hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for publicNetworkAccess property on resource_arm_sql_server #6374

Closed gpduck closed 3 years ago

gpduck commented 4 years ago

Description

This optional property allows setting the sql server to block public connections and only allow connections over private links.

New or Affected Resource(s)

Potential Terraform Configuration


resource "azurerm_sql_server" "example" {
  name                         = "mysqlserver"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "mradministrator"
  administrator_login_password = "thisIsDog11"
  public_network_access        = "Disabled"

  extended_auditing_policy {
    storage_endpoint                        = azurerm_storage_account.example.primary_blob_endpoint
    storage_account_access_key              = azurerm_storage_account.example.primary_access_key
    storage_account_access_key_is_secondary = true
    retention_in_days                       = 6
  }

  tags = {
    environment = "production"
  }
}

References

https://docs.microsoft.com/en-us/rest/api/sql/servers/createorupdate#serverpublicnetworkaccess

janegilring commented 4 years ago

Is there any ETA on implementing this?

baoduy commented 4 years ago

Hi, Quick check on the plan to release this feature?

BradAF commented 4 years ago

@janegilring @baoduy - Per this comment, I don't think it is going to be added to the azurerm_sql_server. You will need to switch over to azurerm_mssql_server in the azurerm provider 2.11.0+.

I just did so and it was fairly straightforward 1-to-1 replacement, though I am now getting errors when trying to implement a corresponding azurerm_sql_firewall_rule entry, so I am working on diagnosing that.

janegilring commented 4 years ago

I did migrate to azurerm_mssql_server, so my scenario is unblocked 👍

mhaarbrink commented 4 years ago

> @janegilring @baoduy - Per this comment, I don't think it is going to be added to the azurerm_sql_server. You will need to switch over to azurerm_mssql_server in the azurerm provider 2.11.0+.
>
> I just did so and it was fairly straightforward 1-to-1 replacement, though I am now getting errors when trying to implement a corresponding azurerm_sql_firewall_rule entry, so I am working on diagnosing that.

Hey @BradAF, did you resolve your FW rule issue? We are seeing issues adding FW rules as well when we disable public access.

yupwei68 commented 4 years ago

Hi @gpduck, would you mind migrating to azurerm_mssql_server, which already supports this field as public_network_access_enabled?

gpduck commented 4 years ago

I'll take a look at it and see if I can convert my scripts over. Does this mean that the azurerm_sql_server resource is considered deprecated?

yupwei68 commented 4 years ago

Hi @gpduck, to some extent, you're right. azurerm_mssql_server is planned to cover all functions of azurerm_sql_server, and we don't add new features to azurerm_sql_server. The resources in 'mssql' and 'sql' can be mixed.

BradAF commented 4 years ago

> > @janegilring @baoduy - Per this comment, I don't think it is going to be added to the azurerm_sql_server. You will need to switch over to azurerm_mssql_server in the azurerm provider 2.11.0+. I just did so and it was fairly straightforward 1-to-1 replacement, though I am now getting errors when trying to implement a corresponding azurerm_sql_firewall_rule entry, so I am working on diagnosing that.
>
> Hey @BradAF, did you resolve your FW rule issue? We are seeing issues adding FW rules as well when we disable public access.

Sorry for the late reply! To answer your question: kind of... I set TF_LOG=TRACE and found that apparently Azure itself did not allow me to configure firewall rules while the public network interface for the server is disabled. I assume they intend for you to use NSG rules when using private IPs:

image

I only had the one rule enabling 'Allow all Azure IPs' so maybe it is different, but I would recommend enabling the trace and seeing what you get returned.

ravulachetan commented 3 years ago

Hey @BradAF, I am working on a similar use case where I want to add firewall rules to SQL Server and keep "public network access" as Deny. But I cannot add firewall rules with public network access as Deny. Keeping public access as Allow does not matter if you have firewall rules since Server is allowed Publicly. Is there any workaround to add firewall rules and still keep Deny Public access?

tombuildsstuff commented 3 years ago

Closing this out since this is supported via azurerm_mssql_server resource which we recommend using instead - the older azurerm_sql_server resource will be deprecated in a future release.
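
A sketch of the migration this thread settles on, added here as an example and not taken from the provider's documentation or from any participant: the requested configuration rewritten for azurerm_mssql_server, with public access disabled and a private endpoint taking the place of server firewall rules. It assumes azurerm_resource_group.example from the original request already exists; azurerm_subnet.private_endpoints, var.sql_admin_password and the private endpoint names are placeholders.

```hcl
# Added example. Placeholder names: var.sql_admin_password,
# azurerm_subnet.private_endpoints, "mysqlserver-pe", "mysqlserver-psc".
variable "sql_admin_password" {
  type      = string
  sensitive = true
}

resource "azurerm_mssql_server" "example" {
  name                         = "mysqlserver"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "mradministrator"
  administrator_login_password = var.sql_admin_password

  # Boolean equivalent of the proposed public_network_access = "Disabled".
  public_network_access_enabled = false

  # The extended_auditing_policy block from the request is left out here;
  # how auditing is declared depends on the provider version in use.

  tags = {
    environment = "production"
  }
}

# With public access off, clients reach the server through a private
# endpoint. Server firewall rules are not declared, since the thread reports
# that Azure rejects them while public network access is disabled.
resource "azurerm_private_endpoint" "sql" {
  name                = "mysqlserver-pe"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  subnet_id           = azurerm_subnet.private_endpoints.id # assumed subnet

  private_service_connection {
    name                           = "mysqlserver-psc"
    private_connection_resource_id = azurerm_mssql_server.example.id
    subresource_names              = ["sqlServer"]
    is_manual_connection           = false
  }
}
```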

github-actions[bot] commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.