import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
// NOTE(review): most `pulumi.Input` / `pulumi.Output` references below carry no type
// argument, and `restorableDroppedDatabaseIds` in `ServerState` has an unbalanced `>`.
// The generic arguments appear to have been lost when this listing was extracted;
// compare against the published declaration file before relying on these signatures.
/**
 * Manages a Microsoft SQL Azure Database Server.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "database-rg",
 *     location: "West Europe",
 * });
 * const exampleServer = new azure.mssql.Server("example", {
 *     name: "mssqlserver",
 *     resourceGroupName: example.name,
 *     location: example.location,
 *     version: "12.0",
 *     administratorLogin: "missadministrator",
 *     administratorLoginPassword: "thisIsKat11",
 *     minimumTlsVersion: "1.2",
 *     azureadAdministrator: {
 *         loginUsername: "AzureAD Admin",
 *         objectId: "00000000-0000-0000-0000-000000000000",
 *     },
 *     tags: {
 *         environment: "production",
 *     },
 * });
 * ```
 *
 * > **Note:** The `administratorLoginPassword` literals in the examples on this page are placeholders. In a real program supply the password as a secret (for example via `new pulumi.Config().requireSecret(...)`) instead of committing it to source.
 *
 * ### Transparent Data Encryption (TDE) With A Customer Managed Key (CMK) During Create
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const current = azure.core.getClientConfig({});
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "example-resources",
 *     location: "West Europe",
 * });
 * const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
 *     name: "example-admin",
 *     location: example.location,
 *     resourceGroupName: example.name,
 * });
 * // Create a key vault with access policies which allow for the current user to get, list, create, delete, update, recover, purge and getRotationPolicy for the key vault key and also add a key vault access policy for the Microsoft SQL Server instance User Managed Identity to get, wrap, and unwrap key(s)
 * const exampleKeyVault = new azure.keyvault.KeyVault("example", {
 *     name: "mssqltdeexample",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     enabledForDiskEncryption: true,
 *     tenantId: exampleUserAssignedIdentity.tenantId,
 *     softDeleteRetentionDays: 7,
 *     purgeProtectionEnabled: true,
 *     skuName: "standard",
 *     accessPolicies: [
 *         {
 *             tenantId: current.then(current => current.tenantId),
 *             objectId: current.then(current => current.objectId),
 *             keyPermissions: [
 *                 "Get",
 *                 "List",
 *                 "Create",
 *                 "Delete",
 *                 "Update",
 *                 "Recover",
 *                 "Purge",
 *                 "GetRotationPolicy",
 *             ],
 *         },
 *         {
 *             tenantId: exampleUserAssignedIdentity.tenantId,
 *             objectId: exampleUserAssignedIdentity.principalId,
 *             keyPermissions: [
 *                 "Get",
 *                 "WrapKey",
 *                 "UnwrapKey",
 *             ],
 *         },
 *     ],
 * });
 * const exampleKey = new azure.keyvault.Key("example", {
 *     name: "example-key",
 *     keyVaultId: exampleKeyVault.id,
 *     keyType: "RSA",
 *     keySize: 2048,
 *     keyOpts: [
 *         "unwrapKey",
 *         "wrapKey",
 *     ],
 * }, {
 *     dependsOn: [exampleKeyVault],
 * });
 * const exampleServer = new azure.mssql.Server("example", {
 *     name: "example-resource",
 *     resourceGroupName: example.name,
 *     location: example.location,
 *     version: "12.0",
 *     administratorLogin: "Example-Administrator",
 *     administratorLoginPassword: "Example_Password!",
 *     minimumTlsVersion: "1.2",
 *     azureadAdministrator: {
 *         loginUsername: exampleUserAssignedIdentity.name,
 *         objectId: exampleUserAssignedIdentity.principalId,
 *     },
 *     identity: {
 *         type: "UserAssigned",
 *         identityIds: [exampleUserAssignedIdentity.id],
 *     },
 *     primaryUserAssignedIdentityId: exampleUserAssignedIdentity.id,
 *     transparentDataEncryptionKeyVaultKeyId: exampleKey.id,
 * });
 * ```
 *
 * ## API Providers
 *
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.Sql` - 2023-08-01-preview
 *
 * ## Import
 *
 * SQL Servers can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:mssql/server:Server example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.Sql/servers/myserver
 * ```
 */
export declare class Server extends pulumi.CustomResource {
    /**
     * Get an existing Server resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input, state?: ServerState, opts?: pulumi.CustomResourceOptions): Server;
    /**
     * Returns true if the given object is an instance of Server. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is Server;
    /**
     * The administrator login name for the new server. Required unless `azureadAuthenticationOnly` in the `azureadAdministrator` block is `true`. When omitted, Azure will generate a default username which cannot be subsequently changed. Changing this forces a new resource to be created.
