1. Using azure-native sql with managedidentity

    TypeScript

    In Azure, using a Managed Identity with an Azure SQL resource allows secure, automatic authentication to Azure services and eliminates the need to handle credentials in your code or configuration. This is a preferred method of connecting to services that support Azure Active Directory (AAD) authentication when running in the Azure environment.

    Below is a Pulumi program in TypeScript that sets up an Azure SQL Server and a Managed Instance within it, utilizing a system-assigned Managed Identity. Managed Identity is a feature of Azure Active Directory and helps Azure services authenticate to each other in a secure manner.

    The following resources from azure-native are used:

    • Server - Represents an instance of a server for Microsoft Azure SQL Database.
    • ManagedInstance - Represents an instance of SQL Managed Instance which is a fully managed service provided by Microsoft.

    The Managed Identity can be enabled on the Server resource, and afterward, the ManagedInstance can be created within this server. The identity type is set to "SystemAssigned", which creates an identity associated with the service instance.

    Before you use the code, make sure you have installed the Pulumi CLI and logged in to Azure with the Azure CLI.

    Now, let's go through the code:

    ```typescript
    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure-native";

    // Create an Azure Resource Group
    const resourceGroup = new azure.resources.ResourceGroup("resourceGroup");

    // Create an Azure SQL Server with a System Assigned Managed Identity
    const sqlServer = new azure.sql.Server("sqlServer", {
        resourceGroupName: resourceGroup.name,
        location: resourceGroup.location,
        // Enabling Managed Identity (System Assigned)
        identity: {
            type: azure.sql.IdentityType.SystemAssigned,
        },
    });

    // Create a SQL Managed Instance and set its Azure Active Directory administrator
    const sqlManagedInstance = new azure.sql.ManagedInstance("sqlManagedInstance", {
        resourceGroupName: resourceGroup.name,
        managedInstanceName: "myManagedInstance",
        location: resourceGroup.location,
        // Specify other properties as required, for example:
        // (placeholder path: replace each {…} token with your own values)
        subnetId: "/subscriptions/{subscriptionId}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}",
        // Define the SKU for your managed instance
        sku: {
            name: "GP_Gen5",
            tier: "GeneralPurpose",
        },
        administrators: {
            // Set the Azure Active Directory admin for the instance
            // (the all-zero GUIDs below are placeholders)
            login: "exampleadmin",
            sid: "00000000-0000-0000-0000-000000000000", // SID of AAD principal
            principalType: "User",
            tenantId: "00000000-0000-0000-0000-000000000000", // AAD tenant ID
        },
        // Additional optional parameters can be set as needed
    });

    // Export the Azure SQL Server name and Managed Instance ID
    export const sqlServerName = sqlServer.name;
    export const sqlManagedInstanceId = sqlManagedInstance.id;
    ```

    The resourceGroup is a logical container into which all your Azure resources, such as SQL servers, databases, and networking components, will be deployed.

    Next, a SQL Server, sqlServer, is created with a SystemAssigned identity, which grants this resource an identity in Azure AD. This identity can then be used to authenticate to other services that support Azure AD without needing to manage credentials.

    Within this server, a Managed Instance, sqlManagedInstance, is created. It includes specifications such as the subnetId, which defines the subnet where the instance resides, the sku, which specifies performance characteristics, and the administrators block, which defines an Azure Active Directory administrator for the Managed Instance.

    At the end of the program, the SQL Server name and the Managed Instance ID are exported, so they can be used to reference or connect to these resources from other services or applications.

    When you run the Pulumi program, it employs the Azure Native Provider to interact with your Azure subscription and provision the resources specified in the code above. If you have not set up the Pulumi Azure Native Provider before, you might need to configure it with appropriate Azure credentials. The Pulumi CLI will guide you through that process if needed.
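
The program above ships with template values (the `{subscriptionId}`-style subnetId and all-zero sid and tenantId) and relies on identity and administrator settings for credential-free access. The check below is an added example, not part of the original program or of Pulumi's API: it audits plain objects shaped like the Server and ManagedInstance arguments before deployment. `SqlArgs`, `auditSqlArgs` and the sample objects are hypothetical names constructed here; `azureADOnlyAuthentication` and `administratorLoginPassword` are azure-native properties that the page's program does not set.

```typescript
// Added example: lint plain objects shaped like the page's Server /
// ManagedInstance args. SqlArgs and auditSqlArgs are hypothetical names.
type SqlArgs = {
  identity?: { type?: string };
  subnetId?: string;
  administratorLoginPassword?: string;
  administrators?: { sid?: string; tenantId?: string; azureADOnlyAuthentication?: boolean };
};

const NIL_GUID = "00000000-0000-0000-0000-000000000000";
const TEMPLATE_TOKEN = /\{[^}]+\}/; // matches tokens such as {subscriptionId}

// Returns one finding per problem; an empty array means the args pass.
function auditSqlArgs(label: string, args: SqlArgs): string[] {
  const findings: string[] = [];
  const idType = args.identity?.type ?? "None";
  // "SystemAssigned,UserAssigned" is also a valid identity type value.
  if (idType.split(",").indexOf("SystemAssigned") === -1) {
    findings.push(`${label}: no system-assigned identity (identity.type=${idType})`);
  }
  if (args.subnetId !== undefined && TEMPLATE_TOKEN.test(args.subnetId)) {
    findings.push(`${label}: subnetId still contains a template placeholder`);
  }
  const admin = args.administrators;
  if (admin === undefined) {
    findings.push(`${label}: no Azure AD administrator configured`);
  } else {
    if (admin.sid === NIL_GUID || admin.tenantId === NIL_GUID) {
      findings.push(`${label}: administrators uses the all-zero placeholder GUID`);
    }
    if (admin.azureADOnlyAuthentication !== true) {
      findings.push(`${label}: SQL authentication not disabled (azureADOnlyAuthentication)`);
    }
  }
  if (args.administratorLoginPassword !== undefined) {
    findings.push(`${label}: SQL admin password present in program arguments`);
  }
  return findings;
}

// Constructed inputs mirroring the two resources declared in the program above.
const pageServer: SqlArgs = { identity: { type: "SystemAssigned" } };
const pageInstance: SqlArgs = {
  subnetId: "/subscriptions/{subscriptionId}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}",
  administrators: { sid: NIL_GUID, tenantId: NIL_GUID },
};
for (const f of auditSqlArgs("sqlServer", pageServer).concat(auditSqlArgs("sqlManagedInstance", pageInstance))) {
  console.log(f);
}
```

Run against the arguments as written on this page, the check reports that the server has no Azure AD administrator and that the managed instance declares no identity block of its own, in addition to the unreplaced placeholders.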