Set missing MSSQL configuration options (#475)

* Restrict access to the SQL server by setting permitted ipv4 addresses * Set Entra ID administrator on the SQL Server by setting the username and object id * Enable public access for administrative use
DFE-Digital · Sep 2, 2024 · f67f735 · f67f735
1 parent 5df4b60
commit f67f735
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 3 deletions.
diff --git a/terraform/README.md b/terraform/README.md
@@ -201,8 +201,13 @@ No resources.
 | <a name="input_key_vault_access_ipv4"></a> [key\_vault\_access\_ipv4](#input\_key\_vault\_access\_ipv4) | List of IPv4 Addresses that are permitted to access the Key Vault | `list(string)` | n/a | yes |
 | <a name="input_monitor_email_receivers"></a> [monitor\_email\_receivers](#input\_monitor\_email\_receivers) | A list of email addresses that will receive alerts from App Insights | `list(string)` | n/a | yes |
 | <a name="input_monitor_endpoint_healthcheck"></a> [monitor\_endpoint\_healthcheck](#input\_monitor\_endpoint\_healthcheck) | Specify a route that should be monitored for a 200 OK status | `string` | n/a | yes |
+| <a name="input_mssql_azuread_admin_object_id"></a> [mssql\_azuread\_admin\_object\_id](#input\_mssql\_azuread\_admin\_object\_id) | Object ID of a User within Azure AD that you want to assign as the SQL Server Administrator | `string` | `""` | no |
+| <a name="input_mssql_azuread_admin_username"></a> [mssql\_azuread\_admin\_username](#input\_mssql\_azuread\_admin\_username) | Username of a User within Azure AD that you want to assign as the SQL Server Administrator | `string` | `""` | no |
 | <a name="input_mssql_database_name"></a> [mssql\_database\_name](#input\_mssql\_database\_name) | The name of the MSSQL database to create. Must be set if `enable_mssql_database` is true | `string` | n/a | yes |
+| <a name="input_mssql_firewall_ipv4_allow_list"></a> [mssql\_firewall\_ipv4\_allow\_list](#input\_mssql\_firewall\_ipv4\_allow\_list) | A list of IPv4 Addresses that require remote access to the MSSQL Server | <pre>map(object({<br>    start_ip_range : string,<br>    end_ip_range : optional(string, "")<br>  }))</pre> | `{}` | no |
+| <a name="input_mssql_managed_identity_assign_role"></a> [mssql\_managed\_identity\_assign\_role](#input\_mssql\_managed\_identity\_assign\_role) | Assign the 'Storage Blob Data Contributor' Role to the SQL Server User-Assigned Managed Identity. Note: If you do not have 'Microsoft.Authorization/roleAssignments/write' permission, you will need to manually assign the 'Storage Blob Data Contributor' Role to the identity | `bool` | `false` | no |
 | <a name="input_mssql_server_admin_password"></a> [mssql\_server\_admin\_password](#input\_mssql\_server\_admin\_password) | The administrator password for the MSSQL server. Must be set if `enable_mssql_database` is true | `string` | n/a | yes |
+| <a name="input_mssql_server_public_access_enabled"></a> [mssql\_server\_public\_access\_enabled](#input\_mssql\_server\_public\_access\_enabled) | Enable public internet access to your MSSQL instance. Be sure to specify 'mssql\_firewall\_ipv4\_allow\_list' to restrict inbound connections | `bool` | `false` | no |
 | <a name="input_project_name"></a> [project\_name](#input\_project\_name) | Project name. Will be used along with `environment` as a prefix for all resources. | `string` | n/a | yes |
 | <a name="input_redis_cache_capacity"></a> [redis\_cache\_capacity](#input\_redis\_cache\_capacity) | Redis Cache Capacity | `number` | n/a | yes |
 | <a name="input_redis_cache_sku"></a> [redis\_cache\_sku](#input\_redis\_cache\_sku) | Redis Cache SKU | `string` | n/a | yes |

diff --git a/terraform/container-apps-hosting.tf b/terraform/container-apps-hosting.tf
@@ -14,9 +14,14 @@ module "azure_container_apps_hosting" {
   registry_managed_identity_assign_role = local.registry_managed_identity_assign_role
   registry_server                       = local.registry_server
 
-  enable_mssql_database       = local.enable_mssql_database
-  mssql_server_admin_password = local.mssql_server_admin_password
-  mssql_database_name         = local.mssql_database_name
+  enable_mssql_database              = local.enable_mssql_database
+  mssql_server_admin_password        = local.mssql_server_admin_password
+  mssql_database_name                = local.mssql_database_name
+  mssql_firewall_ipv4_allow_list     = local.mssql_firewall_ipv4_allow_list
+  mssql_server_public_access_enabled = local.mssql_server_public_access_enabled
+  mssql_azuread_admin_username       = local.mssql_azuread_admin_username
+  mssql_azuread_admin_object_id      = local.mssql_azuread_admin_object_id
+  mssql_managed_identity_assign_role = local.mssql_managed_identity_assign_role
 
   image_name = local.image_name
 

diff --git a/terraform/locals.tf b/terraform/locals.tf
@@ -23,6 +23,11 @@ locals {
   enable_mssql_database                           = var.enable_mssql_database
   mssql_server_admin_password                     = var.mssql_server_admin_password
   mssql_database_name                             = var.mssql_database_name
+  mssql_firewall_ipv4_allow_list                  = var.mssql_firewall_ipv4_allow_list
+  mssql_server_public_access_enabled              = var.mssql_server_public_access_enabled
+  mssql_azuread_admin_username                    = var.mssql_azuread_admin_username
+  mssql_azuread_admin_object_id                   = var.mssql_azuread_admin_object_id
+  mssql_managed_identity_assign_role              = var.mssql_managed_identity_assign_role
   redis_cache_sku                                 = var.redis_cache_sku
   redis_cache_capacity                            = var.redis_cache_capacity
   enable_cdn_frontdoor                            = var.enable_cdn_frontdoor

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -360,6 +360,39 @@ variable "mssql_database_name" {
   type        = string
 }
 
+variable "mssql_firewall_ipv4_allow_list" {
+  description = "A list of IPv4 Addresses that require remote access to the MSSQL Server"
+  type = map(object({
+    start_ip_range : string,
+    end_ip_range : optional(string, "")
+  }))
+  default = {}
+}
+
+variable "mssql_server_public_access_enabled" {
+  description = "Enable public internet access to your MSSQL instance. Be sure to specify 'mssql_firewall_ipv4_allow_list' to restrict inbound connections"
+  type        = bool
+  default     = false
+}
+
+variable "mssql_azuread_admin_username" {
+  description = "Username of a User within Azure AD that you want to assign as the SQL Server Administrator"
+  type        = string
+  default     = ""
+}
+
+variable "mssql_azuread_admin_object_id" {
+  description = "Object ID of a User within Azure AD that you want to assign as the SQL Server Administrator"
+  type        = string
+  default     = ""
+}
+
+variable "mssql_managed_identity_assign_role" {
+  description = "Assign the 'Storage Blob Data Contributor' Role to the SQL Server User-Assigned Managed Identity. Note: If you do not have 'Microsoft.Authorization/roleAssignments/write' permission, you will need to manually assign the 'Storage Blob Data Contributor' Role to the identity"
+  type        = bool
+  default     = false
+}
+
 variable "key_vault_access_ipv4" {
   description = "List of IPv4 Addresses that are permitted to access the Key Vault"
   type        = list(string)