     */
    readonly administratorLogin: pulumi.Output;
    /**
     * The password associated with the `administratorLogin` user. Needs to comply with Azure's [Password Policy](https://msdn.microsoft.com/library/ms161959.aspx).
     *
     * NOTE(review): this output carries a credential. Whether the provider marks it as a secret in state is not visible in this file - confirm, and avoid exporting or logging it.
     */
    readonly administratorLoginPassword: pulumi.Output;
    /**
     * An integer value used to trigger an update for `administratorLoginPasswordWo`. This property should be incremented when updating `administratorLoginPasswordWo`.
     *
     * NOTE(review): `administratorLoginPasswordWo` itself is not declared on this class as shown here - confirm against the provider schema.
     */
    readonly administratorLoginPasswordWoVersion: pulumi.Output;
    /**
     * An `azureadAdministrator` block as defined below.
     *
     * NOTE(review): the block's fields (such as `azureadAuthenticationOnly`, referenced by `administratorLogin`) are not declared in this file; presumably they live in the imported `../types` modules - confirm.
     */
    readonly azureadAdministrator: pulumi.Output;
    /**
     * The connection policy the server will use. Possible values are `Default`, `Proxy`, and `Redirect`. Defaults to `Default`.
     */
    readonly connectionPolicy: pulumi.Output;
    /**
     * Whether to enable the Express Vulnerability Assessment Configuration. Defaults to `false`.
     *
     * > **Note:** If you have enabled the Classic SQL Vulnerability Assessment configuration using the `azure.mssql.ServerVulnerabilityAssessment` resource, you must first delete it before enabling `expressVulnerabilityAssessmentEnabled`. If you wish to revert back to using the Classic SQL Vulnerability Assessment configuration you must first disable this setting.
     */
    readonly expressVulnerabilityAssessmentEnabled: pulumi.Output;
    /**
     * The fully qualified domain name of the Azure SQL Server (e.g. myServerName.database.windows.net)
     */
    readonly fullyQualifiedDomainName: pulumi.Output;
    /**
     * An `identity` block as defined below.
     */
    readonly identity: pulumi.Output;
    /**
     * Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
     */
    readonly location: pulumi.Output;
    /**
     * The Minimum TLS Version for all SQL Database and SQL Data Warehouse databases associated with the server. Valid values are: `1.0`, `1.1` , `1.2` and `Disabled`. Defaults to `1.2`.
     *
     * > **Note:** Setting `minimumTlsVersion` to `Disabled` means all TLS versions are allowed. After you enforce a version of `minimumTlsVersion`, it's not possible to revert to `Disabled`.
     *
     * > **Note:** Azure Services will require TLS 1.2+ by August 2025, please see this [announcement](https://azure.microsoft.com/en-us/updates/v2/update-retirement-tls1-0-tls1-1-versions-azure-services/) for more.
     *
     * NOTE(review): `1.0`, `1.1` and `Disabled` all admit deprecated TLS protocol versions; keep the `1.2` default unless a legacy client forces otherwise.
     */
    readonly minimumTlsVersion: pulumi.Output;
    /**
     * The name of the Microsoft SQL Server. This needs to be globally unique within Azure. Changing this forces a new resource to be created.
     */
    readonly name: pulumi.Output;
    /**
     * Whether outbound network traffic is restricted for this server. Defaults to `false`.
     */
    readonly outboundNetworkRestrictionEnabled: pulumi.Output;
    /**
     * Specifies the primary user managed identity id. Required if `type` within the `identity` block is set to either `SystemAssigned, UserAssigned` or `UserAssigned` and should be set at same time as setting `identityIds`.
     */
    readonly primaryUserAssignedIdentityId: pulumi.Output;
    /**
     * Whether public network access is allowed for this server. Defaults to `true`.
     *
     * NOTE(review): the default leaves the server's public endpoint enabled. Where clients connect only over private endpoints, set this to `false`; otherwise review the server's firewall rules.
     */
    readonly publicNetworkAccessEnabled: pulumi.Output;
    /**
     * The name of the resource group in which to create the Microsoft SQL Server. Changing this forces a new resource to be created.
