Using azure-native sql with managedidentity
In Azure, using a Managed Identity with an Azure SQL resource allows secure, automatic authentication to Azure services and eliminates the need to handle credentials in your code or configuration. This is the preferred way of connecting to services that support Azure Active Directory (AAD) authentication when running in the Azure environment.
Below is a Pulumi program in TypeScript that sets up an Azure SQL Server and a Managed Instance within it, utilizing a system-assigned Managed Identity. Managed Identity is a feature of Azure Active Directory and helps Azure services authenticate to each other in a secure manner.
The following resources from `azure-native` are used:
- `Server`: represents an instance of a server for Microsoft Azure SQL Database.
- `ManagedInstance`: represents an instance of SQL Managed Instance, a fully managed service provided by Microsoft.
The Managed Identity can be enabled on the `Server` resource, and afterward the `ManagedInstance` can be created within this server. The identity type is set to "SystemAssigned", which creates an identity associated with the service instance.

Before you use the code, make sure you have installed the Pulumi CLI and logged in to Azure with the Azure CLI.
Now, let's go through the code:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure-native";

// Create an Azure Resource Group
const resourceGroup = new azure.resources.ResourceGroup("resourceGroup");

// Create an Azure SQL Server with a System Assigned Managed Identity.
// Note: Azure also requires an administrator on the server, either a SQL login
// (administratorLogin/administratorLoginPassword) or an Azure AD admin via
// `administrators`; add one of these before deploying.
const sqlServer = new azure.sql.Server("sqlServer", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    // Enabling Managed Identity (System Assigned)
    identity: {
        type: azure.sql.IdentityType.SystemAssigned,
    },
});

// Create a SQL Managed Instance inside the new server with the Managed Identity
const sqlManagedInstance = new azure.sql.ManagedInstance("sqlManagedInstance", {
    resourceGroupName: resourceGroup.name,
    managedInstanceName: "myManagedInstance",
    location: resourceGroup.location,
    // Give the instance its own system-assigned identity as well
    identity: {
        type: azure.sql.IdentityType.SystemAssigned,
    },
    // Specify other properties as required, for example the delegated subnet
    // (replace the {...} segments with values from your subscription):
    subnetId: "/subscriptions/{subscriptionId}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}",
    // Define the SKU for your managed instance
    sku: {
        name: "GP_Gen5",
        tier: "GeneralPurpose",
    },
    administrators: {
        // set Azure Active Directory admin for the instance
        login: "exampleadmin",
        sid: "00000000-0000-0000-0000-000000000000", // SID of AAD principal
        principalType: "User",
        tenantId: "00000000-0000-0000-0000-000000000000", // AAD tenant ID
    },
    // Additional optional parameters can be set as needed
});

// Export the Azure SQL Server name and Managed Instance ID
export const sqlServerName = sqlServer.name;
export const sqlManagedInstanceId = sqlManagedInstance.id;
```
The `resourceGroup` is a logical container into which all your Azure resources, such as SQL Servers, Databases and Networking components, will be deployed.

Next, a SQL Server `sqlServer` is created with a `SystemAssigned` identity, which grants this resource an identity in Azure AD. This identity can then be used to authenticate to other services that support Azure AD without needing to manage credentials.

Within this server, a Managed Instance `sqlManagedInstance` is created. It includes specifications such as the `subnetId`, which defines the subnet where the instance resides, the `sku`, which specifies performance characteristics, and the `administrators` block, which defines an Azure Active Directory administrator for the Managed Instance.

At the end of the program, the name of the SQL Server and the ID of the Managed Instance are exported, so they can be used to reference or connect to these resources from other services or applications.
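As an added example that is not part of the original program, the following TypeScript is a pre-deployment check over the argument objects passed to the `Server` and `ManagedInstance` resources above; it is plain TypeScript with no Pulumi dependency, so it can run in a unit test before `pulumi up`. It flags the credential mistakes this setup is meant to avoid: no system-assigned identity, a SQL password embedded in the program, placeholder GUIDs left in the `administrators` block, and Azure AD-only authentication not enabled (`azureADOnlyAuthentication` is a field of the azure-native `administrators` block that the program above does not set).

```typescript
// Added example: lint Server / ManagedInstance args before deploying (no Pulumi import needed).
interface IdentityArgs { type?: string }
interface AdministratorsArgs {
    login?: string;
    sid?: string;
    tenantId?: string;
    principalType?: string;
    azureADOnlyAuthentication?: boolean; // azure-native field, unset in the program above
}
interface SqlResourceArgs {
    identity?: IdentityArgs;
    administrators?: AdministratorsArgs;
    administratorLoginPassword?: string;
}

// The all-zero GUID is the stand-in used for sid/tenantId in the program above.
const PLACEHOLDER_GUID = /^0{8}-0{4}-0{4}-0{4}-0{12}$/;

// Returns one finding per problem; an empty array means the args pass the check.
export function checkSqlArgs(name: string, args: SqlResourceArgs): string[] {
    const findings: string[] = [];
    if (args.identity?.type !== "SystemAssigned") {
        findings.push(`${name}: identity.type is not "SystemAssigned"; the resource gets no Azure AD identity`);
    }
    if (args.administratorLoginPassword !== undefined) {
        findings.push(`${name}: administratorLoginPassword is set; keep SQL passwords out of the program`);
    }
    const admin = args.administrators;
    if (admin === undefined) {
        findings.push(`${name}: no administrators block; no Azure AD administrator is configured`);
        return findings;
    }
    for (const field of ["sid", "tenantId"] as const) {
        const value = admin[field];
        if (value === undefined || PLACEHOLDER_GUID.test(value)) {
            findings.push(`${name}: administrators.${field} is missing or still the placeholder GUID`);
        }
    }
    if (admin.azureADOnlyAuthentication !== true) {
        findings.push(`${name}: administrators.azureADOnlyAuthentication is not true; SQL logins stay enabled`);
    }
    return findings;
}
```

Run against the `administrators` block exactly as written in the program above (no identity, placeholder GUIDs, no AAD-only flag) it returns four findings; a hardened configuration returns none.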
When you run the Pulumi program, it employs the Azure Native Provider to interact with your Azure subscription and provision the resources specified in the code above. If you have not set up the Pulumi Azure Native Provider before, you might need to configure it with appropriate Azure credentials. The Pulumi CLI will guide you through that process if needed.