hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for auto rotate key in azurerm_mssql_server_transparent_data_encryption #14171

Closed johnfriedrich closed 2 years ago

johnfriedrich commented 2 years ago

Description

SQL Server transparent data encryption should offer a boolean to enable key auto rotation, like in the Azure UI.

Potential Terraform Configuration

resource "azurerm_mssql_server_transparent_data_encryption" "encrypt" {
  server_id = azurerm_mssql_server.main.id
  key_vault_key_id = key.id
  auto_rotate_key = true
}

aristosvo commented 2 years ago

Hi @johnfriedrich! Thanks for your issue.

I tried to set it in the Portal, az and via the API as part of a first implementation, but in all cases it wasn't set at all.

❯ az sql server tde-key set  -g acctestRG-mssql -s acctestsqlserver --auto-rotation-enabled true -t AzureKeyVault --kid https://acctestsqlserver.vault.azure.net/keys/keyVault/a25a448e5b2c47cb84019ae2a30655c7
{
  "autoRotationEnabled": false,
  "id": "/subscriptions/<subId>/resourceGroups/acctestRG-mssql/providers/Microsoft.Sql/servers/acctestsqlserver/encryptionProtector/current",
  "kind": "azurekeyvault",
  "location": null,
  "name": "current",
  "resourceGroup": "acctestRG-mssql",
  "serverKeyName": "acctestsqlserver_keyVault_a25a448e5b2c47cb84019ae2a30655c7",
  "serverKeyType": "AzureKeyVault",
  "subregion": null,
  "thumbprint": null,
  "type": "Microsoft.Sql/servers/encryptionProtector",
  "uri": "https://acctestsqlserver.vault.azure.net/keys/keyVault/a25a448e5b2c47cb84019ae2a30655c7"
}

Did you have a working setup and what did it take to fixate that setting?
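
A check for the behaviour reported in the comment above, where the command was accepted but the response still showed "autoRotationEnabled": false. This is an added example, not part of the original thread or the provider's code; the function names check_protector and expected_server_key_name are hypothetical, and the sample is constructed from the output quoted above.

```python
import json
from urllib.parse import urlparse

# Constructed sample: relevant fields of the CLI output quoted in the comment above.
SAMPLE = json.loads("""{
  "autoRotationEnabled": false,
  "serverKeyName": "acctestsqlserver_keyVault_a25a448e5b2c47cb84019ae2a30655c7",
  "serverKeyType": "AzureKeyVault",
  "uri": "https://acctestsqlserver.vault.azure.net/keys/keyVault/a25a448e5b2c47cb84019ae2a30655c7"
}""")


def expected_server_key_name(key_uri):
    """Build <vault>_<key>_<version>, the naming pattern visible in the output."""
    parsed = urlparse(key_uri)
    parts = [p for p in parsed.path.split("/") if p]
    if (parsed.scheme != "https" or not parsed.hostname
            or len(parts) != 3 or parts[0] != "keys"):
        raise ValueError(f"not a versioned Key Vault key URI: {key_uri!r}")
    vault = parsed.hostname.split(".")[0]
    return f"{vault}_{parts[1]}_{parts[2]}"


def check_protector(protector, want_key_uri, want_auto_rotation):
    """Return a list of mismatches between the requested and the reported state."""
    findings = []
    key_type = str(protector.get("serverKeyType", ""))
    if key_type.lower() != "azurekeyvault":
        findings.append(f"serverKeyType is {key_type!r}, expected AzureKeyVault")
    if protector.get("uri") != want_key_uri:
        findings.append(
            f"protector uri is {protector.get('uri')!r}, expected {want_key_uri!r}")
    elif protector.get("serverKeyName") != expected_server_key_name(want_key_uri):
        findings.append("serverKeyName does not match the key URI")
    # The failure seen in the thread: the flag was accepted but not applied.
    if protector.get("autoRotationEnabled") is not want_auto_rotation:
        findings.append(
            f"autoRotationEnabled is {protector.get('autoRotationEnabled')!r}, "
            f"requested {want_auto_rotation!r}")
    return findings


if __name__ == "__main__":
    for finding in check_protector(SAMPLE, SAMPLE["uri"], want_auto_rotation=True):
        print("MISMATCH:", finding)
```

Run against the JSON returned after a change, a non-empty result means the encryption protector is not in the state that was requested.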

johnfriedrich commented 2 years ago

Hello, thanks for looking into it. Well I was reading documentation and found this setting, thought it could be useful for us but did not find it in azurerm terraform and created this ticket. (Did not try to actually set this setting by then)

I can confirm that setting it via the portal does not work. Getting API errors in Chrome dev console.

aristosvo commented 2 years ago

@johnfriedrich Oops, seems like we're too early 🙊:

Auto-Rotation feature for Azure SQL DB and MI hasn’t yet been announced publicly. The Portal changes have been deployed which is why customers are beginning to see the “Auto-Rotate key” option.

We are hoping to release this in public preview by end of CY.

MarcinGrinberg commented 2 years ago

@aristosvo I don't know if this is a good moment to implement this feature. From my side I see that checkbox vanished in UI. Via Azure CLI there is still an option of enabling auto-rotation which I successfully did. Also confirmed that rotation works and updates the key in TDE configuration. It took around 60 minutes to update after a key rotation.

Edit: FYI this feature was pushed till the end of the year to go for public preview. So maybe not the best time to implement yet.

Thanks!

MarcinGrinberg commented 2 years ago

@aristosvo FYI feature just got into preview: https://techcommunity.microsoft.com/t5/azure-sql-blog/automated-key-rotation-for-tde-byok-now-available-in-preview-for/ba-p/3607932

aristosvo commented 2 years ago

@MarcinGrinberg I'll take a look!

github-actions[bot] commented 2 years ago

This functionality has been released in v3.29.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