     */
    readonly resourceGroupName: pulumi.Output;
    /**
     * A list of dropped restorable database IDs on the server.
     */
    readonly restorableDroppedDatabaseIds: pulumi.Output;
    /**
     * A mapping of tags to assign to the resource.
     */
    readonly tags: pulumi.Output<{ [key: string]: string; } | undefined>;
    /**
     * The fully versioned `Key Vault` `Key` URL (e.g. `https://<YourVaultName>.vault.azure.net/keys/<YourKeyName>/<YourKeyVersion>`, where the bracketed parts are placeholders) to be used as the `Customer Managed Key`(CMK/BYOK) for the `Transparent Data Encryption`(TDE) layer.
     *
     * > **Note:** To successfully deploy a `Microsoft SQL Server` in CMK/BYOK TDE the `Key Vault` must have `Soft-delete` and `purge protection` enabled to protect from data loss due to accidental key and/or key vault deletion. The `Key Vault` and the `Microsoft SQL Server` `User Managed Identity Instance` must belong to the same `Azure Active Directory` `tenant`.
     *
     * > **Note:** Cross-tenant `Key Vault` and `Microsoft SQL Server` interactions are not supported. Please see the [product documentation](https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql#requirements-for-configuring-customer-managed-tde) for more information.
     *
     * > **Note:** When using a firewall with a `Key Vault`, you must enable the option `Allow trusted Microsoft services to bypass the firewall`.
     */
    readonly transparentDataEncryptionKeyVaultKeyId: pulumi.Output;
    /**
     * The version for the new server. Valid values are: 2.0 (for v11 server) and 12.0 (for v12 server). Changing this forces a new resource to be created.
     */
    readonly version: pulumi.Output;
    /**
     * Create a Server resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: ServerArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering Server resources.
 */
export interface ServerState {
    /**
     * The administrator login name for the new server. Required unless `azureadAuthenticationOnly` in the `azureadAdministrator` block is `true`. When omitted, Azure will generate a default username which cannot be subsequently changed. Changing this forces a new resource to be created.
     */
    administratorLogin?: pulumi.Input;
    /**
     * The password associated with the `administratorLogin` user. Needs to comply with Azure's [Password Policy](https://msdn.microsoft.com/library/ms161959.aspx).
     *
     * NOTE(review): this is a credential; supply it as a secret value rather than a string literal.
     */
    administratorLoginPassword?: pulumi.Input;
    /**
     * An integer value used to trigger an update for `administratorLoginPasswordWo`. This property should be incremented when updating `administratorLoginPasswordWo`.
     *
     * NOTE(review): `administratorLoginPasswordWo` itself is not declared on this interface as shown here - confirm against the provider schema.
     */
    administratorLoginPasswordWoVersion?: pulumi.Input;
    /**
     * An `azureadAdministrator` block as defined below.
     *
     * NOTE(review): the block's fields are not declared in this file; presumably they live in the imported `../types` modules - confirm.
     */
    azureadAdministrator?: pulumi.Input;
    /**
     * The connection policy the server will use. Possible values are `Default`, `Proxy`, and `Redirect`. Defaults to `Default`.
     */
    connectionPolicy?: pulumi.Input;
    /**
     * Whether to enable the Express Vulnerability Assessment Configuration. Defaults to `false`.
     *
     * > **Note:** If you have enabled the Classic SQL Vulnerability Assessment configuration using the `azure.mssql.ServerVulnerabilityAssessment` resource, you must first delete it before enabling `expressVulnerabilityAssessmentEnabled`. If you wish to revert back to using the Classic SQL Vulnerability Assessment configuration you must first disable this setting.
     */
    expressVulnerabilityAssessmentEnabled?: pulumi.Input;
    /**
     * The fully qualified domain name of the Azure SQL Server (e.g. myServerName.database.windows.net)
     */
    fullyQualifiedDomainName?: pulumi.Input;
    /**
     * An `identity` block as defined below.
     */
    identity?: pulumi.Input;
    /**
     * Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
     */
    location?: pulumi.Input;
    /**
     * The Minimum TLS Version for all SQL Database and SQL Data Warehouse databases associated with the server. Valid values are: `1.0`, `1.1` , `1.2` and `Disabled`. Defaults to `1.2`.
     *
     * > **Note:** Setting `minimumTlsVersion` to `Disabled` means all TLS versions are allowed. After you enforce a version of `minimumTlsVersion`, it's not possible to revert to `Disabled`.
