1. Using Azure SQL with MSI

    TypeScript

    Managed identity (historically called Managed Service Identity, MSI) lets Azure resources authenticate to cloud services without storing credentials in code. It is a secure way for services such as Azure SQL to authenticate to other Azure services, because the platform manages the identity's credentials and rotates them for you.

    In the context of Azure SQL, you can use MSI for scenarios such as:

    • Allowing an Azure SQL server to authenticate to other services (e.g., Azure Key Vault to retrieve secrets).
    • Enabling applications to authenticate to the Azure SQL database using the identity of the Azure resource where the application is running.

    Below is a Pulumi program written in TypeScript showing how to provision an Azure SQL Managed Instance with system-assigned managed identity enabled.

    Detailed Explanation

    First, we import necessary modules and initialize the resource group and networking infrastructure, including a subnet with a delegations property that grants the SQL service permission to use the subnet.

    Next, we set up the SQL Managed Instance with a system-assigned identity, which is specified in the identity property of the ManagedInstanceArgs. We configure the instance's administrative credentials and define specifications such as storage size and VCore count.

    Finally, the program outputs the fully qualified domain name (FQDN) of the instance, which can be used to connect to the instance from client applications.

    Pulumi Program

    import * as azure from "@pulumi/azure-native";
    import * as network from "@pulumi/azure-native/network";
    import * as pulumi from "@pulumi/pulumi";

    // Create a resource group for our resources
    const resourceGroup = new azure.resources.ResourceGroup("resourceGroup");

    // Set up a virtual network and a subnet delegated to the SQL Managed Instance service.
    // Azure also requires a network security group and a route table to be associated with
    // a Managed Instance subnet; they are omitted here for brevity.
    const virtualNetwork = new network.VirtualNetwork("virtualNetwork", {
        resourceGroupName: resourceGroup.name,
        addressSpace: { addressPrefixes: ["10.0.0.0/16"] },
        location: resourceGroup.location,
    });

    const subnet = new network.Subnet("subnet", {
        resourceGroupName: resourceGroup.name,
        virtualNetworkName: virtualNetwork.name,
        addressPrefix: "10.0.1.0/24",
        delegations: [{
            name: "sqlDelegation",
            serviceName: "Microsoft.Sql/managedInstances",
        }],
    });

    // Set up the Azure SQL Managed Instance with a system-assigned managed identity
    const sqlManagedInstance = new azure.sql.ManagedInstance("sqlManagedInstance", {
        resourceGroupName: resourceGroup.name,
        location: resourceGroup.location,
        // Define the managed instance's size, admin credentials, and storage details
        sku: {
            name: "GP_Gen5",
            tier: "GeneralPurpose",
        },
        storageSizeInGB: 32,
        vCores: 8,
        // Enable system-assigned managed identity (a plain string is the expected input;
        // wrapping it in pulumi.output() is unnecessary)
        identity: {
            type: "SystemAssigned",
        },
        // Place the instance in the delegated subnet (this also creates the dependency on it)
        subnetId: subnet.id,
        // Authentication details. The literal below is a placeholder only: in a real stack,
        // store the password with `pulumi config set --secret` and read it with
        // `new pulumi.Config().requireSecret(...)` so it never appears in source control.
        administratorLogin: "sqlAdmin",
        administratorLoginPassword: "ComplexPassword#1234",
    }, { dependsOn: [subnet] });

    // Export the fully qualified domain name (FQDN) of the SQL Managed Instance
    export const sqlManagedInstanceFqdn = sqlManagedInstance.fullyQualifiedDomainName;

    This Pulumi program can be run "out of the box", provided that you have the Pulumi CLI and Azure CLI installed and are logged in to your Azure account. Once you run `pulumi up`, the program creates the resources described above. Note that provisioning a SQL Managed Instance typically takes several hours.

    For more information, see the Pulumi documentation for each of the resources used above.

    The identity block within the managed instance resource specifies that we want a system-assigned managed identity. Upon resource creation, Azure creates an identity in Microsoft Entra ID that is tied to the lifecycle of the managed instance, to which the relevant permissions can then be granted.

    Remember to keep your administrator login credentials secure, use appropriate secret management practices, and replace "ComplexPassword#1234" with a strong, unique password.