add mssql db module (#31)

* add mssql db module * Added rbac_id to mssql_server for role assignment - IAM Co-authored-by: Abdullah Khairi Kamarul Zaman <[email protected]>
aztfmod · Sep 25, 2020 · 70eac03 · 70eac03
1 parent 50dfd4f
commit 70eac03
Show file tree

Hide file tree

Showing 8 changed files with 127 additions and 0 deletions.
diff --git a/main.tf b/main.tf
@@ -73,6 +73,7 @@ locals {
 
   database = {
     mssql_servers               = try(var.database.mssql_servers, {})
+    mssql_databases             = try(var.database.mssql_databases, {})
     azurerm_redis_caches        = try(var.database.azurerm_redis_caches, {})
     synapse_workspaces          = try(var.database.synapse_workspaces, {})
     databricks_workspaces       = try(var.database.databricks_workspaces, {})

diff --git a/modules/databases/mssql_database/auditing.tf b/modules/databases/mssql_database/auditing.tf
@@ -0,0 +1,18 @@
+# Server auditing
+
+data "azurerm_storage_account" "mssqldb_auditing" {
+  count = try(var.settings.extended_auditing_policy.storage_account.key, null) == null ? 0 : 1
+
+  name                = var.storage_accounts[var.settings.extended_auditing_policy.storage_account.key].name
+  resource_group_name = var.storage_accounts[var.settings.extended_auditing_policy.storage_account.key].resource_group_name
+}
+
+resource "azurerm_mssql_server_extended_auditing_policy" "mssqldb" {
+  count = try(var.settings.extended_auditing_policy, null) == null ? 0 : 1
+
+  server_id                               = var.server_id
+  storage_endpoint                        = data.azurerm_storage_account.mssqldb_auditing.0.primary_blob_endpoint
+  storage_account_access_key              = data.azurerm_storage_account.mssqldb_auditing.0.primary_access_key
+  storage_account_access_key_is_secondary = try(var.settings.extended_auditing_policy.storage_account_access_key_is_secondary, false)
+  retention_in_days                       = try(var.settings.extended_auditing_policy.retention_in_days, null)
+}
diff --git a/modules/databases/mssql_database/database.tf b/modules/databases/mssql_database/database.tf
@@ -0,0 +1,52 @@
+resource "azurecaf_name" "mssqldb" {
+
+  name          = var.settings.name
+  resource_type = "azurerm_mssql_database"
+  prefixes      = [var.global_settings.prefix]
+  random_length = var.global_settings.random_length
+  clean_input   = true
+  passthrough   = var.global_settings.passthrough
+}
+
+resource "azurerm_mssql_database" "mssqldb" {
+  name                        = azurecaf_name.mssqldb.result
+  server_id                   = var.server_id
+  auto_pause_delay_in_minutes = try(var.settings.auto_pause_delay_in_minutes, null)
+  create_mode                 = try(var.settings.create_mode, null)
+  creation_source_database_id = try(var.settings.creation_source_database_id, null)
+  collation                   = try(var.settings.collation, null)
+  license_type                = try(var.settings.license_type, null)
+  max_size_gb                 = try(var.settings.max_size_gb, null)
+  min_capacity                = try(var.settings.min_capacity, null)
+  restore_point_in_time       = try(var.settings.restore_point_in_time, null)
+  read_replica_count          = try(var.settings.read_replica_count, null)
+  read_scale                  = try(var.settings.read_scale, null)
+  sample_name                 = try(var.settings.sample_name, null)
+  sku_name                    = try(var.settings.sku_name, null)
+  zone_redundant              = try(var.settings.zone_redundant, null)
+  tags                        = try(var.settings.tags, null)
+
+  dynamic "threat_detection_policy" {
+    for_each = lookup(var.settings, "threat_detection_policy", {}) == {} ? [] : [1]
+
+    content {
+      state                      = var.settings.threat_detection_policy.state
+      disabled_alerts            = try(var.settings.threat_detection_policy.disabled_alerts, null)