     *
     * > **Note:** Azure Services will require TLS 1.2+ by August 2025, please see this [announcement](https://azure.microsoft.com/en-us/updates/v2/update-retirement-tls1-0-tls1-1-versions-azure-services/) for more.
     *
     * NOTE(review): `1.0`, `1.1` and `Disabled` all admit deprecated TLS protocol versions; keep the `1.2` default unless a legacy client forces otherwise.
     */
    minimumTlsVersion?: pulumi.Input;
    /**
     * The name of the Microsoft SQL Server. This needs to be globally unique within Azure. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input;
    /**
     * Whether outbound network traffic is restricted for this server. Defaults to `false`.
     */
    outboundNetworkRestrictionEnabled?: pulumi.Input;
    /**
     * Specifies the primary user managed identity id. Required if `type` within the `identity` block is set to either `SystemAssigned, UserAssigned` or `UserAssigned` and should be set at same time as setting `identityIds`.
     */
    primaryUserAssignedIdentityId?: pulumi.Input;
    /**
     * Whether public network access is allowed for this server. Defaults to `true`.
     *
     * NOTE(review): the default leaves the server's public endpoint enabled. Where clients connect only over private endpoints, set this to `false`; otherwise review the server's firewall rules.
     */
    publicNetworkAccessEnabled?: pulumi.Input;
    /**
     * The name of the resource group in which to create the Microsoft SQL Server. Changing this forces a new resource to be created.
     */
    resourceGroupName?: pulumi.Input;
    /**
     * A list of dropped restorable database IDs on the server.
     */
    // NOTE(review): the type below is malformed as extracted (unbalanced `>`); the original type arguments are not recoverable from this listing.
    restorableDroppedDatabaseIds?: pulumi.Input[]>;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{ [key: string]: pulumi.Input; }>;
    /**
     * The fully versioned `Key Vault` `Key` URL (e.g. `https://<YourVaultName>.vault.azure.net/keys/<YourKeyName>/<YourKeyVersion>`, where the bracketed parts are placeholders) to be used as the `Customer Managed Key`(CMK/BYOK) for the `Transparent Data Encryption`(TDE) layer.
     *
     * > **Note:** To successfully deploy a `Microsoft SQL Server` in CMK/BYOK TDE the `Key Vault` must have `Soft-delete` and `purge protection` enabled to protect from data loss due to accidental key and/or key vault deletion. The `Key Vault` and the `Microsoft SQL Server` `User Managed Identity Instance` must belong to the same `Azure Active Directory` `tenant`.
     *
     * > **Note:** Cross-tenant `Key Vault` and `Microsoft SQL Server` interactions are not supported. Please see the [product documentation](https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql#requirements-for-configuring-customer-managed-tde) for more information.
     *
     * > **Note:** When using a firewall with a `Key Vault`, you must enable the option `Allow trusted Microsoft services to bypass the firewall`.
     */
    transparentDataEncryptionKeyVaultKeyId?: pulumi.Input;
    /**
     * The version for the new server. Valid values are: 2.0 (for v11 server) and 12.0 (for v12 server). Changing this forces a new resource to be created.
     */
    version?: pulumi.Input;
}
/**
 * The set of arguments for constructing a Server resource.
 */
export interface ServerArgs {
    /**
     * The administrator login name for the new server. Required unless `azureadAuthenticationOnly` in the `azureadAdministrator` block is `true`. When omitted, Azure will generate a default username which cannot be subsequently changed. Changing this forces a new resource to be created.
     */
    administratorLogin?: pulumi.Input;
    /**
     * The password associated with the `administratorLogin` user. Needs to comply with Azure's [Password Policy](https://msdn.microsoft.com/library/ms161959.aspx).
     *
     * NOTE(review): this is a credential. Pass it as a secret value (for example from `pulumi.Config.requireSecret`) rather than a string literal; whether the provider also marks it secret in state is not visible in this file - confirm.
     */
    administratorLoginPassword?: pulumi.Input;
    /**
     * An integer value used to trigger an update for `administratorLoginPasswordWo`. This property should be incremented when updating `administratorLoginPasswordWo`.
     *
     * NOTE(review): `administratorLoginPasswordWo` itself is not declared on this interface as shown here - confirm against the provider schema.
     */
    administratorLoginPasswordWoVersion?: pulumi.Input;
    /**
     * An `azureadAdministrator` block as defined below.
