Get", "WrapKey", "UnwrapKey"],
        // Converter escape hatch for identity[0].principal_id / tenant_id of the instance.
        object_id: `\${${azurermMssqlManagedInstanceExample.identity.fqn}[0].principal_id}`,
        tenant_id: `\${${azurermMssqlManagedInstanceExample.identity.fqn}[0].tenant_id}`,
      },
    ],
    // Used by Azure Disk Encryption, not by SQL TDE; shown here but not required.
    enabled_for_disk_encryption: true,
    location: azurermResourceGroupExample.location,
    // Key Vault names are globally unique DNS labels; pick your own.
    name: "example",
    // Azure requires soft-delete and purge protection on a vault that holds a TDE
    // protector: a deleted key stays recoverable for the retention period instead of
    // locking out the databases. Purge protection cannot be switched off once enabled.
    purge_protection_enabled: true,
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "standard",
    soft_delete_retention_days: 7,
    tenant_id: dataAzurermClientConfigCurrent.tenantId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
const azurermKeyVaultKeyExample = new azurerm.keyVaultKey.KeyVaultKey(
  this,
  "example_6",
  {
    // Wait for the vault and its access policies so key creation does not race them.
    depends_on: [`\${${azurermKeyVaultExample.fqn}}`],
    // TDE only wraps and unwraps the database encryption key; grant no other operations.
    key_opts: ["unwrapKey", "wrapKey"],
    key_size: 2048,
    key_type: "RSA",
    key_vault_id: azurermKeyVaultExample.id,
    name: "byok",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultKeyExample.overrideLogicalId("example");
const azurermMssqlManagedInstanceTransparentDataEncryptionExample =
  new azurerm.mssqlManagedInstanceTransparentDataEncryption.MssqlManagedInstanceTransparentDataEncryption(
    this,
    "example_7",
    {
      key_vault_key_id: azurermKeyVaultKeyExample.id,
      managed_instance_id: azurermMssqlManagedInstanceExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermMssqlManagedInstanceTransparentDataEncryptionExample.overrideLogicalId(
  "example"
);

Arguments Reference

The following arguments are supported:

  • managedInstanceId - (Required) Specifies the ID of the MS SQL Managed Instance. Changing this forces a new resource to be created.

  • keyVaultKeyId - (Optional) To use customer managed keys from Azure Key Vault, provide the Key Vault key ID (the id of an azurermKeyVaultKey, as in the example above). To use service managed keys, omit this field.

\~> NOTE: In order to use customer managed keys, the identity of the MSSQL Managed Instance must have the following permissions on the key vault: 'get', 'wrapKey' and 'unwrapKey'

\~> NOTE: If managedInstanceId denotes a secondary instance deployed for disaster recovery purposes, then keyVaultKeyId should be the same key used for the primary instance's transparent data encryption. Both primary and secondary instances must be encrypted with the same key material.

  • autoRotationEnabled - (Optional) When enabled, the SQL Managed Instance will continuously check the key vault for any new versions of the key being used as the TDE protector. If a new version of the key is detected, the TDE protector on the SQL Managed Instance will be automatically rotated to the latest key version within 60 minutes.
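The notes above describe several ways a customer-managed configuration can fail after apply: a key the instance identity cannot wrap and unwrap with, a key that is disabled or expired, a vault without soft-delete or purge protection (Azure's requirement for vaults holding a TDE protector, and the lockout scenario the second note warns about), and a DR secondary pointed at a different key than its primary. The following TypeScript pre-flight check is an added example, not code from the azurerm provider or its documentation. It runs offline against constructed input shaped loosely like `az keyvault show` and `az keyvault key show` JSON; the interface shapes, the sample vault name, key version and principal ID are all assumptions made for the example.

```typescript
// Added example: offline pre-flight check of the Key Vault prerequisites for
// customer-managed TDE on a SQL Managed Instance. Not part of the azurerm
// provider; input shapes and sample values below are constructed for the example.

// Simplified shapes modelled on `az keyvault show` / `az keyvault key show` JSON.
interface VaultAccessPolicy {
  objectId: string;                 // principal the policy applies to
  permissions: { keys: string[] };  // e.g. ["Get", "WrapKey", "UnwrapKey"]
}
interface VaultProperties {
  enableSoftDelete: boolean;
  enablePurgeProtection: boolean;
  accessPolicies: VaultAccessPolicy[];
}
interface KeyProperties {
  kid: string;        // versioned key URL, what azurerm_key_vault_key.id returns
  kty: string;        // "RSA" or "RSA-HSM"; TDE cannot wrap with EC keys
  keyOps: string[];   // must include wrapKey and unwrapKey
  enabled: boolean;
  expires?: number;   // Unix seconds, absent if the key never expires
}
interface ParsedKeyId { vaultHost: string; keyName: string; version?: string }

// Permissions the managed instance identity needs on the vault (from the note above),
// compared case-insensitively because the CLI and the provider spell them differently.
const REQUIRED_KEY_PERMISSIONS = ["get", "wrapkey", "unwrapkey"];
const REQUIRED_KEY_OPS = ["wrapKey", "unwrapKey"];

// https://<vault>.vault.azure.net/keys/<name>[/<version>]
const KEY_ID_PATTERN = /^https:\/\/([^\/]+)\/keys\/([^\/]+)(?:\/([^\/]+))?\/?$/;

function parseKeyVaultKeyId(id: string): ParsedKeyId | null {
  const m = KEY_ID_PATTERN.exec(id);
  if (!m) return null;
  return { vaultHost: m[1].toLowerCase(), keyName: m[2], version: m[3] };
}

// Disaster-recovery pairs must use the same key material: same vault, key and version.
function protectorsMatch(primaryKeyId: string, secondaryKeyId: string): boolean {
  const a = parseKeyVaultKeyId(primaryKeyId);
  const b = parseKeyVaultKeyId(secondaryKeyId);
  if (!a || !b) return false;
  return a.vaultHost === b.vaultHost && a.keyName === b.keyName && a.version === b.version;
}

// Returns a list of problems; an empty list means the key is usable as a TDE protector.
function checkTdeCmkPrerequisites(
  keyVaultKeyId: string,
  vault: VaultProperties,
  key: KeyProperties,
  managedInstancePrincipalId: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): string[] {
  const problems: string[] = [];
  const parsed = parseKeyVaultKeyId(keyVaultKeyId);
  if (!parsed) {
    problems.push("key_vault_key_id is not a Key Vault key URL: " + keyVaultKeyId);
    return problems;
  }
  if (key.kid !== keyVaultKeyId) problems.push("key_vault_key_id does not match the key's kid");
  // Lockout protection: Azure requires both on a vault that holds a TDE protector,
  // so a deleted key can be recovered instead of taking the databases offline.
  if (!vault.enableSoftDelete) problems.push("vault does not have soft-delete enabled");
  if (!vault.enablePurgeProtection) problems.push("vault does not have purge protection enabled");
  if (key.kty !== "RSA" && key.kty !== "RSA-HSM") problems.push("key type must be RSA or RSA-HSM, got " + key.kty);
  for (const op of REQUIRED_KEY_OPS) {
    if (key.keyOps.indexOf(op) < 0) problems.push("key is missing key operation '" + op + "'");
  }
  if (!key.enabled) problems.push("key is disabled");
  if (key.expires !== undefined && key.expires <= nowSeconds) problems.push("key has expired");
  const policy = vault.accessPolicies.filter(p => p.objectId === managedInstancePrincipalId)[0];
  if (!policy) {
    problems.push("no access policy for managed instance identity " + managedInstancePrincipalId);
  } else {
    const granted = policy.permissions.keys.map(p => p.toLowerCase());
    for (const needed of REQUIRED_KEY_PERMISSIONS) {
      if (granted.indexOf(needed) < 0) problems.push("managed instance identity lacks key permission '" + needed + "'");
    }
  }
  return problems;
}

// Constructed sample input (not real resources): a correctly configured vault and key.
const SAMPLE_MI_PRINCIPAL_ID = "11111111-2222-3333-4444-555555555555";
const SAMPLE_KEY_ID = "https://example-kv.vault.azure.net/keys/byok/0123456789abcdef0123456789abcdef";
const SAMPLE_VAULT: VaultProperties = {
  enableSoftDelete: true,
  enablePurgeProtection: true,
  accessPolicies: [{ objectId: SAMPLE_MI_PRINCIPAL_ID, permissions: { keys: ["Get", "WrapKey", "UnwrapKey"] } }],
};
const SAMPLE_KEY: KeyProperties = { kid: SAMPLE_KEY_ID, kty: "RSA", keyOps: ["wrapKey", "unwrapKey"], enabled: true };

// The same vault with purge protection switched off, as in a test-only configuration.
function problemsWithoutPurgeProtection(): string[] {
  const weakVault: VaultProperties = { ...SAMPLE_VAULT, enablePurgeProtection: false };
  return checkTdeCmkPrerequisites(SAMPLE_KEY_ID, weakVault, SAMPLE_KEY, SAMPLE_MI_PRINCIPAL_ID);
}
```

Run `checkTdeCmkPrerequisites` with the instance's `identity[0].principal_id` and the vault and key you intend to reference before applying the TDE resource; an empty result means the instance will be able to wrap and unwrap its database encryption key and the protector cannot be purged out from under it. `protectorsMatch` is the check to run on the primary and secondary `keyVaultKeyId` values of a DR pair.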

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the MSSQL encryption protector

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the MSSQL Managed Instance Transparent Data Encryption.
  • read - (Defaults to 5 minutes) Used when retrieving the MSSQL Managed Instance Transparent Data Encryption.
  • update - (Defaults to 30 minutes) Used when updating the MSSQL Managed Instance Transparent Data Encryption.
  • delete - (Defaults to 30 minutes) Used when deleting the MSSQL Managed Instance Transparent Data Encryption.

Import

\~> NOTE: This resource does not need to be imported in order to manage it; however, the import will work.

SQL Managed Instance Transparent Data Encryption can be imported using the resource id, e.g.

terraform import azurerm_mssql_managed_instance_transparent_data_encryption.example /subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/group1/providers/Microsoft.Sql/managedInstances/instance1/encryptionProtector/current