Azure SQL Database

azure-sql-database

Logical SQL server + database with Entra-only auth, firewall/private endpoint, auditing, TDE and a failover-group option. Works with Terraform and OpenTofu (>= 1.6), azurerm provider >= 4.0, < 5.0.

Secure defaults:

• Public network access off (bring a private endpoint, or opt in to the public endpoint + firewall rules)
• Minimum TLS 1.2, transparent data encryption on
• Entra (Azure AD) admin with azuread_authentication_only = true by default — no SQL passwords anywhere
• Serverless General Purpose SKU by default: scales to zero cost when idle
• System-assigned managed identity on the server (needed for auditing/CMK)

Usage

module "sql" {
  source              = "./azure-sql-database"
  name                = "myapp-prod-sql"
  resource_group_name = "rg-myapp-prod"
  location            = "westeurope"
  database_name       = "appdb"

  entra_administrator = {
    login_username = "sql-admins"
    object_id      = "11111111-1111-1111-1111-111111111111" # Entra group
  }

  private_endpoint = {
    subnet_id            = azurerm_subnet.data.id
    private_dns_zone_ids = [azurerm_private_dns_zone.sql.id]
  }

  tags = { Environment = "prod" }
}

Inputs

Name	Type	Default	Description
name	string	—	Logical server name, globally unique (required)
resource_group_name	string	—	Existing resource group (required)
location	string	—	Azure region (required)
database_name	string	—	Database name (required)
database_sku_name	string	"GP_S_Gen5_2"	DB SKU (Basic, S0, GP_S_Gen5_2, BC_Gen5_2...)
collation	string	SQL_Latin1_General_CP1_CI_AS	Database collation
max_size_gb	number	32	Max database size
zone_redundant	bool	false	Zone-redundant replicas
backup_storage_redundancy	string	"Geo"	Geo / GeoZone / Zone / Local
serverless_min_capacity	number	0.5	Min vCores (serverless SKUs only)
serverless_auto_pause_delay_in_minutes	number	60	Auto-pause delay; -1 disables
pitr_retention_days	number	7	Point-in-time-restore retention (1-35)
long_term_retention	object	null	LTR policy (ISO 8601 durations)
administrator_login / administrator_password	string	null	SQL auth (optional; password sensitive)
entra_administrator	object	null	Entra admin; azuread_authentication_only defaults true
public_network_access_enabled	bool	false	Public endpoint toggle
allow_azure_services	bool	false	0.0.0.0 rule for Azure services
firewall_rules	map(object)	{}	Named IP ranges (public access only)
private_endpoint	object	null	Subnet + optional private DNS zone IDs
auditing	object	null	Storage endpoint and/or Log Analytics auditing
auditing_storage_account_access_key	string	null	Audit storage key (sensitive)
failover	object	null	Failover group with an existing partner server
tags	map(string)	{}	Tags applied to all resources

Either entra_administrator or administrator_login + administrator_password must be set (enforced by a precondition).

Outputs

server_id, server_name, server_fqdn, server_principal_id, database_id, database_name, private_endpoint_id, private_endpoint_ip_address, failover_group_id.

Requirements

• Terraform or OpenTofu >= 1.6
• hashicorp/azurerm >= 4.0, < 5.0 (built against 4.76)
• The failover partner server must already exist (pass its resource ID); pair two instances of this module for a full active/standby pair.
• Look up the Entra admin object_id yourself (azuread provider or portal) — this module deliberately avoids a second provider dependency.

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).