     *
     * NOTE(review): the block's fields (such as `azureadAuthenticationOnly`, referenced by `administratorLogin`) are not declared in this file; presumably they live in the imported `../types` modules - confirm.
     */
    azureadAdministrator?: pulumi.Input;
    /**
     * The connection policy the server will use. Possible values are `Default`, `Proxy`, and `Redirect`. Defaults to `Default`.
     */
    connectionPolicy?: pulumi.Input;
    /**
     * Whether to enable the Express Vulnerability Assessment Configuration. Defaults to `false`.
     *
     * > **Note:** If you have enabled the Classic SQL Vulnerability Assessment configuration using the `azure.mssql.ServerVulnerabilityAssessment` resource, you must first delete it before enabling `expressVulnerabilityAssessmentEnabled`. If you wish to revert back to using the Classic SQL Vulnerability Assessment configuration you must first disable this setting.
     */
    expressVulnerabilityAssessmentEnabled?: pulumi.Input;
    /**
     * An `identity` block as defined below.
     */
    identity?: pulumi.Input;
    /**
     * Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
     */
    location?: pulumi.Input;
    /**
     * The Minimum TLS Version for all SQL Database and SQL Data Warehouse databases associated with the server. Valid values are: `1.0`, `1.1` , `1.2` and `Disabled`. Defaults to `1.2`.
     *
     * > **Note:** Setting `minimumTlsVersion` to `Disabled` means all TLS versions are allowed. After you enforce a version of `minimumTlsVersion`, it's not possible to revert to `Disabled`.
     *
     * > **Note:** Azure Services will require TLS 1.2+ by August 2025, please see this [announcement](https://azure.microsoft.com/en-us/updates/v2/update-retirement-tls1-0-tls1-1-versions-azure-services/) for more.
     *
     * NOTE(review): `1.0`, `1.1` and `Disabled` all admit deprecated TLS protocol versions; keep the `1.2` default unless a legacy client forces otherwise.
     */
    minimumTlsVersion?: pulumi.Input;
    /**
     * The name of the Microsoft SQL Server. This needs to be globally unique within Azure. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input;
    /**
     * Whether outbound network traffic is restricted for this server. Defaults to `false`.
     */
    outboundNetworkRestrictionEnabled?: pulumi.Input;
    /**
     * Specifies the primary user managed identity id. Required if `type` within the `identity` block is set to either `SystemAssigned, UserAssigned` or `UserAssigned` and should be set at same time as setting `identityIds`.
     */
    primaryUserAssignedIdentityId?: pulumi.Input;
    /**
     * Whether public network access is allowed for this server. Defaults to `true`.
     *
     * NOTE(review): the default leaves the server's public endpoint enabled. Where clients connect only over private endpoints, set this to `false`; otherwise review the server's firewall rules.
     */
    publicNetworkAccessEnabled?: pulumi.Input;
    /**
     * The name of the resource group in which to create the Microsoft SQL Server. Changing this forces a new resource to be created.
     */
    resourceGroupName: pulumi.Input;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{ [key: string]: pulumi.Input; }>;
    /**
     * The fully versioned `Key Vault` `Key` URL (e.g. `https://<YourVaultName>.vault.azure.net/keys/<YourKeyName>/<YourKeyVersion>`, where the bracketed parts are placeholders) to be used as the `Customer Managed Key`(CMK/BYOK) for the `Transparent Data Encryption`(TDE) layer.
     *
     * > **Note:** To successfully deploy a `Microsoft SQL Server` in CMK/BYOK TDE the `Key Vault` must have `Soft-delete` and `purge protection` enabled to protect from data loss due to accidental key and/or key vault deletion. The `Key Vault` and the `Microsoft SQL Server` `User Managed Identity Instance` must belong to the same `Azure Active Directory` `tenant`.
     *
     * > **Note:** Cross-tenant `Key Vault` and `Microsoft SQL Server` interactions are not supported. Please see the [product documentation](https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql#requirements-for-configuring-customer-managed-tde) for more information.
     *
     * > **Note:** When using a firewall with a `Key Vault`, you must enable the option `Allow trusted Microsoft services to bypass the firewall`.
     */
    transparentDataEncryptionKeyVaultKeyId?: pulumi.Input;
    /**
     * The version for the new server. Valid values are: 2.0 (for v11 server) and 12.0 (for v12 server). Changing this forces a new resource to be created.
     */
    version: pulumi.Input;
}