+      email_account_admins       = try(var.settings.threat_detection_policy.email_account_admins, null)
+      email_addresses            = try(var.settings.threat_detection_policy.email_addresses, null)
+      retention_days             = try(var.settings.threat_detection_policy.retention_days, null)
+      storage_endpoint           = try(data.azurerm_storage_account.mssqldb_tdp.0.primary_blob_endpoint, null)
+      storage_account_access_key = try(data.azurerm_storage_account.mssqldb_tdp.0.primary_access_key, null)
+      use_server_default         = try(var.settings.threat_detection_policy.use_server_default, null)
+    }
+  }
+}
+
+# threat detection policy
+
+data "azurerm_storage_account" "mssqldb_tdp" {
+  count = try(var.settings.threat_detection_policy.storage_account.key, null) == null ? 0 : 1
+
+  name                = var.storage_accounts[var.settings.threat_detection_policy.storage_account.key].name
+  resource_group_name = var.storage_accounts[var.settings.threat_detection_policy.storage_account.key].resource_group_name
+}
diff --git a/modules/databases/mssql_database/main.tf b/modules/databases/mssql_database/main.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    azurecaf = {
+      source = "aztfmod/azurecaf"
+    }
+  }
+  required_version = ">= 0.13"
+}
diff --git a/modules/databases/mssql_database/variables.tf b/modules/databases/mssql_database/variables.tf
@@ -0,0 +1,4 @@
+variable global_settings {}
+variable settings {}
+variable server_id {}
+variable storage_accounts {}
diff --git a/modules/databases/mssql_server/output.tf b/modules/databases/mssql_server/output.tf
@@ -0,0 +1,7 @@
+output id {
+  value = azurerm_mssql_server.mssql.id
+}
+
+output rbac_id {
+  value = azurerm_mssql_server.mssql.identity[0].principal_id
+}
diff --git a/mssql_databases.tf b/mssql_databases.tf
@@ -0,0 +1,36 @@
+
+output mssql_databases {
+  value     = module.mssql_databases
+  sensitive = true
+}
+
+module "mssql_databases" {
+  source     = "./modules/databases/mssql_database"
+  for_each   = local.database.mssql_databases
+
+  global_settings  = local.global_settings
+  settings         = each.value
+  server_id        = try(each.value.remote_tfstate, null) == null ? module.mssql_servers[each.value.mssql_server_key].id : data.terraform_remote_state.mssql_remote_server[each.key].outputs[each.value.remote_tfstate.output_key][each.value.mssql_server_key].id
+  storage_accounts = module.storage_accounts
+}
+
+#
+# Get remote mssql server to deploy the database
+#
+data "terraform_remote_state" "mssql_remote_server" {
+  for_each = {
+    for key, value in local.database.mssql_databases : key => value
+    if try(value.remote_tfstate, null) != null
+  }
+
+  backend = "azurerm"
+  config = {
+    storage_account_name = var.tfstates[each.value.remote_tfstate.tfstate_key].storage_account_name
+    container_name       = var.tfstates[each.value.remote_tfstate.tfstate_key].container_name
+    resource_group_name  = var.tfstates[each.value.remote_tfstate.tfstate_key].resource_group_name
+    key                  = var.tfstates[each.value.remote_tfstate.tfstate_key].key
+    use_msi              = var.use_msi
+    subscription_id      = var.use_msi ? var.tfstates[each.value.remote_tfstate.tfstate_key].subscription_id : null
+    tenant_id            = var.use_msi ? var.tfstates[each.value.remote_tfstate.tfstate_key].tenant_id : null
+  }
+}
diff --git a/roles.tf b/roles.tf
@@ -32,6 +32,7 @@ locals {
     resource_groups            = module.resource_groups
     managed_identities         = module.managed_identities
     storage_accounts           = module.storage_accounts
+    mssql_servers              = module.mssql_servers
     synapse_workspaces         = module.synapse_workspaces
     subscriptions              = merge(try(var.subscriptions, {}), { "logged_in_subscription" = { id = data.azurerm_subscription.primary.id } })
     logged_